Skip to main content

Kyverno PSP Guide

Kyverno is more flexible and can Enforce security and compliance standards beyond what PSA provides. It installs as an admission webhook in your cluster. It checks every pod/deployment before creation. If your pod breaks a rule → Kyverno warns or blocks it. Install KyvernoApply essential security policies (best practices)

Step 1: Install Kyverno

kubectl create -f https://github.com/kyverno/kyverno/releases/download/v1.14.4/install.yaml
Check: 
kubectl get pods -n kyverno
You should see Kyverno pods running.

Step 2: Apply Essential Security Policies

Here are must-have policies for production clusters:

1. Disallow Privileged Containers

Prevent pods from running with privileged: true: 
apiVersion: kyverno.io/v1
kind: ClusterPolicy
metadata:
  name: disallow-privileged
spec:
  validationFailureAction: Enforce
  background: true
  rules:
    - name: check-privileged
      match:
        resources:
          kinds:
            - Pod
      validate:
        message: "Privileged mode is not allowed."
        pattern:
          spec:
            containers:
              - securityContext:
                  privileged: "false"
Apply: 
kubectl apply -f disallow-privileged.yaml

2. Require runAsNonRoot

Enforce running containers as non-root: 
apiVersion: kyverno.io/v1
kind: ClusterPolicy
metadata:
  name: require-run-as-non-root
spec:
  validationFailureAction: Enforce
  background: true
  rules:
    - name: run-as-non-root
      match:
        resources:
          kinds:
            - Pod
      validate:
        message: "Containers must set runAsNonRoot=true."
        pattern:
          spec:
            containers:
              - securityContext:
                  runAsNonRoot: true

3. Disallow Privilege Escalation

apiVersion: kyverno.io/v1
kind: ClusterPolicy
metadata:
  name: disallow-privilege-escalation
spec:
  validationFailureAction: Enforce
  background: true
  rules:
    - name: no-priv-escalation
      match:
        resources:
          kinds:
            - Pod
      validate:
        message: "Privilege escalation is not allowed."
        pattern:
          spec:
            containers:
              - securityContext:
                  allowPrivilegeEscalation: "false"

4. Restrict HostPath Volumes

Block access to host file system: 
apiVersion: kyverno.io/v1
kind: ClusterPolicy
metadata:
  name: disallow-hostpath
spec:
  validationFailureAction: Enforce
  background: true
  rules:
    - name: no-hostpath
      match:
        resources:
          kinds:
            - Pod
      validate:
        message: "HostPath volumes are not allowed."
        pattern:
          spec:
            =(volumes):
              - X(hostPath): "null"

5. Enforce Image Registry Policy

Allow only trusted image registries: 
apiVersion: kyverno.io/v1
kind: ClusterPolicy
metadata:
  name: restrict-image-registries
spec:
  validationFailureAction: Enforce
  background: true
  rules:
    - name: allow-only-approved-registries
      match:
        resources:
          kinds:
            - Pod
      validate:
        message: "Images must be from approved registries: ghcr.io, docker.io, your-registry.com."
        pattern:
          spec:
            containers:
              - image: "ghcr.io/* | docker.io/* | your-registry.com/*"

How to Apply All Policies

Save these YAMLs in a folder (e.g., kyverno-policies/) and apply: 
kubectl apply -f kyverno-policies/
Keep Note: validationFailureAction: Enforce/Audit Enforce blocks the creation of resources that violate the policy, while Audit allows them but logs violations.
  • Mutating Admission Controller → Can add/change things (like injecting a sidecar or setting defaults).
  • Validating Admission Controller → Can allow or deny the object based on rules.

Step 3: Verify

Try to create a privileged pod: 
kubectl run test --image=nginx --overrides='{"spec":{"containers":[{"name":"test","image":"nginx","securityContext":{"privileged":true}}]}}'
It should be blocked.

Essential Kyverno Policies for Production

1. Block latest Image Tag

Reason: Using latest can cause unpredictable deployments. 
apiVersion: kyverno.io/v1
kind: ClusterPolicy
metadata:
  name: disallow-latest-tag
spec:
  validationFailureAction: Enforce
  background: true
  rules:
    - name: validate-image-tag
      match:
        resources:
          kinds:
            - Pod
      validate:
        message: "Using 'latest' tag is not allowed. Use a specific version."
        pattern:
          spec:
            containers:
              - image: "!*:latest"

2. Enforce Read-Only Root Filesystem

Prevents tampering inside containers. 
apiVersion: kyverno.io/v1
kind: ClusterPolicy
metadata:
  name: require-readonly-rootfs
spec:
  validationFailureAction: Enforce
  background: true
  rules:
    - name: check-readonly-rootfs
      match:
        resources:
          kinds:
            - Pod
      validate:
        message: "Containers must set readOnlyRootFilesystem=true."
        pattern:
          spec:
            containers:
              - securityContext:
                  readOnlyRootFilesystem: true

3. Limit Container Capabilities

Drop all Linux capabilities except required ones. 
apiVersion: kyverno.io/v1
kind: ClusterPolicy
metadata:
  name: restrict-capabilities
spec:
  validationFailureAction: Enforce
  background: true
  rules:
    - name: drop-all-add-none
      match:
        resources:
          kinds:
            - Pod
      validate:
        message: "Containers must drop all capabilities."
        pattern:
          spec:
            containers:
              - securityContext:
                  capabilities:
                    drop: ["ALL"]

4. Require CPU & Memory Limits

Guarantee resource allocation to prevent noisy neighbor issues. 
apiVersion: kyverno.io/v1
kind: ClusterPolicy
metadata:
  name: require-resource-limits
spec:
  validationFailureAction: Audit
  background: true
  rules:
    - name: validate-limits
      match:
        resources:
          kinds:
            - Pod
      validate:
        message: "CPU and memory limits must be set."
        pattern:
          spec:
            containers:
              - resources:
                  limits:
                    cpu: "?*"
                    memory: "?*"

5. Block Containers Running as Root (UID 0)

Even if runAsNonRoot is missed, Enforce UID check. 
apiVersion: kyverno.io/v1
kind: ClusterPolicy
metadata:
  name: disallow-root-user
spec:
  validationFailureAction: Enforce
  background: true
  rules:
    - name: no-root-uid
      match:
        resources:
          kinds:
            - Pod
      validate:
        message: "Containers cannot run as root user."
        deny:
          conditions:
            all:
              - key: "{{ request.object.spec.containers[*].securityContext.runAsUser }}"
                operator: In
                value: [0]

DOCS ------------------------------------------------------------------------------------

Kyverno Admission Control: Mutate, Validate, Enforce, and Audit

Overview

Kyverno is a Kubernetes-native policy engine that manages and secures Kubernetes resources using admission control. It acts as a validating and mutating admission webhook, enabling:
  • Validation – Ensure configurations follow policies (block or warn)
  • Mutation – Add or modify resource configuration dynamically
  • Generation – Create new resources when needed
  • Verification – Check image signatures for security
Kyverno policies are written in YAML, making it easier for Kubernetes users compared to writing complex Rego scripts (OPA).

What is Admission Control in Kubernetes?

When a resource is created or modified, the request flows through:
  1. Authentication & Authorization
  2. Admission Controllers (Mutating → Validating)
  3. Persistence in etcd
Kyverno hooks into this flow as an admission controller:
  • Mutating Webhook – Modify resource before creation (e.g., add labels)
  • Validating Webhook – Accept or reject resource (enforce policies)

Kyverno Policy Types

1. Mutate Policies

  • Automatically add, modify, or remove fields in resource manifests.
  • Example use cases:
    • Add labels/annotations
    • Inject sidecar containers
    • Enforce default security settings
Example: 
apiVersion: kyverno.io/v1
kind: ClusterPolicy
metadata:
  name: add-label
spec:
  rules:
    - name: add-kyverno-label
      match:
        resources:
          kinds:
            - Deployment
      mutate:
        patchStrategicMerge:
          metadata:
            labels:
              kyverno: "true"

2. Validate Policies

  • Ensure that resources meet security and compliance requirements.
  • Two modes:
    • enforce → Block non-compliant resources
    • audit → Report violations, but do not block
Example (Enforce Mode): 
apiVersion: kyverno.io/v1
kind: ClusterPolicy
metadata:
  name: disallow-privileged
spec:
  validationFailureAction: enforce  # Block requests
  rules:
    - name: no-privileged
      match:
        resources:
          kinds:
            - Pod
      validate:
        message: "Privileged mode is not allowed."
        pattern:
          spec:
            containers:
              - securityContext:
                  privileged: "false"
Example (Audit Mode): 
apiVersion: kyverno.io/v1
kind: ClusterPolicy
metadata:
  name: audit-resources
spec:
  validationFailureAction: audit  # Only warn
  rules:
    - name: check-resources
      match:
        resources:
          kinds:
            - Pod
            - Deployment
      validate:
        message: "Containers should have CPU/memory requests and limits."
        pattern:
          spec:
            containers:
              - resources:
                  requests:
                    cpu: "?*"
                    memory: "?*"
                  limits:
                    cpu: "?*"
                    memory: "?*"

Enforce vs Audit Mode

ModeBehavior
enforceDenies non-compliant resources (fails admission)
auditLogs violation in PolicyReport, resource is allowed

Kyverno Operations

OperationPurpose
MutateAdd or modify resource configuration
ValidateEnsure resources follow rules (block or allow)
GenerateCreate resources automatically
VerifyImagesEnforce signed images

Where to See Policy Violations

  • PolicyReports CRD:
kubectl get policyreport -A
  • Kyverno Logs:
kubectl logs -n kyverno deploy/kyverno
Example violation in logs: 
Policy disallow-privileged applied in audit mode for Pod/mypod in namespace default
Validation failed: Privileged mode is not allowed.

Examples for Common Use Cases

Mutate Example: Add Label

Add kyverno=true label if missing: 
apiVersion: kyverno.io/v1
kind: ClusterPolicy
metadata:
  name: add-label
spec:
  rules:
    - name: add-kyverno-label
      match:
        resources:
          kinds:
            - Deployment
          namespaces:
            - ai-assistant
      mutate:
        patchStrategicMerge:
          metadata:
            labels:
              kyverno: "true"

Validate Example: Disallow Privileged Pods

apiVersion: kyverno.io/v1
kind: ClusterPolicy
metadata:
  name: disallow-privileged
spec:
  validationFailureAction: enforce
  rules:
    - name: no-privileged
      match:
        resources:
          kinds:
            - Pod
      validate:
        message: "Privileged containers are not allowed."
        pattern:
          spec:
            containers:
              - securityContext:
                  privileged: "false"

Key Benefits

  • Kubernetes-native policies (YAML)
  • Admission control without coding
  • Easy enforce/audit switch
  • Supports mutate + validate together
Next Steps
  • Install Kyverno:
kubectl create -f https://github.com/kyverno/kyverno/releases/download/v1.11.0/install.yaml
  • Apply policies for:
    • Security (No privileged containers, Run as non-root)
    • Governance (Label enforcement, Registry restrictions)
    • Best Practices (Resource limits, Probes)