# Kyverno (noble)

Admission policies using [Kyverno](https://kyverno.io/). The main chart installs the controllers and CRDs; **`kyverno-policies`** installs the **Pod Security Standards** rules for the **`baseline`** profile as ClusterPolicies in **`Audit`** mode (violations are recorded in policy reports; no workload is denied at admission).

- **Charts:** `kyverno/kyverno` **3.7.1** (app **v1.17.1**), `kyverno/kyverno-policies` **3.7.1**
- **Namespace:** `kyverno`

## Install

```bash
helm repo add kyverno https://kyverno.github.io/kyverno/
helm repo update
kubectl apply -f clusters/noble/bootstrap/kyverno/namespace.yaml
helm upgrade --install kyverno kyverno/kyverno -n kyverno \
  --version 3.7.1 -f clusters/noble/bootstrap/kyverno/values.yaml --wait --timeout 15m
helm upgrade --install kyverno-policies kyverno/kyverno-policies -n kyverno \
  --version 3.7.1 -f clusters/noble/bootstrap/kyverno/policies-values.yaml --wait --timeout 10m
```

Verify:

```bash
kubectl -n kyverno get pods
kubectl get clusterpolicy | head
```

## Notes

- **`validationFailureAction: Audit`** in `policies-values.yaml` avoids breaking namespaces that legitimately need **privileged** behavior (Longhorn, the monitoring node-exporter, etc.). Audit still records every violation in the policy reports, so review those before switching specific policies or namespaces to **`Enforce`**.
- To use **`restricted`** instead of **`baseline`**, change **`podSecurityStandard`** in `policies-values.yaml`. `restricted` additionally requires running as non-root, dropping all capabilities, a seccomp profile and `allowPrivilegeEscalation: false`, so expect far more violations than the host-mount and capability rules of `baseline` alone.
- Upgrade: bump **`--version`** on both charts together; read the [Kyverno release notes](https://github.com/kyverno/kyverno/releases) for breaking changes.
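The notes above describe keeping the cluster-wide default at `Audit` while enforcing selectively. The fragment below is an added example of what that looks like in a `policies-values.yaml`, not the file tracked in this repo: it keeps `Audit` as the default, enforces one policy everywhere, exempts the namespaces that need privileged behavior from the rules they would trip, and enforces the whole baseline in one application namespace. The value keys (`validationFailureActionByPolicy`, `validationFailureActionOverrides`, `policyExclude`) are those of the `kyverno-policies` chart as I know it; the namespace names `longhorn-system`, `monitoring` and `team-web` are assumptions for illustration.

```yaml
# policies-values.yaml (added example; key names per the kyverno-policies
# chart, namespace names are assumed for illustration)
podSecurityStandard: baseline
podSecuritySeverity: medium

# Cluster-wide default: report violations, never block.
validationFailureAction: Audit

# Per-policy default: block privileged containers everywhere ...
validationFailureActionByPolicy:
  disallow-privileged-containers: Enforce

# ... except where they are legitimately required. Exclusions are per
# policy, so only the rules a namespace actually trips are relaxed.
policyExclude:
  disallow-privileged-containers:
    any:
    - resources:
        namespaces:
        - longhorn-system      # assumed Longhorn namespace
  disallow-host-path:
    any:
    - resources:
        namespaces:
        - longhorn-system
  disallow-host-namespaces:
    any:
    - resources:
        namespaces:
        - monitoring           # assumed node-exporter namespace (hostPID/hostNetwork)
  disallow-host-ports:
    any:
    - resources:
        namespaces:
        - monitoring

# Per-namespace override: enforce the full baseline in a namespace you control,
# while everything else stays in Audit.
validationFailureActionOverrides:
  all:
  - action: Enforce
    namespaces:
    - team-web                 # assumed application namespace
```

Before widening `Enforce`, confirm the key names against the pinned chart with `helm show values kyverno/kyverno-policies --version 3.7.1`, and check the Audit results in the policy reports (`kubectl get policyreport -A`) so nothing currently running would be blocked on its next rollout.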