Part 1 (AKS) What is Kyverno?

Kyverno is a Kubernetes-native policy engine used to validate, mutate, and generate Kubernetes resources — directly using YAML.

Think of it as a security guard and rule enforcer for your Kubernetes cluster.

🧠 Imagine this:

You run a big kitchen (Kubernetes), and lots of chefs (applications) are working there. To keep things organized, safe, and efficient, you need rules — like:

  • Every chef must wear a hat.
  • No one can use expired ingredients.
  • Dishes must be labeled correctly.

But manually checking all this is hard. That’s where Kyverno comes in.

🔧 What Kyverno Does (in layman terms):

Kyverno is like a smart kitchen inspector who:

  • Automatically checks if everyone is following the rules.
  • Fixes things if something is wrong (e.g., adds a missing label).
  • Stops bad stuff from entering the kitchen (e.g., blocks unsafe recipes).
  • Keeps records of what’s happening.

Instead of writing complex code or using custom admission controllers, you define policies in YAML, and Kyverno takes care of the rest.

Kyverno helps automate governance and security in your Kubernetes clusters by defining rules (called policies) about:

  • What kind of resources can be created.
  • What fields must be set (like resource limits, labels, etc.).
  • Automatically adding default values (like labels or annotations).
  • Generating other Kubernetes resources (like network policies, configmaps).

Example Kyverno Policy (Validation):

apiVersion: kyverno.io/v1
kind: ClusterPolicy
metadata:
  name: require-resources
spec:
  validationFailureAction: enforce
  rules:
    - name: check-resources
      match:
        resources:
          kinds:
            - Pod
      validate:
        message: "Resource requests and limits are required."
        pattern:
          spec:
            containers:
              - resources:
                  requests:
                    cpu: "?*"
                    memory: "?*"
                  limits:
                    cpu: "?*"
                    memory: "?*"

This policy blocks Pods that do not have CPU and memory requests and limits defined.
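As an added illustration (not code from this post or from the Kyverno project), the script below models how the pattern above is evaluated against a Pod: `?*` is Kyverno's "at least one character" wildcard, and a single pattern list element is applied to every element of the resource list (a simplification of Kyverno's array semantics; anchors such as `(name)` are not modelled). The sample Pods are constructed for the demonstration.

```python
import re

# The page's require-resources pattern, transcribed as a Python dict.
REQUIRE_RESOURCES_PATTERN = {"spec": {"containers": [{"resources": {
    "requests": {"cpu": "?*", "memory": "?*"},
    "limits": {"cpu": "?*", "memory": "?*"}}}]}}

def wildcard_match(pattern: str, value: str) -> bool:
    """Kyverno-style scalar match: '*' = any run of characters, '?' = exactly one."""
    regex = "".join(".*" if c == "*" else "." if c == "?" else re.escape(c) for c in pattern)
    return re.fullmatch(regex, value, re.DOTALL) is not None

def matches(pattern, resource, path: str = "") -> list:
    """Return violation paths; an empty list means the resource satisfies the pattern."""
    if isinstance(pattern, dict):
        if not isinstance(resource, dict):
            return [f"{path or '/'} is not a map"]
        violations = []
        for key, sub in pattern.items():
            if key not in resource:
                violations.append(f"{path}/{key} missing")
            else:
                violations += matches(sub, resource[key], f"{path}/{key}")
        return violations
    if isinstance(pattern, list):
        # Simplified array semantics: every resource element must satisfy the pattern element.
        if not isinstance(resource, list):
            return [f"{path} is not a list"]
        return [v for i, item in enumerate(resource)
                for v in matches(pattern[0], item, f"{path}[{i}]")]
    # Scalar: a null value or a string that fails the wildcard is a violation.
    if resource is None or not wildcard_match(str(pattern), str(resource)):
        return [f"{path} = {resource!r}"]
    return []

def admit(pod: dict) -> bool:
    """True if the Pod passes the validate rule; in enforce mode it would otherwise be blocked."""
    return not matches(REQUIRE_RESOURCES_PATTERN, pod)

# Constructed sample Pods (not taken from the page).
COMPLIANT_POD = {"kind": "Pod", "spec": {"containers": [{"name": "app", "resources": {
    "requests": {"cpu": "100m", "memory": "128Mi"}, "limits": {"cpu": "500m", "memory": "256Mi"}}}]}}
NO_LIMITS_POD = {"kind": "Pod", "spec": {"containers": [{"name": "app", "resources": {
    "requests": {"cpu": "100m", "memory": "128Mi"}}}]}}
EMPTY_MEMORY_POD = {"kind": "Pod", "spec": {"containers": [{"name": "app", "resources": {
    "requests": {"cpu": "100m", "memory": ""}, "limits": {"cpu": "500m", "memory": "256Mi"}}}]}}

if __name__ == "__main__":
    for name, pod in [("compliant", COMPLIANT_POD), ("no-limits", NO_LIMITS_POD), ("empty-memory", EMPTY_MEMORY_POD)]:
        print(name, "admitted" if admit(pod) else "blocked:", matches(REQUIRE_RESOURCES_PATTERN, pod))
```

Note that the pattern only addresses spec.containers, so initContainers in the same Pod are not checked by this policy.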

How to Use Kyverno:

  1. Install Kyverno in your cluster (e.g. using Helm, or the release manifest as shown here):

kubectl create -f https://github.com/kyverno/kyverno/releases/download/v1.11.1/install.yaml

  2. Apply policies as YAML files (like any Kubernetes resource):

kubectl apply -f my-policy.yaml

  3. Kyverno will monitor and enforce the policies.

Why use Kyverno?

  • Native Kubernetes CRDs (no external language needed like Rego).
  • Easy to write, human-readable YAML syntax.
  • Great community support.
  • Integrates well with CI/CD and GitOps pipelines.

Once a ClusterPolicy is in place there is no need to apply the same settings to every pod individually: Kyverno automatically applies the policy to all pods, for example enforcing CPU and memory settings on every pod in the cluster.
