Kyverno, a New CNCF Sandbox Project, Offers Kubernetes-Native Policy Management
Honeycomb is sponsoring The New Stack’s coverage of Kubecon+CloudNativeCon North America 2020.
Kyverno, the open source Kubernetes-native policy engine built by Nirmata, has joined the Cloud Native Computing Foundation (CNCF) this week at the sandbox level. The development team hopes the software will help drive adoption of Kubernetes policies by letting users write them with native Kubernetes tools and syntax, rather than requiring them to learn and adopt new ones.
Jim Bugwadia, founder and CEO at Nirmata, said that the complexity of Kubernetes policies stems not only from the complex nature of Kubernetes and the problems it solves, but also from its declarative nature. Kubernetes’ declarative approach, which lets users declare an intended end state that Kubernetes then attempts to reach, is one of its strengths, he said, but it also contributes to this complexity.
“Because of that declarative nature of configuration management in Kubernetes, there’s a lot of details to specify,” explained Bugwadia. “For every configuration, there’s hundreds of parameters in the API. The challenge there becomes, especially if you’re an enterprise, what is it that you want to allow your teams to configure? What team configuration should be managed centrally? How do you make sure your teams are following best practices? Things like that need to be governed centrally. There needs to be auditing and reporting. That’s why policy engines are so critical and so important for Kubernetes, especially for enterprise use cases.”
Kyverno policies are themselves Kubernetes resources, written in YAML or JSON in much the same way as any other Kubernetes object, and managed with familiar tools such as kubectl, git, and kustomize. Bugwadia explained that, by contrast, Open Policy Agent, another CNCF project, requires users to write policies in Rego, a purpose-built and “powerful” language, “but at the same time, it’s complex to learn, complex to manage, and we found that, as we spoke to our customers and Kubernetes administrators, they wanted to use the same Kubernetes native patterns, the same way of defining and managing resources that you would find in Kubernetes, along with all the tools that they loved.”
Kyverno not only helps with the creation of policies, but performs “admission control,” wherein Kyverno “runs as a validating and mutating webhook that works with the Kubernetes API server to provide configuration security and block invalid and non-compliant configurations,” according to a statement. Bugwadia pointed to this, alongside its ability to mutate and generate resources, as standout features for the project.
“Kyverno also can mutate resources as well as generate resources on the fly, which allows you to do very fine-grained configuration management, which is just impossible to do manually,” said Bugwadia. “With Kyverno, you can automate these use cases. Some of our customers are using Kyverno, for example, to automatically mount certificates into pods to do things like even generate sidecar containers. All of that can now be automated, set as a policy, and then it’s basically self-driving from there on.”
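To make the three rule types concrete, here are three Kyverno ClusterPolicy resources written for this article as an added example; they are not from the original page or from the Kyverno project’s own policy library. They assume the kyverno.io/v1 policy API and a Kyverno release that supports patchStrategicMerge for mutation; the policy names, the label key and the NetworkPolicy contents are illustrative choices.

```yaml
# Added example (not from the page or the Kyverno project): one validate, one mutate
# and one generate policy. Assumes the kyverno.io/v1 API; names and values are illustrative.
---
# 1. Validate: reject Pods whose containers do not declare a non-root user.
apiVersion: kyverno.io/v1
kind: ClusterPolicy
metadata:
  name: require-run-as-non-root
spec:
  # "enforce" makes the admission webhook reject non-compliant requests;
  # "audit" records the violation instead of blocking it.
  validationFailureAction: enforce
  rules:
  - name: check-containers
    match:
      resources:
        kinds:
        - Pod
    validate:
      message: "Every container must set securityContext.runAsNonRoot: true."
      # A single-element list in a pattern is checked against every element of
      # the resource's list, so this applies to each container (but not initContainers).
      pattern:
        spec:
          containers:
          - securityContext:
              runAsNonRoot: true
---
# 2. Mutate: add a label to Pods that do not already carry it (strategic merge patch).
apiVersion: kyverno.io/v1
kind: ClusterPolicy
metadata:
  name: add-managed-by-label
spec:
  rules:
  - name: add-label-if-missing
    match:
      resources:
        kinds:
        - Pod
    mutate:
      patchStrategicMerge:
        metadata:
          labels:
            # The "+( )" anchor means "add only if the key is absent".
            "+(app.kubernetes.io/managed-by)": kyverno
---
# 3. Generate: when a Namespace is created, create a default-deny ingress NetworkPolicy in it.
apiVersion: kyverno.io/v1
kind: ClusterPolicy
metadata:
  name: add-default-deny-ingress
spec:
  rules:
  - name: default-deny-ingress
    match:
      resources:
        kinds:
        - Namespace
    generate:
      kind: NetworkPolicy
      name: default-deny-ingress
      # The target namespace is taken from the admission request that triggered the rule.
      namespace: "{{request.object.metadata.name}}"
      # Keep the generated resource in sync with this policy and recreate it if deleted.
      synchronize: true
      data:
        spec:
          podSelector: {}
          policyTypes:
          - Ingress
```

Apply the file with kubectl apply -f and list the policies with kubectl get clusterpolicy, as with any other resource. With validationFailureAction set to enforce, a Pod that omits runAsNonRoot is rejected by the API server at admission time; switching to audit lets the same policy be rolled out in reporting-only mode first. Before using the generate policy in a real cluster, add an exclude for system namespaces such as kube-system so the default-deny rule does not cut off cluster components.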
Bugwadia said the team hopes Kyverno can drastically increase the use of Kubernetes policies, which he said currently see little adoption because of their complexity.
“Today, there tends to be a lot of challenges in terms of applying security policies. Some surveys show only 10% to 15% of Kubernetes users in general even thought about applying policies just because of the complexity,” said Bugwadia. “We saw this need to improve the overall Kubernetes security posture, as well as the compliance levels within enterprises. What we’re hoping is that we drive that percent up from 10% of Kubernetes users to 90+%, using policies by default.”
Moving forward, the Kyverno project also looks to collaborate with other CNCF projects, such as cert-manager, another new CNCF sandbox project, which Bugwadia said has expressed interest in using Kyverno for policies for certificate management.
Joining the CNCF, he said, leads to those forms of collaboration, which the project would not have been able to pursue otherwise.
The Cloud Native Computing Foundation and KubeCon+CloudNativeCon are sponsors of The New Stack.
Feature image by Gerd Altmann via Pixabay.