# Policy Engine — Kyverno
Kyverno is the cluster's admission controller and policy engine. It validates, mutates, and generates Kubernetes resources using policies expressed in YAML.
See ADR-017 for the rationale behind choosing Kyverno over OPA/Gatekeeper.
## Policy Reporter UI

The Policy Reporter dashboard is accessible at https://polr.local (add the minikube IP to `/etc/hosts`). It shows a compliance overview across all namespaces, per-policy results, and trend graphs — no `kubectl` required.
## Active Policies

### Pod Security Standards (PSS) Library
The `kyverno-policies` chart deploys the community-maintained PSS baseline profile in Audit mode. It covers the most critical misconfigurations:

- Host namespaces (`hostPID`, `hostIPC`, `hostNetwork`)
- Privileged containers and dangerous capabilities
- `hostPath` volume mounts
- Unsafe `seccomp` and `AppArmor` profiles
See the full list at kyverno.io/policies/pod-security.
### Custom ClusterPolicies
| Policy | Mode | What it checks |
|---|---|---|
| `disallow-latest-tag` | Enforce | Rejects Pods whose containers reference `:latest` or an untagged image |
| `require-labels` | Audit | Deployments must carry `app.kubernetes.io/name` |
| `require-resource-limits` | Audit | Containers must set `resources.limits.cpu` and `.memory` |
Policies in Enforce mode block the admission of non-compliant resources immediately. Audit mode allows the resource through but records the violation in a PolicyReport.
## Viewing Policy Results

```bash
# List all PolicyReport objects across namespaces
kubectl get polr -A

# Show violations in a specific namespace
kubectl describe polr -n <namespace> <name>

# Watch Kyverno logs for real-time admission decisions
kubectl logs -n kyverno -l app.kubernetes.io/component=admission-controller -f
```
## Escalating a Policy to Enforce

1. Check current violations: `kubectl get polr -A`, or open the Policy Reporter UI.
2. Fix non-compliant resources.
3. Edit the policy file in `policies/`, changing `validationFailureAction: Audit` → `Enforce`.
4. Open a PR — the change takes effect on the next Flux reconciliation.