Kubernetes Operator for Kyverno Policy rules

Jamal Shahverdiev
1 min read, Jul 30, 2023


Overview

In this document we discuss the Kyverno PolicyWriter Operator, which is housed in this GitHub repository.

This operator is built for Kubernetes around a custom resource Kind named PolicyWriter. Its main function is to dynamically generate Kyverno policy rules from the specification of a PolicyWriter and to enforce those rules whenever a specific event, such as an update, occurs on the target Kubernetes resource.

How does it work?

A PolicyWriter resource accepts four fields: the namespace, the Kind of the workload (either DaemonSet or Deployment), the name of that workload, and the name of the Secret that the workload watches. Once these fields are defined, the operator automatically generates a Kyverno policy rule.

These policy rules watch for changes to the designated Kubernetes Secret. Whenever an update event is triggered on the Secret object, the operator patches the corresponding DaemonSet or Deployment, annotating it with a new version annotation of the form daemonset-version: <resourceVersion of the Secret> or deployment-version: <resourceVersion of the Secret>, respectively.

Generating policy rules on the fly allows policies to be enforced in real time as Kubernetes Secrets change.
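As an added illustration (not the operator's own generated output), the following Kyverno ClusterPolicy shows what a rule with the behaviour described above looks like for a PolicyWriter whose four fields are assumed to be namespace `prod`, Kind `Deployment`, name `myapp` and Secret `myapp-secret`. It uses Kyverno's mutate-existing feature (`mutate.targets`) so that an UPDATE of the Secret patches the Deployment rather than the Secret itself.

```yaml
# Added example: the policy a PolicyWriter with the assumed fields
#   namespace=prod, kind=Deployment, name=myapp, secret=myapp-secret
# would need to produce. Names are constructed for this illustration.
apiVersion: kyverno.io/v1
kind: ClusterPolicy
metadata:
  name: policywriter-prod-myapp
spec:
  rules:
    - name: annotate-deployment-on-secret-update
      # Trigger: only the named Secret in the named namespace.
      match:
        any:
          - resources:
              kinds:
                - Secret
              names:
                - myapp-secret
              namespaces:
                - prod
      # Only react to updates, not to CREATE or DELETE of the Secret.
      preconditions:
        all:
          - key: "{{ request.operation }}"
            operator: Equals
            value: UPDATE
      mutate:
        # Mutate-existing: the patch is applied to the Deployment
        # that the PolicyWriter points at, not to the admitted Secret.
        targets:
          - apiVersion: apps/v1
            kind: Deployment
            name: myapp
            namespace: prod
        # Annotation format from the post: deployment-version: <resourceVersion>
        # (a DaemonSet target would use daemonset-version instead).
        patchStrategicMerge:
          metadata:
            annotations:
              deployment-version: "{{ request.object.metadata.resourceVersion }}"
```

Mutate-existing rules are applied by Kyverno's background controller, which must be granted RBAC permission to update Deployments and DaemonSets, otherwise the patch is silently skipped; a practitioner should also note that an annotation on the Deployment's own metadata records the version but does not by itself roll the pods.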

For a real-time simulation, please watch this video.
