## Overview

Goal: use Kyverno to enforce label conventions, forbid the `latest` image tag, and fill in annotations automatically, so that admission control guarantees consistency. Applies to: resource conventions and security governance in production clusters; policy as code in GitOps.

## Core concepts and hands-on

Validation policy: disallow the `latest` image tag (ClusterPolicy):

```yaml
apiVersion: kyverno.io/v1
kind: ClusterPolicy
metadata:
  name: disallow-latest-tag
spec:
  validationFailureAction: Enforce
  rules:
  # A validate block takes exactly one of pattern / anyPattern / deny, so the
  # check is written as two pattern rules: require a tag, then reject 'latest'.
  - name: require-image-tag
    match:
      any:
      - resources:
          kinds: [Deployment, StatefulSet, DaemonSet]
    validate:
      message: "an explicit image tag is required"
      pattern:
        spec:
          template:
            spec:
              containers:
              - image: "*:*"
  - name: no-latest
    match:
      any:
      - resources:
          kinds: [Deployment, StatefulSet, DaemonSet]
    validate:
      message: "image tag 'latest' is not allowed"
      pattern:
        spec:
          template:
            spec:
              containers:
              # '!' negates the wildcard: any image ending in ':latest' is denied
              - image: "!*:latest"
```
Validation policy: the `app` and `env` labels are required:

```yaml
apiVersion: kyverno.io/v1
kind: ClusterPolicy
metadata:
  name: require-labels
spec:
  validationFailureAction: Enforce
  rules:
  - name: require-app-env
    match:
      any:
      - resources:
          kinds: [Deployment, Service]
    validate:
      message: "app and env labels are required"
      pattern:
        metadata:
          labels:
            # "?*" matches any non-empty string, so an empty value also fails
            app: "?*"
            env: "?*"
```
Mutation policy: add annotations automatically:

```yaml
apiVersion: kyverno.io/v1
kind: ClusterPolicy
metadata:
  name: add-annotations
spec:
  rules:
  - name: add-contact
    match:
      any:
      - resources:
          kinds: [Deployment]
    mutate:
      patchStrategicMerge:
        metadata:
          annotations:
            # the +() anchor adds the key only when it is absent, so a value
            # already set by the author is not overwritten
            +(contact): "[email protected]"   # contact address placeholder
```
## Examples

Apply the policies and check them:

```shell
kubectl apply -f disallow-latest-tag.yaml
kubectl apply -f require-labels.yaml
kubectl apply -f add-annotations.yaml
kubectl get clusterpolicy
```

Test that a non-compliant resource is rejected:

```shell
kubectl apply -f bad-deploy.yaml
```
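As an added example that is not part of the original post, the same two validation checks as a pre-commit script that runs offline against manifests in the GitOps repository, so a bad deployment is caught before it ever reaches the admission webhook. The sample manifests are constructed, and the image names and registry are assumptions; the script also shows why a tag check must look at the last path component rather than the first colon (`registry:5000/app` has no tag at all).

```python
from __future__ import annotations
import json

REQUIRED_LABELS = ("app", "env")                              # require-labels
WORKLOAD_KINDS = {"Deployment", "StatefulSet", "DaemonSet"}   # disallow-latest-tag
LABEL_KINDS = {"Deployment", "Service"}

def image_tag(image: str):
    """Tag of an image reference, or None when it has none.
    Only the last path component is inspected, so 'registry:5000/app' is
    seen as untagged (a bare split(':')[1] would return '5000/app')."""
    last = image.split("@", 1)[0].rsplit("/", 1)[-1]
    return last.split(":", 1)[1] if ":" in last else None

def check_manifest(obj: dict) -> list[str]:
    """Violations Kyverno would report for one manifest (parsed JSON/YAML)."""
    kind = obj.get("kind")
    name = obj.get("metadata", {}).get("name", "<unnamed>")
    problems = []
    if kind in WORKLOAD_KINDS:
        for c in obj["spec"]["template"]["spec"].get("containers", []):
            # digest-pinned images are immutable and pass both pattern rules
            if "@" not in c["image"] and image_tag(c["image"]) in (None, "latest"):
                problems.append(f"{kind}/{name}: container '{c['name']}' image "
                                f"'{c['image']}' has no tag or uses 'latest'")
    if kind in LABEL_KINDS:
        labels = obj.get("metadata", {}).get("labels") or {}
        for key in REQUIRED_LABELS:
            if not labels.get(key):        # absent or empty, like Kyverno's "?*"
                problems.append(f"{kind}/{name}: required label '{key}' is missing")
    return problems

# constructed sample manifests in `kubectl get -o json` shape (not from the page);
# the image names and registry are assumptions
BAD_DEPLOY = json.loads("""{"apiVersion": "apps/v1", "kind": "Deployment",
  "metadata": {"name": "web"},
  "spec": {"template": {"spec": {"containers": [
    {"name": "web", "image": "nginx:latest"}]}}}}""")
GOOD_DEPLOY = json.loads("""{"apiVersion": "apps/v1", "kind": "Deployment",
  "metadata": {"name": "web", "labels": {"app": "web", "env": "prod"}},
  "spec": {"template": {"spec": {"containers": [
    {"name": "web", "image": "registry.example.com:5000/web:1.4.2"}]}}}}""")

if __name__ == "__main__":
    for doc in (BAD_DEPLOY, GOOD_DEPLOY):
        for line in check_manifest(doc) or [f"{doc['kind']}/{doc['metadata']['name']}: ok"]:
            print(line)
```

The real policy files can be exercised the same way without a cluster through the Kyverno CLI (`kyverno apply disallow-latest-tag.yaml --resource bad-deploy.yaml`).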
## Verification and monitoring

Policy status: watch `kubectl get policyreport` and `kubectl get clusterpolicyreport`; inspect the failed entries and the resources they list.

Logs and auditing: read the Kyverno controller logs; version the policies in GitOps and review every change.

Exceptions and scope: use `match` and `exclude` to limit rules precisely to the intended namespaces and resource kinds.

## Common pitfalls

- Creating a Policy without setting `validationFailureAction` means it is not enforced; production needs `Enforce`.
- Matching too broadly causes false rejections; match `kind` and namespace precisely.
- Ignoring PolicyReport means violating resources are not discovered in time; feed the reports into alerting and dashboards.

## Conclusion

Kyverno implements admission governance and automatic remediation as policy as code; combined with reports and auditing, it raises resource compliance and production consistency.
