# Kyverno policies in practice: label conventions, no `latest` tags, auto-added annotations

## Overview

Goal: use Kyverno to enforce label conventions, block the `latest` image tag and auto-complete annotations, so that admission control guarantees consistency.

Applies to: resource conventions and security governance in production clusters; policy as code under GitOps.

## Core policies and hands-on verification

### Validation policy: disallow the `latest` image tag (ClusterPolicy)

```yaml
apiVersion: kyverno.io/v1
kind: ClusterPolicy
metadata:
  name: disallow-latest-tag
spec:
  validationFailureAction: enforce   # block the request, do not just audit it
  rules:
  # A validate block accepts only one of pattern / deny, so the check is split
  # into two rules: first require an explicit tag, then forbid 'latest'.
  - name: require-image-tag
    match:
      any:
      - resources:
          kinds: [Deployment, StatefulSet, DaemonSet]
    validate:
      message: "an explicit image tag is required"
      pattern:
        spec:
          template:
            spec:
              containers:
              - image: "*:*"
  - name: no-latest
    match:
      any:
      - resources:
          kinds: [Deployment, StatefulSet, DaemonSet]
    validate:
      message: "image tag 'latest' is not allowed"
      pattern:
        spec:
          template:
            spec:
              containers:
              - image: "!*:latest"
```

### Validation policy: `app` and `env` labels are mandatory

```yaml
apiVersion: kyverno.io/v1
kind: ClusterPolicy
metadata:
  name: require-labels
spec:
  validationFailureAction: enforce
  rules:
  - name: require-app-env
    match:
      any:
      - resources:
          kinds: [Deployment, Service]
    validate:
      message: "app and env labels are required"
      pattern:
        metadata:
          labels:
            app: "?*"   # present and non-empty
            env: "?*"
```

### Mutation policy: add an annotation automatically

```yaml
apiVersion: kyverno.io/v1
kind: ClusterPolicy
metadata:
  name: add-annotations
spec:
  rules:
  - name: add-contact
    match:
      any:
      - resources:
          kinds: [Deployment]
    mutate:
      patchStrategicMerge:
        metadata:
          annotations:
            # quoted: an unquoted value in square brackets would parse as a YAML list
            contact: "[email protected]"
```

### Applying the policies and checking them

```bash
kubectl apply -f disallow-latest-tag.yaml
kubectl apply -f require-labels.yaml
kubectl apply -f add-annotations.yaml
kubectl get clusterpolicy
```

Test that a non-compliant resource is rejected:

```bash
kubectl apply -f bad-deploy.yaml
# expected: Kyverno rejects the request and returns the policy message
```

## Verifying and monitoring policy state

- Policy reports: watch `kubectl get policyreport` / `kubectl get clusterpolicyreport` and review the failed entries and the resources they list.
- Logs and audit: read the Kyverno controller logs; under GitOps, version the policies and review every change.
- Exceptions and scope: use `match` and `exclude` to restrict rules precisely to the intended namespaces and resource kinds.

## Common pitfalls

- Creating a policy without setting `validationFailureAction` means it is not enforced; production needs `enforce`.
- Overly broad rule matching causes false rejections; match `kind` and namespace precisely.
- Ignoring PolicyReports means violations go unnoticed; wire them into alerting and dashboards.

## Conclusion

Kyverno implements admission governance and automatic remediation as policy as code; combined with reports and auditing it raises resource compliance and production consistency.
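The same three rules mirrored as a local pre-commit/CI check, so a `bad-deploy.yaml` fails before GitOps ever submits it to the cluster. This is added example code, not Kyverno's own; it assumes manifests are plain dicts (what `yaml.safe_load` returns) and parses image references properly, which matters because a glob like `*:*` treats the colon of a registry port (`host:5000/app`) as a tag separator.

```python
"""Local mirror of the page's ClusterPolicies (disallow-latest-tag,
require-labels, add-annotations) for a pre-commit/CI gate. Example code, not
Kyverno's own; manifests are dicts as yaml.safe_load would return them."""
import re
# A registry port (host:5000/app) or a digest must not be mistaken for a tag.
IMAGE_RE = re.compile(
    r"^(?P<name>[^@:]+(?::\d+/[^@:]+)?)"        # name, optional host:port/
    r"(?::(?P<tag>[^@]+))?"                     # optional :tag
    r"(?:@(?P<digest>sha256:[0-9a-f]{64}))?$"   # optional @digest
)

def image_tag(ref):
    """Return (tag, digest) of an image reference; both None if untagged."""
    m = IMAGE_RE.match(ref)
    if not m:
        raise ValueError(f"unparseable image reference: {ref}")
    return m.group("tag"), m.group("digest")

def check_latest(manifest):
    """disallow-latest-tag: untagged or :latest images without a digest fail."""
    errs = []
    for c in manifest["spec"]["template"]["spec"]["containers"]:
        tag, digest = image_tag(c["image"])
        if digest is None and tag in (None, "latest"):
            errs.append(f"{c['name']}: image tag 'latest' is not allowed")
    return errs

def check_labels(manifest, required=("app", "env")):
    """require-labels: every required label must be present and non-empty."""
    labels = manifest.get("metadata", {}).get("labels") or {}
    return [f"label '{k}' is required" for k in required if not labels.get(k)]

def add_contact(manifest, contact):
    """add-annotations: merge a contact annotation, keeping an existing one."""
    ann = manifest.setdefault("metadata", {}).setdefault("annotations", {})
    ann.setdefault("contact", contact)
    return manifest

def validate(manifest):
    """All findings Kyverno would report for one Deployment-like manifest."""
    return check_latest(manifest) + check_labels(manifest)

# Constructed sample standing in for the page's bad-deploy.yaml: env label
# missing, one :latest image, one untagged image behind a registry port.
BAD_DEPLOY = {
    "kind": "Deployment",
    "metadata": {"name": "web", "labels": {"app": "web"}},
    "spec": {"template": {"spec": {"containers": [
        {"name": "web", "image": "nginx:latest"},
        {"name": "agent", "image": "registry.example.com:5000/team/agent"}]}}},
}
```

Running `validate(BAD_DEPLOY)` yields three findings (both images and the missing `env` label), the same set the cluster policies would report at admission.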
