docker.recipes

Kyverno Policy Engine

advanced

Kubernetes native policy management.

Overview

Kyverno is a Kubernetes-native policy engine that uses standard YAML manifests to define security, compliance, and governance policies without requiring specialized domain knowledge or a separate policy language. Originally developed by Nirmata and donated to the CNCF as a sandbox project, Kyverno operates as a dynamic admission controller that can validate, mutate, or generate Kubernetes resources based on defined policies. Unlike other policy engines that require learning new languages like Rego, Kyverno policies are written in familiar YAML syntax using standard Kubernetes resource patterns.

This Docker configuration provides a development environment for testing Kyverno policies locally before deploying them to production clusters. The setup allows developers to experiment with policy creation, validation, and testing using the Kyverno CLI tools while maintaining an isolated environment.

Organizations implementing Kubernetes governance frameworks, security teams establishing baseline security policies, and DevOps engineers working on compliance automation will find this stack valuable for policy development workflows. The containerized approach enables consistent policy development across different environments and facilitates CI/CD integration for automated policy testing.

Key Features

  • YAML-based policy definitions using familiar Kubernetes resource syntax without domain-specific languages
  • Three policy types: validate for admission control, mutate for automatic resource modification, and generate for creating supplementary resources
  • ClusterPolicy resources for cluster-wide governance and Policy resources for namespace-scoped rules
  • Built-in variables and JMESPath expressions for dynamic policy logic based on resource context
  • Policy exceptions mechanism allowing temporary or permanent exemptions from specific policies
  • Webhook configurations for both validating and mutating admission control with configurable failure modes
  • Background scanning capabilities to audit existing resources against newly deployed policies
  • Integration with external data sources through ConfigMaps and API calls for dynamic policy decisions

Common Use Cases

  • Security teams developing baseline security policies to block privileged containers and enforce security contexts
  • Compliance officers creating policies to ensure resources meet regulatory requirements like PCI-DSS or SOC 2
  • Platform engineers establishing resource quotas and limits to prevent resource exhaustion in multi-tenant clusters
  • DevOps teams implementing naming conventions and mandatory labels for resource organization and cost tracking
  • Infrastructure teams automating the creation of NetworkPolicies and RBAC rules for new namespaces
  • Development teams testing policy behavior in local environments before production deployment
  • Educational environments for learning Kubernetes policy management and admission control concepts

Prerequisites

  • Docker and Docker Compose installed with at least 2GB available memory for policy testing workloads
  • Understanding of Kubernetes resources, YAML syntax, and admission controller concepts
  • Familiarity with JMESPath expressions for advanced policy logic and resource field matching
  • kubectl CLI tool installed for interacting with Kubernetes clusters where policies will be deployed
  • Basic knowledge of Kubernetes RBAC, NetworkPolicies, and security contexts for effective policy creation
  • Access to a Kubernetes cluster (local or remote) for deploying and testing policies beyond container development


docker-compose.yml

docker-compose.yml
services:
  kyverno:
    image: ghcr.io/kyverno/kyverno:latest
    container_name: kyverno
    restart: unless-stopped
    command: ["--help"]
    volumes:
      - kyverno_data:/data

volumes:
  kyverno_data:

.env Template

.env
# Kyverno is designed for Kubernetes
# Use kubectl apply for installation

Usage Notes

  1. Docs: https://kyverno.io/docs/
  2. Install: kubectl apply -f https://github.com/kyverno/kyverno/releases/download/v1.11.0/install.yaml
  3. Policies as K8s resources: ClusterPolicy (cluster-wide), Policy (namespaced)
  4. Policy types: validate (block/audit), mutate (auto-modify), generate (create resources)
  5. Test policies: kyverno test . (CLI tool for policy testing)
  6. Popular policies: require labels, block privileged pods, enforce resource limits
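As an added example that is not part of this recipe, here is what notes 3 to 6 look like together: a cluster-wide validate policy for the "block privileged pods" case, a constructed Pod that must fail it, and the test definition that lets `kyverno test .` check the outcome offline. It is shown as one multi-document YAML; place each `---` section in the file named in its comment. Policy, rule, and Pod names are assumptions.

```yaml
# policy.yaml: validate rule that blocks privileged containers (Enforce) or only reports them (Audit)
apiVersion: kyverno.io/v1
kind: ClusterPolicy
metadata:
  name: disallow-privileged-containers
spec:
  validationFailureAction: Enforce   # switch to Audit to report violations without blocking admission
  background: true                   # also scan Pods that already exist in the cluster
  rules:
    - name: check-privileged
      match:
        any:
          - resources:
              kinds:
                - Pod
      validate:
        message: "Privileged containers are not allowed (securityContext.privileged must be false)."
        pattern:
          spec:
            containers:                 # initContainers/ephemeralContainers need the same pattern in production
              - =(securityContext):     # optional block: only checked when present
                  =(privileged): "false"  # if privileged is set, it must be false
---
# resource.yaml: constructed test Pod that the rule above must reject
apiVersion: v1
kind: Pod
metadata:
  name: privileged-pod
spec:
  containers:
    - name: app
      image: nginx
      securityContext:
        privileged: true
---
# kyverno-test.yaml: expected result, so `kyverno test .` can verify the policy without a cluster
name: disallow-privileged-containers-test
policies:
  - policy.yaml
resources:
  - resource.yaml
results:
  - policy: disallow-privileged-containers
    rule: check-privileged
    resources:
      - privileged-pod
    kind: Pod
    result: fail
```

Run `kyverno test .` in the directory holding the three files; the test passes only when the Pod is reported as failing the rule, which is the same decision the admission webhook would make in a cluster.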

Quick Start

terminal
# 1. Create the compose file
cat > docker-compose.yml << 'EOF'
services:
  kyverno:
    image: ghcr.io/kyverno/kyverno:latest
    container_name: kyverno
    restart: unless-stopped
    command: ["--help"]
    volumes:
      - kyverno_data:/data

volumes:
  kyverno_data:
EOF

# 2. Create the .env file
cat > .env << 'EOF'
# Kyverno is designed for Kubernetes
# Use kubectl apply for installation
EOF

# 3. Start the services
docker compose up -d

# 4. View logs
docker compose logs -f

One-Liner

Run this command to download and set up the recipe in one step:

terminal
curl -fsSL https://docker.recipes/api/recipes/kyverno/run | bash

Troubleshooting

  • Error 'failed to download policy': Ensure internet connectivity and verify the policy URL or repository access permissions
  • Kyverno CLI exits immediately: The default --help command is intended for testing; modify the command to run specific policy operations
  • Policy validation fails with JMESPath errors: Verify JMESPath syntax using online validators and ensure referenced resource fields exist
  • Container restart loops: Check Docker logs for admission controller webhook configuration errors or certificate issues
  • Policy test failures with 'resource not found': Ensure test resource manifests match the policy resource types and API versions
  • Volume mount permission denied: Verify Docker has appropriate permissions to create and write to the kyverno_data volume location

