Kyverno
Last updated
Was this helpful?
Last updated
Was this helpful?
Kyverno serves an admission controller and is a critical component of the Kubernetes control plane. It is important to properly secure and monitor Kyverno. This section provides guidance on securing Kyverno and the security processes for the Kyverno project.
Security vulnerabilities are best handled swiftly and discretely with the goal of minimizing the total time users remain vulnerable to exploits.
If you find or suspect a vulnerability, please email the security group at with the following information:
description of the problem
precise and detailed steps (include screenshots) that created the problem
the affected version(s)
any known mitigations
The Kyverno security response team will send an initial acknowledgement of the disclosure in 3-5 working days. Once the vulnerability and mitigation are confirmed, the team will plan to release any necessary changes based on the severity and complexity. Additional details on the security policy and processes are available in the Kyverno .
To communicate with the Kyverno team, for any questions or discussions, use or .
All security related issues are labeled as security and can be viewed .
With each release, the following artifacts are uploaded:
checksums.txt
install.yaml
kyverno-cli-<version_number>.tar.gz
kyverno-cli_v<version_number>_darwin_arm64.tar.gz
kyverno-cli_v<version_number>_darwin_x86_64.tar.gz
kyverno-cli_v<version_number>_linux_arm64.tar.gz
kyverno-cli_v<version_number>_linux_s390x.tar.gz
kyverno-cli_v<version_number>_linux_x86_64.tar.gz
kyverno-cli_v<version_number>_windows_arm64.zip
kyverno-cli_v<version_number>_windows_x86_64.zip
Source code (zip)
Source code (tar.gz)
Configure the Kyverno signature repository:
bash
Verify the image:
bash
For Cosign v2.x, use the following command instead.
If the container image was properly signed, the output should be similar to:
Note that the important fields to verify in the output are optional.Issuer and optional.Subject. If Issuer and Subject do not match the values shown above, the image is not genuine.
All Kyverno images can be verified.
For v1.x of Cosign, use the following command.
For v2.x of Cosign, use the following command.
The output will look something similar to the below.
To save the SBOM to a file, run the following command:
The following sections discuss related best practices for Kyverno:
runAsNonRoot is set to true
privileged is set to false
allowPrivilegeEscalation is set to false
readOnlyRootFilesystem is set to true
all capabilities are dropped
limits and quotas are configured
liveness and readiness probes are configured
Use the following command to view all Kyverno roles:
Kyverno network traffic is encrypted and should be restricted using NetworkPolicies or similar constructs.
Kyverno requires the following network communications to be allowed:
ingress traffic to port 9443 from the API server
ingress traffic to port 9443 from the host for health checks
ingress traffic to port 8000 if metrics are collected by Prometheus or other metrics collectors
Use the following command to view all Kyverno Roles:
Kyverno creates the following mutating webhook configurations:
kyverno-policy-mutating-webhook-cfg: handles policy changes to index and cache policy sets.
kyverno-resource-mutating-webhook-cfg: handles resource admission requests to apply matching Kyverno mutate policy rules.
kyverno-verify-mutating-webhook-cfg: periodically tests Kyverno webhook configurations
Kyverno creates the following validating webhook configurations:
kyverno-policy-validating-webhook-cfg: validates Kyverno policies with checks that cannot be performed via schema validation
kyverno-resource-validating-webhook-cfg: handles resource resource admission requests to apply matching Kyverno validate policy rules.
kyverno-cleanup-validating-webhook-cfg: handles cleanup policies
kyverno-exception-validating-webhook-cfg: handles policy exceptions
Kyverno policies can be used to mutate and generate namespaced and cluster-wide resources. Hence, policies should be treated as critical resources and access to policies should be protected using RBAC.
The sections below list each threat, mitigation, and provide Kyverno specific details.
Mitigation:
Mitigations:
Mitigation:
Kyverno automatically generates webhook configurations based on the configured policy set. This ensures that webhooks are always updates and minimally configured.
Mitigation:
Mitigation:
Mitigation
N/A
Mitigation
Kyverno uses HTTPS for all webhook traffic.
Mitigation
Mitigation
Mitigation
Mitigation
Mitigation
Mitigation
Mitigation
Mitigation
Mitigation
Mitigation
N/A
Mitigation
The Kyverno container images are available .
Kyverno container images are signed using Cosign and the . The signatures are stored in a separate repository from the container image they reference located at ghcr.io/kyverno/signatures. To verify the container image using Cosign v1.x, follow the steps below.
Install
Kyverno creates and attests to the provenance of its builds using the and meets the SLSA specification. The attested provenance may be verified using the cosign tool.
An SBOM (Software Bill of Materials) in JSON format is published for each Kyverno release, including pre-releases. Like signatures, SBOMs are stored in a separate repository at ghcr.io/kyverno/sbom. To download and verify the SBOM for a specific version, install Cosign and run:
Kyverno uses to maintain repository-wide security standards. The current OSSF/scorecard score for Kyverno can be found in this . The Kyverno team is committed to achieving and maintaining a high score. Contributions are welcome.
The Kyverno Helm Chart is available via the along with an auto-generated generated by Artifact Hub for all the releases.
Kyverno Pods are configured to follow security best practices and conform to the restricted profile:
The Kyverno RBAC configurations are described in the section.
By default, a Kyverno installation does not configure NetworkPolicies (see ). The has a networkPolicy.enabled option to enable a NetworkPolicy.
egress traffic to the API server if the feature is used
egress (HTTPS) traffic to OCI registries if policy rules are configured or if are used
egress (HTTP or HTTPS) traffic to external services if the feature is used
Kyverno policies are configured to fail-closed by default. This setting can be tuned on a . Kyverno uses the configured policy set to automatically configure webhooks.
By default, Kyverno automatically generates and manage TLS certificates used for authentication with the API server and encryption of network traffic. To use a custom CA, please refer to the details in the .
The Kyverno community manages a set of .
At a minimum, the and policy sets are recommended for use.
The team has defined an . It is highly recommended that Kyverno administrators read and understand the threat model, and use it as a starting point to create their own threat model.
Kyverno policies are configured fail-closed by default. This setting can be tuned on a . Kyverno uses the configured policy set to automatically configure webhooks.
Kyverno policies are configured fail-closed by default. This setting can be tuned on a . Kyverno uses the configured policy set to automatically configure webhooks.
By default, Kyverno generates a CA and X.509 certificates for the webhook registration. A custom CA and certificates can be used as discussed in the . Currently, Kyverno does not authenticate the API server. A network policy can be used to restrict traffic to the Kyverno webhook port.
Kyverno RBAC configurations are described in the . The kyverno:admission-controller role is used by Kyverno to configure webhooks. It is important to limit Kyverno to the required permissions and audit changes in the RBAC roles and role bindings.
Kyverno policies are configured fail-closed by default. This setting can be tuned on a . Kyverno uses the configured policy set to automatically configure webhooks.
By default, Kyverno generates a CA and X.509 certificates for the webhook registration. A custom CA and certificates can be used as discussed in the . Currently, Kyverno does not authenticate the API server. A network policy can be used to restrict traffic to the Kyverno webhook port.
By default, Kyverno generates a CA and X.509 certificates for the webhook registration. A custom CA and certificates can be used as discussed in the . Currently, Kyverno does not authenticate the API server. A network policy can be used to restrict traffic to the Kyverno webhook port.
Kyverno rules are Kubernetes resources written in YAML and managed by an OpenAPIv3 schema. This approach makes it easy to understand policy definitions and to apply policy-as-code best practices, like code reviews, to Kyverno policies. The provides a test command for executing unit tests as part of a continuous delivery pipeline.
Kyverno RBAC configurations are described in the . The kyverno:admission-controller role is used by Kyverno to configure webhooks. It is important to limit Kyverno to the required permissions and audit changes in the RBAC roles and role bindings.
Kyverno does not exempt any Namespaces by default. It allows configuration of exempt Namespaces via a .
Kyverno rules are Kubernetes resources written in YAML and managed by an OpenAPIv3 schema. This approach makes it easy to understand policy definitions and to apply policy-as-code best practices, like code reviews, to Kyverno policies. The provides a test command for executing unit tests as part of a continuous delivery pipeline.
Kyverno rules are Kubernetes resources written in YAML and managed by an OpenAPIv3 schema. This approach makes it easy to understand policy definitions and to apply policy-as-code best practices, like code reviews, to Kyverno policies. The provides a test command for executing unit tests as part of a continuous delivery pipeline.
Kyverno rules are Kubernetes resources written in YAML and managed by an OpenAPIv3 schema. This approach makes it easy to understand policy definitions and to apply policy-as-code best practices, like code reviews, to Kyverno policies. The provides a test command for executing unit tests as part of a continuous delivery pipeline.
The Kyverno contains policies to restrict container privileges and restrict access to host resources. The Pod Security Standards and best practices policies are highly recommended.
The Kyverno contains policies to restrict container privileges and restrict access to host resources. The Pod Security Standards and best practices policies are highly recommended.
See for details on securing networking communications for Kyverno.