Demo repository to enforce automated k8s cluster security using kyverno policy generator and argocd

Enforce Automated k8s cluster security using kyverno policy generator and argocd

In this project you will learn how to enforce policies, governance and compliance on your Kubernetes cluster. Whether the cluster runs on AWS, Azure, GCP or on-premises, this project works without any additional changes.

To explain the project with examples, with this configuration you can:

  1. Generate -> For example, create a default network policy whenever a namespace is created.
  2. Validate -> For example, block users from using the latest tag in Deployment or Pod resources.
  3. Mutate -> For example, attach a pod security configuration to a pod that is created without one.
  4. Verify Images -> For example, verify that the images used in Pod resources are properly signed.
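Two of the policy types from the list above, as an added example that is not part of this repository: a generate rule that creates a default-deny ingress NetworkPolicy in every new namespace (item 1), and a mutate rule that fills in a non-root security context on pods that were created without one (item 3). The policy names, the excluded system namespaces and the chosen securityContext fields are assumptions for illustration; the rule syntax (match/exclude, generate with synchronize, patchStrategicMerge with `+()` add-if-absent anchors) is standard Kyverno.

```yaml
# Added example, not from the repository. Policy names and excluded
# namespaces are illustrative choices.
apiVersion: kyverno.io/v1
kind: ClusterPolicy
metadata:
  name: add-default-network-policy
spec:
  rules:
  - name: default-deny-ingress
    # Fire whenever a Namespace is created or updated ...
    match:
      any:
      - resources:
          kinds:
          - Namespace
    # ... except for the platform namespaces listed here (assumed set).
    exclude:
      any:
      - resources:
          names:
          - kube-system
          - kube-public
          - kyverno
          - argocd
    generate:
      apiVersion: networking.k8s.io/v1
      kind: NetworkPolicy
      name: default-deny-ingress
      # Place the generated object in the namespace that triggered the rule.
      namespace: "{{request.object.metadata.name}}"
      # Re-create the NetworkPolicy if someone deletes or edits it.
      synchronize: true
      data:
        spec:
          podSelector: {}        # every pod in the namespace
          policyTypes:
          - Ingress              # no ingress rules listed => all ingress denied
---
apiVersion: kyverno.io/v1
kind: ClusterPolicy
metadata:
  name: add-default-securitycontext
spec:
  rules:
  - name: set-non-root-defaults
    match:
      any:
      - resources:
          kinds:
          - Pod
    mutate:
      patchStrategicMerge:
        spec:
          containers:
          # "(name): *" is a conditional anchor: apply to every container.
          - (name): "*"
            securityContext:
              # "+(key)" adds the field only when it is absent, so an
              # explicit value set by the author is never overwritten.
              +(runAsNonRoot): true
              +(allowPrivilegeEscalation): false
```

Because the match targets Pod, Kyverno's rule auto-generation also covers Deployments, StatefulSets, DaemonSets, Jobs and CronJobs, so the mutation applies to pods created through those controllers as well. The exclude list is deliberately short: a default-deny NetworkPolicy in kube-system or in the kyverno namespace itself can cut off cluster components, so check what your CNI and add-ons need before widening the rule.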

High Level Design

At a very high level, a DevOps engineer writes the required Kyverno Policy custom resource and commits it to a Git repository. Argo CD, pre-configured with auto-sync to watch for resources in that Git repository, deploys the Kyverno policies onto the Kubernetes cluster.
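The Argo CD side of that design, as an added example that is not part of this repository: an Application that watches a `policies` directory in a Git repository and syncs it automatically. The repository URL, the path and the Application name are placeholders; the Application kind, `syncPolicy.automated` and `syncOptions` fields are standard Argo CD.

```yaml
# Added example, not from the repository. repoURL and path are placeholders.
apiVersion: argoproj.io/v1alpha1
kind: Application
metadata:
  name: kyverno-policies
  namespace: argocd            # the namespace Argo CD was installed into
spec:
  project: default
  source:
    repoURL: https://github.com/EXAMPLE-ORG/EXAMPLE-POLICY-REPO.git   # placeholder
    targetRevision: HEAD
    path: policies             # directory holding ClusterPolicy / Policy manifests
  destination:
    server: https://kubernetes.default.svc   # the cluster Argo CD runs in
    namespace: kyverno         # only used for namespaced Policy objects
  syncPolicy:
    automated:
      prune: true              # a policy deleted from Git is removed from the cluster
      selfHeal: true           # a policy edited by hand is reverted to the Git version
    syncOptions:
    - CreateNamespace=true
```

With `selfHeal` on, a `kubectl edit` that weakens a policy (for example switching it from enforce to audit) is reverted on the next reconciliation, which is the property that makes the Git repository the single place where policy changes can be made and reviewed. With `prune` on, removing a policy file from Git removes the policy from the cluster, so branch protection and review on that repository are part of the security boundary.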

(high-level design diagram)

Installation

To set up this project you need to install the Argo CD controller and the Kyverno controller, assuming you already have a Kubernetes cluster.

Installing both Kyverno and Argo CD is straightforward, as both support Helm charts and also provide a consolidated installation YAML file.

Kyverno

There are two easy ways to install Kyverno:

  1. Using Helm
  2. Using the kubernetes manifest files

Using Helm

Add helm repo for kyverno

helm repo add kyverno https://kyverno.github.io/kyverno/
helm repo update

Install kyverno in HA mode

helm install kyverno kyverno/kyverno -n kyverno --create-namespace --set replicaCount=3

(or)

Install kyverno in Standalone mode

helm install kyverno kyverno/kyverno -n kyverno --create-namespace --set replicaCount=1

Install a specific version of kyverno

helm search repo kyverno -l | head -n 10
helm install kyverno kyverno/kyverno -n kyverno --create-namespace --version 2.6.5

Using Kubernetes manifest yaml files

kubectl create -f https://github.com/kyverno/kyverno/releases/download/v1.8.5/install.yaml

Argo CD

There are three ways to install Argo CD:

  1. kubectl apply -f https://raw.githubusercontent.com/argoproj/argo-cd/master/manifests/install.yaml
  2. Helm charts: follow the link
  3. Using the Argo CD Operator: follow the link

Demystifying Kyverno & Kyverno Policies

Kyverno is a policy engine designed for Kubernetes.

A Kyverno policy is a collection of rules. Each rule consists of a match declaration, an optional exclude declaration, and one of a validate, mutate, generate, or verifyImages declaration. Each rule can contain only a single validate, mutate, generate, or verifyImages child declaration.

(diagram of Kyverno policy and rule structure)

Policies can be defined as cluster-wide resources (using the kind ClusterPolicy) or namespaced resources (using the kind Policy). As expected, namespaced policies only apply to resources within the namespace in which they are defined, while cluster-wide policies are applied to matching resources across all namespaces. Otherwise, there is no difference between the two types.

Additional policy types include PolicyException and (Cluster)CleanupPolicy which are separate resources and described further in the documentation.
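The rule anatomy described above (match, optional exclude, exactly one of validate/mutate/generate/verifyImages) in a complete ClusterPolicy, as an added example that is not part of this repository. It implements the "block the latest tag" case from the project overview: one rule requires an explicit tag, a second rejects the mutable `latest` tag, and both skip a set of system namespaces. The policy name, message text and excluded namespaces are illustrative choices; `validationFailureAction`, `background` and the `pattern` negation syntax are standard Kyverno.

```yaml
# Added example, not from the repository. Name, messages and the excluded
# namespaces are illustrative.
apiVersion: kyverno.io/v1
kind: ClusterPolicy            # cluster-wide; use kind Policy plus
metadata:                      # metadata.namespace for a namespaced version
  name: disallow-latest-tag
spec:
  # enforce: reject the admission request. audit: only report in PolicyReports.
  validationFailureAction: enforce
  # Also scan existing resources in the background and record violations.
  background: true
  rules:
  - name: require-image-tag
    match:
      any:
      - resources:
          kinds:
          - Pod
    exclude:
      any:
      - resources:
          namespaces:
          - kube-system
          - kyverno
    validate:
      message: "An explicit image tag is required."
      pattern:
        spec:
          containers:
          - image: "*:*"       # must contain a ':' followed by a tag
  - name: reject-latest-tag
    match:
      any:
      - resources:
          kinds:
          - Pod
    exclude:
      any:
      - resources:
          namespaces:
          - kube-system
          - kyverno
    validate:
      message: "Using the mutable 'latest' image tag is not allowed."
      pattern:
        spec:
          containers:
          - image: "!*:latest" # '!' negates the pattern
```

Two points worth checking before enforcing this in a real cluster: the pattern only inspects `spec.containers`, so add a matching `initContainers` block if init containers must be covered, and `"*:*"` accepts any tag, so an image with no tag at all but a registry port (for example `registry.example:5000/app`) still satisfies it. A digest-pinning or image-verification rule is the stricter option and is what the Verify Images item in the overview refers to.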

Architecture

(architecture diagram)
