iam-veeramalla/k8s-kyverno-argocd iam-veeramalla/k8s-kyverno-argocd

  • Stars
    star
    187
  • Rank 206,464 (Top 5 %)
  • Language
  • Created almost 2 years ago
  • Updated almost 2 years ago
Twitter logo Share LinkedIn logo Share Facebook logo Share
iam-veeramalla/k8s-kyverno-argocd
github

iam-veeramalla

Reviews

There are no reviews yet. Be the first to send feedback to the community and the maintainers!

Repository Details

Demo repository to enforce automated k8s cluster security using kyverno policy generator and argocd

Enforce Automated k8s cluster security using kyverno policy generator and argocd

In this project we will learn how to enforce policies, governence and compliance on your kubernetes cluster. Whether your kubernetes cluster is on AWS, Azure, GCP or on-premises, this project will work without any additional changes.

To explain the project with examples, using this configuration you can

  1. Generate -> For example, Create a default network policy whenever a namespace is created.
  2. Validate -> For example, Block users from using latest tag in the deployment or pod resources.
  3. Mutate -> For example, Attach pod security policy for a pod that is created without any pod security policy configuration.
  4. Verify Images -> For example, Verify if the Images used in the pod resources are properly signed and verified images.

High Level Design

On a very high level, A DevOps Engineer will write the required Kyverno Policy custom resource and commits it to a Git repository. Argo CD which is pre configured with auto-sync to watch for resources in the git repo, deploys the Kyverno Policies on to the Kubernetes cluster.

Screenshot 2023-02-19 at 12 40 48 PM

Installation

To setup this project you need to install Argo CD controller and Kyverno controller, Assuming you have Kubernetes installed.

Installation of both Kyverno and Argo CD are pretty straight forward as both of them support Helm charts and also provide a consolidated installation yaml files.

Kyverno

There are two easy ways to install kyverno:

  1. Using Helm
  2. Using the kubernetes manifest files

Using Helm

Add helm repo for kyverno

helm repo add kyverno https://kyverno.github.io/kyverno/
helm repo update

Install kyverno in HA mode

 helm install kyverno kyverno/kyverno -n kyverno --create-namespace --set replicaCount=3

(or)

Install kyverno in Standalone mode

helm install kyverno kyverno/kyverno -n kyverno --create-namespace --set replicaCount=1

Install a specific version of kyverno

helm search repo kyverno -l | head -n 10

helm install kyverno kyverno/kyverno -n kyverno --create-namespace --version 2.6.5

Using Kubernetes manifest yaml files

kubectl create -f https://github.com/kyverno/kyverno/releases/download/v1.8.5/install.yaml

Argo CD

There are three ways to install Argo CD

  1. kubectl apply -f https://raw.githubusercontent.com/argoproj/argo-cd/master/manifests/install.yaml
  2. Helm Charts, Follow the link
  3. Using the Argo CD Operator, Follow the link

Demystifying Kyverno & Kyverno Policies

Kyverno is a policy engine designed for Kubernetes

A Kyverno policy is a collection of rules. Each rule consists of a match declaration, an optional exclude declaration, and one of a validate, mutate, generate, or verifyImages declaration. Each rule can contain only a single validate, mutate, generate, or verifyImages child declaration.

image

Policies can be defined as cluster-wide resources (using the kind ClusterPolicy) or namespaced resources (using the kind Policy.) As expected, namespaced policies will only apply to resources within the namespace in which they are defined while cluster-wide policies are applied to matching resources across all namespaces. Otherwise, there is no difference between the two types.

Additional policy types include PolicyException and (Cluster)CleanupPolicy which are separate resources and described further in the documentation.

Architecture

image

More Repositories

1

aws-devops-zero-to-hero

AWS zero to hero repo for devops engineers to learn AWS in 30 Days. This repo includes projects, presentations, interview questions and real time examples.
Python
6,563
star
2

Jenkins-Zero-To-Hero

Install Jenkins, configure Docker as slave, set up cicd, deploy applications to k8s using Argo CD in GitOps way.
Python
6,209
star
3

Docker-Zero-to-Hero

Repo to learn Docker with examples. Contributions are most welcome.
3,629
star
4

python-for-devops

Learn Python from DevOps Engineer point of you.
Python
2,600
star
5

Azure-zero-to-hero

Repository to learn Azure from Zero. This repository covers the complete Azure fundamentals required for a DevOps Engineer.
HCL
2,543
star
6

terraform-zero-to-hero

Master Terraform in 7 days using this Zero to Hero course.
HCL
2,268
star
7

Kubernetes-Zero-to-Hero

Creating this repo with an intent to make Kubernetes easy for begineers. This is a work-in-progress repo.
1,479
star
8

observability-zero-to-hero

[WIP]: Repo for learning observability
JavaScript
1,239
star
9

GitHub-Actions-Zero-to-Hero

Repository to kick start your journey with GitHub Actions
Python
1,135
star
10

shell-scripting-projects

Projects on shell scripting. Goal is to simulate real time projects as much as posible.
Shell
834
star
11

devops-interview-preparation-guide

Share your interview questions and help others. Let's build this interview preparation guide together.
636
star
12

ansible-zero-to-hero

Repository to learn Ansible from Zero. This repository covers the complete Ansible fundamentals along with examples required for a DevOps Engineer.
HTML
510
star
13

cicd-end-to-end

Using this repo for an End to End CICD Demo
Python
480
star
14

write_your_first_terraform_project

helps you learn terraform and write your first project
HCL
471
star
15

kubernetes-troubleshooting-zero-to-hero

Learn how to troubleshoot the most common Kubernetes Issues
Dockerfile
418
star
16

devops-project-ideas

Real-time project ideas for devops engineers.
279
star
17

terraform-eks

A sample repository to create EKS with VPC on AWS using Terraform.
HCL
261
star
18

Golang-Zero-to-Hero

Learn golang with practical approach. TODO repo - work in progress
234
star
19

go-web-app-devops

Complete DevOps implmentation for a go web app
HTML
165
star
20

argocd-hub-spoke-demo

Deploy resources to multiple kubernetes clusters using Argo CD.
150
star
21

sandbox

Just a sandbox
145
star
22

istio-guide

Repository to learn Istio from Zero. This repository covers the complete Istio fundamentals required for a DevOps Engineer.
133
star
23

k8s-crossplane-argocd

Demonstrate GitOpsification of Cloud Infrastructure using Crossplane and Argo CD
124
star
24

go-web-app

This is a simple website written in Golang. It uses the `net/http` package to serve HTTP requests.
HTML
120
star
25

design_diagrams

flowcharts, workflows and diagrams
114
star
26

cicd-demo-golang

Sample golang application to demonstrate CICD
Go
79
star
27

cis-istio-integration

Integration of F5 CIS Ingress Controller with Istio Service Mesh for Kubernetes and Openshift
Makefile
77
star
28

argo-perf-test

Repo for testing Argo CD Performance(This can be very vague)
58
star
29

MERN-docker-compose

This repo helps you understand how to containerize a mern stack app and deploy using docker-compose
JavaScript
54
star
30

officeassistant

Office Management Assistant During Covid19
JavaScript
40
star
31

dummy-role

A dummy ansible role for demo
HTML
26
star
32

cicd-demo-manifests-repo

Repo for CICD demo app kubernetes manifests
9
star
33

abhishek-shell-example-project

Shell scripting example project
7
star
34

AWS

AWS Lambda functions for Cloud-admins
Python
3
star
35

demo-repo

This repo is created for a demo
2
star
36

keycloak-stuff

Keycloak Installation and Configuration on K8s and OpenShift Container Platforms. Describes on how OpenShiftv4 Idp can be used as broker for openshift-gitops.
Go
1
star