giantswarm/kyverno-app

kyverno

Kyverno is an admission controller offering policy enforcement as a validating or mutating webhook. It audits or enforces policies for cluster resources, and produces reports about the compliance of the cluster.

It is used to enforce Pod Security Standards (PSS) as a replacement for Pod Security Policies (PSPs), as well as many other community-supported policies for various use cases. For more information on the switch from PSP to PSS, see our blog post.

Installing

There are 3 ways to install this app onto a workload cluster.

  1. Using our web interface
  2. Using our API
  3. Directly creating the App custom resource on the management cluster

Configuring

Kyverno Configurations

Please see the Kyverno docs or the configuration reference in this chart for configurable values.

See our full reference page on how to configure applications for more details.

Development

This repo contains subtrees from giantswarm/kyverno and giantswarm/policy-reporter.

Steps to update Kyverno charts

Note: There is automation in place to update both the upstream fork and the app charts on a monthly basis. However, you can trigger the update manually if needed.

  1. Make sure that giantswarm/kyverno is up to date and has the desired tag.

  2. Trigger the sync-from-upstream action from the main branch.

  3. Review the PR generated by the actions bot.

Credit