Default Kyverno policies for OpenEBS

[kmova]

OpenEBS cStor and Jiva projects involve managing K8s custom resources via the engine operators.

OpenEBS currently uses:

• webhook admission controller for performing custom validations
• PSP for setting some default security policies.

PSP is getting deprecated in the upcoming K8s releases and webhook admission controller has a number of gotchas w.r.t certificate and policy management.

This feature is to track the adoption of Kyverno for performing enforcing security and validation policies.

Kyverno also can be extended for pushing image pull secrets into the pods that are launched by OpenEBS operators.

[RealHarshThakur]

Another policy engine to consider is KubeWarden . There is already a policy hub which has most PSPs implemented. Writing the policy is fairly simple too: https://docs.kubewarden.io/writing-policies/go/04-validation.html

[kmova]

Pushing this from slack thread.

Jim Bugwadia 27 minutes ago @kiranmova - thanks for asking!
Is PSP replacement the only use case? There was a mention of synchronizing secrets as well (https://kyverno.io/policies/other/sync_secrets/?policytypes=generate).
I would suggest list requirements and the key criteria to help decide on the best solution. Some of the relevant items may be:

• CNCF project, OSS license, etc.
• PSP support
• Mutate support
• Validate support
• Generate support
• Ease of use
• Extensibility
• Observability
• HA
• Ability to customize by cluster admins

The last one may be important, as its critical to allow flexibility.

Jim Bugwadia 25 minutes ago
One other thought, the policy engine the end user selects can be different. Kyverno is designed to work with Gatekeeper/OPA, etc. as its possible different admission controllers are used to address different problems.
As an example, here is how Flux2 is using Kyverno to address multi-tenancy:
https://github.com/fluxcd/flux2-multi-tenancy#enforce-tenant-isolation

[Nivedita-coder]

Here is the screenshot of the policies testing.