Architecture Decision Record: Policy as Code with Kyverno

Status

[Use the appropriate status to represent this decision record]

  • Draft
  • Proposed
  • Accepted
  • Deprecated

Context

Which Kubernetes Policy-as-Code tooling will be used to implement policy management on the cluster? We identified the need for Kubernetes policy management and pod security controls across our clusters.

Decision

Kyverno can be implemented for Kubernetes policy management. Its YAML-based approach aligns with the team's expertise and existing IaC strategy, and its feature set goes beyond what Gatekeeper offers. This choice accelerates implementation, simplifies maintenance, and reduces training overhead.

Decision drivers

  • Kubernetes policy management must enforce:
    • Admission controls
    • Validation of resources
    • Mutation of configurations
  • The solution must be accessible to the team
  • The solution must provide:
    • Robust policy enforcement
    • A minimal learning curve
    • Reduced operational complexity

Considered options

1. OPA Gatekeeper

  • Strengths:
    • Robust policy enforcement.
    • CNCF graduated project with strong community support.
  • Limitations:
    • Requires learning Rego, a domain-specific language.
    • Separate steps for policy and constraint definitions.
    • Limited native resource generation and management capabilities.
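To illustrate the "separate steps" limitation, the following is an added example (written for this record, not taken from the Gatekeeper project or from any existing cluster) of what a single "no privileged containers" check looks like in Gatekeeper: a ConstraintTemplate carrying Rego, plus a separate Constraint that applies it. The template and constraint names are assumptions chosen for the example.

```yaml
# Step 1: the ConstraintTemplate defines the check in Rego and declares a new CRD kind.
apiVersion: templates.gatekeeper.sh/v1
kind: ConstraintTemplate
metadata:
  name: k8sdisallowprivileged          # assumed name for this example
spec:
  crd:
    spec:
      names:
        kind: K8sDisallowPrivileged      # the Constraint kind created by this template
  targets:
    - target: admission.k8s.gatekeeper.sh
      rego: |
        package k8sdisallowprivileged

        # One violation per container that sets securityContext.privileged: true
        violation[{"msg": msg}] {
          container := input.review.object.spec.containers[_]
          container.securityContext.privileged == true
          msg := sprintf("privileged container not allowed: %v", [container.name])
        }
---
# Step 2: the Constraint instantiates the template and scopes it to Pods.
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sDisallowPrivileged
metadata:
  name: disallow-privileged             # assumed name for this example
spec:
  enforcementAction: deny               # reject at admission; use "dryrun" to audit only
  match:
    kinds:
      - apiGroups: [""]
        kinds: ["Pod"]
```

Both objects must be applied (the template first, so the CRD exists before the constraint is created), and any change to the rule logic requires editing Rego inside the template while the match scope lives in the constraint; this is the two-step workflow the limitation above refers to.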

2. Kyverno

  • Strengths:
    • Policies defined in YAML, aligning with the existing IaC strategy.
    • Advanced features: image verification, resource generation, encryption of sensitive data.
    • Single-step policy definition simplifies management.
    • Native integration with Kubernetes resources.
    • Built-in policy reporting, background scanning, and mutation capabilities.
  • Limitations:
    • Smaller community compared to Gatekeeper.
    • Less historical production usage.
    • Fewer pre-existing policy libraries.
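The single-step, YAML-only model is easiest to see in a concrete policy. The ClusterPolicy below is an added example written for this record (not code from the Kyverno project or from an existing cluster) and covers all three decision drivers in one manifest: it validates Pods (no privileged containers), mutates them (adds a label), generates a default-deny NetworkPolicy in every new Namespace, and verifies image signatures. The policy and rule names, the registry prefix `registry.example.com`, and the public key are placeholders chosen for the example.

```yaml
apiVersion: kyverno.io/v1
kind: ClusterPolicy
metadata:
  name: pod-security-baseline            # assumed name for this example
spec:
  validationFailureAction: Enforce       # deny non-compliant requests; "Audit" only reports
  background: true                       # also scan existing resources and write PolicyReports
  rules:
    # Validate: reject any Pod whose containers set securityContext.privileged: true.
    # "=(key)" means "if the key is present it must match", so Pods that omit
    # securityContext entirely still pass.
    - name: disallow-privileged-containers
      match:
        any:
          - resources:
              kinds:
                - Pod
      validate:
        message: "Privileged containers are not allowed."
        pattern:
          spec:
            =(ephemeralContainers):
              - =(securityContext):
                  =(privileged): "false"
            =(initContainers):
              - =(securityContext):
                  =(privileged): "false"
            containers:
              - =(securityContext):
                  =(privileged): "false"

    # Mutate: add a label, but only when the Pod does not already carry it ("+(key)").
    - name: add-managed-by-label
      match:
        any:
          - resources:
              kinds:
                - Pod
      mutate:
        patchStrategicMerge:
          metadata:
            labels:
              +(app.kubernetes.io/managed-by): kyverno

    # Generate: create a default-deny NetworkPolicy whenever a Namespace is created,
    # and keep it in sync if it is edited or deleted (synchronize: true).
    - name: generate-default-deny-networkpolicy
      match:
        any:
          - resources:
              kinds:
                - Namespace
      generate:
        apiVersion: networking.k8s.io/v1
        kind: NetworkPolicy
        name: default-deny
        namespace: "{{request.object.metadata.name}}"
        synchronize: true
        data:
          spec:
            podSelector: {}
            policyTypes:
              - Ingress
              - Egress

    # Verify images: Pods pulling from the assumed internal registry must carry a
    # cosign signature that validates against the configured public key.
    - name: verify-internal-image-signatures
      match:
        any:
          - resources:
              kinds:
                - Pod
      verifyImages:
        - imageReferences:
            - "registry.example.com/*"   # assumed registry prefix
          attestors:
            - entries:
                - keys:
                    publicKeys: |-
                      -----BEGIN PUBLIC KEY-----
                      <replace-with-your-cosign-public-key>
                      -----END PUBLIC KEY-----
```

The same manifest can be exercised offline before it reaches a cluster: `kyverno apply pod-security-baseline.yaml --resource some-pod.yaml` (the Kyverno CLI) reports which rules pass or fail for a given resource, which fits the GitOps review flow noted in the Positive outcomes. Starting with `validationFailureAction: Audit` and reading the generated PolicyReports is the usual way to measure impact on existing workloads before switching to `Enforce`.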

Decision Conclusion

Positive

  • Productivity boost with familiar YAML syntax.
  • Advanced capabilities (e.g., image verification, resource generation).
  • Simplified policy lifecycle management.
  • Native Kubernetes resource integration.
  • Reduced training effort and compatibility with GitOps workflows.
  • Comprehensive validation, mutation, and resource generation in a single policy.

Negative

  • Smaller community and newer project compared to Gatekeeper.
  • Migration effort if existing policies are in place.
  • Limited availability of pre-built policy libraries.
