Kubernetes策略即代码:Kyverno实践指南

📅 2026/7/18 1:42:40
Kubernetes策略即代码:Kyverno实践指南
1. 为什么需要策略即代码在Kubernetes集群规模扩大后单纯依靠人工检查配置的方式会变得力不从心。想象一下当你有上百个团队在同一个集群中部署应用时如何确保每个Pod都设置了资源限制如何防止某个团队意外部署了root权限的容器这就是策略即代码Policy as Code要解决的问题。Kyverno这个名字来源于希腊语kyverno意为治理。它作为Kubernetes原生的策略引擎允许你像管理应用代码一样管理集群策略。与传统的准入控制器不同Kyverno策略本身就是Kubernetes资源使用YAML编写完全融入Kubernetes生态。提示策略即代码的核心价值在于将策略定义、执行和审计都纳入版本控制系统实现策略的声明式管理和自动化验证。2. Kyverno的核心工作机制2.1 动态准入控制原理Kyverno作为动态准入控制器Dynamic Admission Controller运行它会拦截所有发往Kubernetes API Server的请求。当用户创建或更新资源时Kyverno会根据已注册的策略进行验证或变更。整个过程分为三个关键阶段匹配阶段策略中定义的match字段确定该策略适用于哪些资源验证/变更阶段根据策略类型执行相应操作执行阶段允许、拒绝请求或修改资源定义这种机制使得策略执行对用户完全透明开发者无需额外操作就能自动符合规范。2.2 策略类型详解Kyverno支持三种基本策略类型Validate验证策略apiVersion: kyverno.io/v1 kind: ClusterPolicy metadata: name: require-labels spec: validationFailureAction: enforce rules: - name: check-for-labels match: resources: kinds: - Pod validate: message: All pods must have app and tier labels pattern: metadata: labels: app: ?* tier: ?*Mutate变更策略apiVersion: kyverno.io/v1 kind: ClusterPolicy metadata: name: add-safe-to-evict spec: rules: - name: annotate-pods match: resources: kinds: - Pod mutate: patchStrategicMerge: metadata: annotations: cluster-autoscaler.kubernetes.io/safe-to-evict: trueGenerate生成策略apiVersion: kyverno.io/v1 kind: ClusterPolicy metadata: name: generate-networkpolicy spec: rules: - name: default-deny match: resources: kinds: - Namespace selector: matchLabels: security-level: high generate: kind: NetworkPolicy name: default-deny namespace: {{request.object.metadata.name}} data: spec: podSelector: {} policyTypes: - Ingress - Egress3. 生产环境部署实践3.1 Helm安装最佳实践推荐使用Helm 3进行安装以下命令会创建kyverno命名空间并部署所有必要组件helm repo add kyverno https://kyverno.github.io/kyverno/ helm repo update helm install kyverno kyverno/kyverno -n kyverno --create-namespace \ --set replicaCount3 \ --set podAnnotations.cluster-autoscaler\.kubernetes\.io/safe-to-evicttrue关键配置参数说明replicaCount: 根据集群规模设置生产环境建议≥3podDisruptionBudget: 确保至少2个Pod始终可用resources.limits: 根据策略复杂度调整默认500m CPU/1Gi内存可能不足3.2 策略组织方案随着策略数量增加推荐采用以下目录结构管理策略YAMLpolicies/ ├── base/ │ ├── mandatory/ │ │ ├── require-resource-limits.yaml │ │ └── prohibit-host-path.yaml │ └── recommended/ │ ├── check-image-registry.yaml │ └── require-pod-disruption-budget.yaml ├── overlays/ │ └── production/ │ ├── kustomization.yaml │ └── stricter-resource-limits.yaml └── tests/ ├── test-require-labels.yaml └── test-mutate-annotations.yaml使用Kustomize进行环境差异化配置例如在production环境中启用更严格的资源限制策略。4. 高级策略模式解析4.1 上下文感知策略Kyverno可以基于集群状态动态决策。以下策略会检查新Pod是否来自受信任的镜像仓库同时验证镜像签名apiVersion: kyverno.io/v1 kind: ClusterPolicy metadata: name: check-image-source spec: validationFailureAction: enforce background: false rules: - name: verify-image-registry context: - name: trustedRegistries configMap: name: trusted-registries namespace: kyverno preconditions: - key: {{ request.operation }} operator: Equals value: CREATE match: resources: kinds: - Pod validate: message: Only images from trusted registries are allowed pattern: spec: containers: - image: {{ trustedRegistries.data.registries }}/*4.2 策略豁免机制某些系统组件可能需要豁免特定策略。Kyverno提供两种豁免方式资源级别豁免apiVersion: kyverno.io/v1 kind: PolicyException metadata: name: kube-system-exception namespace: kube-system spec: exceptions: - policyName: require-resource-limits ruleNames: - check-resources resourceNames: - kube-apiserver - kube-controller-manager条件豁免apiVersion: kyverno.io/v1 kind: ClusterPolicy metadata: name: allow-privileged-if-approved spec: validationFailureAction: audit rules: - name: check-privileged exclude: resources: annotations: security.kyverno.io/privileged: approved match: resources: kinds: - Pod validate: message: Privileged pods require security approval pattern: spec: containers: - securityContext: privileged: false5. 策略测试与验证5.1 单元测试框架Kyverno CLI提供了测试框架可以像测试代码一样测试策略。测试用例示例name: test-require-labels policies: - ../../base/mandatory/require-labels.yaml resources: - name: bad-pod resource: | apiVersion: v1 kind: Pod metadata: name: nginx spec: containers: - name: nginx image: nginx:latest - name: good-pod resource: | apiVersion: v1 kind: Pod metadata: name: nginx labels: app: web tier: frontend spec: containers: - name: nginx image: nginx:latest results: - policy: require-labels rule: check-for-labels resource: bad-pod kind: Pod result: fail - policy: require-labels rule: check-for-labels resource: good-pod kind: Pod result: pass运行测试kyverno test ./policies/tests/5.2 生产环境渐进式推广为避免策略突然启用导致业务中断推荐采用分阶段推广方案Audit模式运行validationFailureAction: audit监控违反策略的资源但不阻止使用kyverno policy-reporter生成合规报告命名空间逐步启用apiVersion: kyverno.io/v1 kind: ClusterPolicy metadata: name: rollout-policy spec: validationFailureAction: enforce rules: - name: rollout-rule match: resources: namespaces: - stage-1 - stage-2最终全局强制执行6. 性能优化与问题排查6.1 大规模集群优化当集群规模超过1000节点时需特别注意策略匹配优化避免使用宽泛的match条件优先使用namespaceSelector而非全局匹配将频繁变更的策略与稳定策略分离缓存配置调整# values.yaml config: resourceFilters: - [Event,*,*] - [*,kube-system,*] - [*,kube-public,*] webhooks: namespaceSelector: matchExpressions: - key: kyverno.io/enable operator: In values: [true]6.2 常见问题排查问题现象策略变更未生效检查Kyverno Pod日志kubectl logs -n kyverno -l appkyverno --tail100验证策略是否已注册kubectl get clusterpolicy检查资源是否匹配策略条件kubectl get resource -o yaml | grep kyverno问题现象API请求延迟增加调整Kyverno资源限制resources: limits: cpu: 2000m memory: 2Gi启用指标监控helm upgrade kyverno kyverno/kyverno -n kyverno \ --set metrics.serviceMonitor.enabledtrue7. 安全加固实践7.1 策略签名验证确保策略定义未被篡改apiVersion: kyverno.io/v1 kind: ClusterPolicy metadata: name: verify-policy-signature spec: validationFailureAction: enforce rules: - name: verify-policy match: resources: kinds: - ClusterPolicy validate: message: Only signed policies from DevOps team are allowed pattern: metadata: annotations: cosign.sigstore.dev/signature: *7.2 关键防护策略示例禁止特权容器apiVersion: kyverno.io/v1 kind: ClusterPolicy metadata: name: block-privileged spec: validationFailureAction: enforce rules: - name: block-privileged-containers match: resources: kinds: - Pod validate: message: Privileged mode is not allowed pattern: spec: containers: - (securityContext): (privileged): false强制Pod安全标准apiVersion: kyverno.io/v1 kind: ClusterPolicy metadata: name: pss-restricted spec: validationFailureAction: enforce background: true rules: - name: restricted match: resources: kinds: - Pod validate: podSecurity: level: restricted version: latest在实施这些策略时建议先从audit模式开始逐步观察策略影响范围。对于已经存在的违规资源可以使用Kyverno CLI的apply命令进行批量修复kyverno apply ./policies/ --resourcedeployments.yaml