April 24, 2022 06:11 am GMT

How to use Kyverno CLI to validate k8s manifests?

In the previous article, we saw what Kyverno is, its features, its use cases and how it works. In this article we will install the Kyverno CLI on our local machine and explore its use cases.

Install Kyverno CLI

  • The Kyverno CLI is designed to validate and test policy behavior against resources before they are added to a cluster.
  • It can be used in CI/CD pipelines to validate manifests before they are deployed.
  • It can be integrated into pre-commit hooks.

Install Kyverno CLI via Krew

Krew is the plugin manager for the kubectl command-line tool. If you do not have Krew installed already, follow the instructions at https://krew.sigs.k8s.io/docs/user-guide/setup/install/

# Install Kyverno CLI using kubectl krew plugin manager
kubectl krew install kyverno
# test the Kyverno CLI
kubectl kyverno version

Install Kyverno CLI via Brew (MacOS)

# Install Kyverno CLI using brew
brew install kyverno
# test the Kyverno CLI
kyverno version

Kyverno CLI Commands

Apply

  • Performs a dry run of one or more policies against the given manifest(s)
  • Executes mutate policies and shows the mutated resource as output

kyverno apply /path/to/policy.yaml --resource /path/to/resource.yaml

Test

  • Tests policies from a Git repo or a local directory
  • Recursively looks for YAML files in a directory and executes the tests
  • A Kyverno test definition consists of a test name, policies, resources and expected results.

An example test looks like this:

name: disallow_latest_tag
policies:
  - policy.yaml
resources:
  - resource.yaml
results:
  - policy: disallow-latest-tag
    rule: require-image-tag
    resource: myapp-pod
    kind: Pod
    result: pass
  - policy: disallow-latest-tag
    rule: validate-image-tag
    resource: myapp-pod
    kind: Pod
    result: pass

To run the test:

kyverno test /path/to/yamls
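
The test definition above refers to policy.yaml and resource.yaml without showing them. The two files below are an added example, not part of the original article, that would satisfy that test: the policy follows the shape of Kyverno's disallow-latest-tag sample policy, while the container image, the messages and the `validationFailureAction` value are assumptions chosen for illustration.

```yaml
# policy.yaml (added example; schema as used by Kyverno releases around
# the date of this article, which is an assumption)
apiVersion: kyverno.io/v1
kind: ClusterPolicy
metadata:
  name: disallow-latest-tag        # matches "policy:" in the test results
spec:
  validationFailureAction: audit   # assumed; report only, do not block
  rules:
    - name: require-image-tag      # matches the first "rule:" in the test
      match:
        resources:
          kinds:
            - Pod
      validate:
        message: "An image tag is required."
        pattern:
          spec:
            containers:
              - image: "*:*"       # every container image must carry a tag
    - name: validate-image-tag     # matches the second "rule:" in the test
      match:
        resources:
          kinds:
            - Pod
      validate:
        message: "Using a mutable image tag such as 'latest' is not allowed."
        pattern:
          spec:
            containers:
              - image: "!*:latest" # the tag must not be "latest"
---
# resource.yaml (added example; constructed Pod that passes both rules)
apiVersion: v1
kind: Pod
metadata:
  name: myapp-pod                  # matches "resource:" in the test results
spec:
  containers:
    - name: nginx
      image: nginx:1.12            # constructed value: tagged and not "latest"
```

A test that only expects pass does not show that the policy rejects anything. Adding a second Pod whose image uses the latest tag, with a results entry that expects fail for validate-image-tag, covers the negative case.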

Validate

  • Checks whether a policy is syntactically valid.
  • Can validate multiple policy resource description files or a folder containing policy resource description files.

kyverno validate /path/to/policy1.yaml /path/to/policy2.yaml /path/to/folderFullOfPolicies

Jp

The Kyverno CLI also provides a utility called jp for working with JMESPath expressions.

$ echo '{"foo": "BAR"}' | kyverno jp 'to_lower(foo)'
"bar"
$ cat pod.json
{
  "apiVersion": "v1",
  "kind": "Pod",
  "metadata": {
    "name": "mypod",
    "namespace": "foo"
  },
  "spec": {
    "containers": [
      {
        "name": "busybox",
        "image": "busybox"
      }
    ]
  }
}
$ kyverno jp -f pod.json 'spec.containers[0].name' -u
busybox

Kyverno pre-commit hooks

Kyverno can be integrated into pre-commit hooks to test and validate policies. To set up the pre-commit hook, see https://github.com/kyverno/pre-commit-hook

.pre-commit-config.yaml

repos:
  - repo: https://github.com/kyverno/pre-commit-hook
    rev: v1.0.0
    hooks:
      - id: kyverno-test
        args: ["kyverno-policies"]
      - id: kyverno-validate
        args: ["kyverno-policies"]


Original Link: https://dev.to/kcdchennai/how-to-use-kyverno-cli-to-validate-k8s-manifests-3865
