How to use Kyverno CLI to validate k8s manifests?
In the previous article, we saw what Kyverno is, its features, its use cases and how it works. In this article, we will install the Kyverno CLI on our local machine and explore its use cases.
Install Kyverno CLI
- The Kyverno CLI is designed to validate and test policy behavior to resources prior to adding them to a cluster.
- Used in CI/CD pipelines to validate manifests before they are deployed.
- Can be integrated into precommit hooks
Install Kyverno CLI via Krew
Krew is the plugin manager for the kubectl command-line tool. If you do not have Krew installed already, follow the instructions at https://krew.sigs.k8s.io/docs/user-guide/setup/install/
# Install Kyverno CLI using kubectl krew plugin manager
kubectl krew install kyverno
# test the Kyverno CLI
kubectl kyverno version
Install Kyverno CLI via Brew (MacOS)
# Install Kyverno CLI using brew
brew install kyverno
# test the Kyverno CLI
kyverno version
Kyverno CLI Commands
Apply
- Performs a dry run on one or more policies for the given manifest(s)
- Executes mutate policies and shows mutated resource as an output
kyverno apply /path/to/policy.yaml --resource /path/to/resource.yaml
Test
- tests policy from a git repo or local directory
- recursively looks for YAML files in a directory and executes tests
- kyverno test definition consists of test name, policies, resources and expected results.
An example test would look like
name: disallow_latest_tag
policies:
  - policy.yaml
resources:
  - resource.yaml
results:
  - policy: disallow-latest-tag
    rule: require-image-tag
    resource: myapp-pod
    kind: Pod
    result: pass
  - policy: disallow-latest-tag
    rule: validate-image-tag
    resource: myapp-pod
    kind: Pod
    result: pass
To run the test:
kyverno test /path/to/yamls
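The test definition above references a policy.yaml and a resource.yaml that the article does not show. The following added example (not part of the original article) writes a policy whose rule names match that test, plus one passing and one failing Pod, and runs the `kyverno apply` command from the Apply section when the CLI is installed. The policy body, the `bad-pod` manifest, the image tags and the helper names `pod` and `write_fixtures` are constructed for illustration.

```shell
# Added example: constructed fixtures, not taken from the article.
# pod NAME IMAGE: print a one-container Pod manifest.
pod() {
  printf 'apiVersion: v1\nkind: Pod\nmetadata:\n  name: %s\nspec:\n  containers:\n    - name: app\n      image: %s\n' "$1" "$2"
}
# write_fixtures DIR: write policy.yaml, a passing Pod and a failing Pod into DIR.
write_fixtures() {
  mkdir -p "$1" || return 1
  cat > "$1/policy.yaml" <<'EOF'
apiVersion: kyverno.io/v1
kind: ClusterPolicy
metadata:
  name: disallow-latest-tag
spec:
  rules:
    - name: require-image-tag
      match:
        any:
          - resources:
              kinds: [Pod]
      validate:
        message: "An image tag is required."
        pattern:
          spec:
            containers:
              - image: "*:*"
    - name: validate-image-tag
      match:
        any:
          - resources:
              kinds: [Pod]
      validate:
        message: "Using the mutable tag 'latest' is not allowed."
        pattern:
          spec:
            containers:
              - image: "!*:latest"
EOF
  pod myapp-pod nginx:1.25.3 > "$1/resource.yaml"    # pinned tag: satisfies both rules
  pod bad-pod nginx:latest > "$1/bad-resource.yaml"  # violates validate-image-tag
}
# Dry-run the policy against both manifests; skipped when kyverno is not installed.
if command -v kyverno >/dev/null 2>&1; then
  d=$(mktemp -d) && write_fixtures "$d"
  kyverno apply "$d/policy.yaml" --resource "$d/resource.yaml"
  kyverno apply "$d/policy.yaml" --resource "$d/bad-resource.yaml" || true
fi
```

The second `kyverno apply` run should report a failure for rule `validate-image-tag`, because the image pattern `!*:latest` does not match `nginx:latest`.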
Validate
- check if a policy is syntactically valid.
- can validate multiple policy resource description files or a folder containing policy resource description files.
kyverno validate /path/to/policy1.yaml /path/to/policy2.yaml /path/to/folderFullOfPolicies
Jp
Kyverno CLI also provides a utility called jp to work with JMESPath and expressions.
$ echo '{"foo": "BAR"}' | kyverno jp 'to_lower(foo)'
"bar"

$ cat pod.json
{
  "apiVersion": "v1",
  "kind": "Pod",
  "metadata": {
    "name": "mypod",
    "namespace": "foo"
  },
  "spec": {
    "containers": [
      {
        "name": "busybox",
        "image": "busybox"
      }
    ]
  }
}
$ kyverno jp -f pod.json 'spec.containers[0].name' -u
busybox
Kyverno precommit hooks
Kyverno can be integrated into pre-commit hooks to test and validate policies. To set up the pre-commit hook, see https://github.com/kyverno/pre-commit-hook
.pre-commit-config.yaml
repos:
  - repo: https://github.com/kyverno/pre-commit-hook
    rev: v1.0.0
    hooks:
      - id: kyverno-test
        args: ["kyverno-policies"]
      - id: kyverno-validate
        args: ["kyverno-policies"]
Original Link: https://dev.to/kcdchennai/how-to-use-kyverno-cli-to-validate-k8s-manifests-3865