Managing Kyverno Policies As OCI Artifacts With OCIRepository Sources

  • aster.cloud
  • September 21, 2022
  • 5 minute read

The Flux team has released a new version of Flux, v0.32, that includes fantastic features. One of them is the OCI Repositories feature, which allows us to store and distribute a wide variety of sources, such as Kubernetes manifests, Kustomize overlays, and Terraform modules, as OCI (Open Container Initiative) artifacts. Furthermore, the Flux team got us even more excited because they are planning to verify the authenticity of OCI artifacts before they get applied to Kubernetes by integrating Cosign, one of the most significant projects from the @projectsigstore community, which helps us sign and verify OCI images, blobs, etc. Please see the issue for more details about the plan.

⚠️ Note: You can read the RFC of this feature here.

Today’s blog post is a quick tour of this feature and gives you a real-world example of how you can leverage it to manage Kyverno policies as OCI Artifacts. It is worth saying that this topic has been discussed for a while in the Kyverno community, too. There is an ongoing issue about packaging and distributing Kyverno policies as OCI Artifacts through its CLI. There is also a chance that this logic will move into Kyverno’s core.

But for those who might not be familiar enough with OCI artifacts (including me), it’s worth explaining what OCI Artifacts are before jumping into the details. OCI Artifacts give you the power to store and distribute other types of data (nearly anything), such as Kubernetes deployment files, Helm Charts, and CNAB, in addition to container images, via OCI registries. Today, we’ll be using this feature for Kyverno policies. To be more precise, OCI Artifacts are not a new specification, format, or API; they simply reuse the existing OCI manifest and OCI index definitions. Hence, we can quickly start using the same client tooling, such as crane, skopeo, etc., and distribute them through OCI registries, thanks to the OCI distribution-spec. OCI Artifacts do not change anything in the specs; they only extend them to give artifact authors the power to define their own content types. It is more like a generic definition of what can be stored in an OCI registry and consumed by clients.


The Flux CLI generates a single-layer OCI image for storing things. Since other tools can generate OCI images with multiple layers, Flux provides a Layer Selection feature to select the layer you want to use from the OCI image. If the layer selector matches more than one layer, the first layer matching the specified media type is used. Note that Flux requires the OCI layer to be compressed in the tar+gzip format.


Today, we’ll leverage the OCI Repositories feature to apply Kyverno policies stored in an OCI registry into the Kubernetes cluster.

First, we need to install the Flux CLI; please see the installation page for more details.

Next, we should have a Kubernetes cluster running. We’ll be using KinD for this purpose.

kind create cluster

Once the cluster has been provisioned successfully, we need to install Flux components into it by simply running the command below:

$ flux bootstrap github \
  --owner=developer-guy \
  --repository=flux-kyverno-policies \
  --path=clusters/local \
  --personal

⚠️ Note: Don’t forget to change the values with your own details!

This command will install Flux, create the necessary files for us, and push them to the repository.

Next, we should install Kyverno using a GitOps approach with Flux. To do that, we use the following resources:

---
apiVersion: source.toolkit.fluxcd.io/v1beta2
kind: GitRepository
metadata:
  name: kyverno-controller
  namespace: flux-system
spec:
  interval: 30m
  url: https://github.com/kyverno/kyverno
  ignore: |
    /*
    !/config/
  ref:
    semver: "1.x"
---
apiVersion: kustomize.toolkit.fluxcd.io/v1beta2
kind: Kustomization
metadata:
  name: kyverno-controller
  namespace: flux-system
spec:
  interval: 30m
  sourceRef:
    kind: GitRepository
    name: kyverno-controller
  serviceAccountName: kustomize-controller
  path: ./config/release
  prune: true
  wait: true
  timeout: 5m

Do not forget to check whether everything works fine before moving into the next steps:

$ flux get kustomizations kyverno-controller
NAME                    REVISION        SUSPENDED       READY   MESSAGE
kyverno-controller      v1.7.3/f2b63ce  False           True    Applied revision: v1.7.3/f2b63ce

Now, we are ready to create an OCI image to store our Kyverno policies.

⚠️ You can find all the code examples on GitHub.

To do that, we will clone the repository that holds the Kyverno policies and create an OCI artifact to store them.

⚠️ We expect that another team, such as DevSecOps, will be responsible for maintaining and publishing the policies to our registry.

$ git clone https://github.com/developer-guy/my-kyverno-policies.git
$ cd my-kyverno-policies
$ flux push artifact oci://ghcr.io/developer-guy/policies:v1.0.0 \
  --path="." \
  --source="$(git config --get remote.origin.url)" \
  --revision="$(git branch --show-current)/$(git rev-parse HEAD)"
► pushing artifact to ghcr.io/developer-guy/policies:v1.0.0
✔ artifact successfully pushed to ghcr.io/developer-guy/policies@sha256:56e853e3c5c02139c840b7f5c89a02f63ede8dc498ed3925a52360032aa49e60

⚠️ Note: Don’t forget to change the values with your own details!

Last but not least, we need to create an OCIRepository resource that points to our OCI artifact:

---
apiVersion: source.toolkit.fluxcd.io/v1beta2
kind: OCIRepository
metadata:
  name: kyverno-policies
  namespace: flux-system
spec:
  interval: 5m
  url: oci://ghcr.io/developer-guy/policies
  ref:
    semver: "v1.x"
  secretRef:
    name: ghcr-auth
---
apiVersion: kustomize.toolkit.fluxcd.io/v1beta2
kind: Kustomization
metadata:
  name: kyverno-policies
  namespace: flux-system
spec:
  sourceRef:
    kind: OCIRepository
    name: kyverno-policies
  interval: 60m
  retryInterval: 5m
  path: ./
  prune: true
  wait: true
  timeout: 2m
  dependsOn:
    - name: kyverno-controller
  patches: # enforce all policies
    - patch: |
        - op: replace
          path: /spec/validationFailureAction
          value: enforce
      target:
        kind: ClusterPolicy

I’d like to highlight some key points about the resources above. In the OCIRepository resource, we use SemVer to select the policies that we want to apply. .spec.ref is an optional field that specifies the OCI reference to resolve and watch for changes. If it is not specified, the latest version of the repository is used. You can find the complete list of references supported by Flux here.


Also, in the Kustomization resource, we use .spec.patches to apply patches to the policies that we want to enforce. op: replace replaces the existing value of the field with the new one; path is the path to the field we want to replace; value is the new value for that field. For more detail about patches, please see the link.

Last but not least, we specify an explicit dependency for the Kustomization resource with the dependsOn keyword, which ensures the Kyverno deployment is ready before the policies are applied. This is important because Kyverno must be installed before the policies are applied; otherwise, the policies cannot be applied because the CRDs (Custom Resource Definitions) won’t exist until Kyverno is running. You can learn more about Kustomization dependencies here.
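The op: replace patch above only applies if every ClusterPolicy already has a /spec/validationFailureAction field, because an RFC 6902 replace requires the target path to exist; a policy without it would make the whole Kustomization fail. The following added example (not code from the post or from Flux/Kyverno) mirrors that patch over constructed sample manifests and reports the policies a pre-push check should flag.

```python
"""Pre-push check mirroring the Kustomization patch from the post:
op: replace, path: /spec/validationFailureAction, value: enforce,
applied to every document of kind ClusterPolicy."""
import copy

# Constructed sample manifests standing in for the policy repo's files.
SAMPLE_DOCS = [
    {"apiVersion": "kyverno.io/v1", "kind": "ClusterPolicy",
     "metadata": {"name": "require-base-image"},
     "spec": {"validationFailureAction": "audit", "rules": []}},
    {"apiVersion": "kyverno.io/v1", "kind": "ClusterPolicy",
     "metadata": {"name": "no-failure-action"},
     "spec": {"rules": []}},                      # field missing on purpose
    {"apiVersion": "v1", "kind": "ConfigMap",
     "metadata": {"name": "untouched"}, "data": {}},
]


def resolve(doc, path):
    """Walk an RFC 6901 pointer to its parent object and final key."""
    parts = path.lstrip("/").split("/")
    node = doc
    for part in parts[:-1]:
        node = node[part]                          # KeyError if parent missing
    return node, parts[-1]


def apply_replace(docs, target_kind, path, value):
    """Apply a JSON 6902 'replace' to each doc of target_kind.
    Returns (patched docs, names of docs where the path did not exist)."""
    patched, failures = [], []
    for doc in docs:
        doc = copy.deepcopy(doc)
        if doc.get("kind") == target_kind:
            try:
                parent, key = resolve(doc, path)
                if key not in parent:
                    raise KeyError(key)            # replace needs an existing path
                parent[key] = value
            except KeyError:
                failures.append(doc["metadata"]["name"])
        patched.append(doc)
    return patched, failures


def not_enforced(docs, kind="ClusterPolicy"):
    """Names of policies that are still not in enforce mode after patching."""
    return [d["metadata"]["name"] for d in docs
            if d.get("kind") == kind
            and d.get("spec", {}).get("validationFailureAction") != "enforce"]
```

Run the check against the repository before `flux push artifact`, and either add validationFailureAction to the flagged policies or widen the patch so the Kustomization cannot fail at reconcile time.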

Now we can apply these manifests by committing and pushing them to the repository and letting Flux take care of the rest, but there is still one little step left: authentication.

⚠️ Don’t forget, the authentication part is only needed when the OCI artifact is not publicly accessible. If your image is publicly available, you can skip this part.

You might notice a secretRef section in the OCIRepository resource. We must create this secret so that Flux is able to pull the container image. To do that, we follow the documentation.

$ flux create secret oci ghcr-auth \
  --url=ghcr.io \
  --username=developer-guy \
  --password=${GITHUB_PAT}
► oci secret 'ghcr-auth' created in 'flux-system' namespace

Once everything is completed, you should be able to see the following output:

$ kubectl get clusterpolicies
NAME                 BACKGROUND   ACTION    READY
require-base-image   true         enforce   true

This is what we expected to happen, whee! 🕺🏻


This is an exciting policy; if you want to learn more about it, I wrote a blog post that explains what the base image concept refers to and how we can enforce policies related to it.

As you can see, this feature is quite promising and easy to use. I hope you enjoyed it, and please stay tuned because there are more features on the way you don’t want to miss.

Thanks for reading.

Project post originally published on the Flux blog
Source CNCF