"The Kyverno Command Line Interface (CLI) is designed to validate and test policy behaviour to resources prior to adding them to a cluster. The CLI can be used in CI/CD pipelines to assist with the resource authoring process to ensure they conform to standards prior to them being deployed."
You can install and use the kyverno cli using krew, yay or by directly building it from source. But here, we will see how to use kyverno CLI in development mode. Basically the usage remains the same except that here, you've to execute the Go package i.e. cmd/cli/kubectl-kyverno/main.go which essentially calls the kyverno CLI.
Prerequisite
The only pre-requisite is that you need to have Go installed and set-up correctly in your local development workspace. Also, your Go version must be greater than 1.16 thus it is recommended to install the latest release. Here's a great set of resources that can help you set-up Go development in your local environment.
- You can download the latest binary release of Go from here
- https://learn.gopherguides.com/courses/preparing-your-environment-for-go-development
- If you're on a Windows machine, follow this
- If you're on a Mac or Linux machine, follow this
Example
Let's say you've to run the test command to validate the Disallow Latest Tag policy.
To do this using the kyverno CLI, you run:
kyverno test ../policies/best-practices/disallow_latest_tag
But to use the kyverno CLI in the development mode, follow these steps:
- Make sure you've cloned the fork of
kyverno/kyvernoandkyverno/policiesin the same directory. Your workspace should be looking something like this:
/kyverno
api
charts
cmd
definitions
docs...
/policies
best-practices
cert-manager
other
pod-security...
-
cdintokyvernodirectory (which is your local fork ofkyverno/kyverno) - Run the below mentioned command:
go run ./cmd/cli/kubectl-kyverno/main.go test ../policies/best-practices/disallow_latest_tag
- On executing the above command, you'll get an output as follows:
Executing disallow_latest_tag...
applying 1 policy to 1 resource...
│───│─────────────────────│────────────────────│───────────│────────│
│ # │ POLICY │ RULE │ RESOURCE │ RESULT │
│───│─────────────────────│────────────────────│───────────│────────│
│ 1 │ disallow-latest-tag │ require-image-tag │ myapp-pod │ Pass │
│ 2 │ disallow-latest-tag │ validate-image-tag │ myapp-pod │ Pass │
│───│─────────────────────│────────────────────│───────────│────────│
Top comments (0)