How to develop Kyverno CLI locally?

"The Kyverno Command Line Interface (CLI) is designed to validate and test policy behaviour to resources prior to adding them to a cluster. The CLI can be used in CI/CD pipelines to assist with the resource authoring process to ensure they conform to standards prior to them being deployed."

You can install and use the kyverno cli using krew, yay or by directly building it from source. But here, we will see how to use kyverno CLI in development mode. Basically the usage remains the same except that here, you've to execute the Go package i.e. cmd/cli/kubectl-kyverno/main.go which essentially calls the kyverno CLI.

Prerequisite

The only pre-requisite is that you need to have Go installed and set-up correctly in your local development workspace. Also, your Go version must be greater than 1.16 thus it is recommended to install the latest release. Here's a great set of resources that can help you set-up Go development in your local environment.

• You can download the latest binary release of Go from here
• https://learn.gopherguides.com/courses/preparing-your-environment-for-go-development
• If you're on a Windows machine, follow this
• If you're on a Mac or Linux machine, follow this

Example

Let's say you've to run the test command to validate the Disallow Latest Tag policy.
To do this using the kyverno CLI, you run:

kyverno test ../policies/best-practices/disallow_latest_tag

But to use the kyverno CLI in the development mode, follow these steps:

1. Make sure you've cloned the fork of kyverno/kyverno and kyverno/policies in the same directory. Your workspace should be looking something like this:

/kyverno
    api
    charts
    cmd
    definitions
    docs...

/policies
    best-practices
    cert-manager
    other
    pod-security...

1. cd into kyverno directory (which is your local fork of kyverno/kyverno)
2. Run the below mentioned command:

go run ./cmd/cli/kubectl-kyverno/main.go test ../policies/best-practices/disallow_latest_tag

1. On executing the above command, you'll get an output as follows:

Executing disallow_latest_tag...
applying 1 policy to 1 resource... 
│───│─────────────────────│────────────────────│───────────│────────│
│ # │ POLICY              │ RULE               │ RESOURCE  │ RESULT │
│───│─────────────────────│────────────────────│───────────│────────│
│ 1 │ disallow-latest-tag │ require-image-tag  │ myapp-pod │ Pass   │
│ 2 │ disallow-latest-tag │ validate-image-tag │ myapp-pod │ Pass   │
│───│─────────────────────│────────────────────│───────────│────────│