Suresh Kumar for Kubernetes Community Days Chennai

Posted on • Originally published at sureshdsk.dev

How to use Kyverno CLI to validate k8s manifests?

In the previous article we saw what Kyverno is, its features, its use cases and how it works. In this article we will install the Kyverno CLI on our local machine and explore its use cases.

Install Kyverno CLI

  • The Kyverno CLI is designed to validate and test policy behaviour against resources before they are added to a cluster.
  • It can be used in CI/CD pipelines to validate manifests before they are deployed.
  • It can be integrated into pre-commit hooks.

Install Kyverno CLI via Krew

Krew is the plugin manager for the kubectl command-line tool. If you do not have Krew installed already, follow the instructions at https://krew.sigs.k8s.io/docs/user-guide/setup/install/

# Install Kyverno CLI using kubectl krew plugin manager
kubectl krew install kyverno

# test the Kyverno CLI
kubectl kyverno version  

Install Kyverno CLI via Brew (MacOS)

# Install Kyverno CLI using brew
brew install kyverno

# test the Kyverno CLI
kyverno version 

Kyverno CLI Commands

Apply

  • Performs a dry run of one or more policies against the given manifest(s)
  • Executes mutate policies and outputs the mutated resource

kyverno apply /path/to/policy.yaml --resource /path/to/resource.yaml
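The CI/CD use mentioned above, as an added example that is not part of the original article: a GitHub Actions workflow that first checks the policies are well-formed and then dry-runs them against every manifest in the repository on each pull request, so a policy violation fails the check before anything reaches a cluster. The directory names `policies/` and `manifests/`, the use of the `kyverno/action-install-cli` action to install the CLI, and the assumption that `kyverno apply` exits non-zero when a validate rule fails are all assumptions; adjust them to your repository layout and CLI version.

```yaml
# .github/workflows/kyverno-policy-check.yaml
# Added example: directory names and the install action are assumptions.
name: kyverno-policy-check

on:
  pull_request:
    paths:
      - "manifests/**"
      - "policies/**"

jobs:
  validate-manifests:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4

      # Install the Kyverno CLI (assumed: the kyverno/action-install-cli action;
      # pin the version that matches the Kyverno release running in your cluster).
      - name: Install Kyverno CLI
        uses: kyverno/action-install-cli@v0.2.0

      # Fail fast if a policy file itself is syntactically invalid.
      - name: Validate policy syntax
        run: kyverno validate policies/

      # Dry-run every policy in policies/ against every manifest in manifests/.
      # A failing validate rule is reported in the job log and (assumed) makes
      # the command exit non-zero, which fails the pull request check.
      - name: Apply policies to manifests
        run: kyverno apply policies/ --resource manifests/
```

Running `validate` before `apply` separates "the policy is broken" from "the manifest violates the policy", which keeps the failure message in the pull request meaningful to the manifest author.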

Test

  • Tests policies from a git repository or a local directory
  • Recursively looks for YAML files in a directory and executes the tests found
  • A kyverno test definition consists of a test name, policies, resources and expected results

An example test definition looks like this:

name: disallow_latest_tag
policies:
  - policy.yaml
resources:
  - resource.yaml
results:
  - policy: disallow-latest-tag
    rule: require-image-tag
    resource: myapp-pod
    kind: Pod
    result: pass
  - policy: disallow-latest-tag
    rule: validate-image-tag
    resource: myapp-pod
    kind: Pod
    result: pass

To run the test:

kyverno test /path/to/yamls
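To make the test definition above runnable, here is the complete test directory it refers to, written as an added example rather than taken from the original article: `policy.yaml`, `resource.yaml` and the test file itself. The policy is modelled on the disallow-latest-tag policy from Kyverno's policy library (its rule names match the ones the test expects); the Pods and their image tags are constructed sample values. The example goes one step beyond the page by adding a second Pod that is expected to fail, so the test checks the policy catches violations as well as allowing good manifests.

```yaml
# Added example. Directory layout, run with:  kyverno test ./disallow-latest-tag
#   disallow-latest-tag/
#     policy.yaml          the policy under test
#     resource.yaml        the manifests the policy is applied to
#     kyverno-test.yaml    the test definition (the CLI looks for this file name)
# Each file is shown below as its own YAML document, separated by "---".

# file: policy.yaml (modelled on Kyverno's disallow-latest-tag sample policy)
apiVersion: kyverno.io/v1
kind: ClusterPolicy
metadata:
  name: disallow-latest-tag
spec:
  validationFailureAction: Enforce
  background: true
  rules:
    # Rule 1: every container image must carry an explicit tag.
    - name: require-image-tag
      match:
        any:
          - resources:
              kinds:
                - Pod
      validate:
        message: "An image tag is required."
        pattern:
          spec:
            containers:
              - image: "*:*"
    # Rule 2: the tag must not be the mutable 'latest' tag.
    - name: validate-image-tag
      match:
        any:
          - resources:
              kinds:
                - Pod
      validate:
        message: "Using a mutable image tag such as 'latest' is not allowed."
        pattern:
          spec:
            containers:
              - image: "!*:latest"
---
# file: resource.yaml (two constructed Pods; the CLI reads all documents in the file)
apiVersion: v1
kind: Pod
metadata:
  name: myapp-pod          # pinned tag: both rules should pass
spec:
  containers:
    - name: myapp
      image: nginx:1.25.3
---
apiVersion: v1
kind: Pod
metadata:
  name: myapp-pod-latest   # has a tag, but it is 'latest': rule 2 should fail
spec:
  containers:
    - name: myapp
      image: nginx:latest
---
# file: kyverno-test.yaml
name: disallow_latest_tag
policies:
  - policy.yaml
resources:
  - resource.yaml
results:
  - policy: disallow-latest-tag
    rule: require-image-tag
    resource: myapp-pod
    kind: Pod
    result: pass
  - policy: disallow-latest-tag
    rule: validate-image-tag
    resource: myapp-pod
    kind: Pod
    result: pass
  - policy: disallow-latest-tag
    rule: require-image-tag
    resource: myapp-pod-latest
    kind: Pod
    result: pass
  - policy: disallow-latest-tag
    rule: validate-image-tag
    resource: myapp-pod-latest
    kind: Pod
    result: fail
```

Recording an expected `fail` is what turns this into a real regression test: if someone later loosens the `!*:latest` pattern, the `myapp-pod-latest` result flips to `pass` and `kyverno test` reports the mismatch.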

Validate

  • Checks whether a policy is syntactically valid.
  • Can validate multiple policy files, or a folder containing policy files.

kyverno validate /path/to/policy1.yaml /path/to/policy2.yaml /path/to/folderFullOfPolicies

jp

The Kyverno CLI also provides a utility called jp for evaluating JMESPath expressions, the query language Kyverno uses inside policies, against JSON input.

$ echo '{"foo": "BAR"}' | kyverno jp 'to_lower(foo)'
"bar"

$ cat pod.json
{
  "apiVersion": "v1",
  "kind": "Pod",
  "metadata": {
    "name": "mypod",
    "namespace": "foo"
  },
  "spec": {
    "containers": [
      {
        "name": "busybox",
        "image": "busybox"
      }
    ]
  }
}

$ kyverno jp -f pod.json 'spec.containers[0].name' -u
busybox

Kyverno pre-commit hooks

Kyverno can be integrated into pre-commit hooks to test and validate policies before they are committed. To set up the hook, see https://github.com/kyverno/pre-commit-hook

.pre-commit-config.yaml

repos:
  - repo: https://github.com/kyverno/pre-commit-hook
    rev: v1.0.0
    hooks:
      - id: kyverno-test
        args: ["kyverno-policies"]
      - id: kyverno-validate
        args: ["kyverno-policies"]

If you like this article, subscribe to the newsletter and connect with me on Twitter to get updates on my future articles. ✅
