Kyverno

Kyverno policy engine — admission control, background scanning, and Grafana dashboard integration.

What is Kyverno?

Kyverno is a Kubernetes-native policy engine that validates, mutates, and generates resources using policies written as Kubernetes CRDs — no OPA/Rego required. It operates as a validating and mutating admission webhook.

Why Kyverno?

Kyverno policies are Kubernetes resources (YAML), so they live in the same GitOps repo and follow the same ArgoCD sync workflow as everything else. The admission controller intercepts every resource creation/update, making it the right place to enforce security standards (e.g., require non-root containers, disallow latest tags) without custom admission webhooks.
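As an added example (written for this page, not taken from the repo's keyverno.go or shipped by the Kyverno project), a ClusterPolicy enforcing the two standards named above: images must carry an explicit, non-latest tag, and containers must run as non-root. Policy, rule and message names are my own; the pattern syntax follows Kyverno's published sample policies.

```yaml
apiVersion: kyverno.io/v1
kind: ClusterPolicy
metadata:
  name: baseline-container-hardening   # constructed name, not from the repo
spec:
  validationFailureAction: Enforce     # reject at admission; Audit would only record PolicyReport entries
  background: true                     # background controller also scans Pods that already exist
  rules:
    # Matching Pod also covers Deployments, StatefulSets, Jobs etc. via Kyverno's auto-generated rules
    - name: require-image-tag
      match: { any: [ { resources: { kinds: [Pod] } } ] }
      validate:
        message: "An explicit image tag is required."
        pattern:
          spec:
            containers:
              - image: "*:*"           # untagged images resolve to :latest, so reject those as well
    - name: disallow-latest-tag
      match: { any: [ { resources: { kinds: [Pod] } } ] }
      validate:
        message: "The mutable ':latest' tag is not allowed."
        pattern:
          spec:
            containers:
              - image: "!*:latest"     # leading '!' negates the glob
    - name: require-run-as-nonroot
      match: { any: [ { resources: { kinds: [Pod] } } ] }
      validate:
        message: "Set runAsNonRoot: true at the Pod level or on every container."
        anyPattern:                    # the Pod passes if either alternative matches
          - spec:
              securityContext:
                runAsNonRoot: "true"
              =(initContainers):       # '=()' means: only checked when the field is present
                - =(securityContext):
                    =(runAsNonRoot): "true"   # a container-level override must not reset it to false
              containers:
                - =(securityContext):
                    =(runAsNonRoot): "true"
          - spec:
              =(initContainers):
                - securityContext:
                    runAsNonRoot: "true"
              containers:
                - securityContext:
                    runAsNonRoot: "true"
```

With policyExceptions enabled (see Configuration), a workload that legitimately needs root can be exempted from require-run-as-nonroot with a PolicyException instead of weakening the rule.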

How It's Used Here

Kyverno runs in HA mode in its own namespace. It integrates with:

  • VMAgent — a ServiceMonitor scrapes Kyverno metrics on port 8000 every 30s
  • Grafana — the Helm chart creates a ConfigMap with the Kyverno dashboard JSON; Grafana's sidecar picks it up automatically

Source: workloads/security/keyverno.go

Configuration

Component              Replicas  CPU Limit  Memory Limit
Admission Controller   3         1000m      512Mi
Background Controller  2         500m       256Mi
Cleanup Controller     2         500m       256Mi
Reports Controller     2         500m       256Mi

Setting                          Value  Why
metricsService.port              8000   VMAgent scrape target
webhooksCleanup.enabled          true   Cleans up webhooks on uninstall
policyExceptions.enabled         true   Allows per-resource policy exemptions
imageVerification.enabled        false  Not using Cosign image signing
grafana.enabled                  true   Grafana dashboard ConfigMap
podSecurityContext.runAsNonRoot  true   Non-root containers

Troubleshooting

Admission Webhook Timeout

kubectl get validatingwebhookconfigurations | grep kyverno
kubectl logs -n kyverno -l app.kubernetes.io/name=kyverno-admission-controller

If the admission controller is down, all resource creates/updates will fail (fail-closed webhook). Restarting the pods usually resolves this.

Policy Violation Report

kubectl get policyreport -A
kubectl describe policyreport <name> -n <namespace>