Kyverno Policy Integration
This section documents how Kyverno is integrated into the kubriX platform, how policies are configured and managed, and how teams can extend or override policy behavior for their own environments.
High-Level Overview
Kyverno is a Kubernetes-native policy engine used by the kubriX platform to enforce baseline configurations, best practices, and tenant-level controls.
The platform provides a set of pre-packaged policies (security, best-practices, vault integration) and allows teams to define and include their own policies via the Helm chart.
Configuration via values.yaml
Kyverno behavior is controlled through the `kyvernoPolicies` block in the platform Helm values:

```yaml
kyvernoPolicies:
  createDenyAllAllowCoreDNSNetworkPolicy:
    enabled: false
    excludeNamespaces:
      - kube-system
      - kyverno
    dnsPort: 53
  createResourceQuotaAndLimitrange:
    enabled: false
  validateKargoProjectName:
    enabled: false
  createKubevirtRolebinding:
    enabled: false
  createExcludeFromBackupLabel:
    enabled: false
  createCustomPolicies:
    enabled: false
  createVaultSecretStore:
    enabled: false
    excludeNamespaces:
      - kube-system
      - kyverno
    mountPath: "{{ .Values.destinationClusterName }}"
    vaultURL: "https://fqdn"
```
Each toggle enables or disables a specific group of policies during Helm deployment.
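To make the `createDenyAllAllowCoreDNSNetworkPolicy` values concrete, the following is an added illustration of what a Kyverno generate policy driven by those values (the two excluded namespaces and `dnsPort: 53`) could look like. It is not the chart's own policy and is not part of kubriX; the policy and NetworkPolicy names, and the `k8s-app: kube-dns` pod label and `kube-system` namespace used to identify CoreDNS, are assumptions about the cluster.

```yaml
# Added example, not a kubriX chart file. Shows a Kyverno policy that creates a
# default-deny NetworkPolicy in every new namespace while keeping DNS reachable.
apiVersion: kyverno.io/v1
kind: ClusterPolicy
metadata:
  name: deny-all-allow-coredns          # assumed name
spec:
  rules:
    - name: generate-default-deny
      match:
        any:
          - resources:
              kinds:
                - Namespace
      # Mirrors kyvernoPolicies.createDenyAllAllowCoreDNSNetworkPolicy.excludeNamespaces
      exclude:
        any:
          - resources:
              names:
                - kube-system
                - kyverno
      generate:
        apiVersion: networking.k8s.io/v1
        kind: NetworkPolicy
        name: default-deny-allow-dns     # assumed name
        namespace: "{{request.object.metadata.name}}"
        synchronize: true                # re-create/update if the NetworkPolicy drifts
        data:
          spec:
            podSelector: {}              # applies to every pod in the namespace
            policyTypes:
              - Ingress
              - Egress
            # No ingress rules: all inbound traffic is denied.
            egress:
              # Only egress to CoreDNS is allowed; the port mirrors dnsPort: 53
              - to:
                  - namespaceSelector:
                      matchLabels:
                        kubernetes.io/metadata.name: kube-system   # assumed CoreDNS namespace
                    podSelector:
                      matchLabels:
                        k8s-app: kube-dns                          # assumed CoreDNS pod label
                ports:
                  - protocol: UDP
                    port: 53
                  - protocol: TCP
                    port: 53
```

Because the rule is a generate rule, it only fires for namespaces created after the policy is applied, and the Kyverno background controller must have RBAC permission to create NetworkPolicy objects. Verify the selectors against the actual CoreDNS labels before enabling the toggle; a mismatch turns the DNS exception into a DNS outage for every workload in the namespace.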
Directory Structure for Policies
All policies are defined in the custompolicies/ directory within the Kyverno chart:
```
charts/kyverno/custompolicies/
├── best-practices/
│   └── disallow-latest-tag.yaml
├── restricted/
│   └── ...
└── customer/
    └── your-team-policy.yaml
```
- `best-practices/`: Platform-maintained best-practice policies
- `restricted/`: Platform-enforced security and isolation rules
- `customer/`: Folder for custom/team-specific policies
Applying Custom Policies
To enable custom policy injection from the chart:
- Set the following flag in `values.yaml`:

  ```yaml
  kyvernoPolicies:
    createCustomPolicies:
      enabled: true
  ```

- Add your `.yaml` policy files to the directory `charts/kyverno/custompolicies/customer/`.
- On Helm deploy, all `.yaml` files from `custompolicies/**/*` will be rendered and applied:

  ```
  {{ if .Values.kyvernoPolicies.createCustomPolicies.enabled }}
  {{ range $path, $_ := .Files.Glob "custompolicies/**/*.yaml" }}
  {{ $.Files.Get $path }}
  ---
  {{ end }}
  {{ end }}
  ```
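As an added example of a team policy that could be dropped into `custompolicies/customer/` (this is illustration, not a policy shipped by kubriX), the following ClusterPolicy rejects privileged containers outside the platform namespaces. The file name, policy name, message text and the excluded namespaces are assumptions; the `=(key)` conditional anchors are standard Kyverno pattern syntax.

```yaml
# charts/kyverno/custompolicies/customer/disallow-privileged-containers.yaml
# Added example policy, not part of kubriX. Names and messages are assumed.
apiVersion: kyverno.io/v1
kind: ClusterPolicy
metadata:
  name: disallow-privileged-containers
  annotations:
    policies.kyverno.io/category: customer
    policies.kyverno.io/description: >-
      Privileged containers get the host's device and capability set and can
      break out of the container boundary; block them outside platform namespaces.
spec:
  # Enforce rejects the admission request. Start with Audit to see what would
  # fail (results land in PolicyReports) before switching to Enforce.
  validationFailureAction: Enforce
  # Also scan existing workloads, so pre-existing violations are reported.
  background: true
  rules:
    - name: deny-privileged
      match:
        any:
          - resources:
              kinds:
                - Pod
      # Same shape as the excludeNamespaces toggles in values.yaml
      exclude:
        any:
          - resources:
              namespaces:
                - kube-system
                - kyverno
      validate:
        message: >-
          Privileged mode is disallowed. Set securityContext.privileged to
          false (or omit it) on all containers.
        pattern:
          spec:
            # =(key) is a conditional anchor: the check only applies when the
            # key is present, so pods that never set securityContext still pass.
            =(initContainers):
              - =(securityContext):
                  =(privileged): "false"
            =(ephemeralContainers):
              - =(securityContext):
                  =(privileged): "false"
            containers:
              - =(securityContext):
                  =(privileged): "false"
```

With `createCustomPolicies.enabled: true`, the Helm glob shown above picks this file up on the next deploy; `kubectl get clusterpolicy disallow-privileged-containers` should then show it as ready, and `kubectl get policyreport -A` lists any existing pods that violate it.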
Key Features
| Feature | Description |
|---|---|
| Policy Bundling | Platform delivers curated policy sets (restricted, best-practices) |
| Customization | Teams can extend or override policy behavior in the customer/ folder |
| Vault Integration | Inject SecretStore CRs into namespaces with Vault config |
| DNS-aware NetworkPolicy | Optional deny-all policy with CoreDNS exceptions |
| Kargo Validation | Optional policy to validate naming of KargoProject resources |
| Resource Limits | Optionally apply ResourceQuota and LimitRange per namespace |
Best Practices
- Always validate your policies with `kyverno validate` before applying.
- Avoid duplicating platform policies unless customization is required.
- If applying deny-all network policies, test ingress/egress in isolated namespaces first.
Troubleshooting
- Policy not applied? Make sure `createCustomPolicies.enabled` is set to `true` and files are placed in the correct subfolder.
- Vault integration fails? Ensure namespaces are not excluded and `vaultURL` is correct.
Additional Notes
- These policies are rendered and applied as part of the platform Helm release.
- All policies are namespace-aware and can be scoped or excluded based on `excludeNamespaces`.
For more information, visit kyverno.io or contact the kubriX platform team.