Policies
A Kyverno AuthorizationPolicy is a custom Kubernetes resource and can be easily managed via Kubernetes APIs, GitOps workflows, and other existing tools.
Resource Scope
A Kyverno AuthorizationPolicy is a cluster-wide resource.
API Group and Kind
An AuthorizationPolicy belongs to the envoy.kyverno.io/v1alpha1 group and can only be of kind AuthorizationPolicy.
```yaml
apiVersion: envoy.kyverno.io/v1alpha1
kind: AuthorizationPolicy
metadata:
  name: demo
spec:
  # if something fails the request will be denied
  failurePolicy: Fail
  variables:
  # `force_authorized` references the 'x-force-authorized' header
  # from the envoy check request (or '' if not present)
  - name: force_authorized
    expression: object.attributes.request.http.headers[?"x-force-authorized"].orValue("")
  # `allowed` will be `true` if `variables.force_authorized` has the
  # value 'enabled' or 'true'
  - name: allowed
    expression: variables.force_authorized in ["enabled", "true"]
  deny:
  # make an authorisation decision based on the value of `variables.allowed`
  - match: >
      !variables.allowed
    response: >
      envoy.Denied(403).Response()
  allow:
  - response: >
      envoy.Allowed().Response()
```
Envoy External Authorization
The Kyverno Authz Server implements the Envoy External Authorization API.
A Kyverno AuthorizationPolicy analyses an Envoy CheckRequest and can make a decision by returning an OkResponse or DeniedResponse.
CEL language
An AuthorizationPolicy uses the CEL language to process the CheckRequest sent by Envoy.
CEL is an expression language that’s fast, portable, and safe to execute in performance-critical applications.
Policy structure
A Kyverno AuthorizationPolicy is made of:
- A failure policy
- Match conditions, if needed
- Optionally, some variables
- The authorization rules
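The following policy is an added example, not taken from the Kyverno documentation or project, that puts all four structural parts side by side. It assumes the `matchConditions` field name (modelled on the same field in ValidatingAdmissionPolicy) and the `path` and `method` fields of the Envoy CheckRequest's `attributes.request.http` message; the header lookup, `failurePolicy`, `variables`, `deny`, `allow` and the `envoy.Allowed()` / `envoy.Denied()` helpers are those shown on this page.

```yaml
apiVersion: envoy.kyverno.io/v1alpha1
kind: AuthorizationPolicy
metadata:
  name: admin-api-structure-example   # constructed example name
spec:
  # 1. Failure policy: any evaluation error (bad expression, missing field)
  #    results in a denied request rather than a silent allow.
  failurePolicy: Fail

  # 2. Match conditions (field name assumed): the policy only applies when
  #    every condition is true; here, only to requests under /admin.
  matchConditions:
  - name: admin-paths-only
    expression: object.attributes.request.http.path.startsWith("/admin")

  # 3. Variables: named CEL expressions reused by the rules below.
  variables:
  # the admin token header, or '' when the header is absent
  - name: token
    expression: object.attributes.request.http.headers[?"x-admin-token"].orValue("")
  # read-only HTTP methods
  - name: is_read
    expression: object.attributes.request.http.method in ["GET", "HEAD"]
  # the single condition under which the request is allowed
  - name: allowed
    expression: variables.token != "" && variables.is_read

  # 4. Authorization rules. The deny and allow matches below partition
  #    every request exactly once, so the decision does not depend on
  #    the order in which rules are evaluated.
  deny:
  # no token at all: authentication problem
  - match: >
      variables.token == ""
    response: >
      envoy.Denied(401).Response()
  # token present but a write method: authorization problem
  - match: >
      !variables.is_read
    response: >
      envoy.Denied(403).Response()
  allow:
  - match: >
      variables.allowed
    response: >
      envoy.Allowed().Response()
```

Writing the rules so that every request satisfies exactly one `match` (the two deny conditions are the negation of `variables.allowed`) keeps the decision independent of rule ordering, and `failurePolicy: Fail` ensures that a typo in an expression closes the path rather than opening it.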