
ValidatingPolicy

A Kyverno ValidatingPolicy is a custom Kubernetes resource and can be managed via the Kubernetes API, GitOps workflows, and other existing tooling.

Resource Scope

A Kyverno ValidatingPolicy is a cluster-wide resource.

API Group and Kind

A ValidatingPolicy belongs to the policies.kyverno.io/v1alpha1 group and can only be of kind ValidatingPolicy.

apiVersion: policies.kyverno.io/v1alpha1
kind: ValidatingPolicy
metadata:
  name: demo
spec:
  # if something fails the request will be denied
  failurePolicy: Fail
  evaluation:
    mode: Envoy
  variables:
    # `force_authorized` references the 'x-force-authorized' header
    # from the envoy check request (or '' if not present)
  - name: force_authorized
    expression: object.attributes.request.http.headers[?"x-force-authorized"].orValue("")
    # `allowed` will be `true` if `variables.force_authorized` has the
    # value 'enabled' or 'true'
  - name: allowed
    expression: variables.force_authorized in ["enabled", "true"]
  validations:
    # make an authorisation decision based on the value of `variables.allowed`
  - expression: >
      !variables.allowed
        ? envoy.Denied(403).Response()
        : envoy.Allowed().Response()

Envoy External Authorization

The Kyverno Authz Server implements the Envoy External Authorization API.

A Kyverno ValidatingPolicy analyses an Envoy CheckRequest and can make a decision by returning a CheckResponse.

CEL language

A ValidatingPolicy uses the CEL language to process the CheckRequest sent by Envoy.

CEL is an expression language that’s fast, portable, and safe to execute in performance-critical applications.
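The following policy, an added example that is not part of this page or the Kyverno project's own documentation, shows how the Envoy CheckRequest fields and the CEL constructs above combine into a more realistic decision: unauthenticated GET requests to /healthz are allowed, every other request must carry a non-empty Bearer token in the authorization header, and anything else is denied with 401. It assumes the CheckRequest exposes `object.attributes.request.http.method` and `.path` alongside `.headers` (the standard Envoy AttributeContext fields) and only checks that a token is present, not that it is valid.

```yaml
apiVersion: policies.kyverno.io/v1alpha1
kind: ValidatingPolicy
metadata:
  name: require-bearer-token
spec:
  # an evaluation error denies the request rather than letting it through
  failurePolicy: Fail
  evaluation:
    mode: Envoy
  variables:
    # HTTP method and path taken from the Envoy CheckRequest
    # (assumed AttributeContext fields: method, path, headers)
  - name: method
    expression: object.attributes.request.http.method
  - name: path
    expression: object.attributes.request.http.path
    # 'authorization' header, or '' when the client sent none
    # (Envoy lowercases header names)
  - name: authz_header
    expression: object.attributes.request.http.headers[?"authorization"].orValue("")
    # unauthenticated health probes are the only exception
  - name: is_health_probe
    expression: variables.method == "GET" && variables.path == "/healthz"
    # a token counts as present when the header is 'Bearer <non-empty value>'
  - name: has_bearer
    expression: >
      variables.authz_header.startsWith("Bearer ")
        && size(variables.authz_header) > size("Bearer ")
  validations:
    # allow health probes and requests presenting a bearer token, deny the rest
  - expression: >
      (variables.is_health_probe || variables.has_bearer)
        ? envoy.Allowed().Response()
        : envoy.Denied(401).Response()
```

Validating the token itself (signature, expiry, audience) is a separate step that this policy does not perform.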

Policy structure

A Kyverno ValidatingPolicy is made of: