Kubernetes, as many already know, is a Greek word that means “helmsman” or “pilot” in English — a fitting name for the platform we use to manage containerized workloads and services. Continuing with the Greek theme, Kyverno means to govern, a suitable name for a policy engine. Kyverno is becoming a leader in Kubernetes policy, seeing rapid adoption since its v1.0.0 release in December 2019. Kyverno is designed specifically for Kubernetes, which is likely part of the reason for its popularity.
For a long time, Open Policy Agent, or OPA, was the big name for managing policies in Kubernetes. While it offers great flexibility and control for administrators, it’s also fairly hard to use, particularly for newcomers who aren’t familiar with Rego, the language these policies are written in. Kyverno is easier to use and requires no new language to write policies. And because it focuses on Kubernetes, users can use the tools they’re already familiar with, including kubectl, git, and helm, to manage policies. OPA, on the other hand, is not Kubernetes-specific, so you can also use it to enforce policies in microservices, CI/CD pipelines, and API gateways, not just Kubernetes.
Fairwinds Insights already includes an integration with OPA, and of course our own open source policy engine for Kubernetes, Polaris. We built Insights using different open source tooling and our own code to create a platform that allows you to use the policy engine that works best for your individual needs at a point in time. Polaris is designed to help platform teams standardize Kubernetes deployments as well as enable development best practices. Think of it as a policy engine with batteries included — it has all these best practices policies built in, which is an excellent way to get started with Kubernetes and ensure you’re not making mistakes that can negatively impact your availability, cost efficiency, and security.
OPA is very powerful but also complicated; it offers a full programming language for writing policies. OPA is often used to implement fine-grained, context-aware access control policies for Kubernetes clusters. You can also write custom policies in Rego that align to your own organization's policies for best practices. And because OPA is a general-purpose policy engine, you can use the same policy language across different parts of your stack, not just Kubernetes, making policy management more streamlined.
Kyverno also enables policy as code, allowing you to manage and validate configurations natively in the Kubernetes environment. Kyverno is tailored to Kubernetes' specific requirements and is optimized for ease of use in Kubernetes. It can also operate as a Kubernetes admission controller, intercepting requests to the Kubernetes API server and mutating, allowing, or denying those requests based on a set of user-defined policies. These policies are expressed as Kubernetes custom resources (defined by Custom Resource Definitions, or CRDs), making them easy to manage using kubectl or other Kubernetes-native tools.
You can more easily write your own custom policies in Kyverno because it uses YAML. YAML is a human-readable data-serialization language commonly used for configuration files and in apps when data is being stored or transmitted, and teams are typically already familiar with it, lowering the barrier to entry for getting started in writing custom policies.
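As an added example (not code from the original post, and not Fairwinds' or Kyverno's own policy library), here is a Kyverno ClusterPolicy in the YAML form described above. It validates Pods so that the `privileged` flag, if set at all, must be `false`; `validationFailureAction: Audit` records violations as findings rather than rejecting the admission request, and switching it to `Enforce` is what turns the same rule into a hard deny at admission time. The policy name and message text are our own choices.

```yaml
# Added example policy: flag privileged containers in every namespace.
apiVersion: kyverno.io/v1
kind: ClusterPolicy
metadata:
  name: disallow-privileged-containers   # assumed name, not from the post
spec:
  # Audit = report violations only; Enforce = reject the request at admission.
  validationFailureAction: Audit
  # Also scan resources that already exist, so the policy report covers the
  # running cluster and not only new admission requests.
  background: true
  rules:
    - name: privileged-containers
      match:
        any:
          - resources:
              kinds:
                - Pod
      validate:
        message: >-
          Privileged mode is disallowed. securityContext.privileged must be
          unset or false for all containers and initContainers.
        pattern:
          spec:
            # =(field) is a conditional anchor: only checked when the field exists.
            =(initContainers):
              - =(securityContext):
                  =(privileged): "false"
            containers:
              - =(securityContext):
                  =(privileged): "false"
```

Apply it with `kubectl apply -f` like any other resource. With `background: true`, Kyverno writes the results into `PolicyReport` (per namespace) and `ClusterPolicyReport` resources, which is the "cluster policy report" you would otherwise read from the command line with `kubectl get policyreport -A` or `kubectl get clusterpolicyreport` before the findings reach Insights.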
With the new Fairwinds Insights Kyverno integration, folks already using Kyverno can now take all of their findings and push them to Fairwinds Insights. Kyverno spits out a firehose of findings about your cluster. This is great! It identifies a ton of policy violations that you want to know about and explore. However, to see these findings you have to get on the command line. You’ll need to get a cluster policy report and dig through all the findings to uncover the ones that are really meaningful to you. And when you need to manage exceptions, you have to do it in every cluster, because all the findings are stuck in individual clusters.
By adding an integration with Fairwinds Insights, we allow Kyverno users to use our tooling. That means you can connect it to GitHub to open issues in your infrastructure-as-code repos, create tickets in Jira, Work Items in Azure DevOps, and incidents in PagerDuty. You can also send notifications to Slack and feed data into Datadog. In addition, you can create automation rules and resolve Kyverno findings based on patterns and labels. Perhaps best of all, taking advantage of the Kyverno integration allows you to see all your findings and clusters in one place, so you have a single dashboard to get a holistic view into what’s happening in your Kubernetes environment. Insights also allows you to use Kyverno at scale by offering multi-cluster support and providing the monitoring and alerting you need in an enterprise environment.
We’re excited to have this new Kyverno integration available to Fairwinds Insights users. It provides you with a lot of enterprise features on top of Kyverno, so you can make the most of its capabilities and leverage Kyverno at scale. Now you don’t have to commit to a single policy engine: you can pick one and switch later, or use two or even all three to get the fine-grained policy control you want, using the open source tooling you choose.
If you’re not already using Insights, try our free tier, which is available for environments up to 20 nodes, two clusters, and one repo. You’ll quickly see how easily you can view and take action on your Kyverno findings in Insights. Check it out! And if you have any questions, please reach out or join our Slack Community.