Using Kyverno policies with ArgoCD

TechOps Examples

Hey — It's Govardhana MK 👋

Along with a use case deep dive, we identify the remote job opportunities, top news, tools, and articles in the TechOps industry.

IN TODAY'S EDITION

🧠 Use Case

• Using Kyverno policies with ArgoCD

🚀 Top News

• ALERT DevOps Folks: Check What You Build - 1000s Download Malicious NPM Libraries Impersonating Legitimate Tools

👀 Remote Jobs

• Canonical is hiring a Cloud Solutions Architect

  Remote Location: Worldwide

• KloudMate is hiring a DevOps and Cloud Engineer

  Remote Location: India

📚️ Resources

• The Differences Between HTTPS, SSL, and TLS…in a comic!

• Improve Microservices With These New Load Balancing Strategies

• Advanced End-to-End DevSecOps Kubernetes Three-Tier Project using AWS EKS, ArgoCD, Prometheus, Grafana, and Jenkins

📢 Reddit Threads

• Kubernetes Podcast from Google: Top 10 episodes of 2024

• I Followed the Official AWS Amplify Guide and was Charged $1,100

🛠️ TOOL OF THE DAY

soci-snapshotter -  A containerd snapshotter plugin which enables standard OCI images to be lazily loaded without requiring a build-time conversion step.

🧠 USE CASE

Using Kyverno policies with ArgoCD

In an ideal world of Kubernetes, we all wish for guardrails which:

✔️ add-network-policy
✔️ add-networkpolicy-dns
✔️ add-ns-quota
✔️ add-rolebinding
✔️ add-safe-to-evict
❌ disallow-cri-sock-mount
❌ disallow-default-namespace
❌ disallow-empty-ingress-host
❌ disallow-helm-tiller
❌ disallow-latest-tag

and so on…

As Kubernetes deployments grow more complex, keeping things governed and compliant starts to feel like a real challenge.

Kyverno, a Kubernetes-native policy engine, complements ArgoCD, the popular GitOps tool, to enforce policies across your deployment pipelines.

Rather than talking at 10,000 feet, let’s pick a real-world use case of ‘disallowing the latest tag in container images.’

Setting up Kyverno is already well-documented—refer to this guide to know more.

Stage 1: Organize Files and Folders for Policy-as-Code

Organizing files and folders is critical to managing policies effectively in a GitOps workflow.

Use the following structure:

• manifests/: Contains application resources like Deployments, Services, and ConfigMaps managed by ArgoCD.

• policies/: Contains Kyverno policies for version-controlled governance, applied during resource creation or updates.

Stage 2: Create a Kyverno Policy to Disallow the Latest Tag

Save the following policy as disallow-latest-tag.yaml:

Apply the policy:

kubectl apply -f disallow-latest-tag.yaml

Stage 3: Configure ArgoCD for Policy Management

To integrate Kyverno policies into your GitOps workflow, create an ArgoCD application for policies:

This ensures policies are deployed automatically and stay in sync with the repository.

Stage 4: Test the Integration

1. Deploy a non-compliant application (e.g., using nginx:latest) and observe the policy violation.

   Sample Error Message:

Error: Using a mutable image tag e.g. 'latest' is not allowed.

2. Fix the deployment to use a specific tag (e.g., nginx:1.21.0) and verify successful deployment.

You can replicate the same for other policies.

Find a dozen-plus kyverno policy script examples here.

You may even like:

When Policy as Code Implementation Fails  

Looking to promote your company, product, service, or event to 47,000+ TechOps Professionals? Let's work together.