Using Kyverno policies with ArgoCD

TechOps Examples

Hey — It's Govardhana MK 👋

Along with a use case deep dive, we identify the remote job opportunities, top news, tools, and articles in the TechOps industry.

IN TODAY'S EDITION

🧠 Use Case
  • Using Kyverno policies with ArgoCD

🚀 Top News

👀 Remote Jobs

📚️ Resources

📢 Reddit Threads

🛠️ TOOL OF THE DAY

soci-snapshotter - A containerd snapshotter plugin which enables standard OCI images to be lazily loaded without requiring a build-time conversion step.

🧠 USE CASE

Using Kyverno policies with ArgoCD

In an ideal world of Kubernetes, we all wish for guardrails which:

✔️ add-network-policy
✔️ add-networkpolicy-dns
✔️ add-ns-quota
✔️ add-rolebinding
✔️ add-safe-to-evict
✔️ disallow-cri-sock-mount
✔️ disallow-default-namespace
✔️ disallow-empty-ingress-host
✔️ disallow-helm-tiller
✔️ disallow-latest-tag

and so on…

As Kubernetes deployments grow more complex, keeping things governed and compliant starts to feel like a real challenge.

Kyverno, a Kubernetes-native policy engine, complements ArgoCD, the popular GitOps tool, to enforce policies across your deployment pipelines.

Rather than talking at 10,000 feet, let’s pick a real-world use case of ‘disallowing the latest tag in container images.’

Setting up Kyverno is already well-documented—refer to this guide to know more.

Stage 1: Organize Files and Folders for Policy-as-Code

Organizing files and folders is critical to managing policies effectively in a GitOps workflow.

Use the following structure:

  • manifests/: Contains application resources like Deployments, Services, and ConfigMaps managed by ArgoCD.

  • policies/: Contains Kyverno policies for version-controlled governance, applied during resource creation or updates.

Stage 2: Create a Kyverno Policy to Disallow the Latest Tag

Save the following policy as disallow-latest-tag.yaml:

Apply the policy:

kubectl apply -f disallow-latest-tag.yaml

Stage 3: Configure ArgoCD for Policy Management

To integrate Kyverno policies into your GitOps workflow, create an ArgoCD application for policies:

This ensures policies are deployed automatically and stay in sync with the repository.
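Since the two manifests referred to in Stage 2 and Stage 3 are not reproduced above, here is an added example (not the newsletter's own files) of what they look like: a Kyverno ClusterPolicy that mirrors the disallow-latest-tag policy from the public Kyverno policy library, followed by an ArgoCD Application that syncs the policies/ folder. The repository URL, the example-org name and the Application name are placeholders.

```yaml
# Added example. Kyverno auto-generates matching rules for Pod controllers
# (Deployments, StatefulSets, ...), so matching Pod covers them too.
apiVersion: kyverno.io/v1
kind: ClusterPolicy
metadata:
  name: disallow-latest-tag
spec:
  validationFailureAction: Enforce   # reject at admission; Audit only reports
  background: true                   # also report on already-existing resources
  rules:
    - name: require-image-tag        # an untagged image silently means :latest
      match:
        any:
          - resources:
              kinds: [Pod]
      validate:
        message: "An image tag is required."
        pattern:
          spec:
            containers:
              - image: "*:*"
    - name: validate-image-tag       # explicit :latest is rejected as well
      match:
        any:
          - resources:
              kinds: [Pod]
      validate:
        message: "Using a mutable image tag e.g. 'latest' is not allowed."
        pattern:
          spec:
            containers:
              - image: "!*:latest"
---
# ArgoCD Application that keeps the policies/ folder in sync (repo URL is a placeholder)
apiVersion: argoproj.io/v1alpha1
kind: Application
metadata:
  name: kyverno-policies
  namespace: argocd
spec:
  project: default
  source:
    repoURL: https://github.com/example-org/platform-config.git  # placeholder
    targetRevision: main
    path: policies
  destination:
    server: https://kubernetes.default.svc
    namespace: kyverno
  syncPolicy:
    automated: {}   # apply policy changes from Git without a manual sync
```

With the policy in Enforce mode, a Deployment that uses nginx:latest (or no tag at all) is rejected by the admission webhook with the message shown in Stage 4; switch to Audit first if you want to see violations reported on existing workloads before blocking anything.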

Stage 4: Test the Integration

  1. Deploy a non-compliant application (e.g., using nginx:latest) and observe the policy violation.

     Sample Error Message:

     Error: Using a mutable image tag e.g. 'latest' is not allowed.

  2. Fix the deployment to use a specific tag (e.g., nginx:1.21.0) and verify successful deployment.

You can replicate the same for other policies.
