Kyverno enforces configuration best practices for clusters. These configurations are applied while creating the cluster as an add-on feature. The deployment of Kyverno needs certain configurations such as:
- You need to deploy Kyverno in HA (High Availability) mode for production clusters and set the appropriate resource limits.
- You must configure network policies for ingress and egress traffic.
- You must set Kubernetes API rate limits, if Kyverno is deployed in provider-managed clusters.
You can create Kyverno configuration from:
- Create Kyverno Configuration from Settings
- Create Kyverno Configuration from Cluster Type
- Create Kyverno Configuration from Clusters
Create Kyverno Configuration from Settings
To create Kyverno configuration from Settings:
- Go to Menu>Settings>Kyverno Configurations. Click on the Add Kyverno Configuration button. The new Kyverno Configuration page opens.
- In the Name field, enter the name for the Kyverno configuration.
- From the Excluded Namespaces drop-down list, select the namespaces that need to be excluded from the Kyverno configuration. The default options are kyverno and kube-system.
- Under the Network Policy section, select the Enable Network Policy checkbox and drop your network policy for the Kyverno configuration.
- Under the HA Mode section, select the High Availability Mode checkbox. This configures three replicas and creates a PodDisruptionBudget for Kyverno.
- Under the Resources section:
a. Configure the Resource Requests by selecting the respective key and value from the drop-down list. By default, the available keys are cpu and memory. Click +Add Item to add a new resource request.
b. Set the Resource Limits by selecting the respective key and value from the drop-down list. By default, the available keys are cpu and memory. Click +Add Item to add a new resource limit.
- Click on the Add button. The new Kyverno configuration is created. You can view it in the Kyverno Configurations page.
Create Kyverno Configuration from Cluster Type
To create Kyverno configuration from Cluster Type:
- Go to Menu>Clusters>Cluster Types.
- Click on the +Add Cluster Type button.
- Click on one of the cluster types: Nirmata Managed Clusters, Cloud Provider Managed Clusters, or Existing Clusters.
- Add the required details for creating the cluster type. For information on how to create the cluster type, see Cluster Types.
- Click Add-ons. By default the Kyverno add-on catalog is selected.
- From the Select Kyverno Configuration drop-down list, select the configuration that you have created and click on the Create button.
Alternatively, for the existing cluster types, in the Cluster Types page:
a. Click on the existing Cluster Type.
b. Click on the Add-on button.
c. If you have the pre-configured Kyverno add-on, click on the edit symbol on the right corner and select the required add-on and click the Save button.
d. If you do not have the Kyverno add-on, then click on the add symbol on the right corner and add the required add-on and click on the Add button.
Click Create. After you create the Kyverno configuration, the configured Kyverno shows up in the Add Cluster page for the existing clusters. You can change this configuration during cluster creation by selecting a different configuration from the drop-down list. For information on how to add a cluster, see Create Provider Manager Clusters.
Create Kyverno Configuration from Clusters
To create Kyverno configuration for an existing cluster for which Kyverno has not been configured:
- Go to Menu>Clusters. The clusters page is displayed.
- Click on the existing cluster. The cluster panel with the complete details of the cluster along with the configured Kyverno information is displayed.
- Click on the Add-ons button. The available add-ons for the cluster are displayed.
- If you don’t have an existing Kyverno configuration, click on the Kyverno tile. The Select Kyverno Config and Install Kyverno window opens.
- Select the default Kyverno configuration or the customized configuration that you have created from the drop-down list and click Add. The deployment takes a few minutes. A success message is displayed when Kyverno is deployed.
NOTE: If the Kyverno deployment fails due to Kyverno misconfiguration, use the correct configuration and redeploy Kyverno.
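To confirm that the settings chosen above took effect after deployment, the following added example (not part of the original documentation or of Nirmata's or Kyverno's code) audits the output of `kubectl get deploy,pdb,networkpolicy -n kyverno -o json`. It assumes Kyverno runs in the kyverno namespace and that every Deployment there should have the three replicas HA mode configures; the sample data and object names are constructed.

```python
import copy, json, sys

def audit(kube_list, want_replicas=3):
    """Return findings for a `kubectl get ... -o json` List; empty list means OK."""
    by_kind = {}
    for obj in kube_list.get("items", []):
        by_kind.setdefault(obj.get("kind"), []).append(obj)
    findings = []
    if not by_kind.get("Deployment"):
        findings.append("no Deployment found")
    for dep in by_kind.get("Deployment", []):
        name, spec = dep["metadata"]["name"], dep.get("spec", {})
        replicas = spec.get("replicas", 1)  # Kubernetes defaults to 1 when unset
        if replicas < want_replicas:
            findings.append(f"{name}: replicas {replicas}, expected at least {want_replicas}")
        for c in spec.get("template", {}).get("spec", {}).get("containers", []):
            res = c.get("resources") or {}
            for section in ("requests", "limits"):
                for key in ("cpu", "memory"):  # the two default keys on the page
                    if key not in (res.get(section) or {}):
                        findings.append(f"{name}/{c['name']}: no {key} in resources.{section}")
    # HA mode creates a PodDisruptionBudget; the Network Policy option adds a NetworkPolicy.
    for kind in ("PodDisruptionBudget", "NetworkPolicy"):
        if not by_kind.get(kind):
            findings.append(f"no {kind} found")
    return findings

# Constructed sample, not real cluster output; object names are placeholders.
GOOD = {"kind": "List", "items": [
    {"kind": "Deployment", "metadata": {"name": "kyverno"},
     "spec": {"replicas": 3, "template": {"spec": {"containers": [
         {"name": "kyverno", "resources": {
             "requests": {"cpu": "100m", "memory": "128Mi"},
             "limits": {"cpu": "1", "memory": "512Mi"}}}]}}}},
    {"kind": "PodDisruptionBudget", "metadata": {"name": "kyverno"}, "spec": {"minAvailable": 1}},
    {"kind": "NetworkPolicy", "metadata": {"name": "kyverno"}, "spec": {}},
]}

def weakened():
    """The sample with HA mode off, the memory limit dropped and the PDB removed."""
    bad = copy.deepcopy(GOOD)
    dep = bad["items"][0]
    dep["spec"]["replicas"] = 1
    del dep["spec"]["template"]["spec"]["containers"][0]["resources"]["limits"]["memory"]
    bad["items"] = [o for o in bad["items"] if o["kind"] != "PodDisruptionBudget"]
    return bad

if __name__ == "__main__":
    data = json.load(open(sys.argv[1])) if len(sys.argv) > 1 else GOOD
    print("\n".join(audit(data)) or "ok")
```

Save the kubectl output to a file and pass its path as the first argument; with no argument the script audits the constructed sample.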