Chainguard Container for kyverno

Kyverno is a policy engine that allows you to write policies as Kubernetes resources and manage them with familiar tools

Chainguard Containers are regularly-updated, secure-by-default container images.

Download this Container Image

For those with access, this container image is available on cgr.dev:

docker pull cgr.dev/ORGANIZATION/kyverno:latest

Be sure to replace the ORGANIZATION placeholder with the name used for your organization's private repository within the Chainguard Registry.

Compatibility Notes

Chainguard's kyverno Container Image is comparable to the official kyverno image. However, the Chainguard image contains only the minimum set of tools and dependencies needed to function. Additionally, it uses a different entrypoint, /usr/bin/kyverno, compared to upstream's entrypoint of /ko-app/kyverno.

Getting Started

Chainguard's kyverno Container Image can be deployed using the official Kyverno Helm chart.

Installation with Helm

The recommended way to install Kyverno with Chainguard images is to use a values.yaml file with the official Helm chart:

1. Create a values.yaml file with the following content:

admissionController:
  container:
    image:
      registry: cgr.dev
      repository: ORGANIZATION/kyverno-admission
      tag: latest
  initContainer:
    image:
      registry: cgr.dev
      repository: ORGANIZATION/kyverno-init
      tag: latest

backgroundController:
  container:
    image:
      registry: cgr.dev
      repository: ORGANIZATION/kyverno-background
      tag: latest

cleanupController:
  container:
    image:
      registry: cgr.dev
      repository: ORGANIZATION/kyverno-cleanup
      tag: latest

reportsController:
  container:
    image:
      registry: cgr.dev
      repository: ORGANIZATION/kyverno-reports
      tag: latest

Be sure to replace ORGANIZATION with the name used for your organization's private repository within the Chainguard registry.

2. Install Kyverno using the Helm chart with your values file:

# Add the Kyverno Helm repository
helm repo add kyverno https://kyverno.github.io/kyverno/
helm repo update

# Install Kyverno with Chainguard images
helm install kyverno kyverno/kyverno \
  --namespace kyverno \
  --create-namespace \
  --values values.yaml

Verifying the Installation

After installing Kyverno, you can verify it is functioning correctly by creating a simple policy. You can test a validation policy that requires specific labels on Pods:

apiVersion: kyverno.io/v1
kind: ClusterPolicy
metadata:
  name: require-labels
spec:
  validationFailureAction: Enforce
  background: true
  rules:
    - name: check-for-labels
      match:
        any:
        - resources:
            kinds:
              - Pod
            namespaces:
              - default
      validate:
        message: "The label 'app.kubernetes.io/name' is required."
        pattern:
          metadata:
            labels:
              app.kubernetes.io/name: "?*"

After applying this policy, try to create a Pod without the required label and verify it is rejected.

Documentation and Resources

For complete documentation and more examples, please refer to the following resources:

• Kyverno Official Documentation
• Kyverno GitHub Repository
• Kyverno Policy Examples

What are Chainguard Containers?

Chainguard Containers are minimal container images that are secure by default.

In many cases, the Chainguard Containers tagged as :latest contain only an open-source application and its runtime dependencies. These minimal container images typically do not contain a shell or package manager. Chainguard Containers are built with Wolfi, our Linux undistro designed to produce container images that meet the requirements of a more secure software supply chain.

The main features of Chainguard Containers include:

• Minimal design, without unnecessary software bloat
• Daily builds to ensure container images are up-to-date with available security patches
• High quality build-time SBOMs attesting to the provenance of all artifacts within the image
• Verifiable signatures provided by Sigstore
• Reproducible builds with Cosign and apko (read more about reproducibility)

For cases where you need container images with shells and package managers to build or debug, most Chainguard Containers come paired with a -dev variant.

Although the -dev container image variants have similar security features as their more minimal versions, they feature additional software that is typically not necessary in production environments. We recommend using multi-stage builds to leverage the -dev variants, copying application artifacts into a final minimal container that offers a reduced attack surface that won’t allow package installations or logins.

Learn More

To better understand how to work with Chainguard Containers, please visit Chainguard Academy and Chainguard Courses.

In addition to Containers, Chainguard offers VMs and Libraries. Contact Chainguard to access additional products.

Trademarks

This software listing is packaged by Chainguard. The trademarks set forth in this offering are owned by their respective companies, and use of them does not imply any affiliation, sponsorship, or endorsement by such companies.