Develop Kyverno CLI locally

[Originally Posted Here]

June 23, 2022

"The Kyverno Command Line Interface (CLI) is designed to validate and test policy behavior to resources prior to adding them to a cluster. The CLI can be used in CI/CD pipelines to assist with the resource authoring process to ensure they conform to standards prior to them being deployed."

You can install and use the kyverno CLI using krew, yay, or by building it directly from source. Here, however, we will see how to use the kyverno CLI in development mode. The usage remains the same, except that you have to execute the Go package, i.e. cmd/cli/kubectl-kyverno/main.go, which essentially calls the kyverno CLI.

Prerequisite

The only prerequisite is that you have Go installed and set up correctly in your local development workspace. Your Go version must be greater than 1.16, so it is recommended to install the latest release. Here's a great set of resources that can help you set up Go development in your local environment.

  • You can download the latest binary release of Go from here
  • https://learn.gopherguides.com/courses/preparing-your-environment-for-go-development
  • If you're on a Windows machine, follow this
  • If you're on a Mac or Linux machine, follow this

Example

Let's say you have to run the test command to validate the Disallow Latest Tag policy. To do this using the kyverno CLI, you run:

bash
kyverno test ../policies/best-practices/disallow_latest_tag

To use the kyverno CLI in development mode instead, follow these steps:

  1. Make sure you've cloned your forks of kyverno/kyverno and kyverno/policies into the same directory. Your workspace should look something like this:
bash
/kyverno
    api
    charts
    cmd
    definitions
    docs...

/policies
    best-practices
    cert-manager
    other
    pod-security...
  2. cd into the kyverno directory (which is your local fork of kyverno/kyverno).
  3. Run the following command:
bash
go run ./cmd/cli/kubectl-kyverno/main.go test ../policies/best-practices/disallow_latest_tag
  4. On executing the above command, you'll get output like the following:
bash
Executing disallow_latest_tag...
applying 1 policy to 1 resource...
│───│─────────────────────│────────────────────│───────────│────────│
# │ POLICY              │ RULE               │ RESOURCE  │ RESULT │
│───│─────────────────────│────────────────────│───────────│────────│
1 │ disallow-latest-tag │ require-image-tag  │ myapp-pod │ Pass   │
2 │ disallow-latest-tag │ validate-image-tag │ myapp-pod │ Pass   │
│───│─────────────────────│────────────────────│───────────│────────│
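
The steps above can be wrapped in a small shell helper that checks the prerequisites before calling `go run`. This is an added example, not code from the original post or from the Kyverno project; the function names are hypothetical, and "greater than 1.16" is read here as Go 1.17 or later.

```shell
#!/bin/sh
# Added example: preflight checks for running the Kyverno CLI from source.
# Function names are assumptions for illustration, not part of Kyverno.

# go_version_ok "<output of `go version`>"
# Succeeds when the reported release is newer than 1.16
# (assumption: compared on major.minor, so 1.17 or later passes).
go_version_ok() {
    ver=$(printf '%s\n' "$1" |
        sed -n 's/^go version go\([0-9][0-9]*\)\.\([0-9][0-9]*\).*/\1 \2/p')
    [ -n "$ver" ] || return 1            # unparseable output: fail closed
    major=${ver% *}
    minor=${ver#* }
    [ "$major" -gt 1 ] || { [ "$major" -eq 1 ] && [ "$minor" -gt 16 ]; }
}

# workspace_ok <dir>
# Succeeds when <dir> holds the two sibling clones from step 1.
workspace_ok() {
    [ -f "$1/kyverno/cmd/cli/kubectl-kyverno/main.go" ] || {
        echo "missing $1/kyverno/cmd/cli/kubectl-kyverno/main.go" >&2
        return 1
    }
    [ -d "$1/policies" ] || {
        echo "missing $1/policies" >&2
        return 1
    }
}

# kyverno_dev <workspace> <cli args...>
# Runs the CLI from inside the kyverno clone so that relative paths such as
# ../policies/... resolve exactly as in steps 2 and 3.
kyverno_dev() {
    ws=$1
    shift
    command -v go >/dev/null 2>&1 || { echo "go not found in PATH" >&2; return 1; }
    go_version_ok "$(go version)" || { echo "Go newer than 1.16 required" >&2; return 1; }
    workspace_ok "$ws" || return 1
    ( cd "$ws/kyverno" && go run ./cmd/cli/kubectl-kyverno/main.go "$@" )
}

# Usage (workspace path is a placeholder):
#   kyverno_dev "$HOME/src" test ../policies/best-practices/disallow_latest_tag
```

Source the file in your shell and call `kyverno_dev` with the directory that contains both clones; everything after that argument is passed to the CLI unchanged.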
