Kyverno 1.18: Embrace the Future of Kubernetes Policy Management
Kyverno 1.18 marks a significant evolution in Kubernetes policy management, most notably because ClusterPolicy resources are scheduled for deprecation later this year. That change moves users toward the newer policy types: ValidatingPolicy, MutatingPolicy, GeneratingPolicy, ImageValidatingPolicy, and DeletingPolicy. These types offer enhanced capabilities and align more closely with the direction Kubernetes itself is taking, so policies written against them stay effective and relevant as the platform evolves.
In this release, Kyverno policies can also call external services over HTTP through CEL library functions, with one important difference: the security around these calls has been hardened considerably. By default, unsafe destinations such as loopback and metadata services are blocked, and operators can configure both allow and block lists for cluster-scoped and namespaced policies. HTTP calls from namespaced policies are additionally disabled by default and must be enabled explicitly through configuration flags. This matters because a request issued by the policy engine originates from inside the cluster, so without these controls a policy could reach internal endpoints that were never meant to be exposed; the defaults are a crucial step in preventing SSRF-style abuse and keeping the cluster secure.
As you adopt Kyverno 1.18, treat the move from ClusterPolicy to the newer policy types as a requirement rather than a recommendation. The deprecation warning is explicit, and ignoring it invites complications later. Also pay attention to configuration settings such as the successEventActions ConfigMap entry, which controls how verbose policy reporting is. This release is a step forward, but it rewards careful attention to its configuration.
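As an added illustration of the migration the page recommends (not code from the page or from the Kyverno project), here is a simple label-requirement rule written first as a ClusterPolicy and then as a CEL-based ValidatingPolicy; the policies.kyverno.io/v1alpha1 apiVersion and field names are assumed from earlier Kyverno releases and should be checked against the 1.18 reference before use.

```yaml
# Before: a classic ClusterPolicy (kyverno.io/v1) requiring a "team" label on Pods.
apiVersion: kyverno.io/v1
kind: ClusterPolicy
metadata:
  name: require-team-label
spec:
  validationFailureAction: Enforce
  rules:
    - name: check-team-label
      match:
        any:
          - resources:
              kinds: [Pod]
      validate:
        message: "Pods must carry a 'team' label."
        pattern:
          metadata:
            labels:
              team: "?*"          # any non-empty value
---
# After: the same rule as a CEL-based ValidatingPolicy.
# Assumption: schema as in the policies.kyverno.io/v1alpha1 API of earlier
# Kyverno releases; confirm apiVersion and field names against the 1.18 docs.
apiVersion: policies.kyverno.io/v1alpha1
kind: ValidatingPolicy
metadata:
  name: require-team-label
spec:
  validationActions: [Deny]       # equivalent of validationFailureAction: Enforce
  matchConstraints:
    resourceRules:
      - apiGroups: [""]
        apiVersions: ["v1"]
        operations: ["CREATE", "UPDATE"]
        resources: ["pods"]
  validations:
    - expression: >-
        has(object.metadata.labels) &&
        'team' in object.metadata.labels &&
        object.metadata.labels['team'] != ''
      message: "Pods must carry a non-empty 'team' label."
```

Run both policies side by side in a test namespace and confirm they reject and admit the same Pods before removing the ClusterPolicy.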
Key takeaways
- Migrate from ClusterPolicy to ValidatingPolicy, MutatingPolicy, and others to stay current.
- Configure allow and block lists for HTTP calls to enhance security.
- Explicitly enable HTTP calls from namespaced policies to avoid security risks.
- Use the successEventActions ConfigMap to manage policy reporting noise.
- Stay aware of the deprecation timeline to avoid future issues.
Why it matters
In production, transitioning to Kyverno 1.18 ensures that your Kubernetes policies are not only effective but also secure against emerging threats. The hardened HTTP call security is particularly vital for protecting sensitive cluster data.
When NOT to use this
The official docs don't call out specific anti-patterns here. Use your judgment based on your scale and requirements.