Enable or Disable Kyverno In User Namespaces
At the namespace level, Kyverno is managed via the kyverno label. By
default, all user namespaces will have Kyverno security policies enabled, that
is, have the kyverno=enabled label. The cluster admin may change the
profiles configuration and enable or disable Kyverno security policies in all
user namespaces. The admin may also label only specific namespaces manually and
set either kyverno=enabled or kyverno=disabled for them. The profiles
controller will not change this label if it already exists.
This guide will walk you through enabling or disabling Kyverno at the namespace level.
Important
Kyverno policies will only apply to namespaces that have the
kyverno=enabled label. If the label is missing or has any other value,
for example kyverno=disabled, Kyverno policies will not apply at all in
the corresponding namespaces.
What You’ll Need
- A configured management environment.
- Your clone of the Arrikto GitOps repository.
- An existing EKF deployment.
Procedure
Go to your GitOps repository, inside your rok-tools management environment:
    root@rok-tools:~# cd ~/ops/deployments
Edit kubeflow/manifests/apps/profiles/upstream/overlays/deploy/namespace-labels.yaml and set the desired value for the kyverno label:
    katib-metricscollector-injection: 'enabled'
    serving.kubeflow.org/inferenceservice: 'enabled'
    pipelines.kubeflow.org/enabled: 'true'
    app.kubernetes.io/part-of: 'kubeflow-profile'
    kyverno: '<KYVERNO>'
Replace <KYVERNO> with either enabled or disabled.
Commit your changes:
    root@rok-tools:~/ops/deployments# git commit \
    >     -am "Update kyverno label across user namespaces"
Apply the kustomization:
    root@rok-tools:~/ops/deployments# rok-deploy --apply \
    >     kubeflow/manifests/apps/profiles/upstream/overlays/deploy
Update the existing user namespaces with the new value for the kyverno label:
    root@rok-tools:~/ops/deployments# kubectl label --overwrite namespaces \
    >     -l app.kubernetes.io/part-of=kubeflow-profile kyverno=<KYVERNO>
Replace <KYVERNO> with either enabled or disabled.
Optional
If you want to explicitly enable or disable Kyverno security policies for a namespace, label the namespace manually:
    root@rok-tools:~/ops/deployments# kubectl label --overwrite \
    >     namespaces <NAMESPACE> kyverno=<KYVERNO>
Replace <NAMESPACE> with the desired namespace, for example, kubeflow-user, and <KYVERNO> with either enabled or disabled.
Verify
List all user namespaces that have Kyverno policies enabled:
    root@rok-tools:~/ops/deployments# kubectl get namespaces \
    >     -l app.kubernetes.io/part-of=kubeflow-profile,kyverno=enabled
    NAME                       STATUS   AGE
    kubeflow-kyverno-enabled   Active   1d
List all user namespaces that have Kyverno policies disabled:
    root@rok-tools:~/ops/deployments# kubectl get namespaces \
    >     -l app.kubernetes.io/part-of=kubeflow-profile,kyverno!=enabled
    NAME                        STATUS   AGE
    kubeflow-kyverno-disabled   Active   1d
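The kyverno!=enabled selector above also matches namespaces whose label is missing or mistyped, which the Important note says are left without policies. The script below is an added example, not part of the original guide: it separates those cases from an explicit kyverno=disabled. It assumes the listing is produced by kubectl get namespaces with -L kyverno --no-headers; the function names and the sample namespace names are constructed for illustration.

```shell
#!/bin/sh
# Classify user namespaces by their kyverno label.
# Input: lines as printed by
#   kubectl get namespaces -l app.kubernetes.io/part-of=kubeflow-profile \
#       -L kyverno --no-headers
# that is, NAME STATUS AGE [KYVERNO]; the last column is empty when the label is unset.
classify_kyverno_labels() {
    awk '
        NF < 3 { next }    # skip blank or malformed lines
        {
            value = (NF >= 4) ? $4 : ""
            if (value == "enabled")       state = "enforced"
            else if (value == "disabled") state = "disabled"
            else if (value == "")         state = "UNLABELED"
            else                          state = "UNEXPECTED(" value ")"
            print $1 "\t" state
        }'
}

# Print the namespaces where policies do not apply without an explicit opt-out:
# label missing, or a value other than enabled/disabled (label values are case-sensitive).
unintended_gaps() {
    classify_kyverno_labels |
        awk -F'\t' '$2 != "enforced" && $2 != "disabled" { print $1 }'
}

# Constructed sample input (namespace names are made up for illustration).
sample_listing() {
    cat <<'EOF'
kubeflow-alice   Active   12d   enabled
kubeflow-bob     Active   12d   disabled
kubeflow-carol   Active   3h
kubeflow-dave    Active   40d   Enabled
EOF
}

# Run with --sample to see the classification of the constructed listing.
# Against a live cluster, pipe the kubectl command above into unintended_gaps.
if [ "${1:-}" = "--sample" ]; then
    sample_listing | classify_kyverno_labels
fi
```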
Summary
You have successfully enabled or disabled Kyverno security policies in user namespaces.
What’s Next
Check out the rest of the operations guides related to Kyverno security.