Leveling Up Policy Enforcement in Kubernetes: A Look at Kyverno 1.14 and CEL

Recently, Cloud Native Live featured a session diving into the powerful integration of Common Expression Language (CEL) in Kyverno 1. 14. Hosted by Eric Durmishi and presented by Kyverno maintainers Mariam Fahmy and Charles Edward, the session introduced exciting new capabilities that enhance Kyverno’s flexibility and consistency as a policy engine for Kubernetes. At its core, Kyverno is a policy engine for Kubernetes. It enables you to define policies for validating, mutating, generating, or verifying images for resources within your cluster. When an API request, like creating a Pod, is sent to the Kubernetes API server, it passes through several stages, including authentication and authorization. Kyverno integrates as an admission webhook. The API request is forwarded to the Kyverno server, which fetches relevant policies, applies them to the resource, and then either accepts or rejects the request based on whether the resource violates the policy. Kyverno also includes components such as the Reports Controller, which generates policy reports to visualize policy results, and a Cleanup Controller, which manages unused resources based on cleanup policies. Traditionally, Kyverno used a single policy type with different rule types nested within it, such as validate, mutate, generate, and verifyImages. Policies could define rules to match or exclude specific resources. For validation, you could use patterns, deny rules, Pod Security subrules, or assertion trees.