Kyverno Policies (Beta)
Enterprise Edition
KKP 2.28 introduces a new feature to integrate Kyverno. Kyverno is a cloud-native policy engine originally built for Kubernetes.
Overview
The Kyverno Policies feature enables enforcement of custom policies on user clusters. Both admins and project owners can create reusable policy templates to define security, compliance, and configuration rules.
Once templates are created, they can be applied to user clusters by creating policy bindings. These bindings link the templates to user clusters and ensure that the defined policies are enforced.
This feature provides a flexible and scalable way to manage cluster-level security and governance using Kyverno.
Enabling Kyverno
You need to enable Kyverno Policy Management when creating the cluster. You can do this in the cluster creation step, under the Specification section.

You can also enable or disable it after creation from the Edit Cluster dialog.

Policy Templates Admin View
Admins can manage global policy templates directly from the Kyverno Policies page in the Admin Panel.

From this page, Admins can create new policy templates.

From the same dialog, you can select specific clusters or projects using label selectors.

The PolicySpec contains the policy specification of the Kyverno policy we want to apply to the cluster. The structure of this spec should follow the rules defined in the Kyverno Writing Policies Docs.
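As an illustration of what such a spec can look like, the following is an added example (not taken from the KKP documentation) of a Kyverno validation policy body that rejects privileged containers. It assumes the PolicySpec field accepts the `spec` body of a Kyverno policy unchanged; the rule name and message are constructed.

```yaml
# Added example: contents for the PolicySpec field (assumed to take the body of
# a Kyverno policy `spec` as-is). Rule name and message text are constructed.
validationFailureAction: Enforce   # Audit only reports violations; Enforce rejects the request
background: true                   # also evaluate Pods that already exist in the cluster
rules:
  - name: disallow-privileged-containers
    match:
      any:
        - resources:
            kinds:
              - Pod
    validate:
      message: "Privileged containers are not allowed."
      pattern:
        spec:
          # =(key) is a conditional anchor: the value is checked only if the
          # field is present, so Pods without a securityContext still pass.
          =(initContainers):
            - =(securityContext):
                =(privileged): "false"
          =(ephemeralContainers):
            - =(securityContext):
                =(privileged): "false"
          containers:
            - =(securityContext):
                =(privileged): "false"
```

Starting with `validationFailureAction: Audit` and reviewing the resulting policy reports before switching to `Enforce` avoids blocking existing workloads when the binding is first created. Newer Kyverno releases also accept this setting per rule as `failureAction` under `validate`.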
Policy Templates Project View
Project owners can also manage policies in their own projects from the Kyverno Policies page within their project.

From this page, project owners can manage policy templates within their scope the same way admins do, but limited to their own project. They can also view any available global scope templates and make copies of them.
Policy Binding
Admins and project owners can add and delete policies on user clusters from the user cluster detail page.

This page displays a list of all applied policies. You can also create a policy binding from a template.

You can choose a template from the list of all available templates. Note that templates already applied will not be available.