
Kubernetes via the Operator with kyverno


We want to instrument Kubernetes via the Operator, but are having some issues. 

We are using Kyverno as a central policy validation engine (OWASP10 Standards) as well as mutating some fields within our deployments. As mutating webhooks are processed in lexical order and Kyverno currently does not allow the naming of the generated webhooks to be configured, onboarding additional operators with mutating webhooks is currently seen as risky.

The primary blocker for this would be the cosign validation in kyverno, which creates a signed hashsum for the manifest that is created for the pod to be deployed if the image has a valid signature. Any alteration of the pod spec would result in a wrong hashsum and therefore be treated as an invalid signature.

We would love to use the Operator. Does anyone know how this can be accomplished, or has anyone dealt with Kyverno before?
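The ordering risk the post describes can be reasoned about before touching a cluster. The following added example (not part of the original post, and not Kyverno's or any operator's code) simulates how the API server chains mutating admission webhooks: configurations are taken in lexical order of their names, webhooks run in the order listed within each configuration, and a webhook whose `reinvocationPolicy` is `IfNeeded` is called a second time when a later webhook changed the object. All configuration and webhook names are constructed placeholders; the `mutates` flag and the simplified "re-invoke at most once" model are assumptions made for the simulation, so verify the real chain against `kubectl get mutatingwebhookconfigurations` in your own cluster.

```python
"""Simulate mutating admission webhook ordering in the Kubernetes API server.

Added example, not code from the original post or from Kyverno.
Model (assumed from the Kubernetes admission documentation):
  * MutatingWebhookConfiguration objects are sorted by name;
  * within one configuration, webhooks run in the listed order;
  * a webhook with reinvocationPolicy "IfNeeded" is re-invoked once if any
    webhook invoked after it in the first pass mutated the object.
All names below are constructed placeholders.
"""
from dataclasses import dataclass, field


@dataclass
class Webhook:
    name: str
    mutates: bool                       # assumption: does this hook patch the pod?
    reinvocation_policy: str = "Never"  # "Never" or "IfNeeded"


@dataclass
class WebhookConfiguration:
    name: str
    webhooks: list = field(default_factory=list)


def invocation_order(configs):
    """Flatten configurations into the first-pass call sequence."""
    ordered = sorted(configs, key=lambda c: c.name)
    return [hook for cfg in ordered for hook in cfg.webhooks]


def simulate(configs):
    """Return webhook names in the order they are invoked, including the
    single re-invocation pass granted by reinvocationPolicy: IfNeeded."""
    chain = invocation_order(configs)
    calls = [hook.name for hook in chain]          # first pass, every hook runs
    for i, hook in enumerate(chain):               # re-invocation pass
        if hook.reinvocation_policy != "IfNeeded":
            continue
        if any(later.mutates for later in chain[i + 1:]):
            calls.append(hook.name)                # sees the object once more
    return calls


def mutators_after(configs, hook_name):
    """Mutating hooks that run after `hook_name` in the first pass.

    These are the hooks whose patches a verification webhook with
    reinvocationPolicy "Never" would never get to see.
    """
    chain = invocation_order(configs)
    names = [hook.name for hook in chain]
    idx = names.index(hook_name)
    return [hook.name for hook in chain[idx + 1:] if hook.mutates]


# Constructed sample: a sidecar injector, an image-verification webhook and a
# vendor operator whose configuration name happens to sort last.
SAMPLE_CONFIGS = [
    WebhookConfiguration("zz-vendor-operator-mutating-cfg",
                         [Webhook("inject-agent.vendor.example", mutates=True)]),
    WebhookConfiguration("mm-image-verify-mutating-cfg",
                         [Webhook("verify-images.policy.example", mutates=True,
                                  reinvocation_policy="IfNeeded")]),
    WebhookConfiguration("aa-sidecar-injector-cfg",
                         [Webhook("inject-sidecar.mesh.example", mutates=True)]),
]


if __name__ == "__main__":
    for name in simulate(SAMPLE_CONFIGS):
        print(name)
    print("mutators after image verification:",
          mutators_after(SAMPLE_CONFIGS, "verify-images.policy.example"))
```

Running the simulation shows the vendor hook patching the pod after the verification hook, and that only the `IfNeeded` policy gives the verification hook a second look at the mutated object. The same two functions can be fed the names and `reinvocationPolicy` values read from a real cluster to predict where a newly onboarded operator would land in the chain.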

