Enable or Disable Kyverno In User Namespaces

At the namespace level, Kyverno is managed via the kyverno label. By default, all user namespaces will have Kyverno security policies enabled, that is, have the kyverno=enabled label. The cluster admin may change the profiles configuration and enable or disable Kyverno security policies in all user namespaces. The admin may also label only specific namespaces manually and set either kyverno=enabled or kyverno=disabled for them. The profiles controller will not change this label if it already exists.

This guide will walk you through enabling or disabling Kyverno at the namespace level.

Important

Kyverno policies will only apply to namespaces that have the kyverno=enabled label. If the label is missing or has any other value, for example kyverno=disabled, Kyverno policies will not apply at all in the corresponding namespaces.

What You’ll Need

Procedure

  1. Go to your GitOps repository, inside your rok-tools management environment:

    root@rok-tools:~# cd ~/ops/deployments

  2. Edit kubeflow/manifests/apps/profiles/upstream/overlays/deploy/namespace-labels.yaml and set the desired value for the kyverno label:

    katib-metricscollector-injection: 'enabled'
    serving.kubeflow.org/inferenceservice: 'enabled'
    pipelines.kubeflow.org/enabled: 'true'
    app.kubernetes.io/part-of: 'kubeflow-profile'
    kyverno: '<KYVERNO>'

    Replace <KYVERNO> with either enabled or disabled.

  3. Commit your changes:

    root@rok-tools:~/ops/deployments# git commit \
    >     -am "Update kyverno label across user namespaces"

  4. Apply the kustomization:

    root@rok-tools:~/ops/deployments# rok-deploy --apply \
    >     kubeflow/manifests/apps/profiles/upstream/overlays/deploy

  5. Update the existing user namespaces with the new value for the kyverno label:

    root@rok-tools:~/ops/deployments# kubectl label --overwrite namespaces \
    >     -l app.kubernetes.io/part-of=kubeflow-profile kyverno=<KYVERNO>

    Replace <KYVERNO> with either enabled or disabled.

  6. Optional

    If you want to explicitly enable or disable Kyverno security policies for a namespace, label the namespace manually:

    root@rok-tools:~/ops/deployments# kubectl label --overwrite \
    >     namespaces <NAMESPACE> kyverno=<KYVERNO>

    Replace <NAMESPACE> with the desired namespace, for example, kubeflow-user, and <KYVERNO> with either enabled or disabled.

Verify

  1. List all user namespaces that have Kyverno policies enabled:

    root@rok-tools:~/ops/deployments# kubectl get namespaces \
    >     -l app.kubernetes.io/part-of=kubeflow-profile,kyverno=enabled
    NAME                       STATUS   AGE
    kubeflow-kyverno-enabled   Active   1d

  2. List all user namespaces that have Kyverno policies disabled:

    root@rok-tools:~/ops/deployments# kubectl get namespaces \
    >     -l app.kubernetes.io/part-of=kubeflow-profile,kyverno!=enabled
    NAME                        STATUS   AGE
    kubeflow-kyverno-disabled   Active   1d
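Because policies apply only when the label is exactly kyverno=enabled, a missing or mistyped label leaves a namespace without policies. As an added example (not part of the original guide), this script classifies the rows of the Verify query extended with kubectl's -L kyverno label column and reports why each namespace is or is not covered; the function names and the sample rows are constructed for illustration.

```shell
#!/bin/sh
# Added example: audit the kyverno label on user namespaces.
# Expected input (stdin), one namespace per row, as printed by:
#   kubectl get namespaces -l app.kubernetes.io/part-of=kubeflow-profile \
#       -L kyverno --no-headers
# Columns: NAME STATUS AGE [KYVERNO]. The 4th column is empty when the
# label is absent, so such rows have only three fields.

# Print "<namespace>\t<state>\t<reason>" for every row.
# Only the exact value "enabled" counts as protected (label values are
# matched exactly and are case-sensitive).
classify_kyverno_labels() {
    awk '
        NF == 0          { next }
        NF < 4           { print $1 "\tUNPROTECTED\tlabel missing"; next }
        $4 == "enabled"  { print $1 "\tprotected\tkyverno=enabled"; next }
        $4 == "disabled" { print $1 "\tUNPROTECTED\tkyverno=disabled"; next }
                         { print $1 "\tUNPROTECTED\tunexpected value kyverno=" $4 }
    '
}

# Print only the names of namespaces where Kyverno policies do not apply.
unprotected_namespaces() {
    classify_kyverno_labels | awk -F '\t' '$2 == "UNPROTECTED" { print $1 }'
}

# Constructed sample rows (not real cluster output): one correct label,
# one explicit opt-out, one mis-capitalised value, one missing label.
sample_rows() {
    cat <<'EOF'
kubeflow-user      Active   12d   enabled
kubeflow-team-a    Active   9d    disabled
kubeflow-team-b    Active   3d    Enabled
kubeflow-team-c    Active   1d
EOF
}

# Demo on the constructed sample; against a cluster, pipe the kubectl
# command from the header comment into classify_kyverno_labels instead.
sample_rows | classify_kyverno_labels
```

The kyverno!=enabled selector in the Verify step returns the same set of namespaces; the script adds the reason, which separates a deliberate kyverno=disabled from a typo or a label that was never set.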

Summary

You have successfully enabled or disabled Kyverno security policies in user namespaces.

What’s Next

Check out the rest of the operations guides related to Kyverno security.