How to Secure Kubernetes Clusters with Kyverno Policies

TL;DR: Securing your Clusters is very important. Kyverno policies can help in securing it. Kyverno can be integrated with Devtron to make your infrastructure secure.

Table of contents
Key Takeaways

1. Kyverno policies provide a declarative way to secure Kubernetes clusters by enforcing rules for configuration, access, and resource management.

2. These policies help ensure compliance, enforce pod security standards, restrict namespace deletions, and more.

3. The traditional CLI approach to applying Kyverno policies works but is error-prone and lacks visibility.

4. Devtron offers a user-friendly GUI to apply and manage Kyverno policies, improving observability and ease of use.

Securing Kubernetes is a top priority for DevOps and platform engineering teams. Whether you’re adopting Kubernetes for the first time or scaling your production clusters, implementing Kyverno policies helps automate the enforcement of security best practices and reduce vulnerabilities.

In this blog, we’ll explore how to apply Kyverno policies: both via CLI and using the Devtron platform.

What are Kyverno Policies?

Kyverno is a policy engine designed specifically for Kubernetes. It allows you to define security, compliance, and operational policies in YAML and apply them directly to your Kubernetes clusters.

A Kyverno policy is a set of rules that validate, mutate, or generate resources. These policies enable you to:

  • Restrict updates or deletions of critical resources
  • Enforce naming conventions
  • Set pod security controls
  • Validate image registries
  • Auto-label namespaces or workloads

Kyverno Policy Features

  • Declarative management using YAML files
  • Context-aware enforcement based on Kubernetes object state
  • Dynamic policy updates as resources change
  • Policy testing before enforcing rules
  • CI/CD integration to shift security left
  • Multi-cluster support
  • Open-source and CNCF-hosted

These features make Kyverno policies highly adaptable to dynamic Kubernetes environments.

Why You Need Kyverno Policies

Enforcing security manually at scale in Kubernetes is risky. Here’s where Kyverno policies come into play:

  • Resource validation: Automatically validate manifests to prevent misconfigurations.
  • Access control: Restrict who can edit or delete specific resources.
  • Pod security enforcement: Ensure containers don’t run as root or use disallowed capabilities.
  • Namespace protection: Prevent accidental deletion of critical namespaces like kube-system.
  • Regulatory compliance: Enforce the presence of specific labels or annotations.

Why Prevent Namespace Deletion Using Kyverno

Certain namespaces in Kubernetes are foundational:

  • default: For user workloads
  • kube-system: Houses core services like kube-dns, kube-proxy
  • kube-public: Readable by unauthenticated users
  • kube-node-lease: Maintains node health via heartbeats

Deleting any of these can lead to:

  • Loss of critical workloads
  • Security gaps
  • Compliance issues
  • Billing inaccuracies in multi-team setups

Kyverno can block deletions with a simple policy.

Traditional Command-line Approach to Applying Kyverno Policies

Step 1: Install Kyverno CRDs

kubectl create -f <https://github.com/kyverno/kyverno/releases/download/v1.8.5/install.yaml>

Step 2: Create a YAML file named prevent-deletion.yaml

apiVersion: kyverno.io/v1
kind: ClusterPolicy
metadata:
  name: block-updates-deletes
  annotations:
    policies.kyverno.io/title: Block Updates and Deletes
    policies.kyverno.io/category: Sample
    policies.kyverno.io/subject: RBAC
    policies.kyverno.io/description: >-
      Kubernetes RBAC allows for controls on kinds of resources or those
      with specific names. But it does not have the type of granularity       often required in more complex environments. This policy restricts       updates and deletes to any Service resource that contains the           label `protected=true` unless by a cluster-admin.
spec:
  validationFailureAction: enforce
  background: false
  rules:
  - name: block-updates-deletes
    match:
      any:
      - resources:
          kinds:
          - Namespace
    validate:
      message: "This resource is protected and changes are not allowed.       Please seek a cluster-admin."
      deny:
        conditions:
          any:
            - key: "{{request.operation || 'BACKGROUND'}}"
              operator: AnyIn
              value:
              - DELETE
              - UPDATE

Step 3: Apply the above-created manifest

kubectl apply -f prevent-deletion.yaml

Step 4: Create a namespace named `demo` to test the policy

kubectl create ns demo
kubectl delete ns demo

CLI Limitations

  • Prone to typos and errors
  • Low observability of applied policies
  • Repetitive troubleshooting
  • Hard to scale across teams and clusters

Adding Kyverno policies through Devtron

Devtron provides a web-based GUI interface to easily view, edit, and debug your policies across clusters and resources. Resource browser in Devtron allows you to view configurations side by side for comparison, and managing multiple security policies is a breeze. Let us see how you can set up policies using the Devtron Platform.

If you haven’t installed Devtron yet, feel free to install it from the documentation.

Step 1: Install CRDs

You can install CRDs via Helm or kubectl directly from Devtron's built-in terminal.

Navigate to:
Clusters → Select Cluster → Terminal

Paste your CRD install command:

kubectl create -f https://github.com/kyverno/kyverno/releases/download/v1.8.5/install.yaml
command to apply crds of Kyverno
command to apply crds of Kyverno 

Step 2: Use Resource Browser

Go to Resource Browser → Create Resource, and paste your Kyverno policy YAML. Click Apply.

This visual approach provides:

  • Easier debugging
  • Side-by-side config comparison
  • Faster multi-cluster policy deployment
Section to create resources
Section to create resources 

Paste your Kyverno policy and click on Apply.

Paste your code and apply it
Paste your code and apply it

Once the manifest has been deployed, you can view your policy in the Custom Resource section, as shown below.

view of resources
view of resources

Step 3: Validate Your Policy

Use the in-browser terminal to run:

kubectl get ns
kubectl delete ns <namespace-name>
Output of Kyverno Policy
The output of Kyverno Policy

The policy should block deletion attempts if correctly configured.

Hurray!! We have successfully implemented the Kyverno policies to restrict the deletion of namespaces using Devtron.

Benefits of Using Devtron for Kyverno Policy Management

  • GUI for easy management and observability
  • Resource-level diffs and audit trails
  • No manual kubectl errors
  • Devtron CLI support for advanced automation
💡
Coming soon: Devtron Agentic AI, enabling automated, intelligent policy suggestions and self-healing configurations.

👉 Schedule a demo to see how Devtron simplifies Kubernetes policy management.

Conclusion

In a world where Kubernetes misconfigurations are one of the leading causes of downtime and security breaches, Kyverno policies are essential for preventive security.

  • Secure your clusters
  • Prevent unauthorized changes
  • Enforce governance at scale

If you already use Devtron, make sure to integrate Kyverno today. And get ready for Devtron’s agentic AI, which will redefine how platform teams manage policy automation in Kubernetes.

FAQ

What are Kyverno Policies in Kubernetes?

Kyverno Policies are a set of declarative rules used to validate, mutate, or generate Kubernetes resources. They help enforce best practices, security controls, and compliance in Kubernetes environments.

Why should I use Kyverno instead of OPA Gatekeeper?

Kyverno is Kubernetes-native and uses familiar YAML syntax, making it easier for cluster administrators and developers. It integrates seamlessly into CI/CD workflows and requires less learning curve compared to Rego-based OPA policies.

Can Kyverno block namespace deletion in Kubernetes?

Yes, Kyverno can block the deletion of specific namespaces like kube-system, default, or any custom namespace by applying a validation rule using a ClusterPolicy.

How do I apply Kyverno policies using Devtron?

Devtron allows you to apply Kyverno policies through its GUI-based Resource Browser. You can paste your policy YAML, apply it, and monitor its enforcement visually, no CLI required.

Is Kyverno suitable for multi-cluster environments?

Yes, Kyverno supports multi-cluster policy management, allowing you to apply and enforce consistent policies across all your Kubernetes environments.

Related articles

Related articles