# PostProcessor

The `inline.nyl.io/v1/PostProcessor` resource can be used to configure post-processing steps for all Kubernetes resources defined in the same manifest as the `PostProcessor`. This resource does not accept a `metadata` field.
## Prerequisites

- You need the `kyverno` CLI installed.
## API Spec

```yaml
apiVersion: inline.nyl.io/v1
kind: PostProcessor
spec:
  kyverno:
    # A list of files that each contain a Kyverno policy resource, usually a `ClusterPolicy`. The paths are first
    # considered relative to the manifest that this resource is defined in, and will then be searched in the project
    # search path.
    policyFiles:
      - path/to/policy.yaml
    # A mapping of policy names (what you would give as a filename) and a YAML document that represents the Kyverno
    # policy resource (usually a `ClusterPolicy`).
    inlinePolicies:
      my-policy:
        apiVersion: kyverno.io/v1
        kind: ClusterPolicy
        metadata:
          name: enforce-pod-security-context
        spec: {} # ...
```
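To make the lookup order described in the spec concrete, the following is an added example in Python; it is not Nyl's own code. It resolves `policyFiles` entries (manifest directory first, then the project search path), writes `inlinePolicies` out as files the `kyverno` CLI can load, and assembles a `kyverno apply` invocation. The function names, the temporary project layout and the exact command line are assumptions for illustration; only the lookup order itself comes from the spec above.

```python
import json
import tempfile
from pathlib import Path
from typing import Dict, List


class PolicyNotFound(FileNotFoundError):
    """A policyFiles entry resolved nowhere. Fail loudly: a silently skipped
    policy would leave the manifest un-hardened without any warning."""


def resolve_policy_files(policy_files: List[str], manifest: Path,
                         search_path: List[Path]) -> List[Path]:
    """Resolve spec.kyverno.policyFiles entries to absolute file paths.

    Lookup order as described in the API spec: the directory of the manifest
    that declares the PostProcessor first, then each project search path entry
    in order. The first existing file wins, so a copy next to the manifest
    shadows a same-named file further down the search path.
    """
    bases = [manifest.parent, *search_path]
    resolved: List[Path] = []
    for entry in policy_files:
        for base in bases:
            candidate = (base / entry).resolve()
            if candidate.is_file():
                resolved.append(candidate)
                break
        else:  # no base produced an existing file
            raise PolicyNotFound(
                f"{entry!r} not found relative to {manifest} or in "
                f"{[str(p) for p in search_path]}"
            )
    return resolved


def materialize_inline_policies(inline: Dict[str, dict], out_dir: Path) -> List[Path]:
    """Write spec.kyverno.inlinePolicies entries to <name>.yaml files that the
    kyverno CLI can load. JSON is valid YAML, so json.dumps is enough here and
    avoids a YAML dependency in this example."""
    out_dir.mkdir(parents=True, exist_ok=True)
    written: List[Path] = []
    for name, document in inline.items():
        # The key is "what you would give as a filename": refuse anything that
        # could escape out_dir via a path separator or a dot segment.
        if not name or "/" in name or "\\" in name or name in (".", ".."):
            raise ValueError(f"inline policy name {name!r} is not a plain file name")
        path = out_dir / f"{name}.yaml"
        path.write_text(json.dumps(document, indent=2) + "\n")
        written.append(path)
    return written


def kyverno_apply_argv(policies: List[Path], resources: Path) -> List[str]:
    """Assumed command line, modelled on the public kyverno CLI usage
    `kyverno apply <policy>... --resource <file>`. Nyl's real invocation is
    not documented on this page and may differ."""
    return ["kyverno", "apply", *(str(p) for p in policies), "--resource", str(resources)]


def demo() -> dict:
    """Constructed project layout in a temp dir (not a real Nyl project)."""
    root = Path(tempfile.mkdtemp(prefix="nyl-postprocessor-")).resolve()
    manifest = root / "apps" / "forgejo.yaml"
    manifest.parent.mkdir(parents=True)
    manifest.write_text("# constructed stand-in for forgejo.yaml\n")

    # The same relative path exists in two places; the manifest-relative copy
    # must be the one picked up.
    for base, marker in ((manifest.parent, "local"), (root / "shared", "shared")):
        (base / "policies").mkdir(parents=True, exist_ok=True)
        (base / "policies" / "security-profile.yaml").write_text(f"# {marker}\n")
    (root / "shared" / "baseline.yaml").write_text("# only on the search path\n")

    files = resolve_policy_files(
        ["./policies/security-profile.yaml", "baseline.yaml"],
        manifest, [root / "shared"],
    )
    inline = materialize_inline_policies(
        {"my-policy": {"apiVersion": "kyverno.io/v1", "kind": "ClusterPolicy",
                       "metadata": {"name": "enforce-pod-security-context"},
                       "spec": {}}},
        root / ".nyl" / "policies",
    )
    try:
        resolve_policy_files(["does-not-exist.yaml"], manifest, [root / "shared"])
        missing_raises = False
    except PolicyNotFound:
        missing_raises = True

    return {
        "resolved": [p.relative_to(root).as_posix() for p in files],
        "winner": files[0].read_text().strip(),
        "inline": [p.relative_to(root).as_posix() for p in inline],
        "argv": kyverno_apply_argv(files + inline, manifest),
        "missing_raises": missing_raises,
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The point to take from the shadowing behaviour: a file placed next to the manifest silently wins over a same-named file on the project search path, so review both locations when a policy does not seem to take effect. A missing entry is treated as an error rather than skipped, because a typo in `policyFiles` would otherwise disable a hardening policy without any visible failure.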
## Example

If you're deploying to hardened RKE2, your pods must have a specific `securityContext` configuration in order to be allowed by the PodSecurityPolicy. The Helm charts of the applications you deploy may have options to inject the required settings, but if they do not, you're usually out of luck unless you fork the Helm chart, or materialize the resources and edit them in your project.

With the Nyl `PostProcessor`, you can apply Kyverno policies to validate or mutate the resources in a manifest.
```yaml
# forgejo.yaml
---
apiVersion: inline.nyl.io/v1
kind: PostProcessor
spec:
  kyverno:
    policyFiles:
      - ./policies/security-profile.yaml
---
apiVersion: v1
kind: Namespace
metadata:
  name: forgejo
---
apiVersion: inline.nyl.io/v1
kind: HelmChart
metadata:
  name: forgejo
  namespace: forgejo
spec:
  chart:
    repository: oci://code.forgejo.org/forgejo-helm # https://artifacthub.io/packages/helm/forgejo-helm/forgejo
    name: forgejo
    version: "10.0.1"
  values: {}
```
```yaml
# policies/security-profile.yaml
apiVersion: kyverno.io/v1
kind: ClusterPolicy
metadata:
  name: enforce-security-context
spec:
  validationFailureAction: enforce
  rules:
    - name: mutate-pod-security-context
      match:
        resources:
          kinds:
            - Pod
      mutate:
        # The YAML anchor lets the Deployment rule below reuse this patch
        # for the pod template without repeating it.
        patchStrategicMerge: &podSpec
          spec:
            securityContext:
              runAsNonRoot: true
              seccompProfile:
                type: RuntimeDefault
            containers: &containers
              - (name): "*"
                securityContext:
                  runAsNonRoot: true
                  allowPrivilegeEscalation: false
                  capabilities:
                    drop:
                      - "ALL"
            initContainers: *containers
    - name: mutate-deployment-security-context
      match:
        resources:
          kinds:
            - Deployment
      mutate:
        patchStrategicMerge:
          spec:
            template: *podSpec
```
Running `nyl template forgejo.yaml` will use the `kyverno` CLI to apply the policy to the manifests generated by the Helm chart. Note that the post-processing happens at the very end, after all other Kubernetes manifests have been generated.

The example policy only matches `Pod` and `Deployment` resources. If the chart also renders other controllers that embed a pod template (`StatefulSet`, `DaemonSet`, `Job`, `CronJob`), add rules for those kinds as well, and check the rendered output to confirm that every pod template carries the expected `securityContext`.