Data Flow: Policy Enforcement
Purpose: For platform engineers, explains how policy enforcement works at resource admission time.
Flow Summary
Components
| Component | Namespace | Role |
|---|---|---|
| Kyverno Engine | kyverno | Evaluates policies against incoming resources |
| Admission Webhook | kyverno | Intercepts API server admission requests |
| ClusterPolicies | cluster-scoped | Define validation, mutation, and generation rules |
Sequence
- User or controller submits a resource to the Kubernetes API server.
- API server sends an admission review request to the Kyverno webhook.
- Kyverno matches the resource against applicable ClusterPolicy rules (by kind, namespace, labels).
- Validate rules: check constraints (e.g., disallow-privileged, require-run-as-nonroot). Violations reject the request with an error message.
- Mutate rules: patch the resource (e.g., inject default security context, add labels).
- Generate rules: create companion resources (e.g., NetworkPolicy for new namespaces).
- Kyverno returns the admission response (allow + patches, or deny + message).
- Policy Reports are created for audit-mode policies (warn without blocking).
Baseline Policies (17)
Key policies enforced by default:
- disallow-privileged — blocks privileged containers
- require-run-as-nonroot — enforces non-root UID
- restrict-volume-types — limits to safe volume types
- restrict-seccomp — requires RuntimeDefault or Localhost seccomp profile
- disallow-host-namespaces — prevents hostPID/hostIPC/hostNetwork
- restrict-capabilities — drops all, allows only a minimal set
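As an added example (not one of this cluster's own policy manifests), a ClusterPolicy for the disallow-privileged validate rule listed above in Enforce mode, followed by a mutate policy of the kind the Sequence step describes; the mutate policy's name and the defaults it injects are assumptions.

```yaml
apiVersion: kyverno.io/v1
kind: ClusterPolicy
metadata:
  name: disallow-privileged
spec:
  validationFailureAction: Enforce   # Audit would only record the violation in a PolicyReport
  rules:
    - name: privileged-containers
      match:
        any:
          - resources:
              kinds:
                - Pod
      validate:
        message: "Privileged mode is disallowed: securityContext.privileged must be unset or false."
        pattern:
          spec:
            # =(field) is a conditional anchor: the check applies only if the field is present
            =(initContainers):
              - =(securityContext):
                  =(privileged): "false"
            containers:
              - =(securityContext):
                  =(privileged): "false"
---
# Mutate policy injecting a default security context (policy name is an assumption)
apiVersion: kyverno.io/v1
kind: ClusterPolicy
metadata:
  name: add-default-securitycontext
spec:
  rules:
    - name: set-nonroot-defaults
      match:
        any:
          - resources:
              kinds:
                - Pod
      mutate:
        patchStrategicMerge:
          spec:
            containers:
              - (name): "*"          # anchor: apply the patch to every container entry
                securityContext:
                  +(runAsNonRoot): true             # +(field) adds the field only if absent
                  +(allowPrivilegeEscalation): false
```

Because mutation runs before validation in the admission flow, a Pod that omits its securityContext gets the non-root defaults first and then passes require-run-as-nonroot; a Pod that explicitly sets privileged: true is still denied with the message above.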
Related
- Logical Diagram — full cluster architecture