Using Kyverno policies with ArgoCD
TechOps Examples
Hey — It's Govardhana MK 👋
Along with a use case deep dive, we identify the remote job opportunities, top news, tools, and articles in the TechOps industry.
Before we begin... a big thank you to today's sponsor.
VMs. Kubernetes. PaaS. You can DO anything.
Try DIGITAL OCEAN — Free $200 credit.
Simple, scalable, affordable cloud computing - Always know what you'll pay with monthly caps and flat pricing.
IN TODAY'S EDITION
🧠 Use Case
Using Kyverno policies with ArgoCD
🚀 Top News
👀 Remote Jobs
Canonical is hiring a Cloud Solutions Architect
Remote Location: Worldwide
KloudMate is hiring a DevOps and Cloud Engineer
Remote Location: India
📚️ Resources
📢 Reddit Threads
Unlock Windsurf Editor, by Codeium.
Introducing the Windsurf Editor, the first agentic IDE. All the features you know and love from Codeium’s extensions plus new capabilities such as Cascade that act as collaborative AI agents, combining the best of copilot and agent systems. This flow state of working with AI creates a step-change in AI capability that results in truly magical moments.
🛠️ TOOL OF THE DAY
soci-snapshotter - A containerd snapshotter plugin which enables standard OCI images to be lazily loaded without requiring a build-time conversion step.
🧠 USE CASE
Using Kyverno policies with ArgoCD
In an ideal world of Kubernetes, we all wish for guardrails which:
✔️ add-network-policy
✔️ add-networkpolicy-dns
✔️ add-ns-quota
✔️ add-rolebinding
✔️ add-safe-to-evict
❌ disallow-cri-sock-mount
❌ disallow-default-namespace
❌ disallow-empty-ingress-host
❌ disallow-helm-tiller
❌ disallow-latest-tag
and so on…
As Kubernetes deployments grow more complex, keeping things governed and compliant starts to feel like a real challenge.
Kyverno, a Kubernetes-native policy engine, complements ArgoCD, the popular GitOps tool, to enforce policies across your deployment pipelines.
Rather than talking at 10,000 feet, let’s pick a real-world use case of ‘disallowing the latest tag in container images.’
Setting up Kyverno is already well-documented—refer to this guide to know more.
Stage 1: Organize Files and Folders for Policy-as-Code
Organizing files and folders is critical to managing policies effectively in a GitOps workflow.
Use the following structure:
manifests/: Contains application resources like Deployments, Services, and ConfigMaps managed by ArgoCD.
policies/: Contains Kyverno policies for version-controlled governance, applied during resource creation or updates.
Stage 2: Create a Kyverno Policy to Disallow the Latest Tag
Save the following policy as disallow-latest-tag.yaml:
Apply the policy:
kubectl apply -f disallow-latest-tag.yaml
Stage 3: Configure ArgoCD for Policy Management
To integrate Kyverno policies into your GitOps workflow, create an ArgoCD application for policies:
This ensures policies are deployed automatically and stay in sync with the repository.
Stage 4: Test the Integration
Deploy a non-compliant application (e.g., using nginx:latest) and observe the policy violation. Sample error message:
Error: Using a mutable image tag e.g. 'latest' is not allowed.
Fix the deployment to use a specific tag (e.g., nginx:1.21.0) and verify successful deployment.
You can replicate the same for other policies.
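The two manifests the stages above refer to, written out here as an added example rather than taken from the newsletter: a Kyverno ClusterPolicy that rejects untagged and `latest`-tagged images (modelled on the policy of the same name in the Kyverno policy library, with `validationFailureAction: Enforce` so violations are blocked at admission rather than only reported), followed by an ArgoCD Application that keeps the `policies/` folder in sync. The repository URL, branch, ArgoCD namespace and project name are placeholders; the `Enforce`/`Audit` capitalisation assumes Kyverno 1.9 or later (older releases use lowercase). In a real repo the two documents would live in separate files (`policies/disallow-latest-tag.yaml` and the Application alongside your other ArgoCD apps); they are joined with `---` here only for readability.

```yaml
# policies/disallow-latest-tag.yaml (added example, not the newsletter's own file)
apiVersion: kyverno.io/v1
kind: ClusterPolicy
metadata:
  name: disallow-latest-tag
  annotations:
    policies.kyverno.io/title: Disallow Latest Tag
    policies.kyverno.io/category: Best Practices
spec:
  # Enforce = reject the resource at admission; Audit would only create a PolicyReport.
  validationFailureAction: Enforce
  # Also scan resources that already exist, so drift shows up in reports.
  background: true
  rules:
    # Rule 1: every container image must carry an explicit tag.
    - name: require-image-tag
      match:
        any:
          - resources:
              kinds:
                - Pod
      validate:
        message: "An image tag is required."
        pattern:
          spec:
            containers:
              - image: "*:*"
    # Rule 2: the tag must not be the mutable 'latest'.
    # Kyverno auto-generates matching rules for Deployments, StatefulSets, etc.,
    # so a Deployment using nginx:latest is rejected before any Pod is created.
    - name: validate-image-tag
      match:
        any:
          - resources:
              kinds:
                - Pod
      validate:
        message: "Using a mutable image tag e.g. 'latest' is not allowed."
        pattern:
          spec:
            containers:
              - image: "!*:latest"
            # =() is Kyverno's equality anchor: only checked when initContainers is present.
            =(initContainers):
              - image: "!*:latest"
---
# ArgoCD Application that continuously syncs the policies/ folder (added example)
apiVersion: argoproj.io/v1alpha1
kind: Application
metadata:
  name: kyverno-policies
  namespace: argocd                       # assumption: ArgoCD installed in 'argocd'
spec:
  project: default                        # assumption: default ArgoCD project
  source:
    repoURL: https://github.com/example-org/gitops-repo.git   # placeholder repository
    targetRevision: main                  # placeholder branch
    path: policies
  destination:
    server: https://kubernetes.default.svc
    namespace: kyverno                    # ClusterPolicy is cluster-scoped; namespace is only a default
  syncPolicy:
    automated:
      prune: true      # remove policies deleted from Git
      selfHeal: true   # revert manual kubectl edits to the policy back to the Git state
```

With `selfHeal` enabled, a policy that someone weakens by hand (for example switching `Enforce` back to `Audit` with `kubectl edit`) is reverted on the next reconcile, which is the property that makes the Git history the audit trail for your guardrails. To test Stage 4, apply a Deployment whose container image is `nginx:latest`; the admission response should contain the second rule's message, and changing the image to `nginx:1.21.0` should let it through.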