<?xml version="1.0" encoding="utf-8" standalone="yes"?><rss version="2.0" xmlns:atom="http://www.w3.org/2005/Atom" xmlns:content="http://purl.org/rss/1.0/modules/content/"><channel><title>Kyverno on Tarragon</title><link>https://tarrragon.github.io/blog/tags/kyverno/</link><description>Recent content in Kyverno on Tarragon</description><generator>Hugo -- gohugo.io</generator><language>zh-TW</language><copyright>Tarragon (CC BY 4.0)</copyright><lastBuildDate>Mon, 18 May 2026 00:00:00 +0000</lastBuildDate><atom:link href="https://tarrragon.github.io/blog/tags/kyverno/index.xml" rel="self" type="application/rss+xml"/><item><title>Kyverno</title><link>https://tarrragon.github.io/blog/backend/07-security-data-protection/vendors/kyverno/</link><pubDate>Mon, 18 May 2026 00:00:00 +0000</pubDate><guid>https://tarrragon.github.io/blog/backend/07-security-data-protection/vendors/kyverno/</guid><description>&lt;p>Kyverno 是 K8s-native 的 policy engine、CNCF Incubating（2024 升級）、設計 mindset 把 &lt;em>policy 寫成 YAML&lt;/em> 而不是引入新語言（vs &lt;a href="https://tarrragon.github.io/blog/backend/07-security-data-protection/vendors/opa/" data-link-title="Open Policy Agent (OPA)" data-link-desc="CNCF general-purpose policy engine、Rego Datalog-like 語言、decoupled decision &amp;#43; enforcement、跨 K8s / API / Terraform / SQL 統一 policy">OPA&lt;/a> 的 Rego、&lt;a href="https://tarrragon.github.io/blog/backend/07-security-data-protection/vendors/gatekeeper/" data-link-title="OPA Gatekeeper" data-link-desc="OPA 官方 K8s admission controller、ConstraintTemplate &amp;#43; Constraint 兩層、Rego policy &amp;#43; Audit &amp;#43; Mutation">Gatekeeper&lt;/a> 也用 Rego）。它的核心不是「更輕量的 OPA」、而是 &lt;em>K8s 專用 policy engine&lt;/em> — 把 Validate / Mutate / Generate / Verify Images / Cleanup 五類動作做成 first-class rule type、跟 K8s admission webhook + GitOps + cosign / Sigstore ecosystem 深度整合。&lt;/p>
&lt;h2 id="服務定位">服務定位&lt;/h2>
&lt;p>Kyverno 的定位是 &lt;em>K8s admission controller-shaped policy engine、policy 用 YAML 表達&lt;/em>。底層是 dynamic admission webhook + background controller、頂層 CRD 包含 &lt;em>ClusterPolicy&lt;/em>（cluster 範圍）/ &lt;em>Policy&lt;/em>（namespace 範圍）/ &lt;em>PolicyException&lt;/em>（明確例外）/ &lt;em>ClusterCleanupPolicy&lt;/em>（過期 resource 清理）/ &lt;em>PolicyReport&lt;/em>（CIS / NIST 等審計輸出）。Nirmata 是 Kyverno 商業版、補 policy library / multi-cluster management / audit dashboard / 24x7 support。&lt;/p>
&lt;p>跟 &lt;a href="https://tarrragon.github.io/blog/backend/07-security-data-protection/vendors/opa/" data-link-title="Open Policy Agent (OPA)" data-link-desc="CNCF general-purpose policy engine、Rego Datalog-like 語言、decoupled decision &amp;#43; enforcement、跨 K8s / API / Terraform / SQL 統一 policy">OPA&lt;/a> 比、Kyverno 走 &lt;em>narrow + opinionated&lt;/em> — OPA 是 general-purpose policy engine（K8s / API gateway / Terraform / 自家服務都能用、語言是 Rego）、Kyverno &lt;em>K8s-only + YAML&lt;/em>、學習成本對 K8s admin 接近零。跟 &lt;a href="https://tarrragon.github.io/blog/backend/07-security-data-protection/vendors/gatekeeper/" data-link-title="OPA Gatekeeper" data-link-desc="OPA 官方 K8s admission controller、ConstraintTemplate &amp;#43; Constraint 兩層、Rego policy &amp;#43; Audit &amp;#43; Mutation">Gatekeeper&lt;/a> 比、Gatekeeper 也是 K8s admission controller 但底層用 OPA + Rego、ConstraintTemplate / Constraint 兩層 CRD；Kyverno 不用 Rego、policy 就是 YAML rule list。跟 &lt;a href="https://tarrragon.github.io/blog/backend/07-security-data-protection/vendors/trivy/" data-link-title="Trivy" data-link-desc="Aqua Security 開源 all-in-one scanner：Container / Filesystem / K8s / IaC &amp;#43; Secret &amp;#43; License &amp;#43; SBOM、Apache 2.0、CI 友善">Trivy&lt;/a> 的 misconfig scan 比、Trivy 是 &lt;em>scan static manifest&lt;/em>、Kyverno 是 &lt;em>admission gate + background scan&lt;/em>、定位互補不衝突。&lt;/p></description><content:encoded><![CDATA[<p>Kyverno 是 K8s-native 的 policy engine、CNCF Incubating（2024 升級）、設計 mindset 把 <em>policy 寫成 YAML</em> 而不是引入新語言（vs <a href="/blog/backend/07-security-data-protection/vendors/opa/" data-link-title="Open Policy Agent (OPA)" data-link-desc="CNCF general-purpose policy engine、Rego Datalog-like 語言、decoupled decision &#43; enforcement、跨 K8s / API / Terraform / SQL 統一 policy">OPA</a> 的 Rego、<a href="/blog/backend/07-security-data-protection/vendors/gatekeeper/" data-link-title="OPA Gatekeeper" data-link-desc="OPA 官方 K8s admission controller、ConstraintTemplate &#43; Constraint 兩層、Rego policy &#43; Audit &#43; Mutation">Gatekeeper</a> 也用 Rego）。它的核心不是「更輕量的 OPA」、而是 <em>K8s 專用 policy engine</em> — 把 Validate / Mutate / Generate / Verify Images / Cleanup 五類動作做成 first-class rule type、跟 K8s admission webhook + GitOps + cosign / Sigstore ecosystem 深度整合。</p>
<h2 id="服務定位">服務定位</h2>
<p>Kyverno 的定位是 <em>K8s admission controller-shaped policy engine、policy 用 YAML 表達</em>。底層是 dynamic admission webhook + background controller、頂層 CRD 包含 <em>ClusterPolicy</em>（cluster 範圍）/ <em>Policy</em>（namespace 範圍）/ <em>PolicyException</em>（明確例外）/ <em>ClusterCleanupPolicy</em>（過期 resource 清理）/ <em>PolicyReport</em>（CIS / NIST 等審計輸出）。Nirmata 是 Kyverno 商業版、補 policy library / multi-cluster management / audit dashboard / 24x7 support。</p>
<p>跟 <a href="/blog/backend/07-security-data-protection/vendors/opa/" data-link-title="Open Policy Agent (OPA)" data-link-desc="CNCF general-purpose policy engine、Rego Datalog-like 語言、decoupled decision &#43; enforcement、跨 K8s / API / Terraform / SQL 統一 policy">OPA</a> 比、Kyverno 走 <em>narrow + opinionated</em> — OPA 是 general-purpose policy engine（K8s / API gateway / Terraform / 自家服務都能用、語言是 Rego）、Kyverno <em>K8s-only + YAML</em>、學習成本對 K8s admin 接近零。跟 <a href="/blog/backend/07-security-data-protection/vendors/gatekeeper/" data-link-title="OPA Gatekeeper" data-link-desc="OPA 官方 K8s admission controller、ConstraintTemplate &#43; Constraint 兩層、Rego policy &#43; Audit &#43; Mutation">Gatekeeper</a> 比、Gatekeeper 也是 K8s admission controller 但底層用 OPA + Rego、ConstraintTemplate / Constraint 兩層 CRD；Kyverno 不用 Rego、policy 就是 YAML rule list。跟 <a href="/blog/backend/07-security-data-protection/vendors/trivy/" data-link-title="Trivy" data-link-desc="Aqua Security 開源 all-in-one scanner：Container / Filesystem / K8s / IaC &#43; Secret &#43; License &#43; SBOM、Apache 2.0、CI 友善">Trivy</a> 的 misconfig scan 比、Trivy 是 <em>scan static manifest</em>、Kyverno 是 <em>admission gate + background scan</em>、定位互補不衝突。</p>
<p>關鍵張力：<em>YAML policy 的表達力上限</em> ↔ <em>跨平台統一 policy 的訴求</em>。Kyverno YAML rule 對 90% K8s 場景夠用、但需要跨 K8s / API gateway / Terraform 統一 policy decision 時、Rego 的表達力跟可移植性勝出。要看清楚 policy <em>邊界是否就在 K8s 內</em>。</p>
<h2 id="本章目標">本章目標</h2>
<p>讀完本頁、讀者能判斷：</p>
<ol>
<li>Kyverno 在 K8s 治理 stack 中承擔哪一段（admission gate / mutation / generation / image verify / cleanup）、跟 <a href="/blog/backend/07-security-data-protection/vendors/trivy/" data-link-title="Trivy" data-link-desc="Aqua Security 開源 all-in-one scanner：Container / Filesystem / K8s / IaC &#43; Secret &#43; License &#43; SBOM、Apache 2.0、CI 友善">Trivy</a> scan / <a href="/blog/backend/07-security-data-protection/vendors/syft-grype/" data-link-title="Syft &#43; Grype" data-link-desc="Anchore 開源姐妹工具：Syft 產 SBOM (CycloneDX / SPDX) &#43; Grype scan 漏洞、Unix philosophy、cosign attestation 整合">SBOM Tools</a> / Sigstore cosign 怎麼分工</li>
<li>ClusterPolicy / Policy 的 ownership 設計（platform team 還是 app team 寫、誰 review、PolicyException 怎麼治理）</li>
<li>Validate / Mutate / Generate / Verify Images / Cleanup 五類 rule 的使用邊界跟陷阱</li>
<li>何時用 Kyverno、何時走 OPA / Gatekeeper / K8s native ValidatingAdmissionPolicy 的取捨</li>
</ol>
<h2 id="最短判讀路徑">最短判讀路徑</h2>
<p>判斷 Kyverno deployment 是否健康、最少看四件事：</p>
<ul>
<li><strong>Policy 是否走 GitOps</strong>：ClusterPolicy / Policy 是否在 Git 版控、走 ArgoCD / Flux sync、policy change 是否經 PR review、staging cluster 跑過 audit mode 才 promote 到 enforce</li>
<li><strong>Mode 配置</strong>：每條 policy 是 <em>Audit</em>（只記、不擋）還是 <em>Enforce</em>（擋 admission）、新規則是否先 audit 觀察 24-48hr 再 enforce、Background scan 是否開（補 admission 不到的 historical drift）</li>
<li><strong>Verify Images 啟用度</strong>：production cluster 是否要求 image 必須通過 cosign signature verify、SBOM attestation 是否驗、policy 是否包含 keyless verify（Fulcio + Rekor）</li>
<li><strong>PolicyException 治理</strong>：例外是否走 PR 申請 + 到期日 + owner、跟 <a href="/blog/backend/07-security-data-protection/detection-coverage-and-signal-governance/" data-link-title="7.13 偵測覆蓋率與訊號治理" data-link-desc="定義偵測覆蓋、訊號品質與誤報成本的治理問題">Detection Coverage and Signal Governance</a> 的 exception governance 對齊</li>
</ul>
<p>四件事任一缺失、就是 <a href="/blog/backend/07-security-data-protection/supply-chain-integrity-and-artifact-trust/" data-link-title="7.12 供應鏈完整性與 Artifact 信任" data-link-desc="定義 build provenance、artifact 信任與交付鏈風險問題">7.12 供應鏈完整性</a> 邊界的待補項目。</p>
<h2 id="日常操作與決策形狀">日常操作與決策形狀</h2>
<p><strong>ClusterPolicy / Policy 結構</strong>：Kyverno policy 是 K8s CRD、結構 <code>spec.rules[]</code> 一條條 rule、每條 rule 有 <code>match</code>（套用對象、kind / namespace / label / name）+ <code>exclude</code>（明確排除）+ rule body（<code>validate</code> / <code>mutate</code> / <code>generate</code> / <code>verifyImages</code> / <code>cleanup</code> 五選一）。ClusterPolicy 套整個 cluster、Policy 套單一 namespace、app team 通常只能改自家 namespace 的 Policy、平台 team 控 ClusterPolicy。</p>
<p><strong>Validate rule</strong>：admission 階段檢查 manifest 是否符合條件、不符合就拒絕。最常見場景 — 禁止 <code>latest</code> tag、要求所有 pod 有 resource limit、禁止 privileged container、要求 specific label。寫法是 <code>validate.pattern</code> 或 <code>validate.deny</code>（後者支援更複雜的 boolean expression）、output 是 admission webhook reject。Validate 是 <em>K8s policy as code</em> 的入門場景、80% 的 ClusterPolicy 都是 Validate rule。</p>
<p><strong>Mutate rule</strong>：admission 階段修改 manifest、把缺的欄位補上或改成符合的值。常見場景 — 自動注入 sidecar（service mesh proxy / log forwarder）、自動加 resource limit default、自動加 label（cost center / owner）、自動把 imagePullPolicy 改成 <code>Always</code>。Mutate 是 OPA / Gatekeeper 做不到的（兩者都偏 Validate-only）、是 Kyverno 的 <em>K8s-specific 強項</em>。陷阱是 mutate 變更後 GitOps diff 會永遠不一致、要在 ArgoCD ignoreDifferences 上對齊。</p>
<p><strong>Generate rule</strong>：cluster event（namespace 建立、resource 變動）觸發、自動建立 <em>關聯 resource</em>。最常見場景 — 新 namespace 自動建 default NetworkPolicy（deny-all egress 起手）、自動建 ResourceQuota / LimitRange、自動 copy ConfigMap / Secret 到新 namespace。Generate 是把 <em>security default</em> 從文件層落到 runtime layer、避免 app team 忘記設 NetworkPolicy 就把整個 cluster 暴露。Generate 也是 OPA / Gatekeeper 做不到、Kyverno 獨有。</p>
<p><strong>Verify Images rule</strong>：admission 階段驗證 container image 的簽章 / SBOM attestation / in-toto provenance。實作底層 <a href="https://docs.sigstore.dev/">Sigstore</a> cosign — keyless 簽章驗 Fulcio CA + Rekor transparency log、key-based 驗 public key、attestation 驗 SLSA provenance / SBOM。production 場景 — internal registry image 必須 cosign 簽 + 來自 trusted CI runner、external image 必須在 allowlist。對應 <a href="/blog/backend/07-security-data-protection/red-team/cases/supply-chain/solarwinds-2020-sunburst/" data-link-title="7.R7.2.1 SolarWinds 2020：更新鏈被濫用" data-link-desc="合法更新流程遭植入後，攻擊者如何長期潛伏與橫向擴散">SolarWinds 2020 Sunburst</a> 的 supply chain attack 防禦邊界。</p>
<p><strong>Cleanup policy</strong>：ClusterCleanupPolicy / CleanupPolicy 是 K8s 1.27+ 引入、Kyverno 1.10+ 支援、按 cron 跑、清掉符合條件的 resource。常見場景 — 過 30 天的 completed Job、過 7 天的 failed Pod、ephemeral namespace（PR preview env）超過 TTL 自動刪。Cleanup 補的是 K8s 沒有 <em>resource lifecycle policy</em> 的洞、TTL controller 只覆蓋 Job / Pod 子集。</p>
<p><strong>Background scan</strong>：除了 admission 攔截 <em>新 resource</em>、Kyverno 定期掃描 <em>已存在 resource</em> 是否違反 policy、結果寫入 PolicyReport CRD。意義是補 <em>歷史 drift</em> — policy 是後來加的、已 deploy 的 resource 不會被 admission 攔到、background scan 才會找出來。production 一定要開、不開等於 policy 只防新犯不抓舊案。</p>
<p><strong>ValidatingAdmissionPolicy (VAP) 整合</strong>：K8s 1.30+ 內建 CEL-based admission policy、不需要 admission webhook（VAP 由 kube-apiserver 直接 enforce、延遲低、不會因為 Kyverno pod 掛掉就讓 admission 失敗）。Kyverno 1.11+ 可以從 ClusterPolicy <em>生成</em> VAP、把簡單 Validate rule 卸載給 K8s native engine、複雜 rule（Mutate / Generate / Verify Images）留在 Kyverno。長期趨勢 — K8s native VAP 會吃掉 Kyverno <em>Validate-only</em> 的場景、Mutate / Generate / Verify Images 仍是 Kyverno 護城河。</p>
<p><strong>GitOps 整合</strong>：ClusterPolicy / Policy 是普通 K8s CRD、走 ArgoCD / Flux sync 沒任何特殊性。staging cluster 跑 Audit mode 24-48hr 看 PolicyReport 有多少違規 → tune rule 或加 PolicyException → 確認沒誤殺再 promote 到 production cluster 的 Enforce mode。對應 <a href="/blog/backend/07-security-data-protection/blue-team/detection-engineering-lifecycle/" data-link-title="7.B5 Detection Engineering Lifecycle" data-link-desc="把偵測規則視為可維護資產，建立從來源、測試、調校到退場的完整生命週期">Detection Engineering Lifecycle</a> 的 propose → staging → promote pattern。</p>
<p><strong>Policy Reporter</strong>：OSS dashboard（不是 Kyverno 內建、是社群專案）、把 PolicyReport CRD 視覺化、給 platform team / app team 看 cluster 違規概況。Nirmata 商業版有更完整的 multi-cluster dashboard + 歷史 trend + compliance mapping（CIS / NIST / PCI）。</p>
<h2 id="核心取捨表">核心取捨表</h2>
<table>
  <thead>
      <tr>
          <th>取捨維度</th>
          <th>Kyverno</th>
          <th>OPA + Gatekeeper</th>
          <th>OPA standalone</th>
          <th>Conftest</th>
      </tr>
  </thead>
  <tbody>
      <tr>
          <td>Policy 語言</td>
          <td>YAML（patterns / deny / preconditions）</td>
          <td>Rego（DSL、表達力強）</td>
          <td>Rego</td>
          <td>Rego</td>
      </tr>
      <tr>
          <td>覆蓋範圍</td>
          <td>K8s only</td>
          <td>K8s only</td>
          <td>K8s / API / Terraform / 任意 JSON 輸入</td>
          <td>CI-time static file（Terraform / Docker）</td>
      </tr>
      <tr>
          <td>Rule 類型</td>
          <td>Validate / Mutate / Generate / Verify Images / Cleanup</td>
          <td>Validate-only（Mutate 是 experimental）</td>
          <td>由 host application 決定</td>
          <td>Validate（CI-time）</td>
      </tr>
      <tr>
          <td>部署形態</td>
          <td>K8s admission webhook + controller</td>
          <td>K8s admission webhook（Gatekeeper 是 OPA 包）</td>
          <td>sidecar / library / standalone server</td>
          <td>CLI（CI pipeline）</td>
      </tr>
      <tr>
          <td>學習曲線</td>
          <td>緩 — K8s admin 已熟 YAML</td>
          <td>陡 — 要學 Rego</td>
          <td>陡 — 要學 Rego + host integration</td>
          <td>中 — Rego 但範圍小</td>
      </tr>
      <tr>
          <td>Image signature</td>
          <td>內建 Verify Images（cosign + Sigstore）</td>
          <td>需自己接 cosign CLI</td>
          <td>需自己接</td>
          <td>不適用</td>
      </tr>
      <tr>
          <td>Background scan</td>
          <td>內建</td>
          <td>gator audit（弱）</td>
          <td>不適用</td>
          <td>不適用</td>
      </tr>
      <tr>
          <td>跨 platform 一致</td>
          <td>弱 — K8s only</td>
          <td>弱 — K8s only</td>
          <td>強 — 同份 Rego 跑 K8s / API / Terraform</td>
          <td>強 — CI 跑同份 Rego</td>
      </tr>
      <tr>
          <td>適合場景</td>
          <td>K8s-heavy + 想用 YAML + 需 Mutate / Generate / Image</td>
          <td>K8s + 已有 Rego 投資 + Validate-only</td>
          <td>跨 K8s / API / Terraform 統一 policy</td>
          <td>CI-time pre-merge 檢查</td>
      </tr>
      <tr>
          <td>退場成本</td>
          <td>中 — YAML rule 跟 K8s CRD 綁</td>
          <td>中 — Rego 可移植到 OPA standalone</td>
          <td>低 — Rego 跨平台</td>
          <td>低</td>
      </tr>
  </tbody>
</table>
<p>選 Kyverno 的核心訴求：<em>K8s-only 場景 + 不想學 Rego + 需要 Mutate / Generate / Verify Images 的 K8s-specific 能力</em>。團隊已投資 Rego ecosystem、或 policy 邊界跨 K8s + Terraform + API gateway、走 OPA / Gatekeeper 更合適。CI-time pre-merge 檢查走 Conftest 補位。</p>
<h2 id="進階主題">進階主題</h2>
<p><strong>Verify Images 進階 — cosign keyless + SBOM attestation</strong>：production-grade image trust 不只驗 signature、要驗 <em>who signed it from where with what build process</em>。keyless 模式驗 Fulcio CA-issued 短期憑證 + Rekor transparency log entry、確認簽章來自 trusted CI runner 的 OIDC identity（例如 <code>https://github.com/myorg/myrepo/.github/workflows/release.yaml@refs/tags/v*</code>）。SBOM attestation 用 <code>verifyImages.attestations</code> 驗 in-toto envelope、確認 image 帶 SLSA provenance + SBOM（<a href="/blog/backend/07-security-data-protection/vendors/syft-grype/" data-link-title="Syft &#43; Grype" data-link-desc="Anchore 開源姐妹工具：Syft 產 SBOM (CycloneDX / SPDX) &#43; Grype scan 漏洞、Unix philosophy、cosign attestation 整合">CycloneDX / SPDX</a>）。對應 <a href="/blog/backend/07-security-data-protection/red-team/cases/supply-chain/xz-backdoor-2024-open-source-supply-chain/" data-link-title="7.R7.2.4 XZ Backdoor 2024：開源供應鏈長期滲透" data-link-desc="開源維護鏈遭滲透後，為何會直接影響廣泛 Linux 發行流程">XZ Backdoor 2024</a> 的 lesson：maintainer takeover 也能簽 image、要靠 build provenance attestation 看出 build process 跟過去不一致。</p>
<p><strong>Mutate policy 跟 GitOps 的張力</strong>：Mutate 自動補欄位、ArgoCD / Flux 會永遠看到 live state 跟 Git state diff。處理方式有三 — <em>ignoreDifferences</em> on specific fields（ArgoCD <code>spec.ignoreDifferences</code>、Flux <code>spec.patches</code>）、<em>把 mutate 改成 validate + 在 PR template 補預設</em>（成本高但 GitOps diff 乾淨）、<em>Mutate at create only</em>（用 <code>mutate.mutateExistingOnPolicyUpdate: false</code>、只在 admission 動、不重複 mutate existing resource）。</p>
<p><strong>Generate policy 跟 multi-tenant security default</strong>：新 namespace 一建立、Generate rule 自動建 default-deny NetworkPolicy + ResourceQuota + LimitRange + 必要 RoleBinding。意義是 <em>security default 從 README 落到 runtime</em>、app team 開新 namespace 不會忘記設安全邊界。陷阱是 generated resource 的 ownership — 預設 Kyverno owns、app team 修改會被 reconcile 回去；要讓 app team 改、用 <code>synchronize: false</code>。</p>
<p><strong>Nirmata Enterprise</strong>：商業版補三件事 — <em>Policy Library</em>（CIS / NIST / PCI / SOC 2 預製 policy pack）、<em>Multi-cluster Management</em>（中央 console 推 policy 到多 cluster + audit dashboard + drift detection）、<em>Policy Reporter Plus</em>（trend + compliance mapping + JIRA / Slack integration）。對大企業多 cluster + 合規驅動的場景值得評估、中小 deployment OSS Kyverno + 社群 Policy Reporter 夠用。</p>
<p><strong>PolicyException 治理</strong>：Kyverno 1.9+ 引入 PolicyException CRD、讓特定 resource 明確繞過特定 policy、避免「app team 為了 deploy 直接把 policy 改寬」。Exception 走 PR + 到期日 + owner、跟 <a href="/blog/backend/07-security-data-protection/detection-coverage-and-signal-governance/" data-link-title="7.13 偵測覆蓋率與訊號治理" data-link-desc="定義偵測覆蓋、訊號品質與誤報成本的治理問題">Detection Coverage and Signal Governance</a> 的 exception lifecycle 對齊 — 例外不是黑箱、是 <em>暫時性、有 owner、有 review 日期</em>。</p>
<h2 id="排錯與失敗快速判讀">排錯與失敗快速判讀</h2>
<ul>
<li><strong>Policy 改了沒生效</strong>：admission webhook 沒 ready、或 policy 寫在錯的 namespace（Policy CRD 是 namespace-scoped、放錯 namespace 不會作用）— <code>kubectl get clusterpolicies</code> 看 ready 狀態、<code>kubectl describe</code> 看 events</li>
<li><strong>Admission 卡住 / Pod 起不來</strong>：Kyverno webhook 掛掉、failurePolicy 設 <code>Fail</code> 結果整個 cluster 不能 deploy — production 對 critical workload 設 <code>failurePolicy: Ignore</code> + 監控 Kyverno controller availability、不要讓 policy engine 變成 cluster-wide SPOF</li>
<li><strong>Mutate 後 ArgoCD 永遠 OutOfSync</strong>：mutate 改的欄位沒在 ArgoCD <code>ignoreDifferences</code> 排除 — 對應加 <code>spec.ignoreDifferences[*].jsonPointers</code> 或 <code>.jqPathExpressions</code>、不然每次 sync 都跳 diff</li>
<li><strong>Verify Images 全部失敗</strong>：cluster 沒對外網路、Fulcio / Rekor 拉不到、或 image 真的沒簽 — 先 audit mode 跑 + 看 PolicyReport 統計 unsigned image 比例、確認預期路徑（內部 image 簽 / 外部 image allowlist）後才 enforce</li>
<li><strong>Background scan 跑爆 controller</strong>：cluster 太大、scan interval 太短 — 調整 <code>backgroundScan: false</code> for 高頻變動 policy、或拉長 scan interval、或 Nirmata 用分散式 scan</li>
<li><strong>PolicyException 變成漏洞</strong>：例外沒到期日、owner 離職、規則永久繞過 — Exception CRD 補 metadata（owner / expiry / ticket）+ 定期 audit 過期 Exception</li>
<li><strong>VAP migration 不一致</strong>：Kyverno 生成的 VAP 跟原 ClusterPolicy 行為有差（CEL 不支援部分 Kyverno feature）— 對 critical rule 保留 Kyverno 不 migrate、只把簡單 Validate 卸載</li>
</ul>
<h2 id="何時改走其他服務">何時改走其他服務</h2>
<table>
  <thead>
      <tr>
          <th>需求形狀</th>
          <th>改走</th>
      </tr>
  </thead>
  <tbody>
      <tr>
          <td>跨 K8s + API gateway + Terraform 統一 policy</td>
          <td><a href="/blog/backend/07-security-data-protection/vendors/opa/" data-link-title="Open Policy Agent (OPA)" data-link-desc="CNCF general-purpose policy engine、Rego Datalog-like 語言、decoupled decision &#43; enforcement、跨 K8s / API / Terraform / SQL 統一 policy">OPA standalone</a></td>
      </tr>
      <tr>
          <td>K8s only 但團隊已投資 Rego</td>
          <td><a href="/blog/backend/07-security-data-protection/vendors/gatekeeper/" data-link-title="OPA Gatekeeper" data-link-desc="OPA 官方 K8s admission controller、ConstraintTemplate &#43; Constraint 兩層、Rego policy &#43; Audit &#43; Mutation">Gatekeeper</a></td>
      </tr>
      <tr>
          <td>CI-time pre-merge 檢查 Terraform / Dockerfile</td>
          <td>Conftest（OPA 系列、CLI-based）</td>
      </tr>
      <tr>
          <td>Image 漏洞 / misconfig scan（scan, not gate）</td>
          <td><a href="/blog/backend/07-security-data-protection/vendors/trivy/" data-link-title="Trivy" data-link-desc="Aqua Security 開源 all-in-one scanner：Container / Filesystem / K8s / IaC &#43; Secret &#43; License &#43; SBOM、Apache 2.0、CI 友善">Trivy</a> / <a href="/blog/backend/07-security-data-protection/vendors/snyk/" data-link-title="Snyk" data-link-desc="跨 SCM 多模組 application security platform：Open Source (SCA) &#43; Code (SAST) &#43; Container &#43; IaC &#43; Cloud (CSPM)、Reachability analysis">Snyk</a></td>
      </tr>
      <tr>
          <td>SBOM 生成 / 管理</td>
          <td><a href="/blog/backend/07-security-data-protection/vendors/syft-grype/" data-link-title="Syft &#43; Grype" data-link-desc="Anchore 開源姐妹工具：Syft 產 SBOM (CycloneDX / SPDX) &#43; Grype scan 漏洞、Unix philosophy、cosign attestation 整合">SBOM Tools</a></td>
      </tr>
      <tr>
          <td>Image signing pipeline</td>
          <td>Sigstore cosign（CI 簽、Kyverno 驗）</td>
      </tr>
      <tr>
          <td>K8s 1.30+ 簡單 Validate-only 場景</td>
          <td>K8s native ValidatingAdmissionPolicy（CEL、kube-apiserver 內建）</td>
      </tr>
  </tbody>
</table>
<h2 id="不在本頁內的主題">不在本頁內的主題</h2>
<ul>
<li>Kyverno policy 完整 YAML reference、JMESPath 進階用法</li>
<li>Sigstore cosign CLI 操作、Fulcio / Rekor 部署</li>
<li>Nirmata Enterprise 詳細功能跟 pricing</li>
<li>K8s ValidatingAdmissionPolicy CEL 語法 reference</li>
<li>跟 service mesh（Istio / Linkerd）整合的 sidecar injection 細節</li>
</ul>
<h2 id="案例回寫">案例回寫</h2>
<table>
  <thead>
      <tr>
          <th>案例</th>
          <th>跟 Kyverno 的關係（對照啟示）</th>
      </tr>
  </thead>
  <tbody>
      <tr>
          <td><a href="/blog/backend/07-security-data-protection/red-team/cases/supply-chain/solarwinds-2020-sunburst/" data-link-title="7.R7.2.1 SolarWinds 2020：更新鏈被濫用" data-link-desc="合法更新流程遭植入後，攻擊者如何長期潛伏與橫向擴散">SolarWinds 2020 Sunburst</a></td>
          <td>Kyverno Verify Images policy 強制 production cluster 只 deploy 已 cosign 簽章 + Rekor transparency log entry 的 image、未簽 / 來源異常 image 在 admission 階段擋掉</td>
      </tr>
      <tr>
          <td><a href="/blog/backend/07-security-data-protection/red-team/cases/supply-chain/log4shell-cve-2021-44228-component-chain/" data-link-title="7.R7.2.7 Log4Shell 2021：共用元件風險與修補鏈" data-link-desc="共用元件漏洞如何同步影響多服務，並迫使團隊建立依賴治理 workflow">Log4Shell CVE-2021-44228</a></td>
          <td>Kyverno admission policy 配 <a href="/blog/backend/07-security-data-protection/vendors/trivy/" data-link-title="Trivy" data-link-desc="Aqua Security 開源 all-in-one scanner：Container / Filesystem / K8s / IaC &#43; Secret &#43; License &#43; SBOM、Apache 2.0、CI 友善">Trivy</a> scan 結果 — image 帶 vulnerability label 超過閾值就擋 deploy、補 CI scan 沒攔到的舊 image</td>
      </tr>
      <tr>
          <td><a href="/blog/backend/07-security-data-protection/red-team/cases/supply-chain/xz-backdoor-2024-open-source-supply-chain/" data-link-title="7.R7.2.4 XZ Backdoor 2024：開源供應鏈長期滲透" data-link-desc="開源維護鏈遭滲透後，為何會直接影響廣泛 Linux 發行流程">XZ Backdoor 2024</a></td>
          <td>Kyverno Verify Images + SBOM attestation 補位 — maintainer takeover 也能簽 image、但缺乏 SLSA build provenance attestation 會被 Kyverno admission 擋住</td>
      </tr>
      <tr>
          <td><a href="/blog/backend/07-security-data-protection/supply-chain-integrity-and-artifact-trust/" data-link-title="7.12 供應鏈完整性與 Artifact 信任" data-link-desc="定義 build provenance、artifact 信任與交付鏈風險問題">7.12 供應鏈完整性 (section)</a></td>
          <td>Kyverno 是 <em>K8s admission gate</em> 的 K8s-specific 落實工具、跟 CI-time SBOM 生成 + cosign 簽章 + Rekor transparency log 組成 supply chain trust chain 的 runtime enforcement 段</td>
      </tr>
      <tr>
          <td><a href="/blog/backend/07-security-data-protection/blue-team/detection-engineering-lifecycle/" data-link-title="7.B5 Detection Engineering Lifecycle" data-link-desc="把偵測規則視為可維護資產，建立從來源、測試、調校到退場的完整生命週期">Detection Engineering Lifecycle (section)</a></td>
          <td>ClusterPolicy / Policy 走 propose → staging audit mode → tune → promote enforce mode 的工程 lifecycle、PolicyException 是 lifecycle 一部分、不是黑箱繞過</td>
      </tr>
  </tbody>
</table>
<h2 id="下一步路由">下一步路由</h2>
<ul>
<li>上游：<a href="/blog/backend/07-security-data-protection/supply-chain-integrity-and-artifact-trust/" data-link-title="7.12 供應鏈完整性與 Artifact 信任" data-link-desc="定義 build provenance、artifact 信任與交付鏈風險問題">7.12 供應鏈完整性</a>、<a href="/blog/backend/07-security-data-protection/detection-coverage-and-signal-governance/" data-link-title="7.13 偵測覆蓋率與訊號治理" data-link-desc="定義偵測覆蓋、訊號品質與誤報成本的治理問題">Detection Coverage and Signal Governance</a></li>
<li>平行：<a href="/blog/backend/07-security-data-protection/vendors/opa/" data-link-title="Open Policy Agent (OPA)" data-link-desc="CNCF general-purpose policy engine、Rego Datalog-like 語言、decoupled decision &#43; enforcement、跨 K8s / API / Terraform / SQL 統一 policy">OPA</a>、<a href="/blog/backend/07-security-data-protection/vendors/gatekeeper/" data-link-title="OPA Gatekeeper" data-link-desc="OPA 官方 K8s admission controller、ConstraintTemplate &#43; Constraint 兩層、Rego policy &#43; Audit &#43; Mutation">Gatekeeper</a></li>
<li>下游：<a href="/blog/backend/07-security-data-protection/vendors/trivy/" data-link-title="Trivy" data-link-desc="Aqua Security 開源 all-in-one scanner：Container / Filesystem / K8s / IaC &#43; Secret &#43; License &#43; SBOM、Apache 2.0、CI 友善">Trivy</a>（scan + label）、<a href="/blog/backend/07-security-data-protection/vendors/snyk/" data-link-title="Snyk" data-link-desc="跨 SCM 多模組 application security platform：Open Source (SCA) &#43; Code (SAST) &#43; Container &#43; IaC &#43; Cloud (CSPM)、Reachability analysis">Snyk</a>（vuln 資訊源）、<a href="/blog/backend/07-security-data-protection/vendors/syft-grype/" data-link-title="Syft &#43; Grype" data-link-desc="Anchore 開源姐妹工具：Syft 產 SBOM (CycloneDX / SPDX) &#43; Grype scan 漏洞、Unix philosophy、cosign attestation 整合">SBOM Tools</a>（attestation 來源）</li>
<li>跨類：Sigstore cosign（CI 簽、Kyverno 驗）、ArgoCD / Flux（GitOps sync policy 本身）</li>
<li>跨模組：<a href="/blog/backend/08-incident-response/vendors/" data-link-title="事故處理 Vendor 清單" data-link-desc="規劃 on-call、incident response、status page 與 postmortem 工具的服務頁撰寫順序與判準">8 事故處理 vendor 清單</a>（policy violation → IR routing）</li>
<li>官方：<a href="https://kyverno.io/docs/">Kyverno Documentation</a>、<a href="https://docs.sigstore.dev/">Sigstore Documentation</a></li>
</ul>
]]></content:encoded></item></channel></rss>