kiosk VS Kyverno

Kiosk

Have a look at https://github.com/loft-sh/kiosk and maybe the paid version https://loft.sh/

As for the open source projects, maybe you would find Kiosk for allowing self-service namespace creation, namespace templates and cross-namespace resource limits and quotas.

# Install kiosk with helm v3 ❯ kubectl create namespace kiosk helm install kiosk --repo https://charts.devspace.sh/ kiosk --namespace kiosk --atomic namespace/kiosk created NAME: kiosk ... Learn more about using kiosk here: https://github.com/loft-sh/kiosk#getting-started #verify ❯ kubectl get pod -n kiosk NAME READY STATUS RESTARTS AGE kiosk-66dbfcf6db-5rfx2 1/1 Running 0 2m18s

Kubernetes was designed as a single-tenant platform. Sharing clusters, though, offers greater flexibility, simplifies infrastructure, and improves cost-efficiency. Therefore, it makes sense to use a multi-tenant system. To keep tenants separate and prevent compromised tenants from affecting others, you can use role-based access control (RBAC) or namespaces. Tools that assist with multi-tenancy in Kubernetes include kiosk and loft.

For simple environments I'm using klum, for bigger environments I'm using OIDC with Keycloak. Beside that kiosk also looks interesting.

https://github.com/loft-sh/kiosk (from makers of loft)

Anyway, I haven’t checked for sure as I’m away from laptop but it should be possible to use something like Kyverno to block that operation. We had to do similar in the past to hotfix a bug in our CLI tool. I wrote a blog post about it that might give you an idea: https://www.giantswarm.io/blog/restricting-cluster-admin-permissions

Cosign is used for signing containers through a variety of different methods. It has strong integration with other open source tools, such as Kyverno.

cosign: https://docs.sigstore.dev/cosign/overview/ kyverno: https://kyverno.io/

Kyverno - Kubernetes Native Policy Management

You could use a policy tool like kyverno or OPA.

Kyverno is present in the management cluster;

You do still have to create a policy for every namespace, but don't have to worry about labeling individual pods. We're starting to move to Helm/kustomize for our namespaces to deploy default things like network policies to each one, and we're also starting to use kyverno more, which I think is a little more purpose built for this type of thing than metacontroller is.

I knew it was unsupported so about 6 months ago I had started an effort to switch to Kyverno, which is far better and actually supported. The version of Kyverno I was using had a v1beta1 AdmissionController. Fortunately that was in a helm chart so easily caught by pluto before my upgrade.

Kyverno Kyverno is a policy engine designed for Kubernetes, Kyverno policies can validate, mutate, and generate Kubernetes resources plus ensure OCI image supply chain security.