This fall, I received the opportunity to work as an LFX mentee with the Kyverno Organization.

Kyverno is a policy engine designed for Kubernetes. Kyverno is a CNCF incubating project. You can read more about Kyverno at https://kyverno.io/.

Acknowledgment

I want to express gratitude toward my mentor Shuting Zhao, senior software engineer at Nirmata for constantly guiding me throughout the mentorship program and always being supportive throughout the mentorship program.

I would also like to thank the entire Kyverno community and the Kubernetes #sig-api-machinery community for being supportive throughout the mentorship program.

Thanks to Linux Foundation and Cloud Native Computing Foundation for offering such mentorship programs and giving us the opportunity to work with open-source projects under guided mentorship.

Let's Begin

A little bit about myself, I am a pre-final year student pursuing Computer Science Engineering. I am an open-source enthusiast and love working with open-source projects. I have previously worked with open-source projects like Checkstyle, PMD, and XWiki and am still contributing to these projects. I was also a GSOC'22 contributor with the Checkstyle Organization.

What is LFX Mentorship?

The LFX mentorship is a remote learning opportunity for the open-source contributors who will be working for 12 weeks under the guidance of mentors who are maintainers and developers of the particular project and they help the mentees to contribute to the community and project.

This mentorship program is organized thrice a year i.e. Spring, Summer, and Fall months. The CNCF maintains a repository with all the information you need including the participating projects and the required skills.

Application Process

All the projects with their respective organizations are listed on the mentorship page. Kyverno in particular caught my attention as it falls in the category of Kubernetes Security and Compliance and the technical skills required were closely related to what I worked with in the past.

The application process is quite simple, firstly you have to create an account on the mentorship page which requires you to add information about yourself, your skill set, and Demographics (optional).

I had to submit 2 documents to the LFX Mentorship platform:

• Resume

• Cover Letter

I made sure that I mentioned my technical competency with the required skills (Go, Kubernetes) and also mentioned my past experience with both technologies. Alongside I mentioned my passion for open source and my previous experience with the same.

This will create a differentiating factor as according to the current mentorship rules:

Should not be a prior participant (maintainer, contributor, etc.) involved with the project for which they want to be a mentee.

Finally, I was selected for the project CNCF - Kyverno: More support for subresources

Project: More support for subresources

Problem Statement

Kyverno lacks the ability to operate on some important subresources like /scale and /status in areas such as validation and mutation.

Upstream Issues:

• [BUG] Scaling Deployment passing through validation

• Support mutations against /status subresources

• [Feature] Support for /eviction subresource for Pod in validation/mutation/generation policies

The Solution

To add support for subresources to Kyverno, at every step at which the kind was referred, it had to be made sure that support for subresources was present. This required tracking the usages of the kind throughout the validation and mutation logic and making changes accordingly.

But this only sums up one part of the problem, another major issue was correctly identifying subresources and updating the ValidatingWebhookConfiguration and MutatingWebhookConfiguration to match on subresources too.

The process followed to solve the above-mentioned problem was:

1. Parsing policy properly to identify the groupVersion and kind specified in the policy.

2. Validating that Kind specified in the policy is present among server resources.

3. Again, while updating the webhook, parse the kind in the policy and search for the group version and kind among server resources.

4. Finally, update the webhook.

Alongside CLI support was also added for testing policies referring to subresources. An example of using scale subresource with kyverno test command can be found at https://github.com/kyverno/kyverno/tree/main/test/cli/test/scale-subresource.

My approach toward the solution

Following a systematic approach always helps, even if things appear very simple. I used to detail the task at hand every week from the simplest task to the toughest.

Alongside the task, I mentioned my queries regarding it and the current progress. I also used to add links to the documentation and resources I had to go through in the current week.

Another important aspect of solving any problem is communication, may it be with your team or with your mentor. I had a weekly meeting with my mentor where I used to discuss the problem and plan for the tasks for the next week and discuss my doubts regarding the implementation.

Code Implementation

There are a lot of details that aren't mentioned in the solution, the actual implementation for both validation and mutating policies along with CLI support can be found at:

• feat: add support for subresources to validating and mutating policies

• fix: Add subresources support to policy exceptions

• fix: Add group to subresources declaration in value.yaml file for CLI

• fix: Configure webhook to add ephemeralcontainers for policies matching on Pod

• fix: policy match Kind case-senstive

• fix: Don't check for subresource existence when it is the trigger.

• fix: Support subresources as the trigger in generate rules

The issue for documentation changes is present at:

[1.9] Add documentation about specifying subresources in policy

It also contains the actual changes for documentation.

---

I am grateful to the entire Kyverno community for helping me to complete my LFX Mentorship successfully. Working with Kyverno enhanced my thinking as a programmer and taught me a lot of aspects of software development.

I look forward to contributing to the organization in the future too. Hope you will learn something from my experience. You can connect with me on LinkedIn, Twitter, and GitHub.