Remediation in nctl
The remediate command shows possible fixes for Kubernetes resources that violate the best-practices policies. When applied, the output shows the remediated YAML.
Note: Currently, built-in remediations are available for Pod Security Standards (Baseline and Restricted). We are constantly adding remediations for more standards.
Get Remediations Locally
Use the nctl remediate command to view the remediation suggestions locally. The CLI uses Kyverno's mutate capability to produce the necessary remediations.
There are two ways to reference the mutate policy.
- As an annotation in the validate policy: Use the `policies.nirmata.io/remediation` annotation to reference the Git location of the mutate policy.
- Local file reference: Use the `--mutate-policies` flag to reference local files. This is useful when running the command locally on your system, or when you are authoring a new mutate policy that has not been checked into Git yet.
Note: If both the annotation and the `--mutate-policies` flag are provided, the CLI flag takes precedence.
CLI Usage
nctl remediate -r <resource.yaml> -p <validate-policy> -m <mutate-policy>
- `-r` refers to the resource YAML file or a directory containing multiple resource YAML files.
- `-p` refers to a Kyverno validate policy file or a directory containing multiple validate policies.
- `-m` refers to a Kyverno mutate policy file or a directory containing multiple mutate policies.
Note: To associate a mutate policy with a given Kyverno validate policy, the name of the mutate policy must be of the form `remediate-{validate-policy}`. For example, if the name of the validate policy is `disallow-latest-tag`, then the name of the mutate policy must be `remediate-disallow-latest-tag`.
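As an added example (not code from the nctl documentation), the following shell script writes a constructed Pod Security Standards style validate policy, its paired mutate policy named per the rule above, and a Pod that violates it, then runs nctl remediate with local files. The Kyverno policy content, the Pod and the file paths are assumptions made for illustration; nctl is only invoked if it is installed.

```shell
#!/bin/sh
# Added example, not from the nctl docs: writes a PSS-style validate policy, its
# paired remediate-<validate-policy> mutate policy and a Pod (all constructed
# here for illustration), then runs nctl remediate locally against them.
set -eu
WORK="${WORK:-$(mktemp -d)}"
VALIDATE=disallow-privilege-escalation

# nctl pairs a mutate policy with a validate policy purely by this naming rule.
mutate_name_for() { printf 'remediate-%s\n' "$1"; }
MUTATE=$(mutate_name_for "$VALIDATE")

# Resource to check: no securityContext, so it violates the validate policy.
echo '{"apiVersion":"v1","kind":"Pod","metadata":{"name":"demo"},"spec":{"containers":[{"name":"app","image":"nginx:1.25"}]}}' > "$WORK/pod.yaml"

# Validate policy: flags containers that do not set allowPrivilegeEscalation=false.
cat > "$WORK/$VALIDATE.yaml" <<EOF
apiVersion: kyverno.io/v1
kind: ClusterPolicy
metadata: {name: $VALIDATE}
spec:
  validationFailureAction: Audit
  rules:
  - name: privilege-escalation
    match: {any: [{resources: {kinds: [Pod]}}]}
    validate:
      message: "allowPrivilegeEscalation must be set to false"
      pattern: {spec: {containers: [{securityContext: {allowPrivilegeEscalation: "false"}}]}}
EOF

# Mutate policy (the fix): sets the field on every container of the Pod.
cat > "$WORK/$MUTATE.yaml" <<EOF
apiVersion: kyverno.io/v1
kind: ClusterPolicy
metadata: {name: $MUTATE}
spec:
  rules:
  - name: set-allow-privilege-escalation
    match: {any: [{resources: {kinds: [Pod]}}]}
    mutate:
      foreach:
      - list: request.object.spec.containers
        patchStrategicMerge: {spec: {containers: [{(name): "{{ element.name }}", securityContext: {allowPrivilegeEscalation: false}}]}}
EOF

# -m (local files) takes precedence over any policies.nirmata.io/remediation annotation.
if command -v nctl >/dev/null 2>&1; then
  nctl remediate -r "$WORK/pod.yaml" -p "$WORK/$VALIDATE.yaml" -m "$WORK/$MUTATE.yaml"
else
  echo "nctl not installed; policy and resource files are in $WORK"
fi
```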
Annotation Usage
Refer to this guide
Command Reference
- nctl remediate - Remediate resources for policy violations