Scaling Kyverno

Scaling considerations for a Kyverno installation.

Scaling Kyverno

Kyverno supports scaling in multiple dimensions, both vertical as well as horizontal. It is important to understand when to scale, how to scale, and what the effects of that scaling will have on its operation. See the sections below to understand these topics better.

Because Kyverno is an admission controller with many capabilities and due to the variability with respect to environment type, size, and composition of Kubernetes clusters, the amount of processing performed by Kyverno can vary greatly. Sizing a Kyverno installation based solely upon Node or Pod count is often not appropriate to accurately predict the amount of resources it will require.

For example, a large production cluster hosting 60,000 Pods yet with no Kyverno policies installed which match on Pod has no bearing on the resources required by Kyverno. Because webhooks are dynamically managed by Kyverno according to the policies installed in the cluster, no policies which match on Pod results in no information about Pods being sent by the API server to Kyverno and, therefore, reduced processing load.

However, any policies which match on a wildcard ("*") will result in Kyverno being forced to process every operation (CREATE, UPDATE, DELETE, and CONNECT) on every resource in the cluster. Even if the policy logic itself is simple, only a single, simple policy written in such a manner and installed in a large cluster can and will have significant impact on the resources required by Kyverno.

Vertical Scale

Vertical scaling refers to increasing the resources allocated to existing Pods, which amounts to resource requests and limits.

We recommend conducting tests in your own environment to determine real-world utilization in order to best set resource requests and limits, but as a best practice we also recommend not setting CPU limits.

Horizontal Scale

Horizontal scaling refers to increasing the number of replicas of a given controller. Kyverno supports multiple replicas for each of its controllers, but the effect of multiple replicas is handled differently according to the controller. See the high availability section for more details.

Scale Testing

Testing was performed using KinD on an Ubuntu 20.04 system with an AMD EPYC 7502P 32-core processor @ 2.5GHz (max 3.35GHz) and 256GB of RAM.

Admission Controller

The following table shows the resource consumption (memory and CPU) and latency as a result of increased virtual users and iterations defined in k6. k6 is an open-source load testing tool for performance testing. k6 has multiple executors, the most popular of which is the shared-iterations executor. This executor creates a number of concurrent connections called virtual users. The total number of iterations is then distributed among these virtual users.

The test was conducted where we installed Kyverno policies to enforce the Kubernetes pod security standards using 17 policies. Subsequently, we developed a compatible Pod test to measure how long Kyverno takes to admit the admission request. For more details on these tests, refer to the load testing documentation here.

replicas# policiesRule TypeModeSubjectVirtual Users/IterationsLatency (avg/max)Memory (max)CPU (max)
117ValidateEnforcePods100/1,00042.89ms / 155.77ms115Mi211m
117ValidateEnforcePods200/5,00073.37ms / 432.37ms136Mi1148m
117ValidateEnforcePods500/10,000210.56ms / 1.54s315Mi1470m
317ValidateEnforcePods100/1,00031.06ms / 111.42ms110Mi96m
317ValidateEnforcePods200/5,00056.56ms / 248.38ms116Mi315m
317ValidateEnforcePods500/10,000136.77ms / 666.04ms167Mi524m

Reports Controller

The following table shows the resource consumption (memory and CPU) and objects sizes in etcd of increased workloads. The test was conducted where we installed Kyverno policies to audit the Kubernetes pod security standards using 17 policies. Subsequently, we created workloads and scheduled them on the fake KWOK nodes to measure total size of policy reports in etcd. KWOK is a toolkit that enables setting up a cluster of thousands of Nodes in seconds. For more details on these tests, refer to the testing documentation for the report controller.

# policyreportstotal etcd sizeCPU (max)memory (max)
1270134 MB575m91Mi
2470223 MB1389m101Mi
3770280 MB1238m107Mi
4970334 MB1174m114Mi
7370467 MB1749m144Mi
9770552 MB1859m160Mi
10010552 MB1859m138Mi

AdmissionReview Reference

API requests, operations, and activities which match corresponding Kyverno rules result in an AdmissionReview request getting sent to admission controllers like Kyverno. The number and frequency of these requests may vary greatly depending on the amount and type of activity in the cluster. The following table below is provided to give a sense of how many minimum AdmissionReview requests may result from common operations. These figures only refer to the minimum number and, in actuality, the final count will almost certainly be greater but varies depending on things like finalizers and other controllers in the cluster.

OperationResourceConfigARs
CREATEPod1
DELETEPod3
CREATEDeploymentreplicas=13
UPDATEDeploymentChange image8
DELETEDeploymentreplicas=17
CREATEDeploymentreplicas=24
UPDATEDeploymentChange image13
DELETEDeploymentreplicas=210
CREATEJobrestartPolicy=Never, backoffLimit=43
DELETEJob4
CREATECronJobschedule="*/1 * * * *"4 (3 per invocation)
DELETECronJobschedule="*/1 * * * *", 2 completed9
CREATEConfigMap1
EDITConfigMap1
DELETEConfigMap1

These figures were captured using K3d v5.4.9 on Kubernetes v1.26.2 and Kyverno 1.10.0-alpha.2 with a 3-replica admission controller. When testing against KinD, there may be one less DELETE AdmissionReview for Pod-related operations.