Kyverno is a Kubernetes-native policy engine designed to enforce security, compliance, and operational excellence within Kubernetes clusters. It enables platform teams to define and execute policies using Kubernetes resources, eliminating the need for new languages or tools.
Key Features:
Validation, Mutation, and Generation: Enforce policies at admission time or via background scans to validate configurations, mutate resources (e.g., adding labels), and generate missing components (e.g., NetworkPolicies).
Image Validation: Verify container image signatures for supply chain security.
Policy-as-Code: Define policies using familiar Kubernetes constructs, enabling seamless integration with existing workflows like kubectl, kustomize, and Git.
Audience & Benefit:
Ideal for platform engineering teams managing Kubernetes clusters. Kyverno helps enforce best practices, reduce operational risks, and ensure compliance without requiring new tooling or processes. It supports use cases such as security hardening, cost optimization, and developer guardrails, all while maintaining compatibility with existing workflows.
Kyverno is a Kubernetes-native policy engine designed for platform engineering teams. It enables security, compliance, automation, and governance through policy-as-code. Kyverno can:
Validate, mutate, generate, and clean up resources using Kubernetes admission controls and background scans.
Verify container image signatures for supply chain security.
Operate with tools you already use, such as kubectl, kustomize, and Git.
Non-Goals
Kyverno can only enforce the policies applied to Kubernetes resources; it is not designed to address security flaws inherent in the design of Kubernetes itself. For example, it cannot protect against vulnerabilities in the Kubernetes API server (e.g. Billion Laughs YAML deserialization, or a faulty Admission Controller implementation) or in the underlying infrastructure, and Kyverno's policy enforcement may be bypassed if Kubernetes itself has a security flaw. Kyverno does not enforce security requirements that were not explicitly defined: it enforces only the policies that users define, and, like any other security product, it must be actively maintained.
Kyverno does not replace, but works in conjunction with, Kubernetes RBAC: RBAC controls access while Kyverno enforces policy compliance. Cluster admins are expected to use RBAC to manage user and service account authorization, and then leverage Kyverno for additional checks that RBAC cannot perform.
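To make the division of labour concrete, here is an added illustration (not text from this page): RBAC grants a service account the right to create Pods, while a Kyverno ClusterPolicy constrains what those Pods may contain, a check RBAC cannot express. The namespace, service account and policy names are assumed for the example.

```yaml
# RBAC answers "who may create Pods?" (assumed names: namespace "apps",
# service account "deployer").
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  name: pod-creator
  namespace: apps
rules:
  - apiGroups: [""]
    resources: ["pods"]
    verbs: ["create", "get", "list"]
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: deployer-pod-creator
  namespace: apps
subjects:
  - kind: ServiceAccount
    name: deployer
    namespace: apps
roleRef:
  kind: Role
  name: pod-creator
  apiGroup: rbac.authorization.k8s.io
---
# Kyverno answers "what may a Pod look like?": any Pod, whoever creates it,
# is rejected at admission if a container requests privileged mode. The
# same rule also runs in background scans over existing Pods.
apiVersion: kyverno.io/v1
kind: ClusterPolicy
metadata:
  name: disallow-privileged-containers
spec:
  validationFailureAction: Enforce   # Audit would only report, not block
  background: true
  rules:
    - name: privileged-containers
      match:
        any:
          - resources:
              kinds:
                - Pod
      validate:
        message: "Privileged mode is disallowed; securityContext.privileged must be false or unset."
        pattern:
          spec:
            =(initContainers):          # "=()" means: check only if present
              - =(securityContext):
                  =(privileged): "false"
            containers:
              - =(securityContext):
                  =(privileged): "false"
```

With both applied, `deployer` can still create Pods, but a Pod whose container sets `privileged: true` is denied with the policy message, and the denial is recorded in Kyverno's policy reports.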
Kyverno also does not replace Kubernetes' built-in policy controls like ValidatingAdmissionPolicies and MutatingAdmissionPolicies, but complements these native controls with additional features such as comprehensive reporting, exception management, and periodic background scanning.
Several capabilities that are out of scope for the core engine are addressed by companion projects in the Kyverno organization: end-to-end testing tooling (Chainsaw), policy violation reporting and UI (Policy Reporter), policy evaluation for non-Kubernetes JSON payloads (Kyverno JSON), and authorization policy for service meshes (Kyverno Envoy Plugin). These are maintained as separate projects with their own release cycles.
Documentation
Kyverno installation and reference documentation is available at kyverno.io.