Kyverno

Security Plane
Policy Control
Source
Open
What is Kyverno?
Kyverno is a unified policy as code tool for securing, automating, and governing infrastructure and applications with YAML- and CEL-based policies. It is designed to fit Kubernetes-native workflows and simplify policy adoption.

Profile

Kyverno is an open-source, Kubernetes-native policy engine that operates as an admission controller to validate, mutate, generate, and verify resources across cloud-native environments. Originally created by Nirmata and contributed to the Cloud Native Computing Foundation in 2020, Kyverno achieved CNCF graduation status in March 2026, marking its recognition as production-ready infrastructure. The tool addresses policy management complexity through declarative YAML-based policies and Common Expression Language (CEL), eliminating the need for specialized policy languages. Organizations including Bloomberg, Coinbase, LinkedIn, and Spotify rely on Kyverno for security enforcement, compliance automation, and governance at scale across their Kubernetes platforms.

Focus

Kyverno solves the fundamental challenge of enforcing consistent security, compliance, and operational standards across Kubernetes clusters without requiring custom development or specialized programming knowledge. Platform engineering teams use Kyverno to establish automated guardrails that prevent misconfigurations from reaching production while maintaining developer agility. The tool addresses ten major use case categories: security and compliance enforcement, governance standardization, resource optimization, cost management, best practices automation, image verification for supply chain security, data protection, multi-tenancy provisioning, operational automation, and policy-driven lifecycle management. By integrating policy enforcement throughout the development lifecycle—from CI/CD pipelines to runtime admission control—Kyverno enables platform teams to implement self-service infrastructure with appropriate safety boundaries.

Background

Nirmata created Kyverno and contributed it to the CNCF as a Sandbox project in November 2020, advancing to Incubating status in July 2022 before achieving graduation in March 2026. The project operates under Apache License 2.0 with vendor-neutral governance structures that include maintainers from multiple organizations. Kyverno has grown from initial contribution to widespread enterprise adoption, with production deployments at Bloomberg, Coinbase, Deutsche Telekom, Groww, LinkedIn, Spotify, Vodafone, and Wayfair. The project maintains active development with regular releases following Kubernetes' N-2 support policy. CNCF governance ensures transparent decision-making, meritocratic contribution processes, and third-party security audits validating production readiness for mission-critical infrastructure.

Main features

Declarative policy validation and mutation

Kyverno validates resource configurations against defined criteria through admission control, either rejecting non-compliant resources or recording violations in policy reports for audit mode operation. Validation rules examine security contexts, resource limits, naming conventions, and compliance requirements before resources persist to the cluster. Mutation capabilities automatically modify resources to ensure compliance, injecting required fields like security contexts, adding labels, enforcing naming standards, or inserting sidecar containers without developer intervention. Mutations occur before validation, creating a coherent enforcement pipeline. Platform teams can implement policies incrementally, first auditing compliance posture before enforcing strict validation, enabling gradual adoption without disrupting existing workloads.

Automated resource generation and synchronization

Generate rules automatically create Kubernetes resources in response to events, supporting multi-tenancy automation by provisioning network policies, RBAC resources, quotas, and limits whenever new namespaces are created. Unlike simple templating, Kyverno maintains synchronization between generated resources and their policy definitions, ensuring that policy changes propagate to existing generated resources automatically. This capability enables dynamic multi-tenant platforms where namespaces receive appropriate security boundaries and resource constraints without manual intervention. Organizations use generation policies to enforce organizational standards like mandatory ConfigMaps, default network policies, or required monitoring sidecars across all workloads, reducing operational overhead while maintaining consistency.

Container image verification and supply chain security

Kyverno verifies container image signatures and attestations stored in OCI registries through integration with Cosign and Notary, preventing deployment of unsigned or improperly attested images. Image verification policies validate cryptographic signatures, inspect in-toto attestations, and parse Software Bill of Materials (SBOM) metadata directly within policy expressions using CEL. The tool supports verification of multiple signatures, certificate-based signing, keyless signing workflows, and custom attestation predicates. Organizations enforce supply chain security by requiring images to be signed by specific authorities, contain valid SBOMs, or meet vulnerability scanning thresholds before deployment, addressing software supply chain attack vectors at the admission control boundary.

Abstract pattern of purple and black halftone dots forming a wave-like shape on a black background.