Kyverno
Kyverno is a Kubernetes-native policy management and admission control engine (cloud-native security and governance) that uses Kubernetes resources and declarative configurations to validate, mutate, generate, and verify resource configurations.
- Kubernetes-native policy engine for validating, mutating, and generating resources (policy-as-code, security and governance).
- Admission control and policy enforcement for Kubernetes clusters using Custom Resource Definitions (Kubernetes governance).
- Configuration validation, mutation, and generation driven by YAML-based policies without requiring a separate policy language (configuration management).
- Image verification and supply chain security features using container image signatures (software supply chain security).
- Support for multi-tenancy, namespace-scoped and cluster-scoped policies, and Git-based workflows (platform operations and GitOps).
More About Kyverno
Kyverno is an open-source Kubernetes-native policy engine (cloud-native security and governance) designed to manage and enforce policies for Kubernetes resources using familiar Kubernetes constructs. It operates as an admission controller and background controller to validate, mutate, generate, and verify resource configurations, using policies defined as Kubernetes Custom Resources. This approach aligns policy management with existing Kubernetes workflows and tooling.
Kyverno policies (policy-as-code) are written as YAML resources rather than in a separate domain-specific language. Each policy can contain rules that validate configurations, mutate fields, generate new resources, or verify container images. Validation rules can enforce requirements such as mandatory labels, annotations, or configuration patterns. Mutation rules can add or update fields in incoming resources, while generation rules can create or synchronize related Kubernetes objects.
The project integrates with Kubernetes admission control (Kubernetes governance) by running as a dynamic admission controller webhook. When a resource is created or updated, Kyverno evaluates the resource against configured policies and either allows, denies, or mutates the request. Kyverno can also execute policies in background mode to continuously scan existing resources for compliance, supporting ongoing posture management.
Kyverno includes image verification capabilities (software supply chain security) that validate container image signatures before workloads are admitted to a cluster. Policies can require that images be signed by specified authorities, helping enforce supply chain controls. Signatures are retrieved through standard container registry workflows, and verification runs as part of Kubernetes pod admission, so an image that is unsigned or signed by an unexpected key is rejected before the workload starts.
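The validate, mutate, and verifyImages rule types described above, shown together in one ClusterPolicy as an added example (this is not code from the page or from the Kyverno project's own documentation). It assumes workloads are pulled from a placeholder registry, registry.example.com, and are signed with Sigstore Cosign; the public key block is a placeholder to be replaced with the real key.

```yaml
# Added example (not from the page): one ClusterPolicy combining three rule types.
# Assumptions: registry.example.com is a placeholder; the PEM block is a placeholder for a real Cosign public key.
apiVersion: kyverno.io/v1
kind: ClusterPolicy
metadata:
  name: baseline-pod-controls
spec:
  validationFailureAction: Enforce   # deny non-compliant requests (Audit would only report them)
  background: true                   # also scan existing Pods in background mode
  rules:
    - name: require-team-label       # validate rule: every Pod must carry a non-empty "team" label
      match:
        any:
          - resources:
              kinds: [Pod]
      validate:
        message: "Pods must carry a non-empty 'team' label."
        pattern:
          metadata:
            labels:
              team: "?*"             # wildcard pattern: at least one character
    - name: default-run-as-non-root  # mutate rule: set runAsNonRoot on every container if unset
      match:
        any:
          - resources:
              kinds: [Pod]
      mutate:
        patchStrategicMerge:
          spec:
            containers:
              - (name): "*"                   # conditional anchor: apply to every container
                securityContext:
                  +(runAsNonRoot): true       # add-if-absent anchor: do not override an explicit value
    - name: verify-image-signature   # verifyImages rule: admit only signed images from the registry
      match:
        any:
          - resources:
              kinds: [Pod]
      verifyImages:
        - imageReferences:
            - "registry.example.com/*"
          attestors:
            - entries:
                - keys:
                    publicKeys: |-
                      -----BEGIN PUBLIC KEY-----
                      PLACEHOLDER_REPLACE_WITH_COSIGN_PUBLIC_KEY
                      -----END PUBLIC KEY-----
```

Apply it with kubectl apply -f, or evaluate it offline against a Pod manifest with the Kyverno CLI (kyverno apply policy.yaml --resource pod.yaml) before promoting it through a GitOps pipeline.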
In enterprise environments, Kyverno is used by platform engineering, security, and operations teams (platform operations) to implement cluster-wide and namespace-scoped policies. It supports multi-tenancy by enabling both cluster policies and namespaced policies, allowing centralized governance along with team-specific rules. Kyverno policies can be stored and managed in Git repositories, integrating with GitOps practices and Continuous Integration and Continuous Deployment (CI/CD) pipelines for change control, testing, and promotion across environments.
From an architectural perspective, Kyverno runs in Kubernetes as one or more controller components (Kubernetes controller pattern) and relies on Custom Resource Definitions for policy objects. It interacts with the Kubernetes Application Programming Interface (API) server through admission webhooks and standard controller loops. The project is hosted by the Cloud Native Computing Foundation (open-source foundation), aligning it with other cloud-native projects and interoperability practices focused on Kubernetes-based platforms.
Within a technical directory, Kyverno is categorized under Kubernetes policy engines, admission control, and cloud-native security and governance. It intersects with infrastructure automation, configuration management, compliance, and platform engineering, providing a Policy as Code (PaC) mechanism for managing Kubernetes resource configurations and cluster behavior.