Kyverno: Kubernetes-native policy engine

Kyverno (May 2019) by Nirmata (CNCF incubating 2022, graduated March 2026): Kubernetes-native policy engine based on YAML (not Rego like OPA). Validation, mutation, generation, image verification. Low-barrier alternative to OPA Gatekeeper.


Policy without learning Rego

OPA/Gatekeeper requires mastery of Rego, a declarative Datalog-inspired language with a significant learning curve. Many Kubernetes teams want policy expressed as YAML with native K8s semantics, not a language learned from scratch.

The release

Kyverno was published by Nirmata (Sanjay Ramanathan, Jim Bugwadia) in May 2019. Apache 2.0 licence. Written in Go. Donated to the CNCF on 10 November 2020 (sandbox), incubating since 13 July 2022, graduated on 16 March 2026.

Philosophy

  • Policies as YAML CRDs
  • K8s semantics: match, resources, kind
  • Familiar to those who know RBAC, NetworkPolicy, etc.
  • Validating, Mutating, Generating admission controller + policy reporter

Example: a ClusterPolicy that rejects any Pod or Deployment without a "team" label:

apiVersion: kyverno.io/v1
kind: ClusterPolicy
metadata: { name: require-labels }
spec:
  validationFailureAction: Enforce
  rules:
    - name: check-team-label
      match:
        resources:
          kinds: [Pod, Deployment]
      validate:
        message: "label 'team' is required"
        pattern:
          metadata:
            labels:
              team: "?*"

Features

  • Validation — block or warn on non-compliant resources
  • Mutation — automatically adds/modifies fields (e.g. sidecar injection, default resource limits)
  • Generation — creates derived resources (NetworkPolicy for every Namespace)
  • Image verification — Cosign/Sigstore integration for container signature verification
  • Cleanup policies — expired resource deletion
  • Policy Reports — cluster compliance inventory
  • Policy exceptions — explicit exceptions for legacy resources
  • ValidatingAdmissionPolicy integration (K8s 1.30+ native CEL)
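The image verification feature above, as an added example that is not from this page or from the Kyverno project's own policy library: a ClusterPolicy that admits Pods only when their images carry a Sigstore keyless signature. The registry prefix, the OIDC subject (a GitHub Actions workflow identity) and the excluded namespace are assumed placeholders to adapt to your own environment.

```yaml
apiVersion: kyverno.io/v1
kind: ClusterPolicy
metadata:
  name: verify-image-signatures
spec:
  validationFailureAction: Enforce   # reject unsigned images rather than only auditing them
  background: false                  # verifyImages rules are evaluated at admission only
  webhookTimeoutSeconds: 30          # Fulcio/Rekor lookups take longer than a plain validate
  rules:
    - name: require-cosign-keyless-signature
      match:
        any:
          - resources:
              kinds:
                - Pod
      exclude:
        any:
          - resources:
              namespaces:
                - kube-system            # assumed exclusion for control-plane workloads
      verifyImages:
        - imageReferences:
            - "registry.example.org/*"   # assumed registry; only these images are checked
          required: true                 # every matching image must verify, none may be skipped
          mutateDigest: true             # rewrite the tag to the verified immutable digest
          verifyDigest: true             # reject images that still have no digest
          attestors:
            - count: 1                   # one valid attestor entry is enough
              entries:
                - keyless:
                    # assumed signing identity: a workflow in the example-org GitHub organisation
                    subject: "https://github.com/example-org/*"
                    issuer: "https://token.actions.githubusercontent.com"
                    rekor:
                      url: https://rekor.sigstore.dev   # public transparency log
```

A Pod referencing registry.example.org/app:1.2 is admitted only if a signature by a matching identity is found and logged in Rekor, and the admitted Pod spec is rewritten to the digest that was actually verified, so a later tag move cannot substitute a different image.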

Kyverno vs OPA Gatekeeper

                        Kyverno             OPA Gatekeeper
Language                K8s-native YAML     Rego
Learning curve          Low                 High
Generation/Mutation     Yes                 No (validate only)
Non-K8s use case        No                  Yes (Terraform, API, etc.)
Performance             Excellent           Excellent

Curated policy packs

  • Kyverno Policies — official repo with 100+ ready policies (PodSecurity, best practices, compliance)
  • PSP replacement — policies replicating deprecated Pod Security Policy (K8s 1.25+)
  • PCI DSS, CIS, NSA/CISA — compliance baseline

In the Italian context

Kyverno is widely adopted in:

  • Banks — compliance baseline policies (resources, images, secrets)
  • Digital public administration (PA) — constraints on namespaces, mandatory labels
  • MSPs — default policies on client clusters
  • Healthcare — compliance with sensitive-data regulation
  • Platform engineering teams — as a Gatekeeper alternative

Often combined with Cosign/Sigstore for container image signature verification in regulated environments.
