Kyverno: Kubernetes-native policy engine

Kyverno (May 2019) by Nirmata: Kubernetes-native policy engine based on YAML (not Rego like OPA). Validation, mutation, generation, image verification. Low-barrier alternative to OPA Gatekeeper.


Policy without learning Rego

OPA/Gatekeeper requires mastery of Rego, a declarative Datalog-inspired language with a significant learning curve. Many Kubernetes teams want policy expressed as YAML with native K8s semantics, rather than a language they must learn from scratch.

The release

Kyverno was published by Nirmata (Sanjay Ramanathan, Jim Bugwadia) in May 2019. Apache 2.0 licence. Written in Go.

Philosophy

  • Policies as YAML CRDs
  • K8s semantics: match, resources, kind
  • Familiar to those who know RBAC, NetworkPolicy, etc.
  • Validating, Mutating, Generating admission controller + policy reporter

Example: a ClusterPolicy that requires a 'team' label on every Pod and Deployment:

apiVersion: kyverno.io/v1
kind: ClusterPolicy
metadata: { name: require-labels }
spec:
  validationFailureAction: Enforce
  rules:
    - name: check-team-label
      match:
        resources:
          kinds: [Pod, Deployment]
      validate:
        message: "label 'team' is required"
        pattern:
          metadata:
            labels:
              team: "?*"

Features

  • Validation — block or warn on non-compliant resources
  • Mutation — automatically adds/modifies fields (e.g. sidecar injection, default resource limits)
  • Generation — creates derived resources (NetworkPolicy for every Namespace)
  • Image verification — Cosign/Sigstore integration for container signature verification
  • Cleanup policies — expired resource deletion
  • Policy Reports — cluster compliance inventory
  • Policy exceptions — explicit exceptions for legacy resources
  • ValidatingAdmissionPolicy integration (K8s 1.30+ native CEL)
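To make the require-labels policy above and the Validation / Policy Reports features concrete, the following added example (not Kyverno's own code, and not from this page's author) re-implements the small subset of Kyverno's validate `pattern` semantics that the policy needs: dict keys in the pattern must exist in the resource, and scalar leaves are compared with Kyverno's string wildcards (assumed, per the Kyverno documentation, to be '*' for zero or more characters and '?' for exactly one). It then evaluates the rule against constructed sample resources under both validationFailureAction values (Enforce denies, Audit admits but records the failure) and aggregates a PolicyReport-style summary. Anchors, variables, numeric operators and everything else in Kyverno's pattern language are deliberately left out; the rule dict is a hand-transcribed subset of the YAML above, not a parsed CRD.

```python
import re

def wildcard_match(pattern: str, value: str) -> bool:
    """Kyverno-style wildcards (assumption): '*' = zero or more characters,
    '?' = exactly one character; every other character is literal."""
    regex = "".join(
        ".*" if c == "*" else "." if c == "?" else re.escape(c) for c in pattern
    )
    return re.fullmatch(regex, value, flags=re.DOTALL) is not None

def pattern_matches(pattern, resource) -> list:
    """Return violation messages; an empty list means the resource satisfies
    the pattern. Keys in the pattern must be present in the resource; scalar
    leaves are compared as strings with wildcard_match."""
    violations = []

    def walk(pat, res, path):
        if isinstance(pat, dict):
            if not isinstance(res, dict):
                violations.append(f"{path}: expected an object")
                return
            for key, sub in pat.items():
                if key not in res:
                    violations.append(f"{path}/{key}: missing")
                else:
                    walk(sub, res[key], f"{path}/{key}")
        elif not wildcard_match(str(pat), str(res)):
            violations.append(f"{path}: {res!r} does not match {pat!r}")

    walk(pattern, resource, "")
    return violations

# Hand-transcribed subset of the require-labels ClusterPolicy shown above.
REQUIRE_LABELS = {
    "name": "check-team-label",
    "kinds": ["Pod", "Deployment"],
    "message": "label 'team' is required",
    "pattern": {"metadata": {"labels": {"team": "?*"}}},
}

def evaluate(rule, resource, failure_action="Enforce"):
    """Admission decision for one resource: (allowed, result, messages).
    result mirrors a PolicyReport entry: 'pass', 'fail' or 'skip'."""
    if resource.get("kind") not in rule["kinds"]:
        return True, "skip", []
    violations = pattern_matches(rule["pattern"], resource)
    if not violations:
        return True, "pass", []
    # Audit: admit the request but report the failure; Enforce: deny it.
    allowed = failure_action == "Audit"
    return allowed, "fail", [rule["message"]] + violations

def policy_report(rule, resources, failure_action="Enforce"):
    """Aggregate results the way a ClusterPolicyReport summary does."""
    summary = {"pass": 0, "fail": 0, "skip": 0}
    for res in resources:
        _, result, _ = evaluate(rule, res, failure_action)
        summary[result] += 1
    return summary

# Constructed sample resources (not real cluster objects).
SAMPLE = [
    {"kind": "Pod", "metadata": {"name": "ok", "labels": {"team": "payments"}}},
    {"kind": "Pod", "metadata": {"name": "no-labels"}},
    {"kind": "Pod", "metadata": {"name": "empty", "labels": {"team": ""}}},
    {"kind": "ConfigMap", "metadata": {"name": "cm"}},
]

if __name__ == "__main__":
    # Why the policy uses "?*" rather than "*": "*" also accepts an empty label.
    print('"*" accepts empty string:', wildcard_match("*", ""))
    print('"?*" accepts empty string:', wildcard_match("?*", ""))
    for res in SAMPLE:
        print(res["kind"], res["metadata"]["name"], evaluate(REQUIRE_LABELS, res))
    print("Enforce summary:", policy_report(REQUIRE_LABELS, SAMPLE))
```

The third sample resource is the case worth noticing: a Pod whose 'team' label is present but empty passes a `"*"` pattern and fails the `"?*"` pattern, which is why the policy on this page uses `"?*"`. The summary counts are identical under Enforce and Audit; only the admission decision differs.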

Kyverno vs OPA Gatekeeper

                       Kyverno             OPA Gatekeeper
  Language             K8s-native YAML     Rego
  Learning curve       Low                 High
  Generation/Mutation  Yes                 No (validate only)
  Non-K8s use case     No                  Yes (Terraform, API, etc.)
  Performance          Excellent           Excellent

Curated policy packs

  • Kyverno Policies — official repo with 100+ ready policies (PodSecurity, best practices, compliance)
  • PSP replacement — policies replicating deprecated Pod Security Policy (K8s 1.25+)
  • PCI DSS, CIS, NSA/CISA — compliance baseline

In the Italian context

Kyverno is widely adopted in:

  • Banks for compliance baseline policies (resources, images, secrets)
  • Digital public administration (PA) — constraints on namespaces, mandatory labels
  • MSPs — default policies on client clusters
  • Healthcare — sensitive data regulation compliance
  • Platform engineering teams as Gatekeeper alternative

Often combined with Cosign/Sigstore for container image signature verification in regulated environments.


References: Kyverno (May 2019). Nirmata (Sanjay Ramanathan, Jim Bugwadia). Apache 2.0 licence. Written in Go. K8s-native YAML policies. Validation, Mutation, Generation. Cosign integration.
