Nirmata, a leading provider of the popular Kubernetes management platform, has announced today that the Cloud Native Computing Foundation (CNCF) has accepted the company’s innovative and increasingly popular native Kubernetes policy engine — Kyverno, as a latest Sandbox project.
Kyverno (which means “governance” in Greek) is designed as a Kubernetes policy engine. With Kyverno, policies are managed as Kubernetes resources and no new language is required to write policies. This allows cluster administrators to use familiar tools such as kubectl, Git, and kustomize to manage policies. Kyverno policies can validate, mutate, and generate Kubernetes resources. Using Kyverno, admins can define policies to ensure that applications deployed in the cluster are compliant and follow security and configuration best practices.
Key features include:
Kyverno runs as a validating and mutating webhook that works with the Kubernetes API server to provide configuration security and block invalid and non-compliant configurations.
Kyverno periodically scans all resources and generates a policy report for each namespace and for cluster-wide resources.
Like Kubernetes, Kyverno policies are stored as YAML or JSON manifests. This enables a “policy-as-code” approach, allowing platform teams to manage Kubernetes policies in the same manner as other Kubernetes resources.
Automated rules for pod controllers
As a Kubernetes policy engine, Kyverno automatically generates rules for pod controllers from pod policies, making it easier to manage Kubernetes policies at scale.
Validation using overlays
To validate configurations, Kyverno allows writing a YAML fragment that is used to match specification of incoming resources. This familiar syntax is similar to Kustomize overlays and easy to learn for any Kubernetes resource.
Flexible patch strategies
To modify resources Kyverno supports RFC 6902 JSON patch, as well as a Strategic Merge Patch used by kubectl and Kustomize.
Dynamic config generation
Kyverno supports flexible triggers to automate dynamic generation of new configuration resources, enabling a number of use cases that previously required manual intervention from operations teams.
Synchronization across namespaces
Kyverno can automatically synchronize configuration changes across namespaces, allowing automated propagation of changes from a common source.
Why are we donating Kyverno to the CNCF?
In order to ensure compliance and apply best practices, Kubernetes policy engines are critical for enterprise Kubernetes management. The complexity and learning-curve of solutions which require a new language and foreign tools has hindered adoption. Kyverno simplifies Kubernetes policy management and allows admins to manage policies and reports as native resources. As part of CNCF, we expect broader adoption of Kyverno and we also believe that it will lead to broader participation from the community.
Will Nirmata continue to support Kyverno?
Yes. Our goal at Nirmata is to accelerate the adoption of Kubernetes by enterprise DevOps teams. With Kyverno, Nirmata has applied that same design principles of simplicity to allow cluster administrators to manage complex configurations across their fleet of clusters. Nirmata will continue to support Kyverno by addressing challenges involved in managing policies and reporting and visualizing violations across clusters.
In addition, Nirmata will also provide enterprise grade support for companies interested in adopting Kyverno and looking for commercial support.
Where can I learn more about Kyverno as a Kubernetes policy engine?
Below are some popular resources to learn more about Kyverno:
- Kyverno website
- Kyverno GitHub page
- Kyverno sample policies
How can I contribute to Kyverno?
- Attend our next community meeting
- Suggest a sample policy
- Help with documentation
- Look for issues marked “good first issue”
What features are planned for Kyverno?
Some major planned major features are:
- Lookup API resources (#1105)
- High availability deployments (#1214)
- Reorganize samples
- Kyverno playground