Image by Onur Ömer Yavuz from Pixabay
A few weeks ago we announced that Kyverno, a new CNCF project for Kubernetes native policy management created by Nirmata, had crossed 1 million downloads. Today, Kyverno topped 2 million downloads! I want to take this opportunity to share my thoughts on what’s driving Kyverno’s rapid adoption in the Kubernetes community.
What is Kyverno
Kyverno is a Kubernetes configuration management tool that uses policies to check for required security and best practices settings, change settings, and even generate new Kubernetes resources.
Kyverno runs as an admission controller in Kubernetes clusters. The Kubernetes control-plane consists of services which share a common declarative API model, and all operations are triggered by API changes. This provides Kyverno with visibility across any change in Kubernetes clusters.
Kyverno uses Kubernetes API changes as triggers to enforce policies defined by administrators. Kyverno can block API requests, can allow them to proceed with changes, and can use requests as triggers to make other changes and automate the creation of new configurations.
Kyverno focuses on Kubernetes and hence fits in naturally with the Kubernetes declarative management approach. A large part of Kyverno’s appeal is its simplicity and ease-of-use for Kubernetes administrators along with a great developer experience across the continuous delivery pipeline.
Why we built Kyverno
The Nirmata team’s background is in building centralized management planes for complex mission critical systems in domains like telephony and networking. As software has become mission critical to every enterprise, Nirmata mission is to enable the automated management of cloud native applications in an infrastructure agnostic manner. To achieve this, policy based management is critical for achieving autonomy across roles while keeping alignment to organizational goals and standards.
Kyverno started life as a module in Nirmata, an enterprise Kubernetes management plane built for DevSecOps teams. As Kubernetes matured into an extensible platform with features like Custom Resource Definitions and Admission Controller Webhooks, the Nirmata team recognized the opportunity to rewrite the Nirmata policy engine as a Kubernetes controller and move its powerful capabilities to run in-cluster as an admissions controller.
This architecture allows Nirmata to operate as an “out-of-band” management plane, where developers and other users can freely interact with Kubernetes clusters using native tools like Kubectl and Kustomize, and operator defined policies can be centrally managed and propagated across fleets of clusters.
What Kyverno does
Kubernetes’ declarative configuration management is powerful, but complex. Kubernetes has an API-centric architecture, and all operations flow through the API server. Kyverno runs inside the Kubernetes control plane and installs itself as an admission controller that received requests from the API server, and can block or change information in the API requests based on configured policies. Kyverno can also use request data to trigger new API operations. This vantage point, gives Kyverno the ability to enforce policies and automate generation of configurations based on user or system actions.
Since Kyverno is designed for Kubernetes, its policies are Kubernetes resources and can be managed using familiar Kubernetes tools like kubectl and kustomize. This means cluster administrators can now easily set policies for security and best practices compliance and prevent common misconfigurations, without learning a complex new language. In addition, administrators can trigger fine-grained configuration changes based on user requests to automate otherwise complex interactions across operator and developer concerns.
What are our plans
Our plan is simple:
- Grow the Kyverno community and adoption
- Enable multi-cluster and enterprise workflows
- Continue expansion of the use cases for Kyverno
Grow the Kyverno community
While the fast adoption to date is humbling, we are just getting started! The Kyverno community of adopters and contributors is growing rapidly, and we will continue working with everyone to add features and grow the use cases Kyverno addresses. Our goal is to make Kyverno the de facto policy engine for Kubernetes and have Kyverno installed in the majority of production Kubernetes clusters. We love working with the community, and will continue to strive to make Kyverno better and available to everyone as an open source CNCF project that is fully functional and works well with the CNCF ecosystem.
Enable multi-cluster and enterprise workflows
While Kyverno is already powerful and easy to use, enterprises need additional integrations and tools, and workflows, to manage policies across multiple clusters. This is what our cloud based Kubernetes management platform does. Nirmata provides enterprise Kubernetes users a set of capabilities for collaboration, security, and seamless integrations to provide IT Ops and developer autonomy and alignment.
Here are some sample screenshots for policy as code management in Nirmata. Policy Groups allow GitOps style workflows to deploy and operate policy settings across multiple clusters:
Nirmata aggregates policy results and trends and provides scorecards at the cluster and workload levels, to allow teams to understand and fix violations:
Continue expansion of use cases
Due to its powerful declarative model and extensible architecture, Kubernetes is rapidly becoming the control plane of everything! Projects like Cluster API and CDK8s use Kubernetes to manage infrastructure and even cloud services. And, modern applications that run as Kubernetes workloads are leveraging the power of Kubernetes APIs for advanced security, runtime controls, and powerful service orchestration.
Since Kyverno is built for Kubernetes, we see a huge opportunity to offer more advanced capabilities and make Kyverno a policy based decision engine for Kubernetes workloads and the next generation of infrastructure as code solutions.
Kyverno reached 1 million downloads in 3 months, and the next million in a little over three weeks!
While we are taking a moment to acknowledge this milestone, we are fully focused on what’s next and the exciting road ahead. We are grateful to our Kyverno community and Nirmata’s enterprise customers who inspire us each day to build great software that will help power the next generation of innovation.
If you like our mission, come join the team as we are growing across all functions. Its a great time to build!