As Kyverno approaches turning two, we’re marking this significant milestone with exciting news that the project has moved from sandbox to incubating status. Since open sourcing Kyverno, we have worked closely with key maintainers, contributors and partners on its evolution and are thrilled that we have achieved this level of maturity by Cloud Native Computing Foundation’s (CNCF) Technical Oversight Committee (TOC).  It wasn’t too long ago that Kyverno surpassed 200 million downloads, achieved over 2.5K GitHub stars, acquired over 100 monthly contributors and saw over 500 Kyverno certifications. And now, Kyverno is now part of a select group of mature CNCF open-source projects such as Argo, Cilium, Crossplane and Falco. This remarkable growth underscores the need for a cloud-native policy management solution designed for Kubernetes, and the value the community places on Kyverno. 

Operating and maintaining Kubernetes is complex, and that complexity compounds with the disparate components that make up the modern cloud applications many enterprises find to be mission critical. This challenge leaves companies struggling to make additions to crucial areas like Kubernetes governance and compliance capabilities which, deployed properly, reduce exposures to policy violations and potential data breaches.  In our latest State of Policy Management Report, 40% of respondents say a lack of budget holds back security policy enforcement rollout. This is followed by other roadblocks such as solution complexity, a lack of skill sets and siloed divisions. 

 

Out of the Sandbox

To address these pain points, our team launched Kyverno into open source with the idea that companies using container management platforms would struggle with security, governance and compliance. The complexity of multi-cloud systems and declarative nature of Kubernetes required the ability to configure the right settings for security, best practices, and standardization. And at the time, we knew we had something special to offer the community that would meet this challenge. Kyverno (which means “govern” in Greek) is a Kubernetes policy engine that runs as an admission controller and can validate, mutate, and generate any configuration data based on customizable policies. While other general purpose policy solutions were retrofitted to Kubernetes, the Nirmata team designed Kyverno for Kubernetes.

When we contributed the project to CNCF, it was our first promising step toward providing security, automation, and enabling collaboration across developers, operators, and security roles through policy management. CNCF has a broad impact on the developers and platform teams everywhere and that’s what we hoped for Kyverno back then. 

Initially, Kyverno was proven out at scale by early adopters like Duke Energy and TriNet, and open-source projects like Flux in today’s distributed, multi-cloud world. Because of their commitment, its traction with enterprises continues to surge across industries like human data science companies, IQVIA, Coinbase, Giant Swarm and others. 

A few other stats that make us proud about Kyverno:

• > 275M image pulls
• > 2.6K GitHub Stars
• > 2.1K pull requests 
• > 1.6K issues closed
• > 100 average active monthly contributors
• 9 maintainers from 7 organizations
• 123 Releases

Kyverno: Into Incubation with a Community of Contributors

To enable the next phase of community-driven innovation, CNCF has accepted Kyverno as an incubating project which is a significant milestone for the project’s technical governance. We want to thank the Kyverno community – from the project maintainers and core contributors to our partners and CNCF for all their support. Your backing and guidance has been invaluable, and we want to recognize everyone’s contribution to this project.

 

What The Community Has to Say

“Having [Kyverno] move through CNCF for OSC [Ohio Supercomputer Center] means we can continue to rely on Kyverno for years to come as we utilize Kubernetes more.” — Trey Dockendorf, HPC Systems Senior Engineer, Ohio Supercomputer Center

“At Deutsche Telekom, we use Kyverno as an integral part of our managed Kubernetes service for internal teams. Kyverno plays a vital role for us in enforcing right separation via flux, enhancing RBAC where simple additive rules were not enough, enforcing security policies like only running non-root pods, and good governance examples (such) as correctly labeling resources in our clusters. We are very happy to see Kyverno graduating from sandbox.”  – Maximilian Rink, Lead K8s Solution Design Engineer, Deutsche Telekom

As Nirmata continues our journey to solve real challenges around policy management and governance in the cloud-native ecosystem together with our ever-growing community, we are incredibly thankful for the work and time dedicated by so many. This milestone is a recognition of the Kyverno open-source community and what it has achieved to advance and grow this project since we launched it. We are excited to see how platform teams across financial services, healthcare, utilities, and telecommunications providers will use Kyverno and apply it to cloud native policies to enforce security, provide guardrails and secure the Kubernetes supply chain. We are looking to this community to help us shape the next year of Kyverno. Join the community!