Managing Kubernetes Policy Exceptions with Kyverno and Nirmata

In the fast-paced world of cloud-native applications and infrastructure management, adhering to policies and governance is a necessity. However, rigid enforcement of policies can sometimes collide with the dynamic and evolving nature of modern IT environments. To address this challenge, Nirmata has introduced a seamless policy exception management workflow that empowers users while maintaining control and security.

In this blog post, we will talk about how Nirmata Policy Manager streamlines policy exception management for enterprise DevSecOps teams. It is powered by Kyverno, a popular CNCF policy engine created by Nirmata.

Understanding Policy Exceptions

Before delving into the Nirmata Policy Manager (NPM) details, let’s clarify what policy exceptions are and why they matter. Policies are a set of rules that define how resources should be configured and behave in a cloud-native environment. These policies ensure compliance, security, and efficiency. However, there are instances when adhering to policies might not be possible, or may hinder operational needs, requiring temporary deviations.

Kyverno introduced Policy Exceptions in its 1.9 release and has excellent documentation on the what, why, and how of policy exceptions. Read the complete documentation here.

Policy Exception Management Workflows

A structured workflow for policy exceptions is crucial for efficient exception management within organizations. Without it, manual exception handling can become cumbersome and disorganized as it requires editing the policy or creating multiple variations of the same policy. Granting users unrestricted exception creation can compromise security and governance by leading to arbitrary exceptions. Additionally, the absence of an audit trail makes it challenging to track exception justifications. By adopting a workflow, organizations can centralize exception requests, ensuring only valid cases are approved, preserving policy integrity, establishing accountability, and strengthening security.

Here’s how Nirmata’s seamless workflow for policy exceptions unfolds:

Figure: Policy Exception Workflow in NPM

Policy Violation Detection & Assignment

The journey begins when certain Kubernetes configurations violate established policies. Nirmata, powered by Kyverno, instantly detects these violations, and the admin can view them in the Policy Reports dashboard. The admin will then assign different namespaces or violations to users (usually developers) responsible for fixing the violations. The assigned users take necessary steps to remediate the policy violations.

Requesting a Policy Exception

To address the violations assigned to them, developers must troubleshoot and debug the offending resources. This often entails bypassing certain existing policies and rules; without that, overall progress is delayed and, quite frankly, frustrating.

With these considerations in mind, NPM allows developers to request policy exceptions. Once approved, these exceptions empower developers to expediently address issues, minimizing obstructions. It is important to note that these exceptions are time-bound, which is necessary to ensure the overall security posture of the Kubernetes cluster. When submitting a request for a new Policy Exception, developers are required to specify the desired duration for which the exception should remain in effect.

Administrator Review and Approval

Once a developer requests a Policy Exception, NPM notifies the admin about the new request in the system. The admin reviews the request, considering factors such as the reason for the exception, its duration, its potential impact, and the validity of the user’s justification. It is up to the administrators to make a fair decision on whether the exception should be allowed in the system or not. Whatever the outcome, the developer gets notified of the result.

If the admin chooses to approve the policy exception request, a new PolicyException resource gets created in the cluster. This temporarily bypasses the policies and rules specified in the PolicyException spec, for the resources its match block selects. Note that developers do not have access to this newly created PolicyException resource, which preserves the integrity of the exception.
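As an added illustration (not NPM's own output) of the time-bound, narrowly scoped exception described above and in the request step, here is the kind of Kyverno PolicyException an approval would create, alongside a developer Role that deliberately grants no access to policyexceptions. It assumes the kyverno.io/v2beta1 API (Kyverno 1.10+), a ClusterPolicy named disallow-host-namespaces with a rule host-namespaces, a developer-owned namespace delta, and plain Kyverno's cleanup-controller TTL label as one way to expire the exception; the annotation keys are constructed.

```yaml
# Added illustration, not NPM's own output. Assumes Kyverno 1.10+ (API
# kyverno.io/v2beta1), a ClusterPolicy disallow-host-namespaces with rule
# host-namespaces, and a developer-owned namespace "delta". Exceptions must
# be enabled on the admission controller (enablePolicyExceptions) and may be
# restricted to the namespace named by exceptionNamespace.
apiVersion: kyverno.io/v2beta1
kind: PolicyException
metadata:
  name: delta-host-namespaces-exception
  namespace: kyverno   # assumed to be the configured exception namespace
  labels:
    # Plain Kyverno's cleanup-controller TTL: one way to make the exception
    # expire after the requested duration (not NPM's own expiry mechanism).
    cleanup.kyverno.io/ttl: 2d
  annotations:
    # Constructed audit-trail fields; keys are made up for this example.
    exception.example.io/requested-by: dev-alice
    exception.example.io/approved-by: admin-bob
    exception.example.io/reason: "Debugging node-level networking in delta"
spec:
  # Only the named policy and rules are bypassed; every other rule still applies.
  exceptions:
  - policyName: disallow-host-namespaces
    ruleNames:
    - host-namespaces
    - autogen-host-namespaces   # the auto-generated rule for Pod controllers
  # Scope the bypass as narrowly as the request justifies.
  match:
    any:
    - resources:
        kinds:
        - Pod
        - Deployment
        namespaces:
        - delta
        names:
        - net-debug-*
---
# Developers can read their namespace's reports to see assigned violations but
# get no verb on policyexceptions: only the approval workflow creates or edits those.
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  name: delta-developer
  namespace: delta
rules:
- apiGroups: ["wgpolicyk8s.io"]
  resources: ["policyreports"]
  verbs: ["get", "list", "watch"]
```

Once the TTL elapses the cleanup controller deletes the PolicyException and the bypassed rule is enforced again, so an exception cannot silently outlive the approved duration.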

Monitoring and Auditing

Transparency and accountability are key. Throughout the entire process, Nirmata keeps a comprehensive record of all exception requests, approvals, rejections, and related information. This audit trail is invaluable for compliance reporting and continuous improvement.

Continuous Improvement

The workflow that we saw above isn’t just about granting exceptions – it is a dynamic process aimed at learning and enhancing. When certain policies consistently result in exceptions, it serves as an indicator that either those policies require re-evaluation to align more effectively with the changing environment’s demands, or it is necessary to revisit the root cause of misconfigured resources and address the issue at its origin. This could mean refining policies themselves or providing additional training to those crafting the resource specifications.


Nirmata’s aim is to make policy management feasible and accessible to everyone, ensuring that policies are not rigid barriers, but adaptive tools. By combining user empowerment, administrative oversight, and the power of Kyverno, Nirmata ensures that policy exceptions are both justifiable and transparent.

Nirmata continues to lead the charge in delivering policy management solutions that resonate with real-world challenges. In a landscape that demands both flexibility and control, Nirmata’s workflow strikes an elegant balance that benefits both users and organizations.

Next Steps

At Nirmata, our ongoing commitment revolves around minimizing the barriers between platform engineers, security teams, and developers. We achieve this through the implementation of secure self-service workflows, with clear separation of concerns, that enable autonomy with alignment. We are exploring further enhancements such as policy exception extension requests and automatic renewal of exceptions. We appreciate your valuable feedback and suggestions on this workflow that we have built.

Ready to experience the benefits? You can now sign up for a 15-day free trial of the Nirmata Policy Manager here (no credit card required).
