Image by Tumisu from Pixabay

Kyverno, an open source CNCF policy engine created by Nirmata, has seen rapid adoption as it helps enterprises ensure the security, compliance, and governance of their Kubernetes clusters and cloud-native infrastructure and applications.  However, using open-source Kyverno in mission-critical environments poses several challenges that can hinder operational efficiency and security. Often platform teams end up spending a lot of time keeping up with various Kyverno releases and are burdened with ensuring Kyverno meets their security and compliance requirements. In the post, we will explore how you can leverage the benefits of open-source without the additional costs and hassle! 

Challenges with Open Source Software

– Frequent Releases: Frequent updates every 2-3 months make it hard for enterprises to keep up with the latest developments.

– Incompatibilities:  Limited Kubernetes version compatibility restricts users from upgrading to the latest versions. Users end up having to deal with Kubernetes compatibility issues during upgrades.

– Lack of Long-term Support: CVEs and critical bug fixes are only available for the latest releases, leaving many users without critical patch upgrades forcing them to move to newer Kyverno releases potentially introducing risk.

– Best-effort SLAs: No guarantees for CVEs or critical fixes, providing uncertainty in security and reliability. Most enterprises have strict SLAs for CVE fixes and not meeting those requirements could result in regulatory non-compliance and fines.

– Community Support: Reliance on community Slack channels and GitHub, which lack the reliability and response times required for enterprise-grade support. While the Kyverno community is known for its fanatical support, there could be times when no one is available to respond to questions and provide support when needed.

Nirmata Enterprise for Kyverno (N4K)

Nirmata Enterprise for Kyverno (N4K) is the enterprise-grade distribution of Kyverno that addresses these challenges. N4K is fully compliant with industry standards: FIPS, NIST, DISA Container Hardened, K8s best practices. It is designed and configured for scale resulting in significantly better API server and etcd performance. N4K includes:

– Nirmata Enterprise For Kyverno: Enterprise-ready distribution of Kyverno with enhanced stability and security. Like Kyverno OSS, N4K container images are cryptographically signed and include SBOMs

– 0-CVE policy: Proactively address new CVEs (critical, high & medium severity) per SLAs designed to meet enterprise requirements

– Secure default configurations: N4K is configured with secure defaults to meet enterprise security standards.

– Scaling improvements: N4K is designed to handle large clusters with the etcd-offload capability which significantly reduces the impact on apiserver and etcd.

– Long-term Support (LTS): Broad Kubernetes Compatibility with 18 months Long Term Support (LTS) for Kyverno and Kubernetes versions.

– nctl: a command-line utility with support for pipeline scanning scanning for Kubernetes manifests, Terraform, and Dockerfiles

– Supply Chain Security Extensions: integrations with Venafi, AWS, or Azure code signing tools (includes one; additional available for purchase)

– Extensive Policy Library: Access to hundreds of curated, tested, and ready-to-use policies for Kubernetes, Terraform, Docker and cloud services.

– Premium Enterprise Support: 24/7 support, office hours, quarterly upgrade planning & support, priority bug fixes, guaranteed SLA, and access to Kyverno experts.

– Training: Optional customizable training programs for policy authors and operators.

CVE comparison of OSS vs Enterprise

One of the most compelling reasons to adopt Nirmata Enterprise for Kyverno is the proactive approach to security vulnerabilities. In the open-source Kyverno, users often face delays in receiving critical updates for CVEs, leaving their systems vulnerable. Here are a few examples:

For example, the last release of Kyverno v1.10 was released in Dec 2023. Since then, several CVEs have been reported in open-source Kyverno but there are no newer patches since the community has moved on to the newer releases of Kyverno (v1.11 & v1.12). These CVE’s may be fixed in the newer versions of Kyverno but they are not necessarily backported to earlier versions.  Most enterprise users of Kyverno, are not ready to upgrade their infrastructure to newer versions of Kyverno unless these versions are completely stable and provide a compelling reason to upgrade.

Scan output for OSS Kyverno v1.10.7 (released Dec 2023) (using Prisma cloud scanner)

Scan results for: image ghcr.io/kyverno/kyverno:v1.10.7 

Vulnerabilities found for image ghcr.io/kyverno/kyverno:v1.10.7: total - 10, critical - 0, high - 0, medium - 9, low - 1
Vulnerability threshold check results: FAIL
Scan failed due to vulnerability policy violations: Fail build on CVE detection, 10 vulnerabilities. Blocking vulnerabilities by severity OR by risk factors. Severity distribution : [low:1 moderate:9]

In contrast, Nirmata Enterprise for Kyverno boasts a 0-CVE policy, meaning that all known vulnerabilities are proactively addressed per SLA. Enterprises using N4K receive immediate patches and updates, ensuring no downtime or exposure to known threats. This proactive approach to security ensures that N4K maintains a record of zero known vulnerabilities, providing unparalleled peace of mind for enterprises.

Scan output for Nirmata Enterprise for Kyverno v1.10 latest (using Prisma cloud scanner)

Scan results for: image ghcr.io/nirmata/kyverno:v1.10.7-n4k.nirmata.13 

Vulnerabilities found for image ghcr.io/nirmata/kyverno:v1.10.7-n4k.nirmata.13: total - 3, critical - 0, high - 0, medium - 1, low - 2
Vulnerability threshold check results: PASS

Kubernetes Version Compatibility

Another significant pain point for users of open-source Kyverno is the limited compatibility with various Kubernetes versions. Open-source Kyverno supports only the two most recent Kubernetes releases, which can create challenges for enterprises that need to upgrade their Kubernetes clusters frequently or maintain legacy systems.

Nirmata Enterprise for Kyverno addresses this with:

Broad Kubernetes Compatibility: N4K provides 18 months of Long Term Support (LTS) for both Kyverno and Kubernetes versions. This ensures that enterprises can upgrade their Kubernetes clusters at their own pace without worrying about compatibility issues.

Seamless Integration: N4K is designed to work seamlessly across different Kubernetes versions, allowing for smoother upgrades and migrations.

This extensive compatibility ensures that enterprises can maintain a stable and secure Kubernetes environment without the pressure to constantly update to the latest versions. Refer to the N4K Release Compatibility Matrix here.

ROI of Using Nirmata Enterprise for Kyverno

Enhanced Security and Compliance

N4K provides immediate access to CVE fixes and updates, ensuring that enterprises stay ahead of security vulnerabilities.

Better Operational Efficiency

Enterprises benefit from a dedicated support team that understands their unique environment, providing timely, expert assistance. Proactive monitoring, alerts, and remediation guidance help maintain a healthy and compliant Kubernetes environment.

Low Total Cost of Ownership (TCO)

N4K allows platform teams to focus on building and supporting their platform rather than dealing with open-source community issues. Robust support and fast resolution of issues minimize downtime, ensuring continuous operation and compliance.

Conclusion

For enterprises adopting Kyverno, Nirmata Enterprise for Kyverno (N4K) offers a compelling solution that enhances security, efficiency, and compliance while reducing the total cost of ownership. 

By addressing the inherent challenges of using open-source Kyverno, N4K ensures that mission-critical environments remain secure, efficient, and operational.