Running Kyverno is essential for enforcing Kubernetes governance and security policies. But is your Kyverno setup secure, scalable, and resilient? With the latest enhancement in Nirmata Control Hub, you no longer have to guess.

We’re excited to introduce the Kyverno Health Check—a new capability that provides a clear, actionable view of Kyverno’s configuration in your clusters. Whether you’re a platform engineer managing dozens of clusters or a security lead enforcing policy compliance, this feature helps to ensure that Kyverno is running optimally at all times.

Why Kyverno Health Matters

Kyverno by Nirmata enforces critical security, compliance, and operational policies in Kubernetes. But like any controller, its own configuration can impact its effectiveness.

A misconfigured or unhealthy Kyverno deployment can:

• Allow lateral network traffic to Kyverno pods.
• Fail under load without proper resource settings.
• Go unnoticed during outages due to missing observability.
• Or worse, be wide open to privilege escalation or cluster-admin bindings.

Kyverno Health Check ensures none of this happens by continuously and vigilantly evaluating your deployments for best practices and known risks.

What’s New: Kyverno Health Check

With this enhancement, Control Hub now evaluates Kyverno across four key categories:

1. Security
   1. Checks for wildcard permissions, cluster-admin bindings, and network policies
2. Availability
   1. Checks for resource configurations, pod disruption budgets, and runtime stability of Kyverno.
3. Scalability
   1. Checks for HPA configuration and etcd offload for policy reports.
4. Observability
   1. Checks the health of Kyverno controllers and identifies misconfigured liveness and readiness probes.

Each category is scored and flagged as:

• Healthy
• Warning
• Critical

These results are aggregated into a Kyverno Health Grade (A to F), allowing you to view the overall state of Kyverno at a glance and drill down to address the areas that matter most.

Real Example: NetworkPolicy for Kyverno

In many clusters, Kyverno is deployed without a NetworkPolicy, allowing any pod to communicate with the Kyverno webhook.

That’s a risk.

Nirmata Control Hub detects this and gives you:

• A diagnostic message explaining the issue
• A convenient link to the recommended NetworkPolicy
• The context of which components are affected

You or your team can apply the fix, rescan, and watch your health grade improve.

Getting Started

Kyverno Health Check is available for all clusters where:

• You’re running Kyverno Operator version 0.8.0+
• The cluster is registered in Nirmata Control Hub

To try it:

1. Go to Control Hub → Select Cluster → Health tab
2. Review your health score and categories
3. Expand sections to view recommendations
4. Apply fixes and monitor improvements

Why Kyverno Health Check Matters

At Nirmata, policy enforcement is only as strong as the engine behind it. This enhancement makes it easy to keep your Kyverno deployment aligned with best practices, without relying on tribal knowledge or manually reviewing YAML files. DevOps teams will save time, prevent tribal errors, and experience more successful Kyverno ops.

So go ahead. Get a health check for your policy engine. Fix what’s critical. And rest easy knowing Kyverno is ready to do its job!

Try it now in the Nirmata Control Hub with a 15-day free trial.

Want help reviewing your Kyverno setup? Request a demo.