Running Kyverno is essential for enforcing Kubernetes governance and security policies. But is your Kyverno setup secure, scalable, and resilient? With the latest enhancement in Nirmata Control Hub, you no longer have to guess.
We’re excited to introduce the Kyverno Health Check – a new capability that provides a clear, actionable view of Kyverno’s configuration in your clusters. Whether you’re a platform engineer managing dozens of clusters or a security lead enforcing policy compliance, this feature helps to ensure that Kyverno is running optimally at all times.
Why Kyverno Health Matters
Kyverno by Nirmata enforces critical security, compliance, and operational policies in Kubernetes. But like any controller, its effectiveness depends on its own configuration and health.
A misconfigured or unhealthy Kyverno deployment can:
- Allow lateral network traffic to Kyverno pods.
- Fail under load due to insufficient resource settings.
- Go unnoticed during outages due to missing observability.
- Or worse, be vulnerable to privilege escalation or unauthorized cluster-admin bindings.
Kyverno Health Check ensures none of this happens by continuously and vigilantly evaluating your deployments for best practices and known risks.
What’s New: Kyverno Health Check
The new Kyverno Health Check feature in Nirmata Control Hub evaluates Kyverno deployments based on four critical categories:
- Security
  - Detects wildcard permissions, cluster-admin bindings, and missing NetworkPolicies.
- Availability
  - Checks for resource configurations, pod disruption budgets, and runtime stability of Kyverno.
- Scalability
  - Checks for HPA configuration and etcd offload for policy reports.
- Observability
  - Checks the health of Kyverno controllers and identifies misconfigured liveness and readiness probes.
Each category is scored and flagged as:
- Healthy
- Warning
- Critical
These results are aggregated into a Kyverno Health Grade (A to F), allowing you to view the overall state of Kyverno at a glance and drill down to address the areas that matter most.
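To make the four categories concrete, here is an added example (not Nirmata's or Kyverno's own code) that runs the kind of checks described above over constructed Kubernetes objects: wildcard RBAC rules and cluster-admin bindings, a missing NetworkPolicy, absent resource requests and limits, a missing PodDisruptionBudget and HPA, and a missing readiness probe, then rolls the findings up to Healthy, Warning or Critical per category. The namespace, label keys and the severity assigned to each check are assumptions; the sample manifests are constructed to trigger every check.

```python
# Added example, not Nirmata's or Kyverno's own code: a minimal audit in the
# spirit of the four Health Check categories, run over constructed manifests.
# The namespace, label keys and the Warning/Critical mapping are assumptions.

CATEGORIES = ("Security", "Availability", "Scalability", "Observability")
NAMESPACE = "kyverno"  # assumed install namespace


def sample_cluster():
    """Constructed objects shaped like the Kubernetes API, with deliberate gaps."""
    labels = {"app.kubernetes.io/part-of": "kyverno"}
    return {
        "cluster_roles": [
            {"metadata": {"name": "kyverno:admission-controller"},
             "rules": [{"apiGroups": ["*"], "resources": ["*"], "verbs": ["*"]}]},
        ],
        "bindings": [
            {"metadata": {"name": "kyverno-admin"},
             "roleRef": {"kind": "ClusterRole", "name": "cluster-admin"},
             "subjects": [{"kind": "ServiceAccount", "namespace": NAMESPACE,
                           "name": "kyverno-admission-controller"}]},
        ],
        "deployments": [
            {"metadata": {"name": "kyverno-admission-controller", "namespace": NAMESPACE},
             "spec": {"template": {
                 "metadata": {"labels": labels},
                 "spec": {"containers": [{
                     "name": "kyverno",
                     "resources": {},  # no requests or limits
                     "livenessProbe": {"httpGet": {"path": "/health/liveness", "port": 9443}},
                     # readinessProbe deliberately missing
                 }]}}}},
        ],
        "network_policies": [],  # nothing selects the Kyverno pods
        "pdbs": [],
        "hpas": [],
    }


def _selector_matches(selector, labels):
    """True when every matchLabels pair of a selector is present on the pod labels.
    An empty podSelector selects every pod in the namespace, so it matches too."""
    wanted = (selector or {}).get("matchLabels", {})
    return all(labels.get(k) == v for k, v in wanted.items())


def _is_wildcard(rule):
    """A rule granting '*' on apiGroups, resources or verbs."""
    return any("*" in rule.get(f, []) for f in ("apiGroups", "resources", "verbs"))


def audit(cluster_roles, bindings, deployments, network_policies, pdbs, hpas):
    """Return (category, severity, message) findings for the objects given."""
    findings = []
    for cr in cluster_roles:
        if any(_is_wildcard(r) for r in cr.get("rules", [])):
            findings.append(("Security", "Critical",
                             f"wildcard rule in ClusterRole {cr['metadata']['name']}"))
    for b in bindings:
        bound_here = any(s.get("namespace") == NAMESPACE for s in b.get("subjects", []))
        if b["roleRef"]["name"] == "cluster-admin" and bound_here:
            findings.append(("Security", "Critical",
                             f"cluster-admin bound to Kyverno by {b['metadata']['name']}"))
    for d in deployments:
        name = d["metadata"]["name"]
        tmpl = d["spec"]["template"]
        labels = tmpl["metadata"].get("labels", {})
        if not any(_selector_matches(np["spec"].get("podSelector"), labels)
                   for np in network_policies
                   if np["metadata"].get("namespace") == NAMESPACE):
            findings.append(("Security", "Warning", f"no NetworkPolicy selects {name} pods"))
        if not any(_selector_matches(p["spec"].get("selector"), labels) for p in pdbs):
            findings.append(("Availability", "Warning", f"no PodDisruptionBudget covers {name}"))
        if not any(h["spec"]["scaleTargetRef"]["name"] == name for h in hpas):
            findings.append(("Scalability", "Warning", f"no HorizontalPodAutoscaler targets {name}"))
        for c in tmpl["spec"]["containers"]:
            res = c.get("resources", {})
            if not res.get("requests") or not res.get("limits"):
                findings.append(("Availability", "Warning",
                                 f"{name}/{c['name']} has no resource requests or limits"))
            for probe in ("livenessProbe", "readinessProbe"):
                if probe not in c:
                    findings.append(("Observability", "Warning",
                                     f"{name}/{c['name']} has no {probe}"))
    return findings


def category_status(findings):
    """Roll findings up to Healthy / Warning / Critical per category."""
    status = dict.fromkeys(CATEGORIES, "Healthy")
    for category, severity, _ in findings:
        if severity == "Critical" or status[category] == "Healthy":
            status[category] = severity
    return status


if __name__ == "__main__":
    found = audit(**sample_cluster())
    for finding in found:
        print(*finding, sep=" | ")
    print(category_status(found))
```

Run as-is, the constructed cluster yields seven findings and a Critical Security category; adding a NetworkPolicy whose podSelector matches the Kyverno pod labels removes the NetworkPolicy finding, which is the rescan-and-improve loop the product describes.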
Real Example: NetworkPolicy for Kyverno
In many clusters, Kyverno components may restart frequently or be terminated due to out-of-memory (OOM) conditions. These issues often go unnoticed until policy failures occur.
That’s a risk.
Nirmata Control Hub detects this and gives you:
- A diagnostic message highlighting restarts or OOM kills in Kyverno pods
- Context on which components are impacted and how frequently
- Clear recommendations to adjust resource limits or investigate crash causes
You or your team can apply the fix, rescan the cluster, and watch your health grade improve.
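The restart and OOM diagnostic above, as an added example that is not Nirmata's code: it walks pod status objects shaped like the Kubernetes API, flags containers whose last termination reason was OOMKilled or whose restart count is high, attaches a recommendation to each, and totals restarts per component so you can see which ones are impacted and how often. The component label key, the restart threshold and the sample pods are assumptions constructed for the example.

```python
# Added example, not Nirmata's code: flag Kyverno pods that were OOM-killed or
# restart often, from pod status objects shaped like the Kubernetes API.
# The component label key and the restart threshold are assumptions.

COMPONENT_LABEL = "app.kubernetes.io/component"  # assumed label on Kyverno pods
RESTART_THRESHOLD = 5  # assumed: restarts at or above this are worth a look


def sample_pods():
    """Constructed pod objects: one OOM-killed, one crash-looping, one healthy."""
    def pod(name, component, restarts, terminated):
        return {"metadata": {"name": name, "namespace": "kyverno",
                             "labels": {COMPONENT_LABEL: component}},
                "status": {"containerStatuses": [{
                    "name": "kyverno", "restartCount": restarts,
                    "lastState": {"terminated": terminated} if terminated else {}}]}}
    return [
        pod("kyverno-admission-controller-7c9d-abc12", "admission-controller", 12,
            {"reason": "OOMKilled", "exitCode": 137}),
        pod("kyverno-reports-controller-5f4b-xyz99", "reports-controller", 7,
            {"reason": "Error", "exitCode": 1}),
        pod("kyverno-background-controller-9a1e-qrs42", "background-controller", 0, None),
    ]


def diagnose(pods, threshold=RESTART_THRESHOLD):
    """Return one finding per affected container: what happened and what to do."""
    findings = []
    for p in pods:
        component = p["metadata"].get("labels", {}).get(COMPONENT_LABEL, "unknown")
        for cs in p["status"].get("containerStatuses", []):
            restarts = cs.get("restartCount", 0)
            reason = cs.get("lastState", {}).get("terminated", {}).get("reason")
            base = {"component": component, "pod": p["metadata"]["name"],
                    "container": cs["name"], "restarts": restarts}
            if reason == "OOMKilled":
                # Exit code 137 with reason OOMKilled: the kernel killed the container
                # for exceeding its memory limit, so the limit (or the workload) needs attention.
                findings.append({**base, "severity": "Critical",
                                 "message": "container was OOM-killed",
                                 "recommendation": "raise the memory limit for this component "
                                                   "and check whether policy or report volume grew"})
            elif restarts >= threshold:
                findings.append({**base, "severity": "Warning",
                                 "message": f"{restarts} restarts, last exit reason {reason}",
                                 "recommendation": "inspect container logs and the previous "
                                                   "termination state for the crash cause"})
    return findings


def summarize(findings):
    """Per-component restart totals: which components are impacted and how often."""
    summary = {}
    for f in findings:
        summary[f["component"]] = summary.get(f["component"], 0) + f["restarts"]
    return summary


if __name__ == "__main__":
    found = diagnose(sample_pods())
    for f in found:
        print(f"{f['severity']:8} {f['component']:22} {f['message']} -> {f['recommendation']}")
    print(summarize(found))
```

The healthy background controller produces no finding, the OOM-killed admission controller is Critical regardless of its restart count, and the reports controller is only a Warning because its exits were ordinary crashes; raising the threshold above its restart count silences that warning while the OOM finding stays.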
Getting Started
Kyverno Health Check is available for all clusters where:
- You’re running Kyverno Operator version 0.8.0+
- The cluster is registered in Nirmata Control Hub
To try it:
- Go to Control Hub → Select Cluster → Health tab
- Review your health score and categories
- Expand sections to view recommendations
- Apply fixes and monitor improvements
Why Kyverno Health Check Matters
At Nirmata, we believe policy enforcement is only as strong as the engine driving it. This feature helps your DevOps and security teams:
- Eliminate configuration drift and human errors
- Avoid relying on tribal knowledge or manual YAML reviews
- Maintain best practices continuously across clusters
So go ahead—run a health check on your Kyverno setup. Fix what’s critical. Rest easy knowing your policy engine is running strong.
Want help reviewing your Kyverno setup? Request a demo.
