Kyverno

A policy engine natively designed for Kubernetes

To secure and automate Kubernetes configurations


7 million downloads & counting…

On-demand webinar

Secure self-service provisioning of K8s clusters using Crossplane and Kyverno


Case Study

Grofers: Secure provisioning of LoadBalancer Services on Kubernetes using Kyverno


Blog Series

Exploring Kyverno, an extensive, Kubernetes-native policy engine


Why Kyverno

Kyverno policies are Kubernetes resources, so there is no new language to learn. Kyverno can block insecure and non-compliant configurations during admission control, report violations, and automate resource generation using dynamic triggers.

In complex systems, policies drive autonomy and alignment across roles. Kubernetes policies establish a digital contract across developers and operations teams. The Nirmata platform provides a unified Kubernetes management plane, and Kyverno started life as a module in the platform. Kyverno was moved into the Kubernetes control plane once custom resource definitions and admission control webhooks were supported by Kubernetes.

To make it easy to secure and manage any Kubernetes cluster, Nirmata open sourced Kyverno under an Apache v2 license, and donated Kyverno to the CNCF in November of 2020. Nirmata continues to build the community and grow Kyverno by developing new features and capabilities.

 

Benefits of Kyverno

Powerful

Kyverno, a Kubernetes-native policy engine, solves several common problems with managing Kubernetes clusters at scale and enables clear separation of concerns across developers and operators.

Simple

Learning a complex new language is not required. Like native resources, Kyverno policies are declarative, and because Kyverno is focused on Kubernetes, it leverages Kubernetes patterns and best practices and is intuitive to use.

Secure

Kyverno makes Kubernetes secure by default and provides a more flexible alternative for pod security. When applied with other Policy-as-Code best practices, Kyverno helps enable secure self-service for developers to drive agility and increase productivity.

Nirmata Enterprise Subscription for Kyverno

  • SLA-based production support. Get support from the creators and maintainers of Kyverno. Our range of support services can help organizations reduce complexity and empower DevSecOps teams to scale and adapt their cloud native environments and applications while maintaining security, compliance and operational readiness.

  • Training on best practices and policy development, security and compliance. Get hands-on training on how best to leverage Kyverno, along with help to jumpstart policy development for your deployment.

  • Curated policy sets. Obtain curated sets of Kubernetes policies for security and best practices compliance, tested with a matrix of supported Kubernetes releases.

Kyverno Fundamentals Certification

Key Features

Validate

  • Check resource configurations for security and compliance. For example, enforce pod security or ensure cloud-native best practices.

Mutate

  • Modify resources during admission control. For example, add labels or annotations to resources or inject a sidecar.

Generate

  • Create new resources based on resource creation or update. For example, create network policies and resource quotas when a namespace is created.

When it comes to Kyverno vs OPA, Kyverno's intentional design for Kubernetes and its native resources offers several advantages.

Kyverno vs OPA/Gatekeeper

  • Kyverno

    • Designed for Kubernetes
    • Policies as native resources (YAML)
    • Secure by default
    • Enables Dynamic Configuration (IFTTT for Kubernetes!)
    • Use GitOps and other Kubernetes tools

  • OPA/Gatekeeper

    • General purpose policy engine
    • Policies in Rego – a custom language with a steep learning curve

Kubernetes-Native Policy Management With Kyverno
