Kyverno

Secure and automate Kubernetes configurations

Kyverno is a policy engine designed for Kubernetes

Kyverno policies are Kubernetes resources, so there is no new language to learn. Kyverno can block insecure and non-compliant configurations during admission control, report violations, and automate resource generation using dynamic triggers.

Why Kyverno

In complex systems, policies drive autonomy and alignment across roles. Kubernetes policies establish a digital contract across developers and operations teams.

The Nirmata platform provides a unified Kubernetes management plane, and Kyverno started life as a module in the platform. Kyverno was moved into the Kubernetes control plane once custom resource definitions and admission control webhooks were supported by Kubernetes.

To make it easy to secure and manage any Kubernetes cluster, Nirmata open sourced Kyverno under an Apache v2 license, and donated Kyverno to the CNCF in November of 2020. Nirmata continues to build the community and grow Kyverno by developing new features and capabilities.

3 million plus downloads

Benefits of Kyverno

Powerful

Kyverno, a Kubernetes-native policy engine, solves several common problems with managing Kubernetes clusters at scale and enables clear separation of concerns across developers and operators.

Simple

Kyverno policies are easy to write and manage, and learning a complex new language is not required. Like native resources, Kyverno policies are declarative. Because Kyverno is focused on Kubernetes, it leverages Kubernetes patterns and best practices and is therefore intuitive to use.

Secure

Kyverno makes Kubernetes secure by default and provides a more flexible alternative for pod security. When applied with other Policy-as-Code best practices, Kyverno helps enable secure self-service for developers to drive agility and increase productivity.

Key Features

Validate

  • Check resource configurations for security and compliance. For example, enforce pod security or ensure cloud-native best practices.

Mutate

  • Modify resources during admission control. For example, add labels or annotations to resources or inject a sidecar.

Generate

  • Create new resources based on resource creation or update. For example, create a network policy and resource quotas when a namespace is created.

When it comes to Kyverno vs OPA, Kyverno’s Kubernetes-native design and its use of native resources offer several advantages.

Kyverno vs OPA/Gatekeeper

  • Kyverno

    • Designed for Kubernetes
    • Policies as native resources (YAML)
    • Secure by default
    • Enables Dynamic Configuration (IFTTT for Kubernetes!)
    • Works with GitOps and other Kubernetes tools

  • OPA/Gatekeeper

    • General purpose policy engine
    • Policies in Rego – a custom language with a steep learning curve

When it comes to Kyverno vs OPA, we find Kyverno to be the clear winner.

Deploying Kyverno in production?