What is kyverno
Last updated: April 1, 2026
Key Facts
- Kyverno is a Cloud Native Computing Foundation (CNCF) project written in Go
- It uses YAML-based policies instead of complex domain-specific languages
- Kyverno operates as a Kubernetes webhook for policy enforcement at admission time
- Policies can validate, mutate, and generate resources to enforce security and compliance standards
- It supports image verification, network policies, resource quotas, and audit logging
What is Kyverno
Kyverno is an open-source policy management platform designed specifically for Kubernetes clusters. It functions as a policy engine that enforces security, compliance, and operational best practices by controlling what resources can be deployed and how they must be configured. Kyverno integrates natively with Kubernetes, using standard Kubernetes Custom Resource Definitions (CRDs) for policy definitions.
Core Functionality
Kyverno operates through three primary mechanisms: validation, mutation, and generation of Kubernetes resources. Validation policies block resources that violate specified rules. Mutation policies automatically modify resources to meet requirements (e.g., adding security labels). Generation policies automatically create complementary resources when new resources are deployed, such as generating network policies alongside new deployments.
Policy Definition and Management
Unlike traditional policy frameworks that require specialized languages, Kyverno uses standard YAML syntax for defining policies, making it accessible to Kubernetes administrators. Policies are declarative and readable, reducing complexity and maintenance overhead. Organizations can define policies around image registries, resource requests/limits, pod security standards, network policies, and compliance requirements.
Security and Compliance Use Cases
Kyverno enforces security policies such as image verification to ensure only signed images run, pod security standards to prevent privileged containers, and network segmentation through automatic network policy generation. It supports audit logging and policy exception management, allowing organizations to track policy violations and define approved exceptions. This makes Kyverno valuable for meeting compliance requirements (PCI-DSS, SOC2, etc.) and maintaining consistent security posture across clusters.
Architecture and Integration
Kyverno operates as a ValidatingWebhook and MutatingWebhook in Kubernetes clusters, intercepting resource creation and modification requests. It evaluates policies before resources are persisted, ensuring real-time enforcement. Kyverno supports policy reports, metrics export, and integration with other tools in the Kubernetes ecosystem, making it a component of comprehensive security and compliance strategies.
Related Questions
How does Kyverno differ from OPA/Rego?
Kyverno uses YAML syntax and Kubernetes-native concepts, while OPA uses the Rego policy language. Kyverno is simpler for Kubernetes-specific use cases but less flexible for complex policies; OPA is more powerful but steeper learning curve.
Can Kyverno enforce image signing policies?
Yes, Kyverno can verify image signatures using tools like cosign. It can block unsigned or untrusted images from running in the cluster, enforcing container image security standards.
Is Kyverno part of CNCF?
Yes, Kyverno is a Cloud Native Computing Foundation (CNCF) project, indicating community backing and governance. It graduated from sandbox status in the Kubernetes ecosystem.
More What Is in Daily Life
Also in Daily Life
More "What Is" Questions
Trending on WhatAnswers
Browse by Topic
Browse by Question Type
Sources
- Wikipedia - KubernetesCC-BY-SA-4.0
- Kyverno Official DocumentationApache-2.0
- CNCF - Kyverno ProjectPublic Domain