Kyverno

Created by Nirmata

why Kyverno

Kyverno, created by Nirmata is the Kubernetes-native policy engine designed to simplify security, compliance, and automation by letting you manage policies the same way you manage your cluster.

Kubernates Native

Uses YAML & CEL, languages familiar to K8s users
Write & apply policies as CRDs

Easy to Adopt

Quick and easy to get started with
Designed for K8s

Flexible & Powerful

Wide range of use cases
Fits naturally into existing workflows

Trusted & Proven

CNCF incubating project
Widely adopted & used in Production by orgs of all sizes

Kyverno Vs Other policy engines

As the industry's leading policy engine, here's how Kyverno compares with other policy engines.

Feature	Kyverno	Open Policy AgentOPA
Policy Language	Supports YAML & CEL-based policies (languages familiar to K8s users) Rego (new DSL to learn)
Ease of Adoption	Intuitive, no extra learning curve Steeper learning curve due to Rego
Policy Types	Validate, Mutate, Generate, Verify, Delete Validate

Complete Platform Engineering Policy As Code Solution

From policy creation to enforcement, testing to reporting, and everything in between, get comprehensive Kubernetes governance and compliance with Kyverno.

Kubernetes Native

Extends and completes Kubernetes policy types for comprehensive platform engineering capabilities.

Works Everywhere

Executes Kubernetes-style policies on any JSON payload using CLI or SDK for universal compatibility.

Integrated Reporting

OpenReports compatible producers, routers, and dashboards for comprehensive policy compliance visibility.

Exception Management

Timebound and fine-grained exception management decoupled from policies for flexible governance.

Shift-Left Integration

CLI for seamless integrations into CI/CD and Infrastructure as Code (Terraform, etc.) pipelines.

Policy Testing

Comprehensive tooling for declarative unit tests and end-to-end behavioral policy validation.

CEL Performance

Enhanced performance with Common Expression Language for faster policy, evaluation and execution.

Version Control

Full version control integration with GitOps workflows for policy lifecycle management.

Security Policies

Comprehensive security policy templates and best practices for zero-trust architectures.

apiVersion: kyverno.io/v1

kind: ClusterPolicy

metadata:

name: require-labels

spec:

validationFailureAction: Enforce

background: true

rules:

- name: check-for-labels

match:

any:

- resources:

kinds:

- Pod

validate:

message: "Missing required labels"

pattern:

metadata:

labels:

app: "*"

version: "*"

apiVersion: policies.kyverno.io/v1alpha1

kind: ValidatingPolicy

metadata:

name: check-labels

spec:

validationActions:

- Deny

matchConstraints:

resourceRules:

- apiGroups: [""]

apiVersions: [v1]

operations: [CREATE, UPDATE]

resources: [pods]

validations:

- message: "Missing required labels"

expression: >

has(object.metadata.labels.app) &&

has(object.metadata.labels.version)

Unified Policy As Code For Platform Engineers

why Kyverno

Kubernates Native

Easy to Adopt

Flexible & Powerful

Trusted & Proven

Kyverno Vs Other policy engines

Complete Platform Engineering Policy As Code Solution

Kubernetes Native

Works Everywhere

Integrated Reporting

Exception Management

Shift-Left Integration

Policy Testing

CEL Performance

Version Control

Security Policies

Get started with Kyverno

Introducing CEL Polices

CEL Policy Types

ValidatingPolicy

ImageValidatingPolicy

MutatingPolicy

GeneratingPolicy

DeletingPolicy

Validating policy in YAML vs CEL

Trusted By Industry Leaders

Kyverno is a CNCF Incubating Project