Kyverno
What is Kyverno?
Kyverno is a CNCF Kubernetes policy engine that validates, mutates, and generates resources using policies written as native Kubernetes YAML rather than a new DSL.
Kyverno installs as an admission webhook and runs ClusterPolicy or Policy CRs expressed in YAML with selector, match, validate, mutate, generate and verifyImages rules. Because the policy language matches Kubernetes object structure, teams familiar with manifests can author rules without learning Rego. Kyverno also handles image verification (Cosign/Notation), background scans of existing resources, exception workflows, and generation of dependent objects (NetworkPolicy, RoleBinding) when new namespaces appear. It is commonly used to enforce Pod Security Standards, image-signing, label conventions, and supply-chain attestations, and competes with OPA Gatekeeper for the same admission-policy space.
● Examples
- 01: A Kyverno policy that auto-generates a default-deny NetworkPolicy in every new namespace.
- 02: A verifyImages policy requiring all container images to carry a valid Cosign signature.
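The two examples above, written out as Kyverno ClusterPolicy YAML. This is an added illustration for this page, not a sample taken from the Kyverno project or from the original text; the policy names, the list of excluded system namespaces, and the public-key placeholder are assumptions, while the field layout follows the kyverno.io/v1 API (match/exclude, generate, verifyImages with attestors).

```yaml
# Added example: two Kyverno ClusterPolicies matching "Examples" 01 and 02.
# Illustrative YAML written for this page, not the Kyverno project's own
# samples. Names, the excluded namespace list and the key placeholder are
# assumptions; the structure follows the kyverno.io/v1 ClusterPolicy API.
---
apiVersion: kyverno.io/v1
kind: ClusterPolicy
metadata:
  name: add-default-deny-networkpolicy   # assumed name
spec:
  rules:
  - name: generate-default-deny
    # Fire on every Namespace object admitted by the API server.
    match:
      any:
      - resources:
          kinds:
          - Namespace
    # Assumed exclusion list: system namespaces where a blanket
    # default-deny would break cluster components.
    exclude:
      any:
      - resources:
          names:
          - kube-system
          - kube-public
          - kube-node-lease
          - kyverno
    generate:
      apiVersion: networking.k8s.io/v1
      kind: NetworkPolicy
      name: default-deny
      # The generated object lands in the namespace that triggered the rule.
      namespace: "{{request.object.metadata.name}}"
      # Keep the NetworkPolicy in sync with this rule: recreate it if it is
      # deleted or edited out-of-band.
      synchronize: true
      data:
        spec:
          podSelector: {}      # empty selector: selects every pod
          policyTypes:
          - Ingress
          - Egress             # no allow rules listed, so all traffic is denied
---
apiVersion: kyverno.io/v1
kind: ClusterPolicy
metadata:
  name: verify-cosign-signatures        # assumed name
spec:
  # Reject unsigned workloads instead of only reporting them.
  validationFailureAction: Enforce
  # Signature checks need the live admission request, so skip background scans.
  background: false
  # Fail closed if the webhook cannot reach the registry or times out.
  failurePolicy: Fail
  webhookTimeoutSeconds: 30
  rules:
  - name: require-cosign-signature
    match:
      any:
      - resources:
          kinds:
          - Pod
    verifyImages:
    - imageReferences:
      - "*"                    # every container image in the Pod
      # Rewrite tags to digests so the image that runs is the one verified.
      mutateDigest: true
      required: true
      attestors:
      - count: 1               # at least one key below must verify
        entries:
        - keys:
            publicKeys: |-
              -----BEGIN PUBLIC KEY-----
              <REPLACE-WITH-COSIGN-PUBLIC-KEY-PEM>
              -----END PUBLIC KEY-----
```

Apply both with `kubectl apply -f`, then create a test namespace and confirm a `default-deny` NetworkPolicy appears in it; for the second policy, an unsigned Pod should be rejected at admission and the rejection recorded in the Kyverno policy report. Setting `failurePolicy: Fail` is the deliberate choice here: with `Ignore`, a registry outage or webhook timeout would let unverified images through.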
● Frequently asked questions
What is Kyverno?
Kyverno is a CNCF Kubernetes policy engine that validates, mutates, and generates resources using policies written as native Kubernetes YAML rather than a new DSL. It belongs to the Cloud Security category of cybersecurity.
What does Kyverno mean?
Kyverno is a CNCF Kubernetes policy engine that validates, mutates, and generates resources using policies written as native Kubernetes YAML rather than a new DSL.
How does Kyverno work?
Kyverno installs as an admission webhook and runs ClusterPolicy or Policy CRs expressed in YAML with selector, match, validate, mutate, generate and verifyImages rules. Because the policy language matches Kubernetes object structure, teams familiar with manifests can author rules without learning Rego. Kyverno also handles image verification (Cosign/Notation), background scans of existing resources, exception workflows, and generation of dependent objects (NetworkPolicy, RoleBinding) when new namespaces appear. It is commonly used to enforce Pod Security Standards, image-signing, label conventions, and supply-chain attestations, and competes with OPA Gatekeeper for the same admission-policy space.
How is Kyverno used for defence?
Kyverno is itself a defensive control: it is combined with the other technical controls and operational practices described in the full definition above.
What are other names for Kyverno?
Common alternative names include: Kyverno Policy, ClusterPolicy.
● Related terms
- OPA Gatekeeper (cloud security): OPA Gatekeeper is a CNCF policy controller that uses Open Policy Agent and the Rego language to enforce admission and audit policies on Kubernetes resources.
- Kubernetes Admission Controller (cloud security): An admission controller is a Kubernetes API server plugin that intercepts authenticated requests before persistence to validate, mutate, or reject objects against policy.
- Pod Security Standards (cloud security): Pod Security Standards (PSS) are Kubernetes-defined security profiles — Privileged, Baseline, and Restricted — that codify safe pod configuration and replace the deprecated PodSecurityPolicy.
- Kubernetes Network Policy (cloud security): Kubernetes NetworkPolicy is a namespaced resource that controls which pods can connect to which pods or external endpoints over IP, port, and protocol.
- Kata Containers (cloud security): Kata Containers is an open-source runtime that wraps each container or Kubernetes pod in a lightweight virtual machine to provide hardware-level isolation between workloads.
- gVisor (cloud security): gVisor is an open-source application kernel from Google that intercepts container system calls in user space, shrinking the host kernel attack surface exposed to untrusted workloads.