Skip to content
Home IaC Security Tools Kyverno
Kyverno

Kyverno

Category: IaC Security
License: Free (Open-Source, Apache 2.0)
GitHub (7400★)
Visit Website →
Suphi Cankurt
Suphi Cankurt
AppSec Enthusiast
Updated February 13, 2026
4 min read
Key Takeaways
  • CNCF Incubating policy engine with 7.4k GitHub stars, used by 1,000+ organizations including Adidas, Bloomberg, LinkedIn, Spotify, and the US Department of Defense.
  • Policies defined in standard Kubernetes YAML and CEL—no Rego or custom DSL required; supports validation, mutation, resource generation, and cleanup.
  • Verifies container image signatures via Sigstore Cosign and Notary for supply chain security; background scanning detects drift in existing resources.
  • Extends beyond Kubernetes to validate Terraform plans, Dockerfiles, and HTTP requests as of v1.15+.

Kyverno is a CNCF Incubating Kubernetes policy engine that uses standard YAML and Common Expression Language (CEL) instead of proprietary policy languages. Originally contributed by Nirmata, it has 7.4k GitHub stars, 466 contributors, and is used by over 1,000 organizations in production — including Adidas, Bloomberg, LinkedIn, Spotify, Vodafone, and the US Department of Defense.

The latest release is v1.17.0 (February 2026). Kyverno validates, mutates, generates, and cleans up Kubernetes resources, Terraform plans, Dockerfiles, and HTTP requests.

It also verifies container image signatures using Sigstore Cosign and Notary.

What is Kyverno?

Kyverno runs as a Kubernetes admission controller that intercepts API requests before resources are persisted to etcd. It checks resources against loaded policies and takes action based on the policy type — blocking non-compliant resources, modifying them to meet standards, or allowing them through.

Policies are managed using the same tools and workflows as other Kubernetes resources: kubectl, kustomize, and Git. This design eliminates the need for teams to learn a separate policy language.

Version 1.15+ introduced five new policy types, including ValidatingPolicy and MutatingPolicy that extend Kubernetes’ native ValidatingAdmissionPolicy and MutatingAdmissionPolicy. Kyverno now supports any payload type beyond just Kubernetes resources, including Terraform plans and Dockerfiles.

YAML-Native Policies
Define policies using standard Kubernetes YAML without learning Rego or other DSLs, reducing cognitive overhead
CEL Expression Language
Use Common Expression Language for complex logic, the same language adopted by Kubernetes ValidatingAdmissionPolicy
Resource Generation
Automatically create ConfigMaps, NetworkPolicies, or other resources when workloads are deployed, ensuring consistent configuration

Key Features

FeatureDetails
Policy languageKubernetes YAML and Common Expression Language (CEL)
Policy actionsValidate, mutate, generate, clean up
Payload typesKubernetes resources, Terraform plans, Dockerfiles, HTTP requests, Envoy requests
Image verificationSigstore Cosign, Notary
Scanning modesAdmission control (enforce/audit) and background scanning
CLI toolingPolicy testing, validation, and offline evaluation
CNCF statusIncubating
Adoption1,000+ organizations in production

Policy Types

Kyverno supports validation (enforce or audit mode), mutation (modify resources before admission), generation (create related resources), and cleanup (remove resources based on conditions). This covers use cases from security enforcement to operational automation.

Background Scanning: Beyond admission control, Kyverno continuously scans existing cluster resources to detect policy violations. This capability identifies drift when resources are modified outside normal workflows or when policies are updated after resources already exist.

Image Verification: Built-in support for verifying container image signatures and attestations strengthens supply chain security. Policies can require images to be signed by specific keys or come from trusted registries before allowing deployment.

Policy Reporting: Kyverno generates detailed reports showing which resources violate policies, making compliance auditing straightforward. Reports can be exported for analysis or integrated with monitoring systems.

Kyverno Policy Reporter dashboard showing policy violation summary and compliance status

CLI Tools: The Kyverno CLI allows teams to test policies against resource manifests before applying them to clusters. This offline testing capability helps catch policy errors during development rather than in production.

Kyverno Policy Reporter UI showing policy results and resource compliance details

Policy enforcement workflow

Kyverno installs as a Kubernetes deployment with admission webhook configurations. When enabled, the Kubernetes API server sends admission requests to Kyverno before persisting resources.

Kyverno evaluates the request against all applicable policies in the cluster.

For validation policies, Kyverno checks if the resource matches defined criteria. In enforce mode, non-compliant resources are rejected with an error message explaining the violation.

In audit mode, resources are allowed but violations are recorded in policy reports.

Mutation policies modify resources before admission. For example, a policy might add security contexts to pods missing them, inject sidecar containers, or set resource limits.

These modifications occur transparently and the modified resource is what gets persisted.

Generation policies trigger after a resource is created. If a new namespace is created, Kyverno can automatically generate default NetworkPolicies, LimitRanges, or RBAC roles for that namespace. This automation ensures consistent security posture without manual intervention.

Getting Started

1
Install via Helm — Deploy Kyverno using the official Helm chart. It installs as a Kubernetes deployment with admission webhook configurations.
2
Apply policies — Start with policies from the Kyverno policy library or write your own in YAML. Use audit mode first to see what would be blocked without actually enforcing.
3
Test offline — Use the Kyverno CLI to validate policies against resource manifests before applying them to clusters. This catches policy errors during development.
4
Switch to enforce — Once policies are tested, change from audit to enforce mode. Non-compliant resources will be rejected with an error message explaining the violation.

When to Use Kyverno

Strengths:

  • No new language to learn—uses familiar Kubernetes YAML and CEL
  • Comprehensive policy actions including generation and cleanup
  • Active CNCF community with vibrant ecosystem
  • Native Kubernetes integration without external dependencies
  • Strong image signature verification for supply chain security
  • Policy testing and validation through CLI tools

Limitations:

  • Limited to Kubernetes environments (not a general-purpose policy engine)
  • Complex policies may become verbose in YAML compared to purpose-built DSLs
  • Admission webhook latency can impact cluster performance at scale
  • Requires careful policy ordering when multiple policies affect the same resources
  • Background scanning can be resource-intensive on large clusters
Best for
Platform engineering teams managing Kubernetes clusters who want policy enforcement without learning Rego. Ideal for organizations seeking a unified tool for validation, mutation, generation, and compliance reporting.

For a broader view of Kubernetes security strategy, see our cloud infrastructure security guide. Kyverno works well alongside other IaC security tools in a defense-in-depth strategy.

Teams often combine Kyverno with runtime security tools like Falco for behavioral monitoring, and container scanners for vulnerability detection. Recent integrations with Istio enable centralized application authorization, extending Kyverno’s reach beyond admission control to runtime request authorization.

Frequently Asked Questions

What is Kyverno?
Kyverno is a CNCF policy engine designed for Kubernetes that uses native YAML and Common Expression Language (CEL) instead of complex domain-specific languages. It validates, mutates, generates, and cleans up Kubernetes resources to enforce security, compliance, and automation policies.
How does Kyverno compare to OPA Gatekeeper?
While OPA Gatekeeper uses the Rego language for policies, Kyverno uses Kubernetes-native YAML and CEL, making it easier for platform engineers familiar with Kubernetes. Kyverno also provides resource generation and cleanup capabilities that OPA doesn’t offer out-of-the-box.
Can Kyverno verify container image signatures?
Yes, Kyverno includes built-in support for verifying container image signatures and attestations for supply chain security. It can enforce policies requiring signed images from trusted registries before allowing deployment.
Is Kyverno production-ready?
Yes, Kyverno is a CNCF Incubating project used in production by over 1,000 organizations including Adidas, Bloomberg, LinkedIn, Spotify, Vodafone, and the US Department of Defense. It supports both admission control and background scanning.
How we review tools Suggest an edit

Other IaC Security Tools

Sysdig Secure
Sysdig Secure

Runtime-first cloud security

Orca Security
Orca Security

Patented SideScanning technology

Wiz
Wiz

Leader in agentless CNAPP

Checkov
Checkov

1,000+ Policies for Terraform, CloudFormation & K8s

Conftest
Conftest

Policy-as-Code Testing

Falco
Falco

Cloud-native runtime security

See all IaC Security tools

Complement with SCA

Pair IaC scanning with dependency analysis for broader coverage.

Syft
Syft

SBOM generation tool

Anchore
Anchore

SBOM-First Container Security Platform

See all SCA tools

Learn More

CSPM vs CNAPP Terraform Security Scanning What is CNAPP? What is IaC Security?

Explore all IaC Security guides and tools