The CNCF Technical Oversight Committee (TOC) has voted to accept Kyverno as a CNCF incubating project.
Kyverno is a policy engine designed for Kubernetes. Policies provide security and automation and simplify managing Kubernetes configurations across developers, operators, and security teams. Kyverno policies are Kubernetes custom resources that do not require learning a new language and work well with cloud native tooling and practices.
Kyverno was accepted as a CNCF Sandbox project in November 2020. Since joining CNCF, the project has seen 856% growth in committers and 5X growth in GitHub stars. Kyverno has had more than 100 releases and continues to add new features driven by the community.
“As Kubernetes adoption grows, policies have become critical to ensure security, governance, and compliance,” said Jim Bugwadia, co-creator of Kyverno. “Organizations across financial services, healthcare, utilities, and telecommunications providers are using Kyverno to leverage Kubernetes native policies that enforce security, provide guardrails, and help secure the Kubernetes supply chain.”
“Kyverno was designed to work with tools you already use like kubectl, kustomize, and Git, meaning it integrates seamlessly with Kubernetes and the broader community,” said Davanum Srinivas, project TOC sponsor. “I am looking forward to seeing exciting new features and even more collaboration with the cloud native ecosystem.”
Main components:
- Admission Controller Webhook: processes admission requests from the Kubernetes API server and applies configured policies. Webhook configurations and certificates are automatically managed.
- Generate Controller: schedules the creation and updates of new Kubernetes resources based on various triggers.
- Policy Controller: manages background scans and triggers policy report updates on changes.
- Command Line Interface (CLI): used for static analysis of resource manifests in CI/CD pipelines and testing and validating policies before they are applied to clusters.
- Policy Reporter: provides a graphical user interface (GUI) for policy reports and sends notifications to various upstream systems.
- Policy Library: provides 180 ready-to-use policies, including popular ecosystem tools and platforms.
Notable milestones:
- More than 276M image pulls
- More than 2.6K GitHub Stars
- More than 2.1K pull requests
- More than 1.6K issues closed
- More than 100 active monthly contributors
- 9 maintainers from 7 organizations
- 123 Releases
“Kubernetes policy management is important for the security of Kubernetes clusters and workloads,” said Chris Aniszczyk, CTO of CNCF. “In cloud native environments, enforcing policies in continuous delivery pipelines helps improve the security of the software supply chain. We’re excited to see the Kyverno project take this next step in maturity and make an impact on improving the security of the Kubernetes ecosystem.”
Kyverno has a robust community-driven roadmap. The recent 1.7 release delivered the ability to mutate and generate existing resources via policies and enhanced integration with Sigstore and in-toto for software supply chain security. The team uses the Kyverno Design Proposal process to determine the most important features for the project. Next, it plans to add features like YAML signing and verification, OpenTelemetry support, idempotent auto-generated pod controller policies, enhanced integrations for pod security standards, OCI-based policy bundles, in-cluster API calls, and more. To learn more about Kyverno, join the next community meeting (https://kyverno.io/community/) or say hello on the Slack channel at https://slack.k8s.io/#kyverno.
As a CNCF-hosted project, Kyverno joins 36 other incubating technologies as part of a neutral foundation aligned with its technical interests and the Linux Foundation, which provides governance, marketing support, and community outreach. For more information on maturity requirements for each level, please visit the CNCF Graduation Criteria.