Why Open Source?
While exploring CNCF Projects in early 2025, I stumbled upon Kyverno and its community impressed me. The mentors and community members encouraged me to become a part of LFX Mentorship and motivated me to help new people start their open source journey. What started as a curiosity quickly became a meaningful journey into open source contribution.
What is Kyverno?
Kyverno is a cloud-native policy engine that runs in a Kubernetes cluster. It enforces best practices for security and compliance for platforms and applications through policies as code. Kyverno operates as a dynamic admission controller to mutate, validate, or generate resources based on policy rules.
Introduction to LFX Mentorship
The LFX mentorship is a 12-week long program that provides mentees with guidance and support to get involved in open source projects. The project maintainers provide students with the opportunity to learn while gaining real-world experience by contributing to community-driven projects. The program runs three times a year during Spring, Summer and Fall.
Selection process and onboarding
Once I learnt about the LFX mentorship, I applied through the official process. After a few weeks of contributing, I got familiar with Kyverno’s codebase, community, and maintainers. I realised Kyverno’s project was the best fit for me.
The application process started as I created a mentee profile and answered some basic questions about my background, my motivation to apply, and approach to the project. I submitted a cover letter to highlight my motivation, how I could contribute to the community, and my problem-solving approaches. I also included references to my previous contributions to Kyverno.
My mentorship work
Once I was selected for Kyverno’s Project in the mentorship program, my work started with kickoff calls with my mentors Shuting Zhao, Mariam Fahmy, and Yugandhar Reddy Suthari. We had weekly calls to track progress, plan next steps, and review my work.
We initially focused on the onboarding process, understanding the problem statement, researching the affected codebase, and devising a Kyverno Design Proposal, a solution approach for my project’s problem statement. Once we finalized the plan, I started with the implementation.
Problem statement
Kyverno offers a Command Line Interface (CLI) that validates and tests policies against resources before applying them to a cluster. When we use the Kyverno CLI apply command, resources can be provided via file manifests, stdin, or present in a cluster via the –cluster flag.
When implementing the policy on the resources present in the cluster using “kubectl apply policy.yaml –cluster”, the results were generated right away within 1-2 seconds. However, when the number of resources (up to 3000+) was validated against the policy, the execution time of the apply command was around 10-15 minutes.
Analysis and solution
I happened to identify three major bottlenecks:
1. Sequential Resource Loading: The CLI generates a gvkMap of all the resources to be fetched from the cluster. Each GVK is fetched using a dynamic client sequentially, causing higher execution time for large clusters.
2. Redundant Namespace Fetching: The policy application logic dynamically fetches namespace resources from the cluster redundantly, adding 200+ ms overhead time for every API call.
3. Eager Discovery Restmapper: The policy processing logic rebuilds a RestMapper for each resource, triggering the GetAPIGroupResource method, adding another 200+ ms overhead time for each discovery process.
Across 3000+ resources in a cluster, these bottlenecks compounded into ~15 minutes of overhead.
For each of the bottlenecks identified, I designed the following solutions –1. Concurrent Resource Loader: I added a concurrent resource loader strategy with a worker pool. Each worker takes GVK from gvkMap and parallely loads resources using dynamic client. The concurrency or number of workers and resources fetched in an API call are configurable with –concurrent and –batch-size flags. I also added –show-performance flag to expose performance metrics.
2. Namespace Caching: I added a namespace cache to store namespace resources to avoid redundant API calls for enforcing the policy on each retrieved resource.
3. Deferred RestMapper Discovery: I added a deferred RestMapper that uses a lazy-loading approach for discovering resources in the cluster only when necessary.
Results and impact
With strategies like the concurrent resource loader, namespace cache and deferred RestMapper:
- Execution time reduction: I was able to cut down the 15 minutes of execution time of Kyverno apply command when applying policy on 3000+ resources to just 1-2 seconds, improving command execution time for large clusters by 99%.
- Concurrent Resource Loader efficiency: The concurrent resource loader was able to load resources from clusters up to 80% more efficiently than sequential resource loaders for 3000+ resources.
- Enhanced user experience: These enhancements allow users to perform policy validation on resources in a large cluster with much faster and smoother experiences.
- Configurable performance tuning: The –show-performance flag support allows users to set up optimal workers and batch-size for resources to fine-tune the performance of policy validation for production-grade clusters.
Reflections and key learnings
This mentorship experience changed my perspective about open source and contribution. The friendly Kyverno community members and the weekly calls with such positive feedback from mentors created a supportive learning environment for me. This experience helped me understand that open source is not merely about commits and PRs but also about fostering collaboration and sharing ideas. With everything I learned from the LFX mentorship, I graduated in September and am still contributing to the Kyverno community.
References
- Kyverno CLI Documentation: Documentation on Kyverno CLI, its use-cases – Kyverno CLI.
- Kyverno Slack and Community Meetings: Join Kyverno Slack community and weekly community calls to share your story and contributions. – Kyverno Slack, Community Meetings
- CNCF Slack: If you are interested in contributing to CNCF projects or joining community, you can join at CNCF Slack – CNCF Slack
- Mentorship Projects: Learn about mentorship projects at Kyverno and other open source projects – Mentorships