kyverno/kyverno

Features

• Policy-As-Code Engines - Implements a policy-as-code engine to validate and enforce security and compliance rules for cluster resources.
• Policy Evaluation Engines - Periodically evaluates existing cluster resources against security policies and industry benchmarks to identify non-compliant objects.
• Policy Engines - Provides a portable engine for enforcing security and operational standards via validation, mutation, and generation of resources.
• Compliance Governance Tools - Provides automated governance to maintain consistent configuration standards and security posture across infrastructure assets.
• Image Integrity Verification - Verifies container image authenticity and integrity using digital signatures to prevent unauthorized code execution.
• Custom Resource Definitions - Uses native Kubernetes custom resource definitions to store and manage policy definitions as cluster objects.
• Kubernetes Policy Controllers - Manages authorization models and configuration rules as custom resource definitions within Kubernetes clusters.
• Manifest Mutators - Modifies incoming object manifests in real-time to apply predefined mutation rules.
• Audit and Compliance - Scans cluster resources to verify adherence to security policies and industry standards.
• Compliance Verifications - Checks resources against defined policies during admission or background scans to ensure operational compliance.
• Signature Validators - Validates container image signatures and attestations to ensure only trusted images are deployed.
• Orchestration Admission Controllers - Intercepts Kubernetes API requests to validate or mutate resource configurations before they are persisted to the cluster store.
• Kubernetes Compliance Monitoring - Continuously audits Kubernetes clusters against regulatory and security frameworks to identify violations.
• Kubernetes Security - Hardens distributed cluster environments by restricting resource configurations and verifying image signatures.
• Security Standard Enforcers - Enforces specific configuration rules to ensure resources meet security and operational standards before admission.
• Admission Request Modification - Automatically modifies admission requests to inject required labels, sidecars, or security settings into resources.
• Cluster State Evaluations - Runs a background process that evaluates existing resources at regular intervals to identify non-compliance.
• Resource Quotas - Restricts compute, storage, and network usage based on predefined organizational policies.
• Kubernetes Resource Generators - Automatically creates Kubernetes-native resources, such as ConfigMaps and Secrets, when primary workloads are deployed.
• Multi-Tenancy Management - Isolates tenants and restricts privilege escalation to support secure multi-user workflows in shared environments.
• Security Policy Management - Manages and applies security policies to restrict resource configurations according to industry best practices.
• Signature Verification Tools - Validates container image integrity and authenticity by checking digital signatures against trusted providers.
• Compliance Reporting - Generates detailed records of admission and scan results to track the policy status of resources.
• Multi-tenant Isolation Policies - Enforces strict policy boundaries to restrict privilege escalation and isolate tenants in shared clusters.
• Resource Constraints - Enforces resource limits on CPU and memory to maintain cluster stability and prevent resource exhaustion.
• Policy as Code - Policy engine specifically designed for Kubernetes.

Star history