Kyverno

Kyverno is a Kubernetes policy engine and cloud native governance tool. It functions as a policy-as-code framework that validates, mutates, and generates resources to enforce security and governance standards within a cluster.

The project distinguishes itself through a declarative policy model that utilizes native Kubernetes custom resource definitions, allowing policies to be managed as standard cluster objects without custom code. It provides specific security capabilities for container image verification and signature validation to ensure only trusted images are deployed.

Its broader capabilities include admission control for intercepting and modifying API requests, background scanning for compliance auditing, and resource automation for generating companion objects or cleaning up unused resources. It also covers multi-tenancy isolation, resource quota enforcement, and the application of security policies to maintain cluster health.

A command line tool is available for local policy testing and validation before deployment.

Features

Policy-As-Code Engines - Implements a policy-as-code engine to validate and enforce security and compliance rules for cluster resources.

Policy Evaluation Engines - Periodically evaluates existing cluster resources against security policies and industry benchmarks to identify non-compliant objects.

Policy Engines - Provides a portable engine for enforcing security and operational standards via validation, mutation, and generation of resources.

Compliance Governance Tools - Provides automated governance to maintain consistent configuration standards and security posture across infrastructure assets.

Image Integrity Verification - Verifies container image authenticity and integrity using digital signatures to prevent unauthorized code execution.

Custom Resource Definitions - Uses native Kubernetes custom resource definitions to store and manage policy definitions as cluster objects.

Kubernetes Policy Controllers - Manages authorization models and configuration rules as custom resource definitions within Kubernetes clusters.

Manifest Mutators - Modifies incoming object manifests in real-time to apply predefined mutation rules.

Audit and Compliance - Scans cluster resources to verify adherence to security policies and industry standards.

Compliance Verifications - Checks resources against defined policies during admission or background scans to ensure operational compliance.

Signature Validators - Validates container image signatures and attestations to ensure only trusted images are deployed.

Orchestration Admission Controllers - Intercepts Kubernetes API requests to validate or mutate resource configurations before they are persisted to the cluster store.

Kubernetes Compliance Monitoring - Continuously audits Kubernetes clusters against regulatory and security frameworks to identify violations.

Kubernetes Security - Hardens distributed cluster environments by restricting resource configurations and verifying image signatures.

Security Standard Enforcers - Enforces specific configuration rules to ensure resources meet security and operational standards before admission.

Admission Request Modification - Automatically modifies admission requests to inject required labels, sidecars, or security settings into resources.

Cluster State Evaluations - Runs a background process that evaluates existing resources at regular intervals to identify non-compliance.

Resource Quotas - Restricts compute, storage, and network usage based on predefined organizational policies.

Kubernetes Resource Generators - Automatically creates Kubernetes-native resources, such as ConfigMaps and Secrets, when primary workloads are deployed.

Multi-Tenancy Management - Isolates tenants and restricts privilege escalation to support secure multi-user workflows in shared environments.

Security Policy Management - Manages and applies security policies to restrict resource configurations according to industry best practices.

Signature Verification Tools - Validates container image integrity and authenticity by checking digital signatures against trusted providers.

Compliance Reporting - Generates detailed records of admission and scan results to track the policy status of resources.

Multi-tenant Isolation Policies - Enforces strict policy boundaries to restrict privilege escalation and isolate tenants in shared clusters.

Resource Constraints - Enforces resource limits on CPU and memory to maintain cluster stability and prevent resource exhaustion.

Policy as Code - Policy engine specifically designed for Kubernetes.

kyvernokyverno

Features

Star history