Kyverno is a policy engine designed for Kubernetes. It lets you validate, mutate, and generate Kubernetes resources using simple YAML policies — no need to learn Rego or any new language.
What Is Kyverno?
Kyverno is a CNCF incubating project that manages policies as Kubernetes resources. Unlike OPA Gatekeeper, which requires learning Rego, Kyverno policies are written in familiar YAML with pattern matching.
Key Features:
- Policies as Kubernetes resources (YAML)
- No new language to learn
- Validate, mutate, and generate resources
- Container image signature verification (Sigstore Cosign and Notary)
- Policy reports and audit mode
- CLI for testing policies
- Background scanning
- Exception management
Installation
```bash
# Install via Helm
helm repo add kyverno https://kyverno.github.io/kyverno/
helm install kyverno kyverno/kyverno -n kyverno --create-namespace

# Install CLI
brew install kyverno
```
Validation Policies
```yaml
# Require resource limits on all containers
apiVersion: kyverno.io/v1
kind: ClusterPolicy
metadata:
  name: require-resource-limits
spec:
  validationFailureAction: Enforce
  rules:
    - name: check-limits
      match:
        any:
          - resources:
              kinds:
                - Pod
      validate:
        message: "All containers must have CPU and memory limits."
        pattern:
          spec:
            containers:
              # "?*" means "any non-empty value"
              - resources:
                  limits:
                    memory: "?*"
                    cpu: "?*"
---
# Disallow latest tag
apiVersion: kyverno.io/v1
kind: ClusterPolicy
metadata:
  name: disallow-latest-tag
spec:
  validationFailureAction: Enforce
  rules:
    - name: no-latest
      match:
        any:
          - resources:
              kinds:
                - Pod
      validate:
        message: "Using ':latest' tag is not allowed."
        pattern:
          spec:
            containers:
              # "!" negates the wildcard: the image must not end in ":latest"
              - image: "!*:latest"
```

Two things to keep in mind with `disallow-latest-tag` as written: `!*:latest` rejects only an explicit `:latest` tag, so an untagged image such as `nginx` (which Kubernetes pulls as `nginx:latest`) is admitted, and the pattern walks `spec.containers` only, so `initContainers` are not checked. Matching on `Pod` is enough to cover workloads created through Deployments, StatefulSets, Jobs and the other Pod controllers, because Kyverno auto-generates equivalent rules for them.
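To make the pattern semantics concrete, here is an added example (my own code, not Kyverno's) that models how `validate.pattern` is evaluated: wildcards, one-element list patterns and the `=()` "check only if present" anchor. It runs the two policies above, plus a hardened variant of `disallow-latest-tag` that I wrote for this example, against constructed sample Pods. The hardened variant requires a tag with `*:*` and extends both checks to `initContainers`; it still admits an untagged image whose registry carries a port (`registry:5000/nginx`), because the port's colon satisfies `*:*`, and any `*:*`-style tag check shares that limit. All function and constant names are mine.

```python
"""Added example (my own code, not Kyverno's): a small model of how Kyverno
evaluates validate.pattern (wildcards, one-element list patterns and the
=() 'check only if present' anchor), run against constructed sample Pods."""
import re


def wildcard_match(pattern: str, value: str) -> bool:
    """Kyverno-style wildcard: '*' matches any run of characters (including
    none) and '?' exactly one, so '?*' means 'non-empty'. A leading '!'
    negates the match, so '!*:latest' means 'does not end in :latest'."""
    if pattern.startswith("!"):
        return not wildcard_match(pattern[1:], value)
    regex = "".join(".*" if ch == "*" else "." if ch == "?" else re.escape(ch)
                    for ch in pattern)
    return re.fullmatch(regex, value) is not None


def pattern_matches(pattern, resource) -> bool:
    """Dict pattern: every key must exist in the resource and match, except a
    key written '=(k)', which is checked only when present. List pattern
    (this model supports the one-element form): every resource element must
    match it. Strings use wildcard_match, other scalars plain equality."""
    if isinstance(pattern, dict):
        if not isinstance(resource, dict):
            return False
        for key, sub in pattern.items():
            optional = key.startswith("=(") and key.endswith(")")
            name = key[2:-1] if optional else key
            if name not in resource:
                if optional:
                    continue
                return False
            if not pattern_matches(sub, resource[name]):
                return False
        return True
    if isinstance(pattern, list):
        return (isinstance(resource, list) and len(pattern) == 1
                and all(pattern_matches(pattern[0], item) for item in resource))
    if isinstance(pattern, str) and isinstance(resource, str):
        return wildcard_match(pattern, resource)
    return pattern == resource


# The validate.pattern blocks of the two policies above, as Python dicts.
REQUIRE_LIMITS = {"spec": {"containers": [
    {"resources": {"limits": {"memory": "?*", "cpu": "?*"}}}]}}
DISALLOW_LATEST = {"spec": {"containers": [{"image": "!*:latest"}]}}

# Hardened variant (my assumption, two rules): require a tag, reject
# ':latest', and cover initContainers when present via the =() anchor.
DISALLOW_LATEST_HARDENED = [
    {"spec": {"containers": [{"image": "*:*"}],
              "=(initContainers)": [{"image": "*:*"}]}},
    {"spec": {"containers": [{"image": "!*:latest"}],
              "=(initContainers)": [{"image": "!*:latest"}]}},
]


def validate(patterns, pod) -> bool:
    """A Pod passes when every rule pattern matches it."""
    patterns = [patterns] if isinstance(patterns, dict) else patterns
    return all(pattern_matches(p, pod) for p in patterns)


def make_pod(*images, init=(), limits=None):
    """Constructed sample Pod (not real cluster data)."""
    def container(i, image):
        c = {"name": f"c{i}", "image": image}
        if limits:
            c["resources"] = {"limits": dict(limits)}
        return c
    spec = {"containers": [container(i, img) for i, img in enumerate(images)]}
    if init:
        spec["initContainers"] = [container(i, img) for i, img in enumerate(init)]
    return {"apiVersion": "v1", "kind": "Pod", "spec": spec}


LIMITS = {"memory": "128Mi", "cpu": "100m"}
CASES = {
    "pinned-with-limits": make_pod("nginx:1.25", limits=LIMITS),
    "explicit-latest": make_pod("nginx:latest", limits=LIMITS),
    "untagged": make_pod("nginx", limits=LIMITS),  # Kubernetes pulls :latest
    "latest-in-init": make_pod("nginx:1.25", init=("busybox:latest",), limits=LIMITS),
    "registry-port-untagged": make_pod("registry:5000/nginx", limits=LIMITS),
    "no-limits": make_pod("nginx:1.25"),
}


def report() -> dict:
    """Evaluate every constructed case; True means the Pod would be admitted."""
    return {name: {"require-limits": validate(REQUIRE_LIMITS, pod),
                   "disallow-latest": validate(DISALLOW_LATEST, pod),
                   "hardened": validate(DISALLOW_LATEST_HARDENED, pod)}
            for name, pod in CASES.items()}


if __name__ == "__main__":
    for name, outcome in report().items():
        print(f"{name:24}", {k: ("pass" if v else "FAIL") for k, v in outcome.items()})
```

Running it shows `untagged` and `latest-in-init` admitted by the page's rule but rejected by the hardened one, and `registry-port-untagged` admitted by both. Use `kyverno apply` against real Pod manifests to confirm the same outcomes with the actual engine, since this model covers only the subset of pattern syntax used here.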
Mutation Policies
```yaml
# Auto-add labels to all pods
apiVersion: kyverno.io/v1
kind: ClusterPolicy
metadata:
  name: add-default-labels
spec:
  rules:
    - name: add-team-label
      match:
        any:
          - resources:
              kinds:
                - Pod
      mutate:
        patchStrategicMerge:
          metadata:
            labels:
              managed-by: kyverno
              environment: "{{request.namespace}}"
---
# Auto-add resource defaults
apiVersion: kyverno.io/v1
kind: ClusterPolicy
metadata:
  name: default-resources
spec:
  rules:
    - name: set-defaults
      match:
        any:
          - resources:
              kinds:
                - Pod
      mutate:
        patchStrategicMerge:
          spec:
            containers:
              # (name) is a conditional anchor: apply to every container
              - (name): "*"
                resources:
                  # +() adds a key only when it is absent, so a request or
                  # limit the author set explicitly is kept, not overwritten
                  requests:
                    +(memory): "64Mi"
                    +(cpu): "50m"
                  limits:
                    +(memory): "256Mi"
                    +(cpu): "200m"
```

Kyverno's mutating webhook runs before its validating webhook, so a Pod that arrives without limits is filled in by `default-resources` and then passes `require-resource-limits`. Without the `+()` anchors, a plain `memory: "256Mi"` in the patch would replace a limit the author set deliberately.
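The difference between plain keys and the `+()` anchor is easy to get wrong, so here is an added example (my own code, not Kyverno's) that models `patchStrategicMerge` with the `(name)` conditional anchor and the `+()` add-if-not-present anchor. It applies the same resource defaults to a constructed Pod twice, once written with plain keys and once with `+()`, and returns the resulting per-container resources so the overwrite is visible. The function names, the sample Pod and the simplified list-merge rule (patch every element whose anchors match) are my assumptions.

```python
"""Added example (my own code, not Kyverno's): a model of patchStrategicMerge
with the (name) conditional anchor and the +() add-if-not-present anchor,
showing why 'default' limits written with plain keys overwrite a limit the
author set on purpose. The sample Pod is constructed."""
import copy
from fnmatch import fnmatchcase


def item_matches(elem, item) -> bool:
    """True when every '(k)' anchor in the patch element matches item[k];
    the anchor value is a wildcard (e.g. '*' for every container)."""
    for key, value in elem.items():
        if key.startswith("(") and key.endswith(")"):
            name = key[1:-1]
            if name not in item or not fnmatchcase(str(item[name]), str(value)):
                return False
    return True


def strategic_merge(patch, target):
    """Apply a patchStrategicMerge fragment to `target` in place and return it.
    '+(k)': set k only if absent.  '(k)': condition only, never written.
    Plain keys: recurse into dicts; a list of dicts is merged into every
    target element whose anchors match; scalars are overwritten."""
    for key, value in patch.items():
        if key.startswith("+(") and key.endswith(")"):
            target.setdefault(key[2:-1], copy.deepcopy(value))
        elif key.startswith("(") and key.endswith(")"):
            continue
        elif isinstance(value, dict):
            strategic_merge(value, target.setdefault(key, {}))
        elif isinstance(value, list) and value and isinstance(value[0], dict):
            for item in target.get(key, []):
                for elem in value:
                    if item_matches(elem, item):
                        strategic_merge(elem, item)
        else:
            target[key] = copy.deepcopy(value)
    return target


# The same defaults, once with plain keys and once with +() anchors;
# only the body of patchStrategicMerge is modelled.
DEFAULTS_PLAIN = {"spec": {"containers": [{"(name)": "*", "resources": {
    "requests": {"memory": "64Mi", "cpu": "50m"},
    "limits": {"memory": "256Mi", "cpu": "200m"}}}]}}
DEFAULTS_ADD_IF_ABSENT = {"spec": {"containers": [{"(name)": "*", "resources": {
    "requests": {"+(memory)": "64Mi", "+(cpu)": "50m"},
    "limits": {"+(memory)": "256Mi", "+(cpu)": "200m"}}}]}}


def constructed_pod() -> dict:
    """Constructed Pod: 'db' has a deliberate 2Gi memory limit, 'sidecar' none."""
    return {"apiVersion": "v1", "kind": "Pod", "spec": {"containers": [
        {"name": "db", "image": "postgres:16",
         "resources": {"limits": {"memory": "2Gi"}}},
        {"name": "sidecar", "image": "busybox:1.36"},
    ]}}


def mutate(patch) -> dict:
    """Mutate a fresh constructed Pod; return {container name: resources}."""
    pod = strategic_merge(patch, constructed_pod())
    return {c["name"]: c["resources"] for c in pod["spec"]["containers"]}


if __name__ == "__main__":
    print("plain keys  db limits:", mutate(DEFAULTS_PLAIN)["db"]["limits"])
    print("+() anchors db limits:", mutate(DEFAULTS_ADD_IF_ABSENT)["db"]["limits"])
```

With plain keys the `db` container's 2Gi limit becomes 256Mi, which would start OOM-killing a database that was sized on purpose; with `+()` the 2Gi limit survives and only the missing CPU limit and the requests are filled in. Either way the `sidecar` container, which declared nothing, receives the full set of defaults.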
Generation Policies
```yaml
# Auto-create NetworkPolicy for every new namespace
apiVersion: kyverno.io/v1
kind: ClusterPolicy
metadata:
  name: generate-default-netpol
spec:
  rules:
    - name: default-deny
      match:
        any:
          - resources:
              kinds:
                - Namespace
      generate:
        kind: NetworkPolicy
        apiVersion: networking.k8s.io/v1
        name: default-deny-ingress
        namespace: "{{request.object.metadata.name}}"
        # keep the generated object in sync and re-create it if someone deletes it
        synchronize: true
        data:
          spec:
            podSelector: {}
            policyTypes:
              - Ingress
```

A generate rule fires when a matching Namespace is created; to back-fill namespaces that already exist, set `spec.generateExisting: true` (Kyverno 1.10 and later). With `policyTypes` listing only `Ingress`, egress stays open; add `Egress` to the list if the default should block both directions.
Kyverno API: Programmatic Policy Management
```python
from kubernetes import client, config

config.load_kube_config()
custom = client.CustomObjectsApi()

# List all ClusterPolicies and summarise rule count and failure action
policies = custom.list_cluster_custom_object(
    group="kyverno.io",
    version="v1",
    plural="clusterpolicies",
)
for policy in policies["items"]:
    rules = policy["spec"].get("rules", [])
    # validationFailureAction defaults to Audit when omitted
    action = policy["spec"].get("validationFailureAction", "Audit")
    print(f"Policy: {policy['metadata']['name']}, Rules: {len(rules)}, Action: {action}")

# Get policy reports (wgpolicyk8s.io PolicyReport objects written by Kyverno)
reports = custom.list_namespaced_custom_object(
    group="wgpolicyk8s.io",
    version="v1alpha2",
    namespace="default",
    plural="policyreports",
)
for report in reports["items"]:
    results = report.get("results", [])
    passed = sum(1 for r in results if r["result"] == "pass")
    failed = sum(1 for r in results if r["result"] == "fail")
    print(f"Report: {report['metadata']['name']}, Passed: {passed}, Failed: {failed}")
```
CLI Testing
```bash
# Apply a policy to a resource manifest offline and report pass/fail per rule
kyverno apply policy.yaml -r deployment.yaml

# Apply all policies in a directory to all resources in another
kyverno apply ./policies/ -r ./resources/

# Validate policy syntax
kyverno validate ./policies/

# Run declarative test cases (kyverno-test.yaml files) found under a directory
kyverno test ./policies/
```
Resources
- Kyverno Docs
- Kyverno GitHub — 5.5K+ stars
- Policy Library
Need to scrape web data for your Kubernetes workflows? Check out my web scraping tools on Apify — production-ready actors for Reddit, Google Maps, and more. Questions? Email me at spinov001@gmail.com