Alex Spinov

Kyverno Has a Free API — Kubernetes Native Policy Management

Kyverno: Kubernetes Policies Without Learning Rego

Kyverno is a policy engine designed specifically for Kubernetes. Unlike OPA/Gatekeeper, which requires learning Rego, Kyverno policies are written in familiar YAML. Validate, mutate, generate, and clean up Kubernetes resources, all declaratively.

How Kyverno Works

Kyverno runs as an admission controller. When a resource is created or updated, the API server sends the request to Kyverno through an admission webhook; Kyverno evaluates it against the loaded policies and either allows it, denies it, or mutates it before it is persisted.

The Free API (CRDs)

```yaml
# Require all pods to have resource limits
apiVersion: kyverno.io/v1
kind: ClusterPolicy
metadata:
  name: require-limits
spec:
  # Enforce blocks non-compliant resources; Audit would only report them
  validationFailureAction: Enforce
  rules:
  - name: check-limits
    match:
      any:
      - resources:
          kinds:
          - Pod
    validate:
      message: "CPU and memory limits are required"
      # The pattern is checked against every container in the pod;
      # "?*" matches any non-empty value
      pattern:
        spec:
          containers:
          - resources:
              limits:
                memory: "?*"
                cpu: "?*"
```
```yaml
# Auto-add labels to new namespaces
apiVersion: kyverno.io/v1
kind: ClusterPolicy
metadata:
  name: add-labels
spec:
  rules:
  - name: add-team-label
    match:
      any:
      - resources:
          kinds:
          - Namespace
    mutate:
      # Strategic merge patch: the label is added to (or overwritten in)
      # the incoming Namespace object before it is stored
      patchStrategicMerge:
        metadata:
          labels:
            managed-by: kyverno
```
```bash
# Check policy status
kubectl get clusterpolicies

# View policy reports
kubectl get policyreports -A

# Check violations
kubectl get clusterpolicyreports -o yaml
```

Kyverno vs OPA Gatekeeper

| Feature        | Kyverno  | OPA Gatekeeper   |
|----------------|----------|------------------|
| Language       | YAML     | Rego             |
| Learning curve | Low      | High             |
| Mutation       | Built-in | Separate webhook |
| Generation     | Yes      | No               |
| Cleanup        | Yes      | No               |
| Reports        | Built-in | Separate         |

Real-World Use Case

A platform team needed to enforce standards across 50 dev teams on a shared cluster. Kyverno automatically adds sidecar containers, enforces image pull policies, and generates NetworkPolicies for every new namespace. No team training is needed, because the policies are plain YAML that anyone can read.

Quick Start

```bash
helm repo add kyverno https://kyverno.github.io/kyverno/
helm install kyverno kyverno/kyverno -n kyverno --create-namespace
```

Need automated security scanning data? Check out my tools on Apify or email spinov001@gmail.com for custom automation.
