
kyverno/kyverno


Kyverno

Cloud Native Policy Management 🎉


About Kyverno

Kyverno is a Kubernetes-native policy engine designed for platform engineering teams. It enables security, compliance, automation, and governance through policy-as-code. Kyverno can:

  • Validate, mutate, generate, and clean up resources using Kubernetes admission controls and background scans.
  • Verify container image signatures for supply chain security.
  • Operate with tools you already use, like kubectl, kustomize, and Git.

Non-Goals

Kyverno is only able to impact the policies used by Kubernetes and is not designed to address Kubernetes security flaws that are inherent in its design. For example, it cannot protect against vulnerabilities in the Kubernetes API server (e.g. Billion Laughs YAML deserialization, or a faulty Admission Controller implementation) or underlying infrastructure, and Kyverno's policy enforcement may be bypassed if Kubernetes itself has a security flaw. Kyverno does not enforce security requirements that were not explicitly defined; it enforces only the policies that users define and must be actively maintained like any other security product.

Kyverno does not replace, but works in conjunction with, Kubernetes RBAC: RBAC controls access while Kyverno enforces policy compliance. Cluster admins are expected to use RBAC to manage user and service account authorization, and then leverage Kyverno for additional checks that RBAC cannot perform.

Kyverno also does not replace Kubernetes' built-in policy controls like ValidatingAdmissionPolicies and MutatingAdmissionPolicies, but complements these native controls with additional features such as comprehensive reporting, exception management, and periodic background scanning.

Several capabilities that are out of scope for the core engine are addressed by companion projects in the Kyverno organization: end-to-end testing tooling (Chainsaw), policy violation reporting and UI (Policy Reporter), policy evaluation for non-Kubernetes JSON payloads (Kyverno JSON), and authorization policy for service meshes (Kyverno Envoy Plugin). These are maintained as separate projects with their own release cycles.

📙 Documentation

Kyverno installation and reference documentation is available at kyverno.io.

🎥 Demos & Tutorials

🎯 Popular Use Cases

Kyverno helps platform teams enforce best practices and security standards. Some common use cases include:

1. Security & Compliance

  • Enforce Pod Security Standards (PSS)
  • Require specific security contexts
  • Validate container image sources and signatures
  • Enforce CIS Benchmark policies

2. Operational Excellence

  • Auto-label workloads
  • Enforce naming conventions
  • Generate default configurations (e.g., NetworkPolicies)
  • Validate YAML and Helm manifests

3. Cost Optimization

  • Enforce resource quotas and limits
  • Require cost allocation labels
  • Validate instance types
  • Clean up unused resources

4. Developer Guardrails

  • Require readiness/liveness probes
  • Enforce ingress/egress policies
  • Validate container image versions
  • Auto-inject config maps or secrets

📚 Explore the Policy Library

Discover hundreds of production-ready Kyverno policies for security, operations, cost control, and developer enablement.

👉 Browse the Policy Library

🙋 Getting Help

We're here to help:

➕ Contributing

Thank you for your interest in contributing to Kyverno!

🧾 Software Bill of Materials

All Kyverno images include a Software Bill of Materials (SBOM) in CycloneDX format. SBOMs are available at:

👥 Contributors

Kyverno is built and maintained by our growing community of contributors!


📄 License

Copyright 2026, the Kyverno project. All rights reserved.
Kyverno is licensed under the Apache License 2.0.

Kyverno is a Cloud Native Computing Foundation (CNCF) Incubating project and was contributed by Nirmata.