
Unlocking Kubernetes Security and Compliance with Kyverno: A Distributed Cloud Technology to Consider


The 2023 Devoteam Tech Radar report identifies Kyverno as a distributed cloud technology that businesses should ‘assess’. But what is Kyverno and why should organisations be considering how to use it?

What is Kyverno?

Kyverno describes itself as ‘a policy engine for Kubernetes’. It allows you to build rules for your Kubernetes resources that can allow or deny the resource to be applied to a cluster.

Policies created with Kyverno can validate, mutate, generate, and clean up Kubernetes resources. They can also verify image signatures and artefacts to help secure the software supply chain.

The Kyverno CLI tool is also used by developers to test policies and validate resources as part of a CI/CD pipeline. 
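To make the validate and mutate rule types concrete, here is an added example that is not taken from the original article or from the Kyverno project's policy library. The policy name, the label and the sample Pod are constructed for illustration.

```yaml
# Added example: names and the sample Pod are constructed for illustration.
apiVersion: kyverno.io/v1
kind: ClusterPolicy
metadata:
  name: example-pod-baseline        # hypothetical policy name
spec:
  # Enforce blocks non-compliant resources at admission; Audit only reports them.
  # Where this setting lives can differ between Kyverno versions.
  validationFailureAction: Enforce
  rules:
    - name: disallow-privileged-containers
      match:
        any:
          - resources:
              kinds: ["Pod"]
      validate:
        message: "Privileged containers are not allowed."
        pattern:
          spec:
            containers:
              # =() anchors: check the field only if it is present
              - =(securityContext):
                  =(privileged): "false"
    - name: add-default-owner-label
      match:
        any:
          - resources:
              kinds: ["Pod"]
      mutate:
        patchStrategicMerge:
          metadata:
            labels:
              # +() anchor: add the label only when it is missing
              +(owner): unassigned      # hypothetical label
---
# Constructed Pod that the validate rule above rejects.
apiVersion: v1
kind: Pod
metadata:
  name: demo-privileged
spec:
  containers:
    - name: app
      image: registry.example.com/app:1.0.0   # placeholder image
      securityContext:
        privileged: true
```

Split into `policy.yaml` and `pod.yaml` (file names assumed), the two documents can be checked without a cluster using the Kyverno CLI, for example `kyverno apply policy.yaml --resource pod.yaml`.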

Who is Kyverno for?

Kyverno is designed for any business that wants to improve security and compliance across their Kubernetes environment. The tool is particularly useful for enterprise-grade customers who may need to manage thousands of containers at scale. 

Easy to understand with simple policies and a no-code approach, Kyverno is ideal for freeing up developers to focus on development rather than deployment.

What are the top benefits of Kyverno?

Kyverno is a powerful, flexible tool for managing a large Kubernetes environment. Here are some of the top benefits for users.

  • No new language requirements

In keeping with its mission to accelerate Kubernetes deployment and management, Kyverno has been designed so that developers do not need to learn any new languages. Because policies are managed as regular Kubernetes resources, familiar tools like kubectl, git, and kustomize can be used, reducing the learning curve and allowing developers to get started with the product more quickly.

  • Library of policy templates

Kyverno maintains a comprehensive library of more than 280 policy templates. These examples can be imported and used free of charge, allowing developers to perform a range of actions quickly and efficiently. For instance, the best practice policy templates can be used to improve Kubernetes security and performance automatically.

  • Extensive training resources

Kyverno is supported by an extensive library of documentation for developers and administrators. This is accompanied by a range of training videos that help users get started faster. Kyverno also arranges monthly community meetings where users are invited to get involved with improving the product.

  • “Playground” simulator

The Kyverno Playground simulator allows developers to test product capabilities without the need for a Kubernetes cluster. Working through their web browser, users can simulate policy execution by entering YAML content in the online console. Developers not only learn how the Kyverno tool works, they can also begin writing and testing their own policies.

  • Commercial add-ons available

As the Kyverno community grows, a number of commercial add-ons have been made available to further extend product capabilities. These include an ISV add-on for Amazon Web Services (AWS), a plugin for the Rafay Kubernetes Operations Platform and policy set support for use in Red Hat Advanced Cluster Management and Red Hat OpenShift Platform Plus.

Who uses Kyverno?

Nirmata, the company behind the initial release of Kyverno, claims that the tool has been downloaded over 300 million times, making it ‘the most-preferred Kubernetes policy engine on GitHub’. High-profile Kyverno users include Vonage, Jetstack, CloudBees and Williams Sonoma.

Is Kyverno free?

Yes, Kyverno is available for free download from GitHub, licensed under the terms of the Apache License 2.0. Kyverno provides free support via a developer Slack channel. Bug reports and feature requests are accepted via the GitHub project page.

For Amazon EKS users, there is an Enterprise Support subscription provided by Nirmata via the AWS Marketplace. This gives Kyverno users access to 24×7 emergency support, training, upgrade assistance, best practice assessments and more. Nirmata also offers an ‘enterprise-grade distribution’ of Kyverno as a paid-for option.

Other commercial Kyverno managed services are available through providers including BlakYaks and Giant Swarm.

What else do I need to know about Kyverno?

Kyverno was accepted as an incubating project by the Cloud Native Computing Foundation (CNCF) in 2022. As such, the CNCF considered Kyverno stable and ready for use in production environments.

How can I learn more about Kyverno?

This article is a part of a larger series centred around the technologies and themes found within the TechRadar by Devoteam. To learn more about Kyverno and other emerging technologies you need to know about, please explore TechRadar by Devoteam.