Convert Figma logo to code with AI

kyverno logokyverno

Cloud Native Policy Management

6,469
1,041
6,469
361
View on GitHub

Top Related Projects

open-policy-agent's avatar

gatekeeper

3,923

🐊 Gatekeeper - Policy Controller for Kubernetes

datreeio's avatar

datree

6,364

Prevent Kubernetes misconfigurations from reaching production (again 😤 )! From code to cloud, Datree provides an E2E policy enforcement solution to run automatic checks for rule violations. See our docs: https://hub.datree.io

FairwindsOps's avatar

polaris

3,271

Validation of best practices in your Kubernetes clusters

aquasecurity's avatar

trivy

27,268

Find vulnerabilities, misconfigurations, secrets, SBOM in containers, Kubernetes, code repositories, clouds and more

Quick Overview

Kyverno is an open-source, Kubernetes-native policy engine that allows users to validate, mutate, and generate configurations using policies as Kubernetes resources. It enables cluster administrators to enforce security best practices, manage resource allocation, and automate configuration management across their Kubernetes clusters.

Pros

  • Native Kubernetes integration, using Custom Resource Definitions (CRDs) for policies
  • No external dependencies or sidecars required
  • Supports both validation and mutation of resources
  • Extensive policy library and community support

Cons

  • Learning curve for writing complex policies
  • Performance impact on large-scale clusters with numerous policies
  • Limited support for non-Kubernetes resources
  • Potential for policy conflicts if not carefully managed

Getting Started

To install Kyverno using Helm:

helm repo add kyverno https://kyverno.github.io/kyverno/
helm repo update
helm install kyverno kyverno/kyverno --namespace kyverno --create-namespace

To create a simple policy that requires all pods to have resource limits:

apiVersion: kyverno.io/v1
kind: ClusterPolicy
metadata:
  name: require-resource-limits
spec:
  validationFailureAction: enforce
  rules:
  - name: check-resource-limits
    match:
      resources:
        kinds:
        - Pod
    validate:
      message: "Resource limits are required for all containers."
      pattern:
        spec:
          containers:
            - resources:
                limits:
                  memory: "?*"
                  cpu: "?*"

Apply the policy:

kubectl apply -f require-resource-limits.yaml

This will enforce resource limits on all pods in the cluster. For more advanced usage and policy examples, refer to the Kyverno documentation.

Competitor Comparisons

open-policy-agent logo

gatekeeper

3,923

🐊 Gatekeeper - Policy Controller for Kubernetes

Pros of Gatekeeper

  • Uses Rego, a powerful and flexible policy language
  • Supports complex policy logic and external data sources
  • Integrates well with existing OPA ecosystems

Cons of Gatekeeper

  • Steeper learning curve due to Rego language complexity
  • Requires separate CRDs for constraints and templates
  • More resource-intensive compared to Kyverno

Code Comparison

Kyverno policy example:

apiVersion: kyverno.io/v1
kind: ClusterPolicy
metadata:
  name: require-labels
spec:
  validationFailureAction: enforce
  rules:
    - name: check-for-labels
      match:
        resources:
          kinds:
            - Pod
      validate:
        message: "label 'app' is required"
        pattern:
          metadata:
            labels:
              app: "?*"

Gatekeeper constraint template example:

apiVersion: templates.gatekeeper.sh/v1beta1
kind: ConstraintTemplate
metadata:
  name: k8srequiredlabels
spec:
  crd:
    spec:
      names:
        kind: K8sRequiredLabels
  targets:
    - target: admission.k8s.gatekeeper.sh
      rego: |
        package k8srequiredlabels
        violation[{"msg": msg}] {
          provided := {label | input.review.object.metadata.labels[label]}
          required := {label | label := input.parameters.labels[_]}
          missing := required - provided
          count(missing) > 0
          msg := sprintf("you must provide labels: %v", [missing])
        }
datreeio logo

datree

6,364

Prevent Kubernetes misconfigurations from reaching production (again 😤 )! From code to cloud, Datree provides an E2E policy enforcement solution to run automatic checks for rule violations. See our docs: https://hub.datree.io

Pros of Datree

  • Simpler setup and configuration process
  • Focuses on policy enforcement during CI/CD pipelines
  • Provides a user-friendly web interface for policy management

Cons of Datree

  • Limited to YAML validation and Kubernetes manifests
  • Less flexible for complex policy scenarios
  • Requires a SaaS component, which may not be suitable for all environments

Code Comparison

Kyverno policy example:

apiVersion: kyverno.io/v1
kind: ClusterPolicy
metadata:
  name: require-labels
spec:
  validationFailureAction: enforce
  rules:
    - name: check-for-labels
      match:
        resources:
          kinds:
            - Pod
      validate:
        message: "label 'app' is required"
        pattern:
          metadata:
            labels:
              app: "?*"

Datree policy example:

customRules:
  - identifier: CUSTOM_LABEL_REQUIRED
    name: Ensure 'app' label exists
    query: metadata.labels.app
    errorMessage: The 'app' label is missing
    schema:
      type: string

Both tools aim to enforce policies in Kubernetes environments, but they differ in approach and scope. Kyverno offers more flexibility and can be used for a wider range of policy enforcement scenarios, while Datree focuses on simplicity and integration with CI/CD pipelines. The choice between them depends on specific use cases and organizational requirements.

FairwindsOps logo

polaris

3,271

Validation of best practices in your Kubernetes clusters

Pros of Polaris

  • User-friendly web interface for visualizing and managing policy violations
  • Includes a set of pre-defined best practices for Kubernetes configurations
  • Supports both CLI and admission controller modes for flexible integration

Cons of Polaris

  • Limited to static analysis of Kubernetes resources
  • Less extensive policy customization options compared to Kyverno
  • Primarily focused on configuration validation, lacking mutation capabilities

Code Comparison

Polaris configuration example:

checks:
  - name: hostNetworkSet
    exclude:
      - Deployment
  - name: hostPIDSet
    exclude:
      - DaemonSet

Kyverno policy example:

apiVersion: kyverno.io/v1
kind: ClusterPolicy
metadata:
  name: require-labels
spec:
  validationFailureAction: enforce
  rules:
    - name: check-for-labels
      match:
        resources:
          kinds:
            - Pod
      validate:
        message: "label 'app.kubernetes.io/name' is required"
        pattern:
          metadata:
            labels:
              app.kubernetes.io/name: "?*"

Both tools aim to improve Kubernetes cluster security and configuration management, but they differ in approach and capabilities. Polaris focuses on pre-defined best practices and offers a user-friendly interface, while Kyverno provides more extensive policy customization options and supports both validation and mutation of resources.

aquasecurity logo

trivy

27,268

Find vulnerabilities, misconfigurations, secrets, SBOM in containers, Kubernetes, code repositories, clouds and more

Pros of Trivy

  • Broader scope: Scans containers, filesystems, git repositories, and more
  • Faster scanning speed, especially for large images or repositories
  • More comprehensive vulnerability database, including OS packages and language-specific dependencies

Cons of Trivy

  • Limited policy enforcement capabilities compared to Kyverno
  • Lacks native Kubernetes integration and admission control features
  • Primarily focused on vulnerability scanning rather than configuration management

Code Comparison

Trivy CLI command:

trivy image nginx:latest

Kyverno policy example:

apiVersion: kyverno.io/v1
kind: ClusterPolicy
metadata:
  name: require-labels
spec:
  validationFailureAction: enforce
  rules:
    - name: check-for-labels
      match:
        resources:
          kinds:
            - Pod
      validate:
        message: "label 'app.kubernetes.io/name' is required"
        pattern:
          metadata:
            labels:
              app.kubernetes.io/name: "?*"

While Trivy focuses on vulnerability scanning with a simple CLI interface, Kyverno provides declarative policies for Kubernetes resource management and validation. Trivy excels in comprehensive security scanning across various artifacts, while Kyverno specializes in Kubernetes-native policy enforcement and admission control.

Convert Figma logo designs to code with AI

Visual Copilot

Introducing Visual Copilot: A new AI model to turn Figma designs to high quality code using your components.

Try Visual Copilot

README

Kyverno Tweet

Cloud Native Policy Management 🎉

Go Report Card License: Apache-2.0 GitHub Repo stars CII Best Practices OpenSSF Scorecard SLSA 3 Artifact HUB codecov FOSSA Status

logo

Kyverno is a policy engine designed for cloud native platform engineering teams. It enables security, automation, compliance, and governance using policy-as-code. Kyverno can validate, mutate, generate, and cleanup configurations using Kubernetes admission controls, background scans, and source code respository scans. Kyverno policies can also be used to verify OCI images, for software supply chain security. Kyverno policies can be managed as Kubernetes resources and do not require learning a new language. Kyverno is designed to work nicely with tools you already use like kubectl, kustomize, and Git.

Open Source Security Index - Fastest Growing Open Source Security Projects

📙 Documentation

Kyverno installation and reference documents are available at kyverno.io.

👉 Quick Start

👉 Installation

👉 Sample Policies

🎯 Popular Use Cases

Kyverno helps platform teams enforce best practices and security policies. Here are some common use cases:

  1. Security & Compliance

    • Enforce pod security standards
    • Require specific security contexts
    • Validate image sources and signatures
    • Ensure resource limits and requests

  2. Operational Excellence

    • Automatically add labels and annotations
    • Enforce naming conventions
    • Generate default network policies
    • Validate resource configurations

  3. Cost Optimization

    • Enforce resource quotas
    • Require cost allocation labels
    • Clean up unused resources
    • Validate instance types

  4. Developer Guardrails

    • Enforce ingress/egress rules
    • Require liveness/readiness probes
    • Validate container images
    • Auto-mount configuration

Each use case includes ready-to-use policies in our policy library.

🙋‍♂️ Getting Help

We are here to help!

👉 For feature requests and bugs, file an issue.

👉 For discussions or questions, join the Kyverno Slack channel.

👉 For community meeting access, see mailing list.

👉 To get follow updates ⭐️ star this repository.

➕ Contributing

Thanks for your interest in contributing to Kyverno! Here are some steps to help get you started:

✔ Read and agree to the Contribution Guidelines.

✔ Browse through the GitHub discussions.

✔ Read Kyverno design and development details on the GitHub Wiki.

✔ Check out the good first issues list. Add a comment with /assign to request assignment of the issue.

✔ Check out the Kyverno Community page for other ways to get involved.

Software Bill of Materials

All Kyverno images include a Software Bill of Materials (SBOM) in CycloneDX JSON format. SBOMs for Kyverno images are stored in a separate repository at ghcr.io/kyverno/sbom. More information on this is available at Fetching the SBOM for Kyverno.

Contributors

Kyverno is built and maintained by our growing community of contributors!

Made with contributors-img.

License

Copyright 2025, the Kyverno project. All rights reserved. Kyverno is licensed under the Apache License 2.0.

Kyverno is a Cloud Native Computing Foundation (CNCF) Incubating project and was contributed by Nirmata.