Overview

Kyverno validates and mutates Kubernetes resource manifests at admission time. Policies are written in YAML, making them accessible without learning a separate policy language.

Capabilities

  • Validate, mutate, generate, and clean up K8s resources
  • YAML-native policies
  • Pattern-based matching with wildcards and anchors
  • Image verification and signature checking

Limitations

  • Requires a Kubernetes cluster with Kyverno installed
  • Only applicable to Kubernetes workloads — check out Semgrep or CodeQL for application source code, or Checkov for IaC static analysis

Generated Format

  • Language: YAML
  • Structure: Kyverno ClusterPolicy or Policy resources with validate/mutate rules
  • Execution: Applied to a K8s cluster via kubectl apply

Example Guardrail

apiVersion: kyverno.io/v1
kind: ClusterPolicy              # cluster-wide; use kind: Policy to scope to one namespace
metadata:
  name: require-run-as-nonroot
spec:
  rules:
    - name: run-as-non-root
      match:
        any:
          - resources:
              kinds:
                - Pod            # Kyverno auto-generates matching rules for Pod controllers (Deployment, Job, etc.)
      validate:
        failureAction: Enforce   # Enforce rejects the admission request; Audit only records a violation
        message: "Containers must run as non-root"
        pattern:                 # a single list item in a pattern must match every item in the resource
          spec:
            containers:
              - securityContext:
                  runAsNonRoot: true

Learn more at Kyverno documentation and writing policies.
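As an added example (not from this page or the Kyverno project), the following ClusterPolicy extends the guardrail above in two ways a practitioner usually wants: a mutate rule that fills in runAsNonRoot: true where a container omits it, so compliant-by-default workloads are fixed rather than rejected, and a validate rule that also covers initContainers and ephemeralContainers, which the pattern above does not check. It uses Kyverno's conditional anchor =(key) and add-if-absent anchor +(key); the policy name and messages are constructed for this example. The failureAction field inside the rule requires Kyverno 1.13 or newer; older releases set spec.validationFailureAction at the policy level instead.

```yaml
apiVersion: kyverno.io/v1
kind: ClusterPolicy
metadata:
  name: nonroot-all-container-types   # constructed name for this example
spec:
  rules:
    # Rule 1 (mutate): set a default for containers that omit the field.
    # Kubernetes runs mutating admission webhooks before validating ones,
    # so this patch is applied before rule 2 evaluates the Pod.
    - name: default-run-as-non-root
      match:
        any:
          - resources:
              kinds:
                - Pod
      mutate:
        patchStrategicMerge:
          spec:
            containers:
              - (name): "*"               # conditional anchor: apply to every container
                securityContext:
                  +(runAsNonRoot): true   # add-if-absent anchor: never overrides an explicit value
    # Rule 2 (validate): reject anything that still does not declare runAsNonRoot: true.
    # This catches an explicit runAsNonRoot: false (which rule 1 leaves untouched)
    # and containers of all three kinds, not only spec.containers.
    - name: validate-run-as-non-root
      match:
        any:
          - resources:
              kinds:
                - Pod
      validate:
        failureAction: Enforce
        message: >-
          Every container, init container and ephemeral container must set
          securityContext.runAsNonRoot: true.
        pattern:
          spec:
            containers:
              - securityContext:
                  runAsNonRoot: true
            =(initContainers):            # only evaluated when the list is present
              - securityContext:
                  runAsNonRoot: true
            =(ephemeralContainers):       # covers kubectl debug containers too
              - securityContext:
                  runAsNonRoot: true
```

Apply it with kubectl apply -f on a cluster that has Kyverno installed, or evaluate it offline against a manifest with the Kyverno CLI (kyverno apply policy.yaml --resource pod.yaml) before enforcing it. Note that, like the page's example, this pattern requires the field on each container and does not accept a pod-level spec.securityContext.runAsNonRoot as a substitute; allowing that would need a separate rule. Roll new validate rules out with failureAction: Audit first, review the reported violations, then switch to Enforce.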