kyverno

Kubernetes-native policy management

Policies are managed as Kubernetes resources

No coding required

Cluster-wide or namespaced policies


Policy Samples

Kyverno manages community policies

These policies are searchable

Examples

Check for deprecated APIs

Require specific labels on resources

Allowlist for image registries

Require attestations of security scans

Keyless image signatures using sigstore


How to introduce policies

Do not try a big bang

This will most likely break something

Things may seem fine at first

Policies are enforced at admission, so violations only surface when resources are created or updated

Start small

Start with namespaced policies

Migrate to cluster-wide policies for well-tested settings

Continue with cluster-wide policies and exclusions
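The rollout described above, as an added example that is not part of the original deck: the same label check first as a namespaced Policy in Audit mode, then promoted to a ClusterPolicy in Enforce mode with exclusions. The namespace name team-a, the excluded namespaces and the label key are assumptions chosen for illustration.

```yaml
# Step 1 (assumed namespace team-a): namespaced Policy in Audit mode.
# Violations are reported but nothing is blocked while the rule is tested.
apiVersion: kyverno.io/v1
kind: Policy
metadata:
  name: require-app-label
  namespace: team-a
spec:
  validationFailureAction: Audit
  rules:
    - name: check-app-label
      match:
        any:
          - resources:
              kinds:
                - Deployment
      validate:
        message: "The label app.kubernetes.io/name is required."
        pattern:
          metadata:
            labels:
              app.kubernetes.io/name: "?*"   # any non-empty value
---
# Step 2: once the rule is well tested, promote it cluster-wide in
# Enforce mode and exclude namespaces you do not control (assumed list).
apiVersion: kyverno.io/v1
kind: ClusterPolicy
metadata:
  name: require-app-label
spec:
  validationFailureAction: Enforce
  rules:
    - name: check-app-label
      match:
        any:
          - resources:
              kinds:
                - Deployment
      exclude:
        any:
          - resources:
              namespaces:
                - kube-system
                - kyverno
      validate:
        message: "The label app.kubernetes.io/name is required."
        pattern:
          metadata:
            labels:
              app.kubernetes.io/name: "?*"
```

Apply step 1 with kubectl and review the generated policy reports before applying step 2; an Enforce policy rejects non-compliant Deployments at admission.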