Kyverno Automates Container Security
The latest Big Bang release introduces a Kyverno policy that automatically drops capabilities in Kubernetes pod specs unless explicitly required. This is a step toward operationalizing Zero Trust at the container level.
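Added example, not the Big Bang project's own policy: a Kyverno mutate rule of the kind the paragraph describes, which injects `capabilities.drop: [ALL]` into every container of an incoming Pod. The opt-out label `example.org/keep-capabilities: "true"` is an assumption chosen for illustration; the real Big Bang policy's exemption mechanism is not given on this page.

```yaml
# Added illustration of a "drop capabilities unless required" mutation.
# Assumed names: policy name and the exemption label are constructed here.
apiVersion: kyverno.io/v1
kind: ClusterPolicy
metadata:
  name: drop-all-capabilities-example
spec:
  # Mutation only makes sense at admission time, not on existing objects.
  background: false
  rules:
    - name: drop-all-containers
      match:
        any:
          - resources:
              kinds:
                - Pod
      exclude:
        any:
          - resources:
              # Hypothetical opt-out: workloads that explicitly need capabilities
              # carry this label and keep their own securityContext untouched.
              selector:
                matchLabels:
                  example.org/keep-capabilities: "true"
      mutate:
        # Iterate over every container so a strategic-merge patch keyed on
        # the container name adds the drop list without replacing other fields.
        foreach:
          - list: "request.object.spec.containers"
            patchStrategicMerge:
              spec:
                containers:
                  - (name): "{{ element.name }}"
                    securityContext:
                      capabilities:
                        drop:
                          - ALL
    - name: drop-all-init-containers
      match:
        any:
          - resources:
              kinds:
                - Pod
      exclude:
        any:
          - resources:
              selector:
                matchLabels:
                  example.org/keep-capabilities: "true"
      # Init containers are a separate list and need their own foreach.
      preconditions:
        all:
          - key: "{{ request.object.spec.initContainers[] || `[]` | length(@) }}"
            operator: GreaterThanOrEquals
            value: 1
      mutate:
        foreach:
          - list: "request.object.spec.initContainers"
            patchStrategicMerge:
              spec:
                initContainers:
                  - (name): "{{ element.name }}"
                    securityContext:
                      capabilities:
                        drop:
                          - ALL
```

Because the patch is a strategic merge keyed on `(name)`, a container that already declares `capabilities.add` keeps that list while still gaining `drop: [ALL]`; Linux applies `drop` before `add`, so an explicitly added capability survives while every unmentioned one is removed. The opt-out label is deliberately narrow so that the default for unlabelled workloads is the least-privilege outcome.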
Kyverno, meaning "governance" in Greek, is a policy engine built for Kubernetes that lets users define, manage, and enforce security and operational policies. Unlike traditional policy engines that require a domain-specific language, Kyverno uses Kubernetes-native YAML configurations, which simplifies rule-writing for DevOps and platform engineers.

Kyverno runs as a Kubernetes admission controller: it evaluates API requests against the defined policies so that only compliant configurations are admitted. It validates, mutates, and generates resources; verifies image signatures; and provides auditing, all before anything is stored in etcd. Policies can be updated dynamically, adapting in real time to evolving cluster needs. Built-in validation, auditing, and reporting help organizations meet standards such as CIS benchmarks, NIST, and GDPR.

Kyverno enables enforcing Pod Security Policies (PSPs) through declarative YAML files, offering fine-grained control over pod security, and extends Kubernetes' built-in capabilities with fine-grained enforcement, CLI testing tools, and built-in reporting. It integrates with Sigstore and Cosign for image verification and offers end-to-end testing via its Chainsaw project. Kyverno can verify OCI container image signatures and artifacts to help secure the software supply chain, validating images before they are allowed to run. Organizations can use Kyverno to enforce that containers do not run as root, set resource limits, and require liveness and readiness probes.

For more complex policies, Kyverno offers API lookups and external data management, with an extended CEL library. Policy exceptions are configured as Kubernetes resources, so they can be managed through the Kubernetes API.
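The three controls named above (no root, resource limits, liveness and readiness probes) as one Kyverno validate policy. This is an added example, not a policy from the page, from Big Bang, or from the Kyverno project; the policy name is constructed, and the rules intentionally cover only `spec.containers` (init and ephemeral containers would need the same patterns).

```yaml
# Added illustration of three validate rules in Enforce mode.
# Assumed name: pod-baseline-example is constructed for this example.
apiVersion: kyverno.io/v1
kind: ClusterPolicy
metadata:
  name: pod-baseline-example
spec:
  # Enforce rejects non-compliant admissions; Audit would only report them.
  validationFailureAction: Enforce
  # Also scan existing pods and surface findings in PolicyReports.
  background: true
  rules:
    - name: require-run-as-nonroot
      match:
        any:
          - resources:
              kinds:
                - Pod
      validate:
        message: >-
          Running as root is not allowed. Set spec.securityContext.runAsNonRoot
          to true, or set it to true on every container.
        # Either the pod-level field is true and no container overrides it
        # with something other than true, or every container sets it itself.
        anyPattern:
          - spec:
              securityContext:
                runAsNonRoot: true
              containers:
                - =(securityContext):
                    =(runAsNonRoot): true
          - spec:
              containers:
                - securityContext:
                    runAsNonRoot: true
    - name: require-resource-limits
      match:
        any:
          - resources:
              kinds:
                - Pod
      validate:
        message: "CPU and memory limits are required for every container."
        # "?*" matches any non-empty value, so the field must be present and set.
        pattern:
          spec:
            containers:
              - resources:
                  limits:
                    memory: "?*"
                    cpu: "?*"
    - name: require-probes
      match:
        any:
          - resources:
              kinds:
                - Pod
      validate:
        message: "Liveness and readiness probes are required for every container."
        # Requiring periodSeconds > 0 ensures a real probe block is declared.
        pattern:
          spec:
            containers:
              - livenessProbe:
                  periodSeconds: ">0"
                readinessProbe:
                  periodSeconds: ">0"
```

A practical rollout is to start with `validationFailureAction: Audit`, read the generated PolicyReports to see which existing workloads would be rejected, and switch to `Enforce` once those are fixed or covered by a PolicyException resource.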
Kyverno policies can be applied to any JSON or YAML payload, including Terraform or OpenTofu manifests. The adoption of Kubernetes in production has reached 80% of enterprises. Kyverno is now an essential tool for maintaining security and efficiency in complex Kubernetes environments.