Project post by Kyverno maintainers
Kyverno, the open-source policy engine originally built for Kubernetes, is pleased to announce support for non-Kubernetes workloads, by supporting policies that operate on JSON payloads.
Due to its simplicity and wide range of features, Kyverno has been widely adopted by platform engineering teams that use Kubernetes as a composable platform for building Internal Developer Platforms (IDPs) for their organizations. However, these platform engineers are often responsible for other systems such as Continuous Integration and Continuous Delivery (CI/CD) systems, Infrastructure as Code (IaC) tools, serverless workloads, and other cloud services.
For example, a platform team using Amazon Web Services (AWS) may offer internal Amazon EKS and Amazon ECS for containerized workloads, AWS Lambda for serverless applications, and may use Terraform for IaC. Now, they can apply Kyverno’s low-code declarative policies for unified governance across all of these systems.
In prior releases, Kyverno was offered as a Command Line Interface (CLI) that applied policies on Kubernetes resources, a Kubernetes admission controller that integrated with the Kubernetes control plane, and a background scanner that periodically scans all cluster resources for compliance with security and operational best practices.
With the newly announced release, Kyverno now supports three new form factors:
- A CLI for JSON processing: the new Command Line Interface (CLI) can be used in CI/CD pipelines, or any scenario where JSON configuration data need to be checked via policies.
- REST API: Kyverno now can be run as an application service that exposes a REST API for policy decisions. This allows usage in any scenario where policies need to be applied to configurations that are external to Kubernetes.
- Golang library: the Kyverno engine can now be consumed via Golang API allowing Kyverno to be consumed by developers, for application authorization decisions, or for their applications policy needs.
“Platform engineers love Kyverno due to its simplicity and powerful features for security, compliance, and automation” said Jim Bugwadia, CEO at Nirmata and co-creator of Kyverno. “A frequent request was to be able to use Kyverno policies across all systems the platform teams manage. With the latest release, this is now easily possible!”
Kyverno, which means “govern” in the Greek language, was created by Nirmata, and donated to the CNCF by Nirmata in November of 2020. The Kyverno project graduated to the CNCF Incubator in July 2022. Since then, Kyverno has seen almost 10X growth in downloads and added more than 2000 GitHub stars, as it has become a widely used solution for platform engineering teams using Kubernetes.
Kyverno can be used to validate, mutate, and dynamically generate configurations. This allows platform engineering teams to go beyond audit and enforcement and apply policy as code to automate security concerns.
In the last 12 months, Kyverno has added an impressive set of features including integrated image verification for software supply chain security, policy exceptions for scalable management and rollout of policies, and cleanup policies to remove unused resources.
“Supporting JSON payloads expands the use of Kyverno for governance of Infrastructure-as-Code, cloud services, application authorization, and several other use cases. It’s clear that the Kyverno project is committed to addressing the evolving security and compliance needs of the cloud native community,” said Kishore Nadendla who contributes to the CNCF Security Technical Advisory Group and works on platform and developer experience initiatives at a large financial services organization.
The Kyverno project continues to invite contributions and collaboration from the open-source community as it remains dedicated to empowering the cloud native community with robust policy management capabilities that automate security and compliance.
The new Kyverno JSON engine is available at: https://github.com/kyverno/kyverno-json.
For more information about Kyverno and to download the latest version, please visit kyverno.io.