CNCF Accepts Kyverno as the Latest Sandbox Project

Nov. 30, 2020, 3:15 p.m.

TL;DR

Nirmata, a Kubernetes operation and management platform, has announced that CNCF has accepted Kyverno, its Kubernetes-based policy engine, at the sandbox level. Kyverno is described on its official website as a policy engine designed for Kubernetes. With Kyverno, policies are managed as Kubernetes resources, and no new language is required to write policies.

Policy engines are crucial for enterprise Kubernetes management

Key Facts

1
Kyverno is a Greek word meaning “Governance.” The Kubernetes-native policy engine allows cluster administrators to manage policies using familiar tools like Git, Kubectl, and Kustomize.
2
Kyverno helps create policies and runs as a validating and mutating webhook aligned with the Kubernetes API server to provide configuration security.
3
It can mutate as well as generate resources, which allows users to do fine-grained configuration management, not possible manually.
4
Nirmata hopes that Kyverno can significantly increase the worldwide use of Kubernetes policy. Many people hesitate to implement Kubernetes policies due to their complexity.
5
In the future, Kyverno hopes to collaborate with other CNCF sandbox projects like cert-manager.

Details

Nirmata announced the news of the acceptance of Kyverno by CNCF in its official blog post. The post said that the decision to donate Kyverno was taken to promote the adoption of Kubernetes policies. Policy engines are crucial for enterprise Kubernetes management, but their complexity and learning curve hinder many from adopting it.

Kyverno comes with a host of features, including:

Admission controls: To provide configuration security and block invalid and non-compliant configurations.
Background scanning: Regularly scans all resources and creates a policy report for each namespace and cluster-wide resources.
Automated rules for pod controllers: Uses pod policies to automatically generate rules for pod controllers, making Kubernetes policy management easier.
Dynamic generation of new configurations: It helps enable several use cases by supporting flexible triggers for automatic dynamic regeneration of new configuration resources.
Synchronize configuration across namespaces: Kyverno allows automatic propagation of changes from a common source by automatically synchronizing configuration changes across namespaces.

Security seems one of the main concerns of enterprises that have already adopted this Kubernetes. Several companies are building tools to resolve critical security issues in Kubernetes. Just like Kyverno helps in securing Kubernetes, there are several other tools like Kube-bench, Kube-hunter, and Project Calico that help in securing networking issues in Kubernetes.

To ensure compliance and apply best practices, policy engines are critical for enterprise Kubernetes management. The complexity and learning-curve of solutions that require a new language and foreign tools have hindered adoption. Kyverno simplifies Kubernetes policy management and allows admins to manage policies and reports as native resources.
Jim Bugwadia
Co-founder and CEO, Nirmata