General blog posts related to Kyverno on Kyverno

Automating EKS CIS Compliance with Kyverno and KubeBench

Wed, 11 Jun 2025 00:00:00 +0000

Introduction: The Challenge of EKS Compliance at Scale

Maintaining CIS Benchmarks compliance for Amazon EKS across multiple clusters is a common challenge in cloud native environments. Traditional manual approaches don’t scale, and existing solutions often lack comprehensive coverage or real-time enforcement capabilities.

This article explores a practical approach to automating CIS compliance for EKS using Kyverno (a CNCF Kubernetes-native policy engine), combined with OpenTofu for infrastructure provisioning, and kube-bench for node-level CIS scanning. This solution demonstrates how CNCF ecosystem tools can work together to provide comprehensive security validation across the entire infrastructure and application stack.

Kyverno-Envoy-Plugin - Kyverno policies based authorization plugin for Envoy

Tue, 04 Jun 2024 00:00:00 +0000

Microservices enhance the productivity of individual development teams by dividing applications into smaller, independent components. However, microservices alone do not address longstanding challenges in distributed systems such as authentication and authorization. These problems can become even harder to manage due to the diverse and short-lived nature of the microservice environments.

As more organizations move to using microservices, there is an increasing need for separate authentication and authorization mechanisms that work across different microservices.

Kyverno Reports Server - The ultimate solution to scale reporting

Wed, 29 May 2024 00:00:00 +0000

Introduction

Policy Reports are used by Kyverno to store the result of policies and cluster policies that match a resource. Kyverno generates reports during admission request as well as periodically as background scans. They are very helpful in auditing the current state of policy compliance in a cluster.

Generating Kubernetes ValidatingAdmissionPolicies from Kyverno Policies

Mon, 26 Feb 2024 00:00:00 +0000

In the previous blog post, we discussed writing Common Expression Language (CEL) expressions in Kyverno policies for resource validation. CEL was first introduced to Kubernetes for the Validation rules for CustomResourceDefinitions, and then it was used by Kubernetes ValidatingAdmissionPolicies in 1.26.

ValidatingAdmissionPolicies offer a declarative, in-process alternative to validating admission webhooks.

ValidatingAdmissionPolicies use the Common Expression Language (CEL) to declare the validation rules of a policy. Validation admission policies are highly configurable, enabling policy authors to define policies that can be parameterized and scoped to resources as needed by cluster administrators.

Assigning Node Metadata to Pods

Mon, 19 Feb 2024 00:00:00 +0000

If you’re running Kubernetes in production, especially in a public cloud, where a single cluster may span multiple availability zones, chances are you’re configuring workloads with some awareness of your topology. Kubernetes has a few mechanisms to support zone awareness, but one common use case is how to propagate certain Node metadata, such as labels or annotations, to Pods to assist with this awareness. In this blog, we’ll go into specifics of how Pod scheduling really works and share some tips for how Kyverno can mutate Pods to add Node metadata like labels. Even if you’re not a Kyverno user, you’ll most likely learn something you didn’t know about Kubernetes.

Kyverno Chainsaw 0.1.4 - Awesome new features!

Thu, 15 Feb 2024 00:00:00 +0000

The latest release of Kyverno Chainsaw came out yesterday. Let’s look at the new features included in this release.

Resource diff in assertion failures
Resource templating support

Resource diff in assertion failures

This is a relatively straightforward one but it brings a lot of context to assertion failures.

Securing Services Meshes Easier with Kyverno

Sun, 04 Feb 2024 00:00:00 +0000

Service meshes are all too common these days in Kubernetes with some platforms even building them into clusters by default. Service meshes are no doubt useful in a variety of ways which are well known, but it’s also well known they dramatically increase the complexity in those clusters. In addition to added complexity, service meshes also pose a (infamous) problem when it comes to enforcing Pod security because they require elevated privileges which can be difficult for other admission controllers to handle like Kubernetes’ own Pod Security Admission. In this post, we’ll explain more about this problem and how Kyverno can be a real savior when employing service meshes while giving you a preview of something to come in Kyverno 1.12 which will make security service meshes a piece of cake!

Kyverno Chainsaw - Exploring the Power of Assertion Trees!

Wed, 13 Dec 2023 00:00:00 +0000

While the Chainsaw documentation is nice and comprehensive, I feel like the most powerful feature of Chainsaw deserves its own blog post for a couple of reasons:

Its hard to make it standout in the documentation
You can’t appreciate Chainsaw until you understand what makes it so unique
Seeing the feature in action is the best way to learn about it

What makes Chainsaw unique is its assertion model.

Kyverno Chainsaw - The ultimate end to end testing tool!

Tue, 12 Dec 2023 00:00:00 +0000

Creating Kubernetes operators is hard, testing Kubernetes operators is also hard. Of course creating, maintaining and testing a Kubernetes operator is even harder.

It often requires writing and maintaining additional code to get proper end to end testing, it takes time, is a cumbersome process, and making changes becomes a pain. All this often leads to poor operator testing and can impact the operator quality.

Today we are extremely proud to release the first stable version of Kyverno Chainsaw, a tool to make end to end testing Kubernetes operators entirely declarative, simple and almost fun.

Kyverno Completes Third-Party Security Audit

Tue, 28 Nov 2023 00:00:00 +0000

The Kyverno project is pleased to announce the completion of its third-party security audit. The audit was conducted by Ada Logics in collaboration with the Kyverno maintainers, the Open Source Technology Improvement Fund and was funded by the Cloud Native Computing Foundation.

The audit was a holistic security audit with four goals:

Define a formal threat model for Kyverno.
Conduct a manual code audit for security vulnerabilities.
Assess Kyverno’s fuzzing suite against the threat model.
Evaluate Kyverno’s supply-chain risks against SLSA.

Ada Logics found 10 security issues during the manual code auditing goal. Four of these had their root cause in the Notary verifier which had not been released prior to the audit. One of the findings was in a third-party dependency to Kyverno and was fixed by the Cosign project maintainers.

Using CEL Expressions in Kyverno Policies

Mon, 13 Nov 2023 00:00:00 +0000

Kyverno, in simple terms, is a policy engine for Kubernetes that can be used to describe policies and validate resource requests against those policies. It allows us to create policies for our Kubernetes cluster on different levels. It enables us to validate, change, and create resources based on our defined policies.

A Kyverno policy is a collection of rules. Whenever we receive an API request to our Kubernetes cluster, we validate it with a set of rules.

Applying Validating Admission Policies using Kyverno CLI

Wed, 04 Oct 2023 00:00:00 +0000

The Kyverno Command Line Interface (CLI) allows applying policies outside of Kubernetes clusters and can validate and test policy behavior prior to adding them to a cluster.

The two commands used for testing are apply and test:

The apply command is used to perform a dry run on one or more policies for the given manifest(s).
The test command is used to test a given set of resources against one or more policies to check the desired results defined in a special test manifest.

In this post, I will show you how you can apply/test Kubernetes ValidatingAdmissionPolicies that were first introduced in 1.26 with the enhancements to the Kyverno CLI in v1.11.

Kyverno Completes Fuzzing Security Audit

Wed, 06 Sep 2023 00:00:00 +0000

Kyverno, a CNCF policy engine for Kubernetes, is happy to announce the completion of its fuzzing security audit. The audit was carried out by Ada Logics and is part of an initiative by the CNCF to bring fuzzing to the CNCF landscape; Fuzzing is an important part in keeping CNCF projects secure and robust, and it has found security vulnerabilities and reliability issues in several other CNCF-hosted projects. The audit spanned July and August of 2023 and resulted in 15 fuzzers written for the Kyverno project. The fuzzers found three bugs during the audit itself and OSS-Fuzz will continue to run them after the audit has concluded to test Kyverno for bugs and vulnerabilities.

Verifying images in a private Amazon ECR with Kyverno and IAM Roles for Service Accounts (IRSA)

Fri, 18 Aug 2023 00:00:00 +0000

When running workloads in Amazon Elastic Kubernetes Service (EKS), it is essential to ensure supply chain security by verifying container image signatures and other metadata. To achieve this, you can configure Kyverno, a CNCF policy engine designed for Kubernetes, to pull from ECR private registries for image verification. It’s possible to pass in the credentials via secrets, but that can get difficult to manage and automate across multiple clusters. In this blog post, we will explore an alternative method that simplifies the authentication process by leveraging Kyverno and IRSA (IAM Roles for Service Accounts) in EKS for image verification.

Simplifying OpenShift MachineSet Management Using Kyverno

Fri, 28 Jul 2023 00:00:00 +0000

(Guest post from Red Hat Distinguished Architect, Andrew Block)

Managing infrastructure in a declarative fashion is one of the core principles that should be adopted when operating in any environment. In OpenShift, this paradigm for managing the underlying Node infrastructure is accomplished using the Machine API. This extension of the upstream Cluster API project enables the provisioning and management of instances once the OpenShift cluster finishes deploying.

While Machines are individual hosts provisioned as Nodes, cluster administrators typically interact with them via an abstraction – a MachineSet. A MachineSet represents a group of compute instances that not only share similar traits, such as the definition of the desired cloud provider, but they can be scaled based on the desired number of instances.

Using Kyverno with Pod Security Admission

Mon, 12 Jun 2023 00:00:00 +0000

Pod Security Admission (PSA) is the built-in successor to Kubernetes PodSecurityPolicy (PSP) and is enabled by default starting in v1.23, graduating to stable in v1.25, the same version where PSP was finally removed. PSA is different from PSP in many respects, however one of the most important–and central to how PSA operates–is that it is focuses on implementing standards and not individual checks like PSP did. The standards in this case are the Pod Security Standards. While many might see technologies like Kyverno and other admission controllers in competition PSA, the two can actually be highly complementary and deliver increased value through tighter security guarantees while catering to the flexibility demanded by modern Kubernetes operations. In this blog, we’ll explain some of these use cases for how Kyverno can be used alongside PSA to get the best of both worlds.

Let's Play Kyverno

Sun, 04 Jun 2023 00:00:00 +0000

Foreword

“Kyverno is a policy engine designed specifically for Kubernetes."

While this approach makes it very easy to use Kyverno in its intended environment, it is sometimes difficult to explain and present the capabilities when that environment is not available.

To help potential users get started and reduce the effort required to test Kyverno and/or develop new policies, the Kyverno Playground has been developed. This has now been available for 3 weeks, currently in version 0.3.1.

PodSecurityPolicy migration with Kyverno

Wed, 24 May 2023 00:00:00 +0000

As you’ve probably heard, PodSecurityPolicy (PSP) in Kubernetes is no more. After a deprecation beginning in v1.21, they were finally removed in v1.25. Many organizations out there are still relying on PSPs and, if you’re reading this post, you’re probably one of them. As you begin to upgrade your clusters closer and closer towards v1.25, the clock is ticking. The choices with which you are faced are to either delay cluster upgrades, which means you aren’t keeping up with the frequent releases and risk being on an unmaintained version, or upgrade to v1.25 or later and simply not have security for Pods. Neither is really an acceptable choice. In this blog post, we’ll show you what your options are and provide a step-by-step migration guide for getting off PSP and onto Kyverno so you can feel confident in your ability to upgrade safely.

New time related JMESPath filters in Kyverno!

Sun, 19 Feb 2023 00:00:00 +0000

The v1.9 release of Kyverno added several time related JMESPath filters. With this addition, users now can add time based rules in their Kyverno policies. This blog post aims to describe those new additions.

What is “JMESPath”?

JMESPath (pronounced “James path”) is a JSON query language that allows you to declaratively specify how to extract elements from a JSON document. It is similar to JSONPath in Kubernetes. It can be used almost anywhere in Kyverno.

Kyverno and SLSA 3

Wed, 01 Feb 2023 00:00:00 +0000

With the release of Kyverno 1.9, Kyverno has begun generating and attesting to the provenance of its release artifacts in the SLSA standard and provisionally meet Level 3. This blog post attempts to explain a bit about SLSA and Level 3 and how we meet the requirements. Once the Open Source Security Foundation (OpenSSF) establishes its conformance program, we hope to see official acknowledgement of this process.

About SLSA

Supply Chain Levels for Software Artifacts, or SLSA (pronounced “salsa”), is a security framework which aims to prevent tampering and secure artifacts in a project. SLSA helps in mitigating supply chain threats. SLSA compliance is based on four levels. Level 1 starts with basic requirements and achieving level 4 requires strict hardening of the supply chain platform.

Kyverno CVE-2022-47633 affecting image verification

Thu, 29 Dec 2022 00:00:00 +0000

Summary

Kyverno versions 1.8.3 and 1.8.4 contained a regression (CVE-2022-47633) which allowed a malicious proxy to facilitate a man-in-the-middle (MiTM) attack allowing an unsigned image to run in a Kubernetes cluster even if there was a Kyverno policy installed to ensure only signed images were permitted. This was due to there being two calls to the registry using the image tag, when there only should have been one, allowing a different digest to be returned on the second call than the first. The issue has been fixed in Kyverno 1.8.5.

New Kyverno Blog

Fri, 08 Jul 2022 00:00:00 +0000

Welcome to the new Kyverno blog!

As you can see, we now have a brand new and shiny blog page thanks to the folks behind the Docsy theme which the Kyverno website uses (in addition to others in the cloud native ecosystem).

Subscribe to the handy RSS feed to watch for updates, or check back to see blog articles published by the Kyverno team!