<!-- Copyright 2025 The Kyverno Authors Licensed under the Apache License, Version 2.0 (the "License"); you may not use this file except in compliance with the License. You may obtain a copy of the License at http://www.apache.org/licenses/LICENSE-2.0 Unless required by applicable law or agreed to in writing, software distributed under the License is distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the License for the specific language governing permissions and limitations under the License. -->

Kyverno

Cloud Native Policy Management 🎉

<p align="center"><a href="https://kyverno.io" rel="kyverno.io"><img src="img/Kyverno_Horizontal.png" alt="Kyverno Logo" width="400"></a></p>

📑 Table of Contents

• About Kyverno
• Documentation
• Demos & Tutorials
• Popular Use Cases
• Explore the Policy Library
• Getting Help
• Contributing
• Software Bill of Materials
• Contributors
• License

About Kyverno

Kyverno is a Kubernetes-native policy engine designed for platform engineering teams. It enables security, compliance, automation, and governance through policy-as-code. Kyverno can:

• Validate, mutate, generate, and clean up resources using Kubernetes admission controls and background scans.
• Verify container image signatures for supply chain security.
• Operate with tools you already use — like kubectl, kustomize, and Git.

<a href="https://opensourcesecurityindex.io/" target="_blank" rel="noopener"> <img src="https://opensourcesecurityindex.io/badge.svg" alt="Open Source Security Index badge" width="282" height="56" /> </a>

📙 Documentation

Kyverno installation and reference documentation is available at kyverno.io.

• 👉 Quick Start
• 👉 Installation Guide
• 👉 Policy Library

🎥 Demos & Tutorials

• ▶️ Getting Started with Kyverno – YouTube
• 🧪 Kyverno Playground

🎯 Popular Use Cases

Kyverno helps platform teams enforce best practices and security standards. Some common use cases include:

1. Security & Compliance

• Enforce Pod Security Standards (PSS)
• Require specific security contexts
• Validate container image sources and signatures
• Enforce CIS Benchmark policies

2. Operational Excellence

• Auto-label workloads
• Enforce naming conventions
• Generate default configurations (e.g., NetworkPolicies)
• Validate YAML and Helm manifests

3. Cost Optimization

• Enforce resource quotas and limits
• Require cost allocation labels
• Validate instance types
• Clean up unused resources

4. Developer Guardrails

• Require readiness/liveness probes
• Enforce ingress/egress policies
• Validate container image versions
• Auto-inject config maps or secrets

📚 Explore the Policy Library

Discover hundreds of production-ready Kyverno policies for security, operations, cost control, and developer enablement.

👉 Browse the Policy Library

🙋 Getting Help

We’re here to help:

• 🐞 File a GitHub Issue
• 💬 Join the Kyverno Slack Channel
• 📅 Attend Community Meetings
• ⭐️ Star this repository to stay updated

➕ Contributing

Thank you for your interest in contributing to Kyverno!

• ✅ Read the Contribution Guidelines
• 🤖 Read The AI_Usage_Policy
• 🧵 Join GitHub Discussions
• 📖 Read the Development Guide
• 🏁 Check Good First Issues and request with /assign
• 🌱 Explore the Community page

🧾 Software Bill of Materials

All Kyverno images include a Software Bill of Materials (SBOM) in CycloneDX format. SBOMs are available at:

• 👉 ghcr.io/kyverno/sbom
• 👉 Fetching the SBOM

👥 Contributors

Kyverno is built and maintained by our growing community of contributors!

<a href="https://github.com/kyverno/kyverno/graphs/contributors"> <img src="https://contrib.rocks/image?repo=kyverno/kyverno" alt="Contributors image" /> </a>

Made with contributors-img

📄 License

Copyright 2026, the Kyverno project. All rights reserved.
Kyverno is licensed under the Apache License 2.0.

Kyverno is a Cloud Native Computing Foundation (CNCF) Incubating project and was contributed by Nirmata.