Skip to main content
Hey everyone, it’s Srinivas from KodeKloud. In this lesson we’ll learn about Kyverno — a Kubernetes-native policy engine that validates and mutates Kubernetes resources using familiar Kubernetes-style CRDs. Kyverno helps enforce organization policies (labels, image sources, resource limits, replica counts, network policies, etc.) so that resource creation and updates comply with governance and best practices. We’ll cover:
  • What Kyverno is
  • How Kyverno works inside the API server admission flow
  • Example policies (validation and mutation) and a short demo workflow
The image contains an icon on the left and a list on the right with the headings: "What is Kyverno?", "How Kyverno Works?", and "Quick Demo: Some Example Policies." The background is black.

Why use Kyverno?

Consider a simple Deployment manifest you might apply to a cluster:
When you run kubectl apply, Kubernetes validates manifest syntax and authorizations, but it won’t enforce organization-specific policies by default. Requiring labels, disallowing public registries, enforcing resource requests/limits, or rejecting :latest images manually is error-prone and hard to scale. Automating policy enforcement with Kyverno ensures consistency, lowers developer feedback latency, and preserves compliance without slowing delivery.
The image depicts a flowchart connecting an organization, a manager or CEO, and a platform team or developers, highlighting concepts like governance, best practices, consistency, lower latency, and agility, with the Kubernetes logo featured prominently.

Common policy examples

Below are typical policies organizations enforce via Kyverno: You can adopt these examples to fit your environment (private registry prefix, minimum replicas, allowed namespaces, etc.).
The image lists four requirements: images must be from an approved repository, ingress hostnames must be globally unique, pods must have resource limits, and traffic must be denied without network policies.

Where Kyverno integrates with Kubernetes

Incoming API requests pass through authentication and authorization, then the admission controller pipeline. Admission webhooks can mutate or validate requests before objects are persisted to etcd. Kyverno runs as an admission webhook (a third-party policy agent) and can perform mutations and validations in the mutating and validating admission stages. If a request complies with Kyverno policies, the webhook allows it; otherwise it is denied or logged (depending on policy action).
The image is a flowchart illustrating the process of handling an API request with Kyverno, detailing steps like authentication, admission, and validation before storing in ETCD. It highlights the role of a Policy Agent in the mutating and validating admission stages.

Installing Kyverno

Kyverno is distributed via Helm. Installing creates the necessary CustomResourceDefinitions (CRDs) and deploys Kyverno controllers plus the admission webhook. Add the Helm repo, refresh, and inspect the chart:
A straightforward install (adjust replica counts for HA):
Verify the Kyverno CRDs:
Kyverno also provides an optional chart that ships pre-configured policies implementing the Kubernetes Pod Security Standards:

Policy basics (CRDs and actions)

Kyverno introduces CRDs such as ClusterPolicy and Policy. Policies can:
  • Validate requests (deny or audit violations).
  • Mutate requests before admission.
  • Generate reports.
Use validationFailureAction to control enforcement:
Set validationFailureAction to Enforce to deny non-compliant requests, or Audit to allow requests but record violations for reporting.

Example 1 — Require a team label on Deployments

ClusterPolicy that enforces a non-empty team label on Deployments:
Key points:
  • match targets resource kinds (here: Deployment).
  • validate.message is returned when the rule is violated.
  • The pattern team: "?*" requires a non-empty string for the team label.
Apply the policy and verify:
Creating a Deployment without the team label will be denied by Kyverno’s admission webhook:
Add labels: { team: frontend } to succeed.

Example 2 — Minimum replicas validation

Require at least 3 replicas for Deployments:
Kyverno evaluates spec.replicas and denies requests with replicas < 3.

Mutation example — set imagePullPolicy when image uses :latest

Kyverno can mutate incoming requests. Example: set imagePullPolicy when a container uses the :latest tag:
Notes:
  • mutate.patchStrategicMerge merges values into the incoming object.
  • The special key (image): "*:latest" matches container entries where image ends with :latest and sets imagePullPolicy.

Demo workflow (commands)

  1. Install Kyverno using the Helm commands above.
  2. Create and apply example ClusterPolicy YAML files (labels, replicas, mutation).
  3. Attempt to apply Deployments/Pods that violate policies to observe Kyverno denying them.
  4. Switch validationFailureAction from Audit to Enforce after validating policy impact.
Kyverno documentation covers validate/mutate rules, wildcard patterns, strategic merge, and more. For pattern matching details see: https://kyverno.io/docs/writing-policies/validate/
The image is a screenshot of a webpage from the Kyverno documentation, specifically the section on validating rules, with detailed explanations and a sidebar menu containing navigation links.

Additional policy examples

  • Deny :latest or require an explicit tag:
  • Allow only images from a private registry (example uses kodekloud.io):
The pattern kodekloud.io/* enforces that the image string begins with the private registry prefix — replace with your registry (for example: myregistry.internal/*).

Hands-on tips

  • Start with validationFailureAction: Audit to measure impact before switching to Enforce.
  • For lists like containers, Kyverno’s wildcard patterns and strategic merge keys (e.g., (image)) let you match items by key.
  • Consider enabling Kyverno’s pre-configured Pod Security Standard policies to get a baseline. See Kubernetes Pod Security Standards: https://kubernetes.io/docs/concepts/security/pod-security-standards/
The image is a flow diagram depicting an installation process involving a user, Helm, and Kubernetes-related components. It shows an arrow sequence from the user to Helm, and then to a group of puzzle-piece icons and a Kubernetes logo.

Summary

Kyverno is a Kubernetes-native policy engine that integrates with the admission webhook pipeline to validate and mutate resources using native Kubernetes CRDs (ClusterPolicy and Policy). With Kyverno you can automate enforcement of labels, image registries and tags, resource constraints, replica counts, network controls, and more. Installing via Helm is simple, and Kyverno offers pre-built policy bundles for common best practices. Start with Audit mode to validate impact, then move to Enforce when ready. Happy experimenting with Kyverno — it’s a practical way to automate policy enforcement across your cluster.

Watch Video