Kyverno 1.0: Kubernetes Policy Engine Reaches GA

Introduction

Kyverno 1.0, the release in which the Kubernetes policy engine reached General Availability (GA), shipped on October 5, 2021.

Policy usually becomes urgent the first time you need to stop a risky manifest from shipping — or when you’re trying to make standards repeatable across teams.

In this release: Kyverno 1.0 achieves General Availability, delivering a Kubernetes-native policy engine with validation, mutation, and generation capabilities for cloud-native security.

Kubernetes-Native Policy Engine

  • Policies are themselves Kubernetes resources (ClusterPolicy and the namespaced Policy) written in YAML, so teams use the manifest syntax and kubectl workflow they already know instead of learning a separate policy language.
  • Validation policies enforce security best practices, resource limits, and compliance requirements at admission time, before a non-compliant object is persisted.
  • Mutation policies modify resources during admission to add defaults, labels, annotations, or inject sidecars, so the object is stored already conforming.
  • Generation policies create supporting resources such as NetworkPolicies, PodDisruptionBudgets, or ServiceAccounts when a triggering resource (a new Namespace, for example) is created.

Policy Capabilities

  1. Context-aware policies use match and exclude blocks over Kubernetes metadata (kinds, labels, annotations, namespaces) so that a rule applies only where intended.
  2. Image verification checks that a container image is signed by a trusted key before it is admitted, so an unsigned or tampered image is rejected at admission rather than discovered later.
  3. Resource quota enforcement uses generation rules to create ResourceQuotas and LimitRanges based on namespace or workload characteristics.
  4. Network policy generation creates NetworkPolicies automatically based on pod labels and service selectors.
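The mutation and generation capabilities from the previous section and the quota and network-policy generation listed above, as one added example that is not part of the original article or of the Kyverno project's own sample policies. It contains a mutation rule that sets runAsNonRoot and allowPrivilegeEscalation only where the author left them unset, and two generation rules that give every new namespace a default-deny ingress NetworkPolicy and a LimitRange. The policy and rule names, the excluded system namespaces and the CPU/memory defaults are assumptions; the field set is the kyverno.io/v1 ClusterPolicy schema, so check it against the CRD of the version you install.

```yaml
# Added example (not from the Kyverno project or the original article).
# Assumed: policy/rule names, the excluded system namespaces, the defaults.
apiVersion: kyverno.io/v1
kind: ClusterPolicy
metadata:
  name: add-default-securitycontext
spec:
  rules:
  - name: set-safe-defaults-if-missing
    match:
      resources:
        kinds:
        - Pod
    exclude:
      resources:
        namespaces:
        - kube-system
    mutate:
      patchStrategicMerge:
        spec:
          securityContext:
            # "+(field)" is the add-if-not-present anchor: a value the author
            # set explicitly is kept, a missing one receives the default.
            +(runAsNonRoot): true
          containers:
          # "(name): "*"" is a conditional anchor that applies the patch
          # to every container in the list.
          - (name): "*"
            securityContext:
              +(allowPrivilegeEscalation): false
---
apiVersion: kyverno.io/v1
kind: ClusterPolicy
metadata:
  name: default-deny-ingress
spec:
  rules:
  - name: generate-default-deny
    match:
      resources:
        kinds:
        - Namespace
    exclude:
      resources:
        names:
        - kube-system
        - kube-public
        - kyverno
    generate:
      apiVersion: networking.k8s.io/v1
      kind: NetworkPolicy
      name: default-deny-ingress
      # The target namespace is taken from the Namespace being admitted.
      namespace: "{{request.object.metadata.name}}"
      # Re-create or re-apply the generated object if it is edited or deleted.
      synchronize: true
      data:
        spec:
          podSelector: {}
          policyTypes:
          - Ingress
---
apiVersion: kyverno.io/v1
kind: ClusterPolicy
metadata:
  name: add-default-limitrange
spec:
  rules:
  - name: generate-limitrange
    match:
      resources:
        kinds:
        - Namespace
    exclude:
      resources:
        names:
        - kube-system
        - kube-public
        - kyverno
    generate:
      apiVersion: v1
      kind: LimitRange
      name: default-container-limits
      namespace: "{{request.object.metadata.name}}"
      synchronize: true
      data:
        spec:
          limits:
          - type: Container
            default:          # applied as the limit when a container sets none
              cpu: 500m
              memory: 256Mi
            defaultRequest:   # applied as the request when a container sets none
              cpu: 100m
              memory: 64Mi
```

Apply the file with kubectl apply -f. The mutation only runs at admission, so pods that already exist are not rewritten until they are recreated; the generation rules fire when a Namespace is created, and synchronize: true makes Kyverno restore the NetworkPolicy and LimitRange if someone later edits or deletes them.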

Security & Compliance

  • Pod security policies validate securityContext settings, seccomp profiles, and AppArmor/SELinux configuration, rejecting pods that share host namespaces or run privileged.
  • RBAC automation generates RoleBindings and ClusterRoleBindings based on namespace or user patterns.
  • Compliance reporting records policy violations and enforcement actions as cluster resources that can be queried with kubectl, so audit-mode findings are visible without reading webhook logs.
  • Exclusions let a policy skip specific namespaces, resources, or service accounts, so that system components or an approved exception do not trip enforcement.
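A baseline pod-security policy covering the first and last bullets above, added here as an illustration; it is not taken from the article or from the Kyverno project's own sample policies. The policy and rule names, the messages and the choice to exempt kube-system are assumptions. The conditional anchor =() and the "a | b" alternation in pattern strings are Kyverno pattern features.

```yaml
# Added example (not from the Kyverno project or the original article).
# Assumed: policy/rule names, messages, and the kube-system exemption.
apiVersion: kyverno.io/v1
kind: ClusterPolicy
metadata:
  name: baseline-pod-security
spec:
  validationFailureAction: enforce
  rules:
  - name: no-host-namespaces
    match:
      resources:
        kinds:
        - Pod
    exclude:
      resources:
        namespaces:
        - kube-system
    validate:
      message: "Sharing the host PID, IPC or network namespace is not allowed."
      pattern:
        spec:
          # "=(field)" is a conditional anchor: the check applies only when the
          # field is present, so a pod that omits it (defaulting to false) passes.
          =(hostPID): false
          =(hostIPC): false
          =(hostNetwork): false
  - name: no-privileged-containers
    match:
      resources:
        kinds:
        - Pod
    exclude:
      resources:
        namespaces:
        - kube-system
    validate:
      message: "Privileged containers are not allowed."
      pattern:
        spec:
          # Every element of the pod's list must match the pattern element.
          containers:
          - =(securityContext):
              =(privileged): false
          # initContainers are often forgotten; cover them with the same rule.
          =(initContainers):
          - =(securityContext):
              =(privileged): false
  - name: require-seccomp-profile
    match:
      resources:
        kinds:
        - Pod
    exclude:
      resources:
        namespaces:
        - kube-system
    validate:
      message: "A RuntimeDefault or Localhost seccomp profile is required at pod level."
      pattern:
        spec:
          securityContext:
            seccompProfile:
              # "a | b" accepts either value; an absent profile fails the rule
              # because this key has no conditional anchor.
              type: "RuntimeDefault | Localhost"
```

Setting validationFailureAction to audit instead of enforce records violations without blocking admission, which is the safe way to roll this out against existing workloads before switching to enforce.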

Operational Excellence

  • Policy testing framework enables unit testing of policies against sample resources with the Kyverno CLI before deployment to production.
  • Audit mode (validationFailureAction: audit) records violations without blocking requests, and the CLI can apply policies to manifests offline, so the effect of a policy can be previewed before it is enforced.
  • Metrics & observability exposes Prometheus metrics for policy evaluation counts, violations, and evaluation latency.
  • Webhook management: Kyverno registers and maintains its own validating and mutating webhook configurations, so operators do not hand-write them.

Comparison with Gatekeeper

  • Native Kubernetes syntax vs. Rego policy language makes Kyverno more accessible to Kubernetes operators.
  • Built-in mutation support eliminates the need for separate mutation webhooks.
  • Resource generation enables automatic creation of supporting resources, reducing manual configuration.
  • Simpler debugging with YAML-based policies provides clearer error messages and easier troubleshooting.

Getting Started

kubectl create namespace kyverno
kubectl apply -f https://raw.githubusercontent.com/kyverno/kyverno/v1.0.0/definitions/release/install.yaml

Create a validation policy that rejects any Pod missing the app and version labels (the "?*" pattern matches any non-empty string, and an absent key never matches):

apiVersion: kyverno.io/v1
kind: ClusterPolicy
metadata:
  name: require-labels
spec:
  validationFailureAction: enforce
  rules:
  - name: check-labels
    match:
      resources:
        kinds:
        - Pod
    validate:
      message: "Labels 'app' and 'version' are required"
      pattern:
        metadata:
          labels:
            app: "?*"
            version: "?*"
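To unit-test the policy above the way the testing framework described earlier allows, the Kyverno CLI's kyverno test command reads a test manifest placed next to the policy and resource files. The layout below is an added example, not from the article or the Kyverno project; it assumes the policy above is saved as require-labels.yaml in the same directory, and the two pod manifests are constructed inputs. Two files are shown in one listing, separated by comments, and the test-file schema has changed across CLI releases, so compare it with the documentation of the CLI version you install.

```yaml
# Added example (not from the Kyverno project or the original article).
# Assumed: file names require-labels.yaml (the policy above), resources.yaml
# and kyverno-test.yaml, plus the pod names and image below (constructed).
#
# --- kyverno-test.yaml ---
name: require-labels-tests
policies:
  - require-labels.yaml
resources:
  - resources.yaml
results:
  - policy: require-labels
    rule: check-labels
    resource: labelled-pod
    kind: Pod
    result: pass
  - policy: require-labels
    rule: check-labels
    resource: unlabelled-pod
    kind: Pod
    result: fail
# --- resources.yaml (constructed test inputs) ---
---
apiVersion: v1
kind: Pod
metadata:
  name: labelled-pod
  labels:
    app: billing
    version: "2.3.1"
spec:
  containers:
  - name: app
    image: registry.example.com/billing:2.3.1
---
apiVersion: v1
kind: Pod
metadata:
  name: unlabelled-pod
  labels:
    app: billing   # "version" is missing, so the "?*" pattern cannot match
spec:
  containers:
  - name: app
    image: registry.example.com/billing:2.3.1
```

Run kyverno test . in that directory. The second pod fails because "?*" requires at least one character and an absent key never matches; if the CLI reports a pass there, the policy is not checking what you think it is, which is exactly the mistake this test exists to catch before the policy is enforced in a cluster.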

Summary

Aspect              Details
Release Date        October 5, 2021
Headline Features   Kubernetes-native policies, validation/mutation/generation, image verification
Why it Matters      Provides an accessible, powerful policy engine that integrates seamlessly with Kubernetes workflows

Kyverno 1.0 delivers a production-ready policy engine that makes Kubernetes security and compliance accessible to all teams, without requiring specialized policy language expertise.