Kyverno

L5 — Agent-Aware Governance Policy Engine · Free (OSS) / Nirmata commercial · Apache-2.0 · OSS

OSS Kubernetes-native policy engine. Apache-2.0 under CNCF. Validates, mutates, generates K8s resources via declarative YAML policies (no Rego required). Strong fit for K8s admission control, image trust, and supply-chain security.

AI Analysis

Kyverno is the OSS Kubernetes-native policy engine — Apache-2.0 license under CNCF. Validates, mutates, generates K8s resources via declarative YAML policies (no Rego required). Pick Kyverno for K8s-native policy where YAML ergonomics beat OPA Gatekeeper's Rego DSL.

Trust Before Intelligence

Kyverno's K8s-native + YAML-first design creates the lowest-friction policy primitive for K8s workloads. From a Trust Before Intelligence lens, this is the right tool for K8s admission control: image trust, supply-chain security, namespace isolation, network policies — all expressible in YAML. Distinct from Cerbos (app-authz) and OPA (general policy).

INPACT Score

27/36
I — Instant
5/6

Admission webhook overhead sub-50ms.

N — Natural
5/6

Native YAML policies — no Rego.

P — Permitted
5/6

K8s RBAC + Kyverno policies.

A — Adaptive
4/6

K8s-only; the cap rule is not applicable.

C — Contextual
4/6

Policy reports + admission logs.

T — Transparent
4/6

Audit + reports + OpenTelemetry.

GOALS Score

20/25
G — Governance
5/6

Governance is Kyverno's specialty; adjusted from 4/6 to 5/6.

O — Observability
4/6

Policy reports; adjusted from 2/6 to 4/6 (lenient).

A — Availability
4/6

Adjusted from 5/6 to 4/6.

L — Lexicon
3/6

Adjusted from 1/6 to 3/6.

S — Solid
4/6

Adjusted from 5/6 to 4/6.

AI-Identified Strengths

  • + Apache-2.0 CNCF-graduated
  • + K8s-native YAML policies — no Rego DSL
  • + Validates + mutates + generates K8s resources
  • + Strong supply-chain security primitives
  • + Nirmata commercial support

AI-Identified Limitations

  • - K8s-only — not for general policy
  • - Smaller community than OPA Gatekeeper
  • - Compliance via attested K8s substrate

Industry Fit

Best suited for

  • K8s admission control + supply-chain security
  • Image trust + namespace isolation
  • CNCF-aligned platforms

Compliance certifications

OSS Apache-2.0; substrate compliance via K8s.

Use with caution for

  • Non-K8s policy needs
  • App-authz priority (Cerbos)

AI-Suggested Alternatives

OPA

OPA for general-purpose policy. Kyverno for K8s-native YAML.

Cerbos

Cerbos for app-authz. Kyverno for K8s policy.


Integration in 7-Layer Architecture

Role: L5 K8s policy engine.

Upstream: K8s admission requests.

Downstream: Allow/deny + audit + reports.

⚡ Trust Risks

Medium: Used for app-authz when Cerbos fits

Mitigation: use the right tool for each layer: Kyverno for K8s admission; Cerbos for app-authz; OPA for general policy.

Use Case Scenarios

Strong: K8s admission control with supply-chain policies

Kyverno's specialty.

Weak: App-level authorization decisions

Cerbos fits.

Stack Impact

L5: K8s-native policy engine.


This analysis is AI-generated using the INPACT and GOALS frameworks from "Trust Before Intelligence." Scores and assessments are algorithmic and may not reflect the vendor's complete capabilities. Always validate with your own evaluation.