kyverno

A Kubernetes-native policy engine for validating, mutating, and generating configurations.

What is kyverno?

The Kyverno image packages Kyverno, an open-source Kubernetes-native policy engine. Kyverno enables teams to define policies as Kubernetes resources using familiar YAML rather than requiring a custom language.

It can validate (enforce rules like “all Pods must have resource limits”), mutate (modify resources automatically, such as injecting labels or sidecars), and generate (create additional resources like ConfigMaps or NetworkPolicies). Kyverno is also used for image verification, ensuring only signed and trusted container images are deployed.

Because it integrates directly with the Kubernetes API server, Kyverno is widely adopted by platform and security teams to enforce governance, security, and compliance requirements without steep learning curves.

How to use this image

The Kyverno image is typically deployed as a controller within a Kubernetes cluster.

Examples:

<code># Install Kyverno into a Kubernetes cluster using kubectl
kubectl create -f https://raw.githubusercontent.com/kyverno/kyverno/main/config/release/install.yaml</code>

<code># Apply a sample validation policy (require resource requests/limits)
kubectl apply -f https://raw.githubusercontent.com/kyverno/policies/main/best-practices/require_resources.yaml</code>

<code># Test the policy with a Pod that lacks resource limits
kubectl apply -f test-pod.yaml</code>

Kyverno policies are defined as Kubernetes CRDs, making them easy to version, share, and apply via GitOps workflows.
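
The following is an added example, not taken from the Kyverno project or from this image's documentation. It sketches a validation policy of the kind described above together with a possible `test-pod.yaml`. The policy name, Pod names and image tag are assumptions.

```yaml
# Added example; all resource names and the image tag are constructed.
apiVersion: kyverno.io/v1
kind: ClusterPolicy
metadata:
  name: require-requests-limits-example   # hypothetical name
spec:
  validationFailureAction: Enforce   # block non-compliant Pods; Audit only reports them
  background: true                   # also report on Pods that already exist
  rules:
    - name: validate-resources
      match:
        any:
          - resources:
              kinds:
                - Pod
      validate:
        message: "CPU and memory requests and a memory limit are required."
        pattern:
          spec:
            containers:
              # "?*" matches any non-empty value; every container must match
              - resources:
                  requests:
                    memory: "?*"
                    cpu: "?*"
                  limits:
                    memory: "?*"
---
# test-pod.yaml, case 1: no resources block, so admission is denied under Enforce
apiVersion: v1
kind: Pod
metadata:
  name: no-limits        # constructed sample
spec:
  containers:
    - name: app
      image: nginx:1.27  # placeholder image
---
# case 2: satisfies the pattern and is admitted
apiVersion: v1
kind: Pod
metadata:
  name: with-limits      # constructed sample
spec:
  containers:
    - name: app
      image: nginx:1.27  # placeholder image
      resources:
        requests: {memory: "64Mi", cpu: "100m"}
        limits: {memory: "128Mi"}
```

With the failure action set to `Enforce`, the admission webhook rejects the first Pod with the policy's message and admits the second. With `Audit`, both are admitted and the violation is only recorded in a policy report, so check which mode a policy uses before relying on it as a control.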


Image variants

The Kyverno image is generally released under the ghcr.io/kyverno/kyverno repository and published in these forms:

kyverno:<version>

Version-pinned images (e.g., kyverno:v1.12.0) are recommended for production clusters.

kyverno:latest

Tracks the most recent stable release. Useful for evaluation but not advised for long-term production use.

kyverno:nightly / dev

Built from the development branch. Intended for contributors or teams testing new features.

Interested in a CVE-free kyverno?

Pull echo’s kyverno image for a CVE-free base. Automatically patched and hardened for you.