Kyverno is a CNCF-backed publisher that concentrates on cloud-native policy automation, offering a single yet far-reaching product: the Kyverno policy engine for Kubernetes. Built to work as an admission controller inside any standard Kubernetes cluster, Kyverno lets platform teams declare security, compliance and operational rules in familiar YAML, then enforces or audits those rules without writing code. Typical use cases range from blocking images that lack approved signatures to auto-injecting sidecars, limiting resource requests, spreading workloads across zones, and annotating namespaces for cost attribution. Because policies are Kubernetes resources themselves, they fit naturally into GitOps pipelines, allowing reviewers to treat governance changes like application pull requests. The engine supports both validate and mutate modes, can generate additional resources on the fly, and exposes detailed policy reports that feed directly into monitoring stacks. Operators often deploy Kyverno early in a cluster’s lifecycle to baseline security, then layer on more granular rules as teams migrate workloads; the separate CLI also lets developers test policies offline before they reach production. Although the footprint is lightweight (a small set of controllers and a webhook), the project scales to hundreds of policies across thousands of namespaces and integrates with OCI registries, Sigstore tooling, and external data sources for context-aware decisions. Kyverno’s software is available for free on get.nero.com, where downloads are delivered through trusted Windows package sources such as winget, always install the latest upstream release, and can be pulled in bulk alongside other applications.

kyverno

Kyverno is a policy engine designed for Kubernetes.
