Kyverno is a Kubernetes-native policy engine that expresses admission, mutation, and generation rules in YAML instead of a dedicated policy language. Policies are themselves Kubernetes resources (ClusterPolicy, Policy), so they are reviewed, versioned, and deployed with the same GitOps tooling as the rest of the cluster.
The Kyverno admission controller registers validating and mutating webhooks and evaluates each incoming API request against the rules whose match/exclude selectors fit the resource. Rules can validate fields with YAML pattern matching or CEL expressions, mutate objects with strategic-merge or JSON 6902 patches, generate downstream resources such as a default-deny NetworkPolicy or a ConfigMap when a Namespace is created, and verify container image signatures and attestations produced by Cosign. Whether a failed validation rejects the request or merely records it is set per policy by validationFailureAction (Enforce or Audit). A background scanner re-evaluates existing resources, so drift surfaces as PolicyReport and ClusterPolicyReport custom resources that dashboards consume and that Kyverno exposes as Prometheus metrics. Kyverno also ships a CLI (kyverno apply, kyverno test) for exercising policies against manifests in CI before they reach a cluster.
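The rule types listed above, shown as three constructed ClusterPolicy manifests added here for illustration (these are not policies shipped by the Kyverno project): a pattern-based validate rule that rejects privileged Pods, a generate rule that places a default-deny NetworkPolicy into every new Namespace, and a verifyImages rule that requires a Cosign keyless signature. The policy names, the kube-system/kube-public/kyverno exclusions, the ghcr.io/example-org registry path and the GitHub Actions signing identity are placeholders.

```yaml
# Constructed example policies (not from the Kyverno project); names, the
# registry path and the signer identity are placeholders.
apiVersion: kyverno.io/v1
kind: ClusterPolicy
metadata:
  name: restrict-privileged-pods
spec:
  validationFailureAction: Enforce   # Audit would only write a PolicyReport entry
  background: true                   # also scan Pods that already exist
  rules:
    - name: disallow-privileged
      match:
        any:
          - resources:
              kinds: [Pod]
      exclude:
        any:
          - resources:
              namespaces: [kube-system]
      validate:
        message: "Privileged containers and privilege escalation are not allowed."
        # =(key) is a conditional anchor: the field is checked only if present,
        # so Pods that omit securityContext (unprivileged by default) still pass.
        pattern:
          spec:
            =(initContainers):
              - =(securityContext):
                  =(privileged): "false"
                  =(allowPrivilegeEscalation): "false"
            =(ephemeralContainers):
              - =(securityContext):
                  =(privileged): "false"
                  =(allowPrivilegeEscalation): "false"
            containers:
              - =(securityContext):
                  =(privileged): "false"
                  =(allowPrivilegeEscalation): "false"
---
apiVersion: kyverno.io/v1
kind: ClusterPolicy
metadata:
  name: add-default-deny-networkpolicy
spec:
  rules:
    - name: default-deny
      match:
        any:
          - resources:
              kinds: [Namespace]
      exclude:
        any:
          - resources:
              kinds: [Namespace]
              names: [kube-system, kube-public, kyverno]
      generate:
        apiVersion: networking.k8s.io/v1
        kind: NetworkPolicy
        name: default-deny
        namespace: "{{request.object.metadata.name}}"  # JMESPath over the admission request
        synchronize: true                              # re-create it if deleted or edited
        data:
          spec:
            podSelector: {}                # every Pod in the new namespace
            policyTypes: [Ingress, Egress] # no rules listed: deny all traffic
---
apiVersion: kyverno.io/v1
kind: ClusterPolicy
metadata:
  name: verify-image-signatures
spec:
  validationFailureAction: Enforce
  webhookTimeoutSeconds: 30            # signature lookups call the registry and Rekor
  rules:
    - name: require-cosign-keyless-signature
      match:
        any:
          - resources:
              kinds: [Pod]
      verifyImages:
        - imageReferences:
            - "ghcr.io/example-org/*"    # placeholder registry path
          mutateDigest: true             # rewrite the tag to the verified digest
          attestors:
            - count: 1
              entries:
                - keyless:
                    # placeholder CI identity: the certificate subject and OIDC
                    # issuer recorded in the Fulcio certificate at signing time
                    subject: "https://github.com/example-org/*"
                    issuer: "https://token.actions.githubusercontent.com"
                    rekor:
                      url: https://rekor.sigstore.dev
```

Two caveats a practitioner would want here. Roll the first and third policies out with validationFailureAction set to Audit first, or run kyverno apply against the manifests in CI, so violations appear in PolicyReports before anything is rejected. And the generated default-deny NetworkPolicy blocks DNS egress as well, so every namespace that receives it also needs an allow rule for kube-dns, otherwise workloads fail name resolution the moment the policy lands.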
Kyverno is a CNCF incubating project and the main alternative to OPA Gatekeeper. Its differentiator is avoiding Rego entirely: operators who already read Kubernetes YAML can write useful policies without learning a new language, and image verification and resource generation come bundled in the same engine rather than as separate tooling.
