CNCF Automates Kubernetes SecOps With Kyverno
Open source Kubernetes policy engine technology Kyverno has been certified for use and formalized with a new Kyverno Certified Associate (KCA) exam by the Cloud Native Computing Foundation at KubeCon + CloudNativeCon North America this month in Salt Lake City.
Kyverno was created by security and governance specialist Nirmata and contributed to the CNCF in November 2020. It moved to the CNCF Incubator in July 2022 and has since seen nearly 10X growth in downloads and gained over 2,000 GitHub stars.
The technology works as a Kubernetes policy engine to validate, mutate and generate configurations, enabling the automation of security policies as code, beyond just audit and enforcement. As a result of its simplicity and range of features, Kyverno has been widely adopted by platform engineering teams that use Kubernetes as a composable platform for building Internal Developer Platforms (IDPs).
“Kyverno simplifies Kubernetes policy management and enhances security in cloud-native environments, making it a valuable tool for platform engineering teams,” said Chris Aniszczyk, CTO of CNCF. “Kyverno being Kubernetes-native and having such prominent ease of use features – [especially] on top of its integration into CI/CD pipelines – has contributed to its widespread adoption in cloud-native projects.”
Admins, Ops & DevOps
Kyverno is designed to be used by Kubernetes administrators, operators and DevOps teams who are responsible for managing and maintaining Kubernetes clusters. It can be valuable in situations where policy management, resource validation and dynamic policy enforcement are required.
Kyverno, which means “govern” in Greek, provides policies that enforce best practices: it can scan existing workloads and block, patch or mutate API requests to keep resources compliant. Kyverno can check whether resource specifications match predefined policies, including checks on Open Container Initiative (OCI) container images, to help secure the software supply chain. The Kyverno Command Line Interface (CLI) can be used to test policies and validate resources as part of a CI/CD pipeline.
Kyverno policies are managed as Kubernetes resources, so “familiar tools” like kubectl, git and kustomize can be used and users do not need to learn a new programming language. Kyverno can also generate additional objects and resources. It allows users to build rules for their Kubernetes resources that allow or deny a resource being applied to a cluster.
Kyverno Certified Associate (KCA)
“We are excited to launch the Kyverno Certified Associate (KCA) exam in partnership with the CNCF and Linux Foundation Education. Kubernetes runs mission-critical workloads across all major verticals and Kyverno has become an indispensable tool with its ability to automate security and operations with policy as code,” says Jim Bugwadia, Nirmata co-founder and CEO. “With this certification, Kubernetes administrators will be able to assess their expertise in Kyverno and prove their ability to address key use cases for their organizations.”
Kyverno secures software supply chains by automating security, compliance and best practices validation. It can verify container images and metadata, allowing teams to create an allowed list of approved base images for constructing containers. Additionally, Kyverno tailors security configurations with fine-grained pod security controls, offering flexibility to exempt specific controls within a pod security profile.
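As an added illustration of the validation and approved-image-list capabilities described above (this is example policy written for this article, not code from the Kyverno project or the CNCF), the following ClusterPolicy blocks any Pod whose containers or init containers pull from a registry other than an assumed internal one. The registry name `registry.example.com` is a placeholder; the `kyverno.io/v1` API, the `validate`/`pattern` syntax and the `validationFailureAction` field are standard Kyverno constructs.

```yaml
# Example Kyverno ClusterPolicy (added for illustration; registry name is a placeholder).
# Rejects Pods that reference images outside an approved registry, giving platform
# teams an allow list of where base images may come from.
apiVersion: kyverno.io/v1
kind: ClusterPolicy
metadata:
  name: restrict-image-registries
  annotations:
    policies.kyverno.io/description: >-
      Only images from the approved internal registry may run in this cluster.
spec:
  # Enforce blocks the admission request; Audit would only record a violation
  # in the PolicyReport, which is the safer first step when rolling a policy out.
  validationFailureAction: Enforce
  # Also scan workloads that already exist, not just new API requests.
  background: true
  rules:
    - name: approved-registry-only
      match:
        any:
          - resources:
              kinds:
                - Pod
      validate:
        message: "Container images must be pulled from registry.example.com."
        pattern:
          spec:
            # =(initContainers) makes the check conditional: the list is only
            # validated if it is present, so Pods without init containers still pass.
            =(initContainers):
              - image: "registry.example.com/*"
            containers:
              - image: "registry.example.com/*"
```

Because Kyverno policies are ordinary Kubernetes resources, this file can be applied with `kubectl apply -f` and tested before it reaches a cluster with the CLI, for example `kyverno apply restrict-image-registries.yaml --resource pod.yaml`, which is how the CI/CD validation step mentioned above is typically wired. Starting with `validationFailureAction: Audit` and reviewing the generated PolicyReports before switching to `Enforce` avoids blocking legitimate deployments while the allow list is still being tuned.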
Streamlined DevSecOps Workflows
According to the CNCF project maintainer team, Kyverno streamlines the DevSecOps workflow and security management in cloud-native environments by validating resources as part of the CI/CD pipeline, producing policy reports that show the results of policy decisions, and enforcing policies as a Kubernetes admission controller, CLI-based scanner, or at runtime.
“Earning a Kyverno certification can enhance knowledge of Kubernetes policy management and demonstrate the ability to handle security, compliance and operational aspects of cloud-native projects. The education required for the certification will help [engineers] learn how to create, apply and manage Kyverno policies, while also building professional credibility and standing out from the competition. Additionally, certification prepares you for roles such as Kubernetes security specialist, DevSecOps engineer, or Kubernetes administrator,” notes the CNCF.
CNCF, with Linux Foundation Education, currently offers one Kyverno-specific course, Mastering Kubernetes Security with Kyverno (LFS255), and KubeCon + CloudNativeCon 2024 also saw the launch of the Kyverno Certified Associate (KCA).