kyverno

Version: 3.5.2 | Type: application

Kubernetes-native policy management and security engine

Component Information

Property | Value
Chart Version | 3.5.2
Chart Type | application
Upstream Project | kyverno
Maintainers | Platform Engineering Team (repo)

Why Kyverno?

Kyverno uses Kubernetes-native resources (policies are CRDs, like any other manifest) and doesn’t require learning a specialized language like Rego. Policies are written in YAML, which means the learning curve is lower if you already understand Kubernetes manifests.

Beyond validation, Kyverno supports:

  • Validation: Accept or reject resources based on rules
  • Mutation: Modify resources on admission (e.g., inject labels, add sidecars)
  • Generation: Create new resources when a trigger resource is created (e.g., generate NetworkPolicy for every new namespace)
  • Image Verification: Validate container image signatures using Sigstore/Cosign

The platform currently uses Kyverno primarily for validation. The mutation and generation capabilities are available for future use as governance requirements evolve. Kyverno also integrates with FinOps tools like Kubecost.

Architecture Role

Kyverno operates at Layer 2 of the platform, the Automation & Governance layer. It sits in the admission control path, evaluating every resource before it’s persisted to etcd.

Key integration points:

  • Kubernetes API: Kyverno registers as a validating and mutating webhook
  • ArgoCD: Policies evaluate resources that ArgoCD deploys
  • PolicyReport CRDs: Kyverno generates reports that Policy Reporter consumes
  • Prometheus: Exposes metrics on policy evaluations, violations, and webhook performance

Most policies currently run in audit mode, meaning violations are reported but don’t block deployments. This follows the “paved road” philosophy: guide users toward best practices without creating friction. The exception is enforce-namespace-labels, which runs in enforce mode to guarantee that all namespaces have the metadata required for cost attribution and governance.

See Security & Policy Model for the platform’s governance architecture.

Configuration Values

The following table lists the configurable parameters:

Values

Deployment Strategy

Key | Type | Default | Description
admissionController | object | {"strategy":{"rollingUpdate":{"maxSurge":1,"maxUnavailable":0},"type":"RollingUpdate"}} | Rolling update strategy for zero-downtime updates

Other Values

Key | Type | Default | Description
admissionController.strategy | object | {"rollingUpdate":{"maxSurge":1,"maxUnavailable":0},"type":"RollingUpdate"} | Deployment strategy for admission controller
admissionController.strategy.rollingUpdate.maxSurge | int | 1 | Maximum surge pods during update
admissionController.strategy.rollingUpdate.maxUnavailable | int | 0 | Maximum unavailable pods during update (0 for zero-downtime)
backgroundController.resources.limits.cpu | string | "250m" | CPU limit for background controller
backgroundController.resources.limits.memory | string | "256Mi" | Memory limit for background controller
backgroundController.resources.requests.cpu | string | "100m" | CPU request for background controller
backgroundController.resources.requests.memory | string | "128Mi" | Memory request for background controller
cleanupController.resources.limits.cpu | string | "250m" | CPU limit for cleanup controller
cleanupController.resources.limits.memory | string | "256Mi" | Memory limit for cleanup controller
cleanupController.resources.requests.cpu | string | "100m" | CPU request for cleanup controller
cleanupController.resources.requests.memory | string | "128Mi" | Memory request for cleanup controller
crds.install | bool | true | Install Kyverno CRDs
livenessProbe | object | {"failureThreshold":3,"initialDelaySeconds":0,"periodSeconds":10,"successThreshold":1,"timeoutSeconds":1} | Liveness probe for the main admission controller
livenessProbe.failureThreshold | int | 3 | Failed probes tolerated before restart
livenessProbe.initialDelaySeconds | int | 0 | Delay before starting liveness checks
livenessProbe.periodSeconds | int | 10 | Frequency of liveness probes
livenessProbe.successThreshold | int | 1 | Successful probes required to mark ready
livenessProbe.timeoutSeconds | int | 1 | Timeout per liveness probe
priorityClassName | string | "platform-policy" | Priority class for Kyverno admission controller
readinessProbe | object | {"failureThreshold":3,"initialDelaySeconds":0,"periodSeconds":10,"successThreshold":1,"timeoutSeconds":1} | Readiness probe for the main admission controller
readinessProbe.failureThreshold | int | 3 | Failed readiness probes tolerated
readinessProbe.initialDelaySeconds | int | 0 | Delay before starting readiness checks
readinessProbe.periodSeconds | int | 10 | Frequency of readiness probes
readinessProbe.successThreshold | int | 1 | Successful probes required to be ready
readinessProbe.timeoutSeconds | int | 1 | Timeout per readiness probe
reportsController.resources.limits.cpu | string | "250m" | CPU limit for reports controller
reportsController.resources.limits.memory | string | "256Mi" | Memory limit for reports controller
reportsController.resources.requests.cpu | string | "100m" | CPU request for reports controller
reportsController.resources.requests.memory | string | "128Mi" | Memory request for reports controller
resources | object | {"limits":{"cpu":"250m","memory":"256Mi"},"requests":{"cpu":"100m","memory":"128Mi"}} | Resources for the main admission controller
resources.limits.cpu | string | "250m" | CPU limit for admission controller
resources.limits.memory | string | "256Mi" | Memory limit for admission controller
resources.requests.cpu | string | "100m" | CPU request for admission controller
resources.requests.memory | string | "128Mi" | Memory request for admission controller
startupProbe | object | {"failureThreshold":30,"initialDelaySeconds":0,"periodSeconds":10,"successThreshold":1,"timeoutSeconds":1} | Startup probe for the main admission controller
startupProbe.failureThreshold | int | 30 | Failed startup probes tolerated
startupProbe.initialDelaySeconds | int | 0 | Delay before starting startup probes
startupProbe.periodSeconds | int | 10 | Frequency of startup probes
startupProbe.successThreshold | int | 1 | Successful startup probes required
startupProbe.timeoutSeconds | int | 1 | Timeout per startup probe