Policy management: Kyverno can prove itself in the CNCF sandbox
Source: Heise.de, added 23rd Nov 2020
In addition to the Open Policy Agent, the Cloud Native Computing Foundation (CNCF) has now added another policy management project to its portfolio. The Kyverno policy engine, originally developed by Nirmata, can now prove itself in the CNCF sandbox. The open source project is designed to integrate seamlessly into Kubernetes and to use its existing resources and tools, so that developers do not have to learn new languages or tools, promises Nirmata founder and CEO Jim Bugwadia.
Managing policies with CRDs, YAML and JSON
In contrast to Open Policy Agent, which requires the Rego language for policy management, Kyverno uses YAML or JSON and can be combined with the kubectl, git and kustomize tools that most Kubernetes users are familiar with. To handle complex policy configurations, which can involve hundreds of API parameters, especially in a corporate context, Kyverno uses the declarative approach of Kubernetes.
With the help of Custom Resource Definitions (CRDs), Kubernetes administrators can create, manage and automate policies for a wide variety of application areas. Kyverno can be used, for example, to automatically inject certificates into pods or to add sidecar containers. The policy engine can even be used for access control. Kyverno works as a validating and mutating webhook with the Kubernetes API server to block invalid or non-conforming configurations if necessary.
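As an added illustration of the two webhook roles described above (not taken from the article or from the Kyverno project), the following ClusterPolicy combines a validating rule with a mutating rule. The policy name, the rule names and the `team` label are assumptions; the field names follow the `kyverno.io/v1` schema, whose details and value casing have changed between releases.

```yaml
# Added illustration; names and the label key are assumptions, not from the article.
apiVersion: kyverno.io/v1
kind: ClusterPolicy
metadata:
  name: pod-baseline-example        # hypothetical policy name
spec:
  # Enforce = the validating webhook rejects the request; Audit = only report it.
  validationFailureAction: Enforce
  rules:
    # Validating rule: admit a Pod only if it carries a non-empty owner label.
    - name: require-team-label
      match:
        resources:
          kinds:
            - Pod
      validate:
        message: "Pods must set the label 'team' (assumed label key)."
        pattern:
          metadata:
            labels:
              team: "?*"            # ?* = at least one character
    # Mutating rule: patch the Pod during admission, before it is stored.
    - name: default-no-privilege-escalation
      match:
        resources:
          kinds:
            - Pod
      mutate:
        patchStrategicMerge:
          spec:
            containers:
              # (name): "*" applies the patch to every container in the list.
              - (name): "*"
                securityContext:
                  # +(...) adds the field only when the Pod does not set it.
                  +(allowPrivilegeEscalation): false
```

Because the policy is an ordinary Kubernetes resource, it can be applied with kubectl and kept under version control with git like any other manifest.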
Easier configuration for more security
Kyverno's approach, which is based on patterns and best practices from Kubernetes, is intended to make policy management easier, even in more complex corporate environments. Under the umbrella of the CNCF, Nirmata CEO Bugwadia also hopes for synergies through closer cooperation with other projects. Among other things, the development team behind the CNCF sandbox project cert-manager has already expressed interest in using Kyverno for policy administration related to certificate management.
Further information on the policy engine can be found on the Kyverno homepage, the announcement as part of KubeCon + CloudNativeCon and in the project overview of the Cloud Native Computing Foundation.
(map)