The Cloud Native Computing Foundation (CNCF) has officially recognized Kyverno, an open-source policy engine for Kubernetes, by elevating it to the "Graduated" project status. This significant milestone, achieved at KubeCon + CloudNativeCon in Amsterdam this March, marks the culmination of a five-year journey through the CNCF’s rigorous maturity ladder, from Sandbox to Incubation and now Graduation. The achievement underscores Kyverno’s production-readiness, widespread adoption, and robust governance, positioning it as a leading solution for managing complex Kubernetes environments.
Jim Bugwadia, CEO and co-founder of Nirmata, the primary maintainer of Kyverno, shared his insights on this achievement in an exclusive interview with The New Stack Makers. He detailed the significance of the graduation status, emphasizing the extensive vetting process and the project’s evolution, including its recent transition to the Common Expression Language (CEL).
The Significance of CNCF Graduation
CNCF graduation is not merely a symbolic award; it represents a project’s proven ability to operate at scale, maintain stability, and foster a vibrant community. Out of the hundreds of projects under the CNCF umbrella, only a select few, currently 35, have reached this highest tier of maturity. This selective process involves comprehensive security reviews, code audits, and demonstrated stability over an extended period.
"Incubation is really a good sign of the maturity of a project," Bugwadia explained. "It means it’s production-ready. It has a lot of adopters. Then graduation is more about project governance, other security reviews, and things to get through. It took us about four years to go from incubation to graduation." This extended incubation period allowed Kyverno to solidify its position as a critical tool within the cloud-native ecosystem.
The CNCF landscape, a vast and ever-expanding directory of cloud-native technologies, is a testament to the rapid growth and innovation in the space. Kyverno’s progression through its ranks highlights its substantial contribution and its ability to meet the demanding standards set by the foundation.
Kyverno: A Policy Engine for the Modern Cloud
Kyverno, whose name derives from the Greek word for "to govern," is designed to simplify and automate policy enforcement within Kubernetes. As Kubernetes clusters become increasingly complex and are utilized by diverse teams – developers, security operations, and infrastructure operators – the need for clear, consistent, and enforceable rules becomes paramount.
"Kubernetes is designed for multiple roles. You have developers, security teams, and operators, all using the same configurations. So if you have a deployment or a pod, there are bits and pieces in there for everybody," Bugwadia stated. "So how do you manage this at scale? How do you tell developers: You must configure a security context, or your images must come from this specific registry. Policies are really good at declaratively instructing."
Kyverno addresses this challenge by allowing users to define policies in a declarative manner, similar to how Kubernetes resources are managed. These policies can be used to validate, mutate, and generate Kubernetes resources, ensuring that clusters adhere to organizational security, compliance, and operational best practices.
Evolution and Adoption in the Age of AI
Kyverno’s journey has seen significant technical advancements. A notable recent development was the migration of the project from custom YAML to the Common Expression Language (CEL). CEL is a modern, expressive language that is natively integrated with the Kubernetes API server. This move enhances performance, simplifies policy authoring, and improves the overall developer experience.
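As an added illustration of the two policy styles the article mentions, the Kyverno ClusterPolicy below is example code written for this page, not a policy shipped by the Kyverno project or quoted from the interview. It applies the same two rules Bugwadia cites: developers must configure a security context, and images must come from an approved registry. The first rule is written as a CEL expression (Kyverno's `validate.cel.expressions` form), the second as a classic YAML pattern, and a third rule shows a mutate that adds a default label; the registry hostname and label value are assumptions for illustration.

```yaml
# Added example policy (not from the article or the Kyverno project).
# Apply with: kubectl apply -f require-security-context.yaml
apiVersion: kyverno.io/v1
kind: ClusterPolicy
metadata:
  name: pod-baseline-governance
spec:
  # Enforce rejects non-compliant Pods at admission; Audit would only report them.
  validationFailureAction: Enforce
  # Also scan existing resources and write policy reports for them.
  background: true
  rules:
    # Rule 1: CEL-based validation. Every container must set
    # securityContext.runAsNonRoot: true. "object" is the admitted resource.
    - name: require-run-as-nonroot
      match:
        any:
          - resources:
              kinds:
                - Pod
      validate:
        cel:
          expressions:
            - expression: >-
                object.spec.containers.all(c,
                  has(c.securityContext) &&
                  has(c.securityContext.runAsNonRoot) &&
                  c.securityContext.runAsNonRoot == true)
              message: "Every container must set securityContext.runAsNonRoot: true."

    # Rule 2: pattern-based validation. All container images must be pulled
    # from the approved registry (hostname is an assumed example value).
    - name: restrict-image-registry
      match:
        any:
          - resources:
              kinds:
                - Pod
      validate:
        message: "Images must come from registry.example.com."
        pattern:
          spec:
            containers:
              - image: "registry.example.com/*"

    # Rule 3: mutation. Add an owner label if the Pod does not already carry one;
    # the "+(...)" anchor means "add only if absent". Label value is an assumption.
    - name: add-default-owner-label
      match:
        any:
          - resources:
              kinds:
                - Pod
      mutate:
        patchStrategicMerge:
          metadata:
            labels:
              +(owner): "platform-team"
```

A practical way to roll this out is to start with `validationFailureAction: Audit` so that `background: true` produces policy reports for workloads that already violate the rules, then switch to `Enforce` once those are fixed; the CEL rule is evaluated by the same expression engine the Kubernetes API server uses, which is the integration the article refers to.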
The project’s user base has also expanded significantly, driven in part by the burgeoning adoption of Artificial Intelligence (AI) technologies. The increasing prevalence of AI workloads and autonomous agents within cloud-native environments necessitates more stringent policy enforcement and automation than ever before. Enterprises are looking to govern the deployment and behavior of these AI systems, and Kyverno provides a robust framework to do so.
"If you have a social club with people and you want to write down a set of rules in Kubernetes, these are digital policies which are running in the cluster, and they are making sure that these rules are enforced, or auditing and reporting and letting you know that, ‘Hey, something’s off, it needs to be looked at,’ or ‘This would be good to fix and optimize’," Bugwadia elaborated. This analogy effectively captures Kyverno’s role in maintaining order and compliance within dynamic Kubernetes clusters.
The impact of these developments is evident in Kyverno’s download statistics, which have surpassed an impressive 3 billion downloads. This widespread adoption underscores its critical role in ensuring secure and compliant Kubernetes operations across a diverse range of industries.
The Nirmata-Kyverno Synergy: Balancing Open Source and Commercial Value
Nirmata, the company founded by Bugwadia and his colleagues, plays a crucial role in the Kyverno ecosystem by offering commercial support and advanced enterprise features. This relationship exemplifies a common strategy in the open-source world: leveraging a strong community project to drive commercial success.
"Many open-source-backed companies fail by giving away too much value for free, yet open sourcing remains the fastest path to adoption," Bugwadia acknowledged. Nirmata navigates this challenge through a strict "church-and-state" separation between the open-source Kyverno project and its commercial offering, Nirmata Enterprise for Kyverno.
Nirmata Enterprise for Kyverno provides crucial additions for large-scale deployments, including centralized fleet management, advanced observability, and sophisticated governance capabilities. While the open-source Kyverno excels at detecting and flagging policy violations, Nirmata Enterprise focuses on remediation and proactive management.
"Kyverno is really good at detecting and finding problems, but businesses don’t want to just find things. They want to fix things, and Nirmata is very good at fixing things," Bugwadia stated. This symbiotic relationship ensures that the open-source project remains a community-driven endeavor, free from vendor lock-in, while the commercial product offers enhanced capabilities for enterprises that require them.
A key tenet of participation in the open-source ecosystem is true openness. This means the Kyverno project itself cannot favor specific integrations, such as a particular GitOps tool. However, Nirmata Enterprise is designed to be more inclusive, offering broader integration possibilities. This approach has proven effective, with an estimated 2% to 5% conversion rate from open-source users to the premium Nirmata enterprise offering. While this percentage might seem small, it represents a significant number of users when considering the scale of Kyverno’s adoption, especially at the billion-image download level.
Looking Ahead: Continued Growth and Innovation
Kyverno’s graduation from the CNCF is not an endpoint but a testament to its journey and a springboard for future innovation. The project’s continued development, coupled with the commercial offerings from Nirmata, positions it to address the evolving challenges of cloud-native governance. As organizations increasingly rely on Kubernetes for critical workloads, the demand for robust, scalable, and user-friendly policy management solutions like Kyverno will only continue to grow. The project’s recent technical advancements, combined with its strong community backing and clear commercial strategy, suggest a bright future for Kyverno in the dynamic landscape of cloud-native computing.
Bugwadia concluded by inviting stakeholders to explore the full conversation, available through video and audio, to gain deeper insights into the careful balance struck between open-source collaboration and enterprise-grade solutions that define Kyverno’s success.
