github.com/kyverno/kyverno @v1.18.1 sqlite

17,507 symbols 108,729 edges 1,692 files 2,457 documented · 14% 81 cross-repo links
README

Kyverno

Cloud Native Policy Management 🎉

About Kyverno

Kyverno is a Kubernetes-native policy engine designed for platform engineering teams. It enables security, compliance, automation, and governance through policy-as-code. Kyverno can:

  • Validate, mutate, generate, and clean up resources using Kubernetes admission controls and background scans.
  • Verify container image signatures for supply chain security.
  • Operate with tools you already use — like kubectl, kustomize, and Git.

📙 Documentation

Kyverno installation and reference documentation is available at kyverno.io.

🎥 Demos & Tutorials

🎯 Popular Use Cases

Kyverno helps platform teams enforce best practices and security standards. Some common use cases include:

1. Security & Compliance

  • Enforce Pod Security Standards (PSS)
  • Require specific security contexts
  • Validate container image sources and signatures
  • Enforce CIS Benchmark policies

2. Operational Excellence

  • Auto-label workloads
  • Enforce naming conventions
  • Generate default configurations (e.g., NetworkPolicies)
  • Validate YAML and Helm manifests

3. Cost Optimization

  • Enforce resource quotas and limits
  • Require cost allocation labels
  • Validate instance types
  • Clean up unused resources

4. Developer Guardrails

  • Require readiness/liveness probes
  • Enforce ingress/egress policies
  • Validate container image versions
  • Auto-inject config maps or secrets

📚 Explore the Policy Library

Discover hundreds of production-ready Kyverno policies for security, operations, cost control, and developer enablement.

👉 Browse the Policy Library

🙋 Getting Help

We’re here to help:

➕ Contributing

Thank you for your interest in contributing to Kyverno!

🧾 Software Bill of Materials

All Kyverno images include a Software Bill of Materials (SBOM) in CycloneDX format. SBOMs are available at:

👥 Contributors

Kyverno is built and maintained by our growing community of contributors!

📄 License

Copyright 2026, the Kyverno project. All rights reserved.
Kyverno is licensed under the Apache License 2.0.

Kyverno is a Cloud Native Computing Foundation (CNCF) Incubating project and was contributed by Nirmata.

Extension points exported contracts — how you extend this code

ClusterPolicyReportLister (Interface)
ClusterPolicyReportLister helps list ClusterPolicyReports. All objects returned here must be treated as read-only. [534 …
pkg/client/listers/policyreport/v1alpha2/clusterpolicyreport.go
OperatorHandler (Interface)
OperatorHandler provides interface to manage types [10 implementers]
pkg/engine/variables/operator/operator.go
Validation (Interface)
Validation provides methods to validate a rule [64 implementers]
pkg/validation/policy/actions.go
ReportInterface (Interface)
+kubebuilder:object:generate=false ReportInterface abstracts the concrete report change request type [8 implementers]
api/reports/v1/interface.go
CreateClient (Interface)
(no doc) [557 implementers]
pkg/utils/controller/utils.go
CompiledPolicy (Interface)
(no doc) [20 implementers]
pkg/image/verification/evaluator/policy.go
Discovery (Interface)
Discovery provides interface to manage Kind and GVR mapping [4 implementers]
pkg/auth/auth.go
Lister (Interface)
(no doc) [547 implementers]
pkg/exceptions/selector.go

Core symbols most depended-on inside this repo

String
called by 5596
pkg/engine/anchor/anchor.go
Errorf
called by 1812
pkg/image/verifiers/ivpol/notary/log.go
StartChildSpan
called by 1704
pkg/tracing/childspan.go
SetSpanStatus
called by 1703
pkg/tracing/helpers.go
IsInSpan
called by 1703
pkg/tracing/helpers.go
RecordWithContext
called by 1700
pkg/metrics/client.go
GetName
called by 671
pkg/background/common/labels.go
Run
called by 658
pkg/leaderelection/leaderelection.go

Shape

Method 10,029
Function 5,187
Struct 1,800
Interface 402
TypeAlias 56
FuncType 33

Languages

Go 100%

Modules by API surface

api/kyverno/v1/zz_generated.deepcopy.go · 130 symbols
pkg/engine/api/policy.go · 92 symbols
api/kyverno/v1/common_types.go · 80 symbols
api/kyverno/v2beta1/zz_generated.deepcopy.go · 76 symbols
cmd/internal/config.go · 71 symbols
api/kyverno/v2/zz_generated.deepcopy.go · 64 symbols
pkg/engine/context/context.go · 63 symbols
pkg/clients/kube/corev1/pods/resource.generated.go · 63 symbols
pkg/clients/kube/corev1/events/resource.generated.go · 60 symbols
pkg/clients/kube/clientset.generated.go · 60 symbols
pkg/validation/policy/validate.go · 58 symbols
pkg/clients/kube/corev1/client.generated.go · 57 symbols

Dependencies from manifests, versioned

cel.dev/expr v0.25.1 · 1×
cloud.google.com/go v0.123.0 · 1×
cloud.google.com/go/auth/oauth2adapt v0.2.8 · 1×
cloud.google.com/go/compute/metadata v0.9.0 · 1×
cloud.google.com/go/kms v1.26.0 · 1×
cloud.google.com/go/longrunning v0.8.0 · 1×
cuelabs.dev/go/oci/ociregistry v0.0.0-2025121222160 · 1×
cuelang.org/go v0.16.0 · 1×
dario.cat/mergo v1.0.2 · 1×
github.com/AdaLogics/go-fuzz-headers v0.0.0-2024080614160 · 1×

For agents

$ claude mcp add kyverno \
  -- python -m otcore.mcp_server <graph>
