kyverno

kyverno · kyverno.kyverno

Kyverno is a policy engine designed for Kubernetes. It can validate, mutate, and generate configurations using admission controls and background scans. Kyverno policies are Kubernetes resources and do not require learning a new language. Kyverno is designed to work nicely with tools you already use like kubectl, kustomize, and Git.

winget install --id kyverno.kyverno --exact --source winget

Latest 1.17.1

Release Notes

What's Changed

  • chore: remove Nirmata refs (Cherry-pick #15114) by @kyverno-bot in #15115
  • cli: simplify namespaced policy loading in CLI (Cherry-pick #15118) by @kyverno-bot in #15122
  • fix: panic in metrics wrapper when generating response does not provide a result (Cherry-pick #15105) by @kyverno-bot in #15117
  • fix: init dclient before using it (Cherry-pick #15172) by @kyverno-bot in #15173
  • populate registry consistently (Cherry-pick #14632) by @kyverno-bot in #15184
  • fix: eliminate memcache error spam from fake client discovery polling (Cherry-pick #15187) by @kyverno-bot in #15193
  • fix: restmapper for fakeclient (cherry-pick #15177) by @realshuting in #15194
  • cherry pick #0ffed6f by @fjogeleit in #15206
  • fix: CVE-2025-68121 (Cherry-pick #15203) by @kyverno-bot in #15212
  • fix: enable signed timestamp verification when TSA cert chain is provided (Cherry-pick #15192) by @kyverno-bot in #15217
  • fix: add default message for ValidatingPolicy when message field is empty (Cherry-pick #13630) by @kyverno-bot in #15267
  • fix: return errors from syncPolicy to enable workqueue retry (Cherry-pick #15082) by @kyverno-bot in #15268
  • fix: skip side effects on dry-run in gpol/mpol (Cherry-pick #15143) by @kyverno-bot in #15270
  • fix(ivpol): Unauthorized error when using a private repository (Cherry-pick #15136) by @kyverno-bot in #15271
  • fix(charts): add missing endpointslices list permission to cleanup controller role (Cherry-pick #15140) by @kyverno-bot in #15272
  • fix(admissionpolicygenerator): enqueue exceptions (Cherry-pick #15038) by @kyverno-bot in #15274
  • changed default value and helm values documentation from integer to duration string (Cherry-pick #15124) by @kyverno-bot in #15275
  • fix: nil pointer dereference in Certificates branch of manifest valid… (Cherry-pick #15152) by @kyverno-bot in #15276
  • Fix Empty list in policy exclusion result in excluding all resources (Cherry-pick #13794) by @kyverno-bot in #15277
  • fix: imageVerify Multi-Signature Annotation Validation Bug (Cherry-pick #14500) by @kyverno-bot in #15279
  • Fix Chainsaw test for MutatingPolicy add-label-applyconfiguration (Cherry-pick #14587) by @kyverno-bot in #15282
  • chore(deps): bump github.com/go-git/go-git/v5 from 5.16.4 to 5.16.5 (Cherry-pick #15164) by @kyverno-bot in #15278
  • fix(ivpol): use Kyverno namespace secrets in reports scanner (Cherry-pick #15220) by @kyverno-bot in #15287
  • chore: run unit tests in verbose mode (cherry-pick #15230) by @eddycharly in #15288
  • fix: handler crash for nmpol (Cherry-pick #15133) by @kyverno-bot in #15285
  • chore(deps): bump the kubernetes group across 3 directories with 7 updates (Cherry-pick #15183) by @kyverno-bot in #15284
  • fix: race conditions in configuration.IsExcluded() and breaker.ReportsBreaker (Cherry-pick #15145) by @kyverno-bot in #15289
  • fix: make the mutating policy use its ConditionCompiler to produce the evaluator (Cherry-pick #15242) by @kyverno-bot in #15291
  • release: v1.17.1-rc.1 by @eddycharly in #15298
  • change indentation of validationActions fields (cherry-pick #15257) by @eddycharly in #15300
  • fix: set UseSignedTimestamps when TSACertChain is provided in IVPOL cosign verifier (cherry pick #15305) by @lucchmielowski in #15306
  • release: v1.17.1 by @eddycharly in #15308

Full Changelog: v1.17.0...v1.17.1

Installer type: zip

Architecture Scope Download SHA256
x64 Download F74D4841916946076B9F56475696C29426E5E0BA8177D82BCFCA3FCD5506CDD9
arm64 Download 98B09117874EB2AA2874D02FAFBF5D834F5232F5B1E26BCAFD3C6D3923AC83D1

Details

Homepage: https://github.com/kyverno/kyverno
License: Apache-2.0
Publisher: kyverno
Support: https://github.com/kyverno/kyverno/issues

Tags

k8s, kubernetes

Older versions (5)

1.13.4
Architecture Scope Download SHA256
x64 Download AF3EAFAAA8FEFAB6FD5831B8122AD97578B2E08A723D30A5D5639512559CA59E
1.12.4
Architecture Scope Download SHA256
x64 Download 7152CD3223FF465A9DF1FB7B64A68FC5B5E36AB797590782F6C6D6DA8888A3A3
1.11.3
Architecture Scope Download SHA256
x64 Download F083B9A712AB319A0FF162702ED88C0A3D265EDB8A1C53EE731EF22C9D6387F9
1.11.1
Architecture Scope Download SHA256
x64 Download F5E33DB2E853DCCB9820BB8E9CD82C84AEB47A915C058BEC9F0A6E99F9581D83
1.10.6
Architecture Scope Download SHA256
x64 Download B346114FED44386A31643FE70412EB100315CFEE9A6811746C653A22D11A3560