// AI NATIVE STACK

CRASH COURSE · AI-NATIVE · beginner · 8 min read · YAML

Kyverno — Kubernetes policy in the language Kubernetes already speaks.

Tags: governance · ai-native · kyverno · kubernetes · policy

TL;DR — Kyverno is a Kubernetes-native policy engine written in YAML. Instead of Rego, you write validate/mutate/generate rules that can enforce AI platform guardrails at admission time.

What it is

Kyverno is a Kubernetes policy engine whose policies are themselves Kubernetes manifests (ClusterPolicy and Policy resources). It runs as a dynamic admission controller, registered through validating and mutating webhooks, and can validate, mutate, and generate resources. In the AI Native landscape it sits in AI Native Infra › Governance, Policy and Security.

Why it exists

If your AI platform already runs on Kubernetes, YAML-first policy is easier to adopt than a separate rule language. Kyverno keeps the mental model aligned with manifests, so teams can block unapproved images, require labels, or mutate resources to add guardrails.

How it works

Kyverno intercepts admission requests, matches them against policy rules by kind, name, namespace or label selector, and responds with an allow or deny (validate rules) or with patches to the object (mutate rules). A validate rule set to Enforce blocks the request; set to Audit it admits the object and records the violation in a PolicyReport instead. It can also generate objects such as NetworkPolicies or ConfigMaps from templates when a trigger resource (a new Namespace, for example) is created. That makes it a good fit for platform guardrails around AI deployments.

Key features

  • YAML-first policy authoring.
  • Validate, mutate, generate in one engine.
  • Kubernetes admission built in.
  • Policy reports for auditability.

Quick start

apiVersion: kyverno.io/v1
kind: ClusterPolicy
metadata:
  name: require-approved-registry
spec:
  # Enforce rejects non-compliant Pods at admission; Audit would only
  # record a violation in a PolicyReport.
  validationFailureAction: Enforce
  rules:
    - name: only-approved-images
      match:
        any:
          - resources:
              kinds:
                - Pod
      validate:
        message: "Images must come from the approved registry"
        # A list in the pattern is checked against every element of the
        # Pod's list. =(field) is a conditional anchor: the check applies
        # only when the Pod has that list, so Pods without initContainers
        # or ephemeralContainers still pass. Without these two entries an
        # init or debug container could pull from any registry.
        pattern:
          spec:
            =(initContainers):
              - image: "registry.example.com/*"
            =(ephemeralContainers):
              - image: "registry.example.com/*"
            containers:
              - image: "registry.example.com/*"
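The quick start covers validate; the other two rule types from "How it works" look like this. The following is an added example written for this page, not a policy from the Kyverno project: one ClusterPolicy mutates Pods in inference namespaces to default runAsNonRoot to true, and a second generates a default-deny-ingress NetworkPolicy whenever a matching Namespace is created. The label key ai-platform/tier, its value inference, and the policy and rule names are assumptions chosen for illustration.

```yaml
# Added example, not from the Kyverno project or this page.
# Assumed convention: inference namespaces carry the label
# ai-platform/tier=inference.
apiVersion: kyverno.io/v1
kind: ClusterPolicy
metadata:
  name: ai-inference-pod-defaults
spec:
  rules:
    - name: default-run-as-non-root
      match:
        any:
          - resources:
              kinds:
                - Pod
              namespaceSelector:
                matchLabels:
                  ai-platform/tier: inference   # assumed label
      mutate:
        patchStrategicMerge:
          spec:
            containers:
              # (name): "*" applies the patch to every container.
              # +(key) adds the field only when it is absent, so a
              # value the author set explicitly is left untouched.
              - (name): "*"
                securityContext:
                  +(runAsNonRoot): true
---
apiVersion: kyverno.io/v1
kind: ClusterPolicy
metadata:
  name: ai-inference-namespace-baseline
spec:
  rules:
    - name: default-deny-ingress
      match:
        any:
          - resources:
              kinds:
                - Namespace
              selector:
                matchLabels:
                  ai-platform/tier: inference   # assumed label
      generate:
        apiVersion: networking.k8s.io/v1
        kind: NetworkPolicy
        name: default-deny-ingress
        # the Namespace that triggered the rule
        namespace: "{{request.object.metadata.name}}"
        # keep the generated object in sync: re-create it if deleted,
        # revert edits, remove it when the Namespace goes away
        synchronize: true
        data:
          spec:
            podSelector: {}      # every Pod in the namespace
            policyTypes:
              - Ingress          # no ingress rules listed = deny all ingress
```

Two things to check before rolling this out. The mutate rule only fills in a missing value; it does not stop a Pod that sets runAsNonRoot: false, so pair it with a validate rule if that must be blocked. For the generate rule, the Kyverno background controller needs RBAC permission to create NetworkPolicy objects; if a generated resource never appears, look at the background controller logs for a forbidden error before debugging the policy itself. The mutate rule can be tried offline with the Kyverno CLI (kyverno apply policy.yaml --resource pod.yaml) against a sample Pod manifest.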

When to use, when to skip

Use it if your AI platform is Kubernetes-first and you want policy in YAML. Skip it if your policy surface spans many systems and you want one language like OPA/Rego for all of them.

Heads up: Kyverno is great for cluster policy, but don't force every business rule into admission. Keep platform rules here and application logic elsewhere.

vs / alongside

Tool         Role                    Note
Kyverno      Kubernetes policy       YAML-first
OPA          General policy engine   Cross-platform
Falco        Runtime detection       Observes live behavior
Kubernetes   Admission target        Where policy lands

References

Verified against Kyverno docs, May 2026.

© cvam — written in plaintext, served warm