base on Cloud Native Policy Management <!-- Copyright 2025 The Kyverno Authors Licensed under the Apache License, Version 2.0 (the "License"); you may not use this file except in compliance with the License. You may obtain a copy of the License at http://www.apache.org/licenses/LICENSE-2.0 Unless required by applicable law or agreed to in writing, software distributed under the License is distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the License for the specific language governing permissions and limitations under the License. --> # Kyverno [](https://twitter.com/intent/tweet?text=Cloud%20Native%20Policy%20Management.%20No%20new%20language%20required%1&url=https://github.com/kyverno/kyverno/&hashtags=kubernetes,devops) **Cloud Native Policy Management 🎉** [](https://github.com/kyverno/kyverno/actions) [](https://goreportcard.com/report/github.com/kyverno/kyverno)  [](https://github.com/kyverno/kyverno/stargazers) [](https://bestpractices.coreinfrastructure.org/projects/5327) [](https://securityscorecards.dev/viewer/?uri=github.com/kyverno/kyverno) [](https://slsa.dev) [](https://artifacthub.io/packages/search?repo=kyverno) [](https://app.codecov.io/gh/kyverno/kyverno/branch/main) [](https://app.fossa.com/projects/git%2Bgithub.com%2Fkyverno%2Fkyverno?ref=badge_shield) <p align="center"><a href="https://kyverno.io" rel="kyverno.io"><img src="img/Kyverno_Horizontal.png" alt="Kyverno Logo" width="400"></a></p> ## 📑 Table of Contents - [About Kyverno](#about-kyverno) - [Documentation](#-documentation) - [Demos & Tutorials](#-demos--tutorials) - [Popular Use Cases](#-popular-use-cases) - [Explore the Policy Library](#-explore-the-policy-library) - [Getting Help](#-getting-help) - [Contributing](#-contributing) - [Software Bill of Materials](#software-bill-of-materials) - [Community Highlights](#-community-highlights) - [Contributors](#contributors) - [License](#license) ## About Kyverno Kyverno is a Kubernetes-native policy engine designed for platform engineering teams. It enables security, compliance, automation, and governance through policy-as-code. Kyverno can: - Validate, mutate, generate, and clean up resources using Kubernetes admission controls and background scans. - Verify container image signatures for supply chain security. - Operate with tools you already use — like `kubectl`, `kustomize`, and Git. <a href="https://opensourcesecurityindex.io/" target="_blank" rel="noopener"> <img src="https://opensourcesecurityindex.io/badge.svg" alt="Open Source Security Index badge" width="282" height="56" /> </a> ## 📙 Documentation Kyverno installation and reference documentation is available at [kyverno.io](https://kyverno.io). - 👉 **[Quick Start](https://kyverno.io/docs/introduction/#quick-start)** - 👉 **[Installation Guide](https://kyverno.io/docs/installation/)** - 👉 **[Policy Library](https://kyverno.io/policies/)** ## 🎥 Demos & Tutorials - ▶️ [Getting Started with Kyverno – YouTube](https://www.youtube.com/results?search_query=kyverno+tutorial) - 🧪 [Kyverno Playground](https://playground.kyverno.io/) ## 🎯 Popular Use Cases Kyverno helps platform teams enforce best practices and security standards. Some common use cases include: ### 1. **Security & Compliance** - Enforce Pod Security Standards (PSS) - Require specific security contexts - Validate container image sources and signatures - Enforce CIS Benchmark policies ### 2. **Operational Excellence** - Auto-label workloads - Enforce naming conventions - Generate default configurations (e.g., NetworkPolicies) - Validate YAML and Helm manifests ### 3. **Cost Optimization** - Enforce resource quotas and limits - Require cost allocation labels - Validate instance types - Clean up unused resources ### 4. **Developer Guardrails** - Require readiness/liveness probes - Enforce ingress/egress policies - Validate container image versions - Auto-inject config maps or secrets ## 📚 Explore the Policy Library Discover hundreds of production-ready Kyverno policies for security, operations, cost control, and developer enablement. 👉 [Browse the Policy Library](https://kyverno.io/policies/) ## 🙋 Getting Help We’re here to help: - 🐞 File a [GitHub Issue](https://github.com/kyverno/kyverno/issues) - 💬 Join the [Kyverno Slack Channel](https://slack.k8s.io/#kyverno) - 📅 Attend [Community Meetings](https://kyverno.io/community/#community-meetings) - ⭐️ [Star this repository](https://github.com/kyverno/kyverno/stargazers) to stay updated ## ➕ Contributing Thank you for your interest in contributing to Kyverno! - ✅ Read the [Contribution Guidelines](/CONTRIBUTING.md) - 🧵 Join [GitHub Discussions](https://github.com/kyverno/kyverno/discussions) - 📖 Read the [Development Guide](/DEVELOPMENT.md) - 🏁 Check [Good First Issues](https://github.com/kyverno/kyverno/labels/good%20first%20issue) and request with `/assign` - 🌱 Explore the [Community page](https://kyverno.io/community/) ## 🧾 Software Bill of Materials All Kyverno images include a Software Bill of Materials (SBOM) in [CycloneDX](https://cyclonedx.org/) format. SBOMs are available at: - 👉 [`ghcr.io/kyverno/sbom`](https://github.com/orgs/kyverno/packages?tab=packages&q=sbom) - 👉 [Fetching the SBOM](https://kyverno.io/docs/security/#fetching-the-sbom-for-kyverno) ## 👥 Contributors Kyverno is built and maintained by our growing community of contributors! <a href="https://github.com/kyverno/kyverno/graphs/contributors"> <img src="https://contrib.rocks/image?repo=kyverno/kyverno" alt="Contributors image" /> </a> _Made with [contributors-img](https://contrib.rocks)_ ## 📄 License Copyright 2025, the Kyverno project. All rights reserved. Kyverno is licensed under the [Apache License 2.0](LICENSE). Kyverno is a [Cloud Native Computing Foundation (CNCF) Incubating project](https://www.cncf.io/projects/) and was contributed by [Nirmata](https://nirmata.com/?utm_source=github&utm_medium=repository). ", Assign "at most 3 tags" to the expected json: {"id":"3831","tags":[]} "only from the tags list I provide: [{"id":77,"name":"3d"},{"id":89,"name":"agent"},{"id":17,"name":"ai"},{"id":54,"name":"algorithm"},{"id":24,"name":"api"},{"id":44,"name":"authentication"},{"id":3,"name":"aws"},{"id":27,"name":"backend"},{"id":60,"name":"benchmark"},{"id":72,"name":"best-practices"},{"id":39,"name":"bitcoin"},{"id":37,"name":"blockchain"},{"id":1,"name":"blog"},{"id":45,"name":"bundler"},{"id":58,"name":"cache"},{"id":21,"name":"chat"},{"id":49,"name":"cicd"},{"id":4,"name":"cli"},{"id":64,"name":"cloud-native"},{"id":48,"name":"cms"},{"id":61,"name":"compiler"},{"id":68,"name":"containerization"},{"id":92,"name":"crm"},{"id":34,"name":"data"},{"id":47,"name":"database"},{"id":8,"name":"declarative-gui "},{"id":9,"name":"deploy-tool"},{"id":53,"name":"desktop-app"},{"id":6,"name":"dev-exp-lib"},{"id":59,"name":"dev-tool"},{"id":13,"name":"ecommerce"},{"id":26,"name":"editor"},{"id":66,"name":"emulator"},{"id":62,"name":"filesystem"},{"id":80,"name":"finance"},{"id":15,"name":"firmware"},{"id":73,"name":"for-fun"},{"id":2,"name":"framework"},{"id":11,"name":"frontend"},{"id":22,"name":"game"},{"id":81,"name":"game-engine "},{"id":23,"name":"graphql"},{"id":84,"name":"gui"},{"id":91,"name":"http"},{"id":5,"name":"http-client"},{"id":51,"name":"iac"},{"id":30,"name":"ide"},{"id":78,"name":"iot"},{"id":40,"name":"json"},{"id":83,"name":"julian"},{"id":38,"name":"k8s"},{"id":31,"name":"language"},{"id":10,"name":"learning-resource"},{"id":33,"name":"lib"},{"id":41,"name":"linter"},{"id":28,"name":"lms"},{"id":16,"name":"logging"},{"id":76,"name":"low-code"},{"id":90,"name":"message-queue"},{"id":42,"name":"mobile-app"},{"id":18,"name":"monitoring"},{"id":36,"name":"networking"},{"id":7,"name":"node-version"},{"id":55,"name":"nosql"},{"id":57,"name":"observability"},{"id":46,"name":"orm"},{"id":52,"name":"os"},{"id":14,"name":"parser"},{"id":74,"name":"react"},{"id":82,"name":"real-time"},{"id":56,"name":"robot"},{"id":65,"name":"runtime"},{"id":32,"name":"sdk"},{"id":71,"name":"search"},{"id":63,"name":"secrets"},{"id":25,"name":"security"},{"id":85,"name":"server"},{"id":86,"name":"serverless"},{"id":70,"name":"storage"},{"id":75,"name":"system-design"},{"id":79,"name":"terminal"},{"id":29,"name":"testing"},{"id":12,"name":"ui"},{"id":50,"name":"ux"},{"id":88,"name":"video"},{"id":20,"name":"web-app"},{"id":35,"name":"web-server"},{"id":43,"name":"webassembly"},{"id":69,"name":"workflow"},{"id":87,"name":"yaml"}]" returns me the "expected json"