Why finding a Kubernetes problem is only half the battle for Kyverno users
By The New Stack
Key Concepts
- Kyverno: An open-source policy engine for Kubernetes designed for security, automation, and compliance.
- CNCF (Cloud Native Computing Foundation): The organization hosting critical infrastructure projects like Kubernetes, Prometheus, and Envoy.
- Project Graduation: The final stage of a CNCF project lifecycle, signifying production readiness, mature governance, and multi-vendor diversity.
- Open Core Model: A business strategy where the core software is open-source, while commercial value-added services (remediation, management) are sold separately.
- Policy-as-Code: The practice of expressing the rules that manage, secure, and audit cluster configuration as declarative files that are versioned and reviewed like source code.
- Governance Review: A mandatory CNCF process ensuring a project is not controlled by a single vendor and maintains an open, fair contribution process.
1. Kyverno and CNCF Graduation
Kyverno, co-created by Jim Bugwadia (CEO of Nirmata), recently achieved "Graduated" status within the CNCF. This milestone marks the end of a four-year journey from incubation to graduation.
- Significance: Graduation is not merely about code quality; it requires rigorous security reviews and, crucially, project governance.
- Governance Requirements: To graduate, a project must demonstrate that it is not tied to a single vendor. It requires maintainers from multiple companies to ensure the project’s longevity and neutrality.
- Scale: The project has seen over 3 billion image pulls, indicating massive adoption across regulated industries and, increasingly, AI-driven workloads.
2. The Role of Policy in Kubernetes
Kubernetes environments involve diverse personas—developers, security teams, and operators—all interacting with the same configurations.
- The Problem: Managing security contexts, registry restrictions, and configuration standards at scale is complex.
- The Solution: Kyverno acts as a policy engine: it runs inside the cluster as a Kubernetes admission controller and as a background scanner of existing resources, and teams write declarative rules against it. Those rules block or flag non-compliant resources, audit existing configurations, and produce reports, so that "digital policies" are applied consistently across the cluster rather than per team or per manifest.
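To make "declarative rules" concrete, the following Kyverno ClusterPolicy is an illustrative example written for this summary; it is not a policy shown in the video, and it is not taken from the Kyverno project's own policy library. The registry hostname registry.example.com, the policy and rule names, and the kube-system exclusion are assumptions. It addresses two of the concerns named in the problem statement above: restricting which image registries Pods may pull from, and requiring a non-root security context.

```yaml
apiVersion: kyverno.io/v1
kind: ClusterPolicy
metadata:
  name: baseline-pod-controls   # assumed name, chosen for this example
spec:
  # Enforce rejects a non-compliant admission request outright; Audit admits
  # it and records the violation in a PolicyReport instead.
  validationFailureAction: Enforce
  background: true               # also evaluate Pods that already exist
  rules:
    - name: restrict-image-registries
      match:
        any:
          - resources:
              kinds:
                - Pod
      exclude:
        any:
          - resources:
              namespaces:
                - kube-system   # assumed: control-plane pods are governed elsewhere
      validate:
        message: "Images must be pulled from registry.example.com."
        pattern:
          spec:
            containers:
              - image: "registry.example.com/*"
            # =( ) is Kyverno's conditional anchor: check the field only if present
            =(initContainers):
              - image: "registry.example.com/*"
            =(ephemeralContainers):
              - image: "registry.example.com/*"
    - name: require-run-as-nonroot
      match:
        any:
          - resources:
              kinds:
                - Pod
      validate:
        message: "Containers must run as non-root: set runAsNonRoot: true at the Pod or container level."
        # anyPattern passes if at least one pattern matches
        anyPattern:
          # Pod-level setting, provided no container overrides it to false
          - spec:
              securityContext:
                runAsNonRoot: true
              containers:
                - =(securityContext):
                    =(runAsNonRoot): true
          # or every container sets it explicitly
          - spec:
              containers:
                - securityContext:
                    runAsNonRoot: true
```

Apply it with kubectl apply -f and submit a Pod that pulls from docker.io or omits runAsNonRoot: with validationFailureAction set to Enforce the API server rejects the request and returns the rule's message; with Audit the Pod is admitted and the violation appears in a PolicyReport. That Audit mode is the "detecting and finding problems" capability the speaker contrasts with remediation later on the page.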
3. Open Source Strategy: The "Open Core" Model
Bugwadia explains that open-sourcing Kyverno was a strategic decision to build a foundation rather than a traditional product.
- Avoiding "Bait and Switch": The team ensured the open-source version was full-featured and scalable. They avoided locking performance or scale behind a commercial paywall, which they argue is essential for developer trust.
- Business Model: Nirmata does not monetize the Kyverno engine itself. Instead, it provides commercial value through remediation agents and management tools that "complete the loop", moving from simply detecting problems (Kyverno) to fixing them (Nirmata).
- Conversion Funnel: The business treats open-source adoption as a top-of-funnel activity. By fostering a large user base, they can convert a small percentage (typically 2–5%) into commercial customers who require advanced management services.
4. Maintaining and Growing the Project
- Recruiting Maintainers: The project utilizes the Linux Foundation’s mentorship program to bring in students and interns, some of whom have transitioned into full-time maintainer roles.
- Preventing Burnout: To avoid the fate of projects that are abandoned for lack of resources, the team encourages companies that use Kyverno to sponsor their staff to contribute. This aligns the project's roadmap with the business interests of the organizations using it.
- International Collaboration: By embracing remote-first and asynchronous communication practices, the project has built a global maintainer community, allowing for 24/7 development and support.
5. Future Outlook and Expansion
Kyverno is evolving beyond its original Kubernetes-centric scope:
- Unified Policy Language: The project is expanding to govern any payload, including cloud configurations and AI agents.
- Conformance Program: Following the model of Kubernetes, the CNCF is introducing a conformance program for graduated projects. Kyverno intends to participate, allowing other vendors to build services on top of it with verified compatibility.
- Call to Action: Bugwadia emphasizes that contributions are not limited to code. Documentation, sample policies, blog posts, and community talks are vital for the project's continued growth.
Notable Quotes
- "Kyverno means to govern in Greek... it’s a policy engine designed for Kubernetes. It does a lot of interesting things around automation and security." — Jim Bugwadia
- "Open source is not a business model. It’s a long game. First, you have to prove your product-market fit for the open source... and then you have to build your commercial models on top of that." — Jim Bugwadia
- "Kyverno is really good at detecting and finding problems. But businesses don’t want to just find things, they want to fix things." — Jim Bugwadia
Synthesis
The graduation of Kyverno highlights the maturation of the cloud-native ecosystem. By successfully navigating the transition from a vendor-led project to a multi-company, CNCF-governed entity, Kyverno has established a sustainable model for open-source security. The key takeaway is that for open-source projects to survive, they must balance the "open core" philosophy with a clear, value-added commercial strategy that incentivizes corporate sponsorship and active, diverse maintainer participation.