Kyverno has officially graduated in the CNCF. On March 16, 2026, the CNCF Technical Oversight Committee voted to move Kyverno to the Graduated maturity level β and I am proud to have voted in favor of this milestone.
This is a significant moment for the Kubernetes policy ecosystem. Graduation is the highest maturity level in the CNCF, reserved for projects that demonstrate thriving adoption, a well-documented governance model, strong security practices, and community sustainability. Kyverno joins the ranks of projects like Kubernetes, Prometheus, Envoy, and Helm.
What Is Kyverno
Kyverno is a Kubernetes-native policy engine for validation, mutation, generation, and image verification. Unlike general-purpose policy engines that require learning a new language, Kyverno policies are written in familiar YAML β the same format Kubernetes practitioners already use every day.
This design choice is what makes Kyverno stand out. You can enforce policies like:
- Require resource limits on all pods β no more runaway containers consuming cluster resources
- Inject sidecar containers automatically β standardize observability or security agents across all workloads
- Verify container image signatures β enforce supply chain security by ensuring only signed images are deployed
- Generate NetworkPolicies automatically β create default network isolation for every new namespace
- Enforce pod security standards β replace the deprecated PodSecurityPolicy with Kyverno equivalents
All of this happens declaratively, using Kubernetes-native resources that integrate naturally into GitOps workflows.
The Road to Graduation
Kyvernoβs journey through the CNCF maturity levels tells a story of steady growth:
- Sandbox β accepted November 10, 2020
- Incubating β promoted July 13, 2022
- Graduated β March 16, 2026
The graduation application demonstrated what the TOC looks for at this level:
- Broad production adoption β adopters include Vodafone, Deutsche Telekom, LinkedIn, Spotify, Saxo Bank, US DoD Platform One, OVHcloud, and many more
- Multi-organization maintainership β maintainers from Nirmata, Chainguard, Kuaishou Technology, VELUX, RedNote, and Cloudflare
- Comprehensive security practices β third-party security audit by Ada Logics, SLSA level 3 compliance, OpenSSF Best Practices badge, and an ongoing joint assessment with TAG Security
- Healthy community metrics β 11,588 total contributors, 3,599 contributing organizations, 9,452 GitHub stars, and an estimated software value of $94.2M
The TOC vote passed with 9 out of 11 binding votes in favor β a strong signal of confidence from the technical oversight body.
Why Kyverno Matters for Platform Engineering
If you are building an internal developer platform, policy enforcement is not optional β it is foundational. Kyverno solves a critical problem: how do you ensure that every workload deployed to your cluster meets organizational standards without creating bottlenecks?
The answer is policy as code. Define your rules declaratively, version them in Git, and let Kyverno enforce them automatically at admission time. Platform teams define the guardrails; application teams deploy freely within them.
This is the same principle behind AI governance guardrails β you want automated enforcement, not manual review gates that slow everyone down.
Key Use Cases
Security compliance: Enforce zero-trust security policies across all namespaces β no privileged containers, mandatory network policies, required security contexts.
Multi-tenancy: In multi-tenant GPU clusters or shared platforms, Kyverno ensures tenant isolation through resource quotas, label requirements, and namespace-scoped policies.
Supply chain security: Verify that container images are signed and come from trusted registries before they reach your cluster. Combined with tools like Sigstore, this creates an end-to-end supply chain verification pipeline.
Operational standards: Automatically inject observability sidecars, enforce labeling conventions, and generate default resources for new namespaces β reducing toil and ensuring consistency.
Sub-Projects Worth Knowing
Kyverno is more than just the policy engine. The ecosystem includes:
- Kyverno Chainsaw β an end-to-end testing tool for Kubernetes operators and controllers
- Policy Reporter β a dashboard and notification system for policy results
- Kyverno JSON β policy evaluation for any JSON or YAML payload, not just Kubernetes resources
- Kyverno Backstage Plugin β integration with Backstage developer portals
What Graduation Means
CNCF Graduation is not just a badge. It signals:
- Production readiness β organizations can adopt with confidence
- Long-term sustainability β the project has proven governance, diverse maintainership, and community health
- Security maturity β third-party audits, vulnerability disclosure processes, and security response teams are in place
- Ecosystem integration β the project works well with other CNCF projects and the broader cloud-native stack
For CTOs and platform engineers evaluating policy engines, Graduated status means reduced risk. The project has been vetted by the CNCFβs rigorous due diligence process, and the community behind it is healthy enough to sustain long-term development.
Getting Started
If you are running Kubernetes and do not have a policy engine in place, start with Kyvernoβs sample policies β they cover the most common use cases out of the box.
For teams building Kubernetes platforms at scale, Kyverno fits naturally into a GitOps workflow where policies are versioned, reviewed, and deployed alongside application configurations.
Congratulations to the entire Kyverno community β maintainers, contributors, and adopters β for reaching this milestone. It was an honor to vote for this projectβs graduation.
For more on Kubernetes platform strategy and cloud-native security, connect with me on LinkedIn or follow @TheLucaBerton.
