
Kyverno Graduates to CNCF: Policy-Driven AI

Kyverno reaches CNCF Graduation — trusted by Deutsche Telekom, LinkedIn, and Spotify for policy-driven governance of cloud native and AI infrastructure.

Luca Berton
· 3 min read

At the CNCF Press Conference during KubeCon Europe 2026, Jim Bugwadia — Kyverno co-creator and CEO of Nirmata — announced that Kyverno has reached CNCF Graduation. This is the highest maturity level in the CNCF project lifecycle, joining the ranks of Kubernetes, Prometheus, and Envoy.

For platform engineering teams managing AI workloads, this graduation signals that policy-driven governance is no longer optional — it is table stakes.

What Kyverno Does

Kyverno is a Kubernetes-native policy engine that validates, mutates, and generates Kubernetes resources based on declarative policies. Unlike Open Policy Agent (OPA) policies, Kyverno policies are written in YAML — the same language as Kubernetes manifests — so platform engineers can write them without learning a separate policy language.

apiVersion: kyverno.io/v1
kind: ClusterPolicy
metadata:
  name: require-gpu-limits
spec:
  # Without this the default is Audit: violations are reported, not blocked.
  validationFailureAction: Enforce
  rules:
    - name: check-gpu-limits
      match:
        any:
          - resources:
              kinds:
                - Pod
      validate:
        message: "GPU workloads must specify resource limits"
        # "?*" matches any non-empty value, so each container must declare a
        # GPU limit. As written the rule applies to every Pod in the cluster;
        # narrow the match (namespaces, selectors) to GPU workloads as needed.
        pattern:
          spec:
            containers:
              - resources:
                  limits:
                    nvidia.com/gpu: "?*"

Why Graduation Matters

CNCF Graduation requires:

  • Proven production adoption at scale
  • Security audit completion
  • Diverse contributor base (not dependent on a single company)
  • Governance maturity with clear decision-making processes

Kyverno’s production adoption speaks for itself. The press conference highlighted three enterprise references:

  • Deutsche Telekom — Using Kyverno for multi-cluster governance across their cloud native platform
  • LinkedIn — Enforcing security and compliance policies across their Kubernetes fleet
  • Spotify — Platform engineering guardrails for developer self-service

The AI Governance Angle

Bugwadia emphasized Kyverno’s role as an essential guardrail for AI governance at scale. This is where the project’s trajectory gets interesting for AI platform teams.

AI workloads on Kubernetes introduce governance challenges that traditional workloads do not:

GPU Resource Governance

  • Enforce GPU resource limits and requests on all AI pods
  • Prevent GPU hoarding by setting maximum allocations per namespace
  • Validate that GPU workloads use approved node selectors and tolerations

Model Provenance

  • Require container images for inference serving to come from approved registries
  • Enforce image signing and SBOM attestation for model containers
  • Validate that model artifacts include provenance metadata

Cost Controls

  • Enforce cost labels on all GPU workloads for FinOps attribution
  • Block deployments that exceed namespace GPU quotas
  • Require autoscaling configurations on inference deployments

Security Boundaries

  • Enforce network policies between AI workloads and data stores
  • Validate that model endpoints are not exposed without authentication
  • Require encryption for model weight volumes

Platform Engineering and Kyverno

The CNCF’s Q1 2026 Technology Radar report (focused on Platform Engineering) confirms that 28% of organizations now have a dedicated platform engineering team. For these teams, Kyverno provides the policy layer that makes developer self-service safe.

Without policy governance:

  • Developers request GPUs without limits → cluster resource exhaustion
  • Teams deploy models from untrusted registries → security risk
  • Inference endpoints go live without autoscaling → cost blowout

With Kyverno:

  • Policies enforce guardrails automatically at admission time
  • Developers get immediate feedback on policy violations
  • Platform teams define the rules once, enforce everywhere

Getting Started with Kyverno for AI

If you are managing AI workloads on Kubernetes and not using policy governance, start with these three policies:

  1. Require GPU limits — Every pod requesting GPUs must specify limits
  2. Enforce approved registries — Model containers must come from your internal registry
  3. Require cost labels — All GPU workloads must have team, project, and environment labels

# Add the Kyverno chart repository, then install Kyverno
helm repo add kyverno https://kyverno.github.io/kyverno/
helm repo update
helm install kyverno kyverno/kyverno -n kyverno --create-namespace

# Apply your policies
kubectl apply -f policies/
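The second and third starter policies written out as one ClusterPolicy, added here as an example rather than taken from the original post or the Kyverno project: the policy name and the registry `registry.example.internal` are assumptions, and the JMESPath precondition is one way to scope the label rule to pods whose containers declare a GPU limit.

```yaml
apiVersion: kyverno.io/v1
kind: ClusterPolicy
metadata:
  name: ai-workload-guardrails      # assumed name
spec:
  validationFailureAction: Enforce  # block violations at admission
  rules:
    # Starter policy 2: model containers come from the internal registry.
    # registry.example.internal is a placeholder for your own registry.
    - name: enforce-approved-registry
      match:
        any:
          - resources:
              kinds:
                - Pod
      validate:
        message: "Images must be pulled from registry.example.internal"
        pattern:
          spec:
            # =() anchors: if the list is present, every entry must match,
            # so init and ephemeral containers cannot bypass the check.
            =(initContainers):
              - image: "registry.example.internal/*"
            =(ephemeralContainers):
              - image: "registry.example.internal/*"
            containers:
              - image: "registry.example.internal/*"
    # Starter policy 3: GPU workloads carry FinOps attribution labels.
    - name: require-cost-labels-on-gpu-pods
      match:
        any:
          - resources:
              kinds:
                - Pod
      # Only pods with at least one container declaring a GPU limit are
      # checked; everything else is left alone.
      preconditions:
        all:
          - key: '{{ length(request.object.spec.containers[].resources.limits."nvidia.com/gpu") }}'
            operator: GreaterThan
            value: 0
      validate:
        message: "GPU workloads must carry team, project and environment labels"
        pattern:
          metadata:
            labels:
              team: "?*"
              project: "?*"
              environment: "?*"
```

Because the rules match on Pod, Kyverno's auto-generated rules also cover the Deployments, Jobs and other controllers that create those pods, so the violation is reported against the object the developer actually applied.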

Kyverno’s graduation means it is production-ready, well-maintained, and here to stay. If you are building an AI platform on Kubernetes, policy governance is not a nice-to-have — it is a requirement.
