Kyverno 1.17 is a landmark release that marks the stabilization of our next-generation Common Expression Language (CEL) policy engine.
While 1.16 introduced the “CEL-first” vision in beta, 1.17 promotes these capabilities to v1, offering a high-performance, future-proof path for policy as code.
This release focuses on “completing the circle” for CEL policies by introducing namespaced mutation and generation, expanding the available function libraries for complex logic, and enhancing supply chain security with upcoming Cosign v3 support.
A new look for kyverno.io
The first thing you’ll notice with 1.17 is our completely redesigned website. We’ve moved beyond a simple documentation site to create a modern, high-performance portal for platform engineers. Let’s be honest: the Kyverno website redesign was long overdue. As the project evolved into the industry standard for unified policy as code, our documentation needed to reflect that maturity. We’re proud to finally unveil the new experience at

- Modern redesign
  Built on the Starlight framework, the new site is faster, fully responsive, and features a clean, professional aesthetic that makes long-form reading much easier on the eyes.
- Enhanced documentation structure
  We’ve reorganized our docs from the ground up. Information is now tiered by “User Journey”, from a simplified Quick Start for beginners to deep-dive Reference material for advanced policy authors.
- Fully redesigned policy catalog
  Our library of 300+ sample policies has a new interface. It features improved filtering and a dedicated search that lets you find policies by Category (Best Practices, Security, etc.) or Type (CEL vs. JMESPath) instantly.
- Enhanced search capabilities
  We’ve integrated a more intelligent search engine that indexes both documentation and policy code, ensuring you get the right answer on the first try.
- Brand new blog
  The Kyverno blog has been refreshed to better showcase technical deep dives, community case studies, and release announcements like this one!
Namespaced mutating and generating policies
In 1.16, we introduced namespaced variants for validation, cleanup, and image verification.
Kyverno 1.17 completes this by adding:
- NamespacedMutatingPolicy
- NamespacedGeneratingPolicy
This enables true multi-tenancy. Namespace owners can now define their own mutation and generation logic (e.g., automatically injecting sidecars or creating default ConfigMaps) without requiring cluster-wide permissions or affecting other tenants.
CEL policy types reach v1 (GA)
The headline for 1.17 is the promotion of CEL-based policy types to v1. This signifies that the API is now stable and production-ready.
The promotion includes:
- ValidatingPolicy and NamespacedValidatingPolicy
- MutatingPolicy and NamespacedMutatingPolicy
- GeneratingPolicy and NamespacedGeneratingPolicy
- ImageValidatingPolicy and NamespacedImageValidatingPolicy
- DeletingPolicy and NamespacedDeletingPolicy
- PolicyException
With this graduation, platform teams can confidently migrate from JMESPath-based policies to CEL to take advantage of significantly improved evaluation performance and better alignment with upstream Kubernetes ValidatingAdmissionPolicies / MutatingAdmissionPolicies.
New CEL capabilities and functions
To ensure CEL policies are as powerful as the original Kyverno engine, 1.17 introduces several new function libraries:
- Hash Functions
  Built-in support for md5(value), sha1(value), and sha256(value) hashing.
- Math Functions
  Use math.round(value, precision) to round numbers to a specific decimal or integer precision.
- X509 Decoding
  Policies can now inspect and validate the contents of x509 certificates directly within a CEL expression using x509.decode(pem).
- Random String Generation
  Generate random strings with random() (default pattern) or random(pattern) for custom regex-based patterns.
- Transform Utilities
  Use listObjToMap(list1, list2, keyField, valueField) to merge two object lists into a map.
- JSON Parsing
  Parse JSON strings into structured data with json.unmarshal(jsonString).
- YAML Parsing
  Parse YAML strings into structured data with yaml.parse(yamlString).
- Time-based Logic
  New time.now(), time.truncate(timestamp, duration), and time.toCron(timestamp) functions allow for time-since or “maintenance window” style policies.
The deprecation of legacy APIs
As Kyverno matures and aligns more closely with upstream Kubernetes standards, we’re making the strategic shift to a CEL-first architecture. This means the legacy Policy and ClusterPolicy types (which served the community for years using JMESPath) are now entering their sunset phase.
The deprecation schedule
Kyverno 1.17 officially marks ClusterPolicy and CleanupPolicy as Deprecated. While they remain functional in this release, the clock has started on their removal to make way for the more performant, standardized CEL-based engines.
| Release | Date (estimated) | Status |
| --- | --- | --- |
| v1.17 | Jan 2026 | Marked for deprecation |
| v1.18 | Apr 2026 | Critical fixes only |
| v1.19 | Jul 2026 | Critical fixes only |
| v1.20 | Oct 2026 | Planned for removal |
Why the change?
By standardizing on the Common Expression Language (CEL), Kyverno significantly improves its performance and aligns with the native validation logic used by the Kubernetes API server itself.
For platform teams, this means one less language to learn and a more predictable and scalable policy-as-code experience.
Note for authors
From this point forward, we strongly recommend that every new policy you write be based on the new CEL APIs. Choosing the legacy APIs for new work today simply adds to your migration workload later this year.
Migration tips
We understand that many of you have hundreds of existing policies. To ensure a smooth transition, we have provided comprehensive resources:
- The Migration Guide
  Our new Migration to CEL Guide provides a side-by-side mapping of legacy ClusterPolicy fields to their new equivalents (e.g., mapping validate.pattern to ValidatingPolicy expressions).
- New Policy Types
  You can now begin moving your rules into specialized types like ValidatingPolicy, MutatingPolicy, and GeneratingPolicy. You can see the full breakdown of these new v1 APIs in the Policy Types Overview.
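To make the validate.pattern mapping concrete, here is an added example (not taken from the Kyverno Migration Guide or the project's own samples) showing one rule in its legacy form and as a CEL ValidatingPolicy. The policy name and label key are constructed, and the apiVersion policies.kyverno.io/v1 and field layout are assumptions based on the v1 promotion described above; check them against the CRDs installed in your cluster.

```yaml
# Added example; names and label are constructed for illustration.
# Legacy form (ClusterPolicy is deprecated as of 1.17): pattern matching.
apiVersion: kyverno.io/v1
kind: ClusterPolicy
metadata:
  name: require-app-label
spec:
  rules:
    - name: check-app-label
      match:
        any:
          - resources:
              kinds: ["Pod"]
      validate:
        failureAction: Enforce
        message: "The label app.kubernetes.io/name is required."
        pattern:
          metadata:
            labels:
              app.kubernetes.io/name: "?*"   # any non-empty value
---
# CEL form. The apiVersion assumes the v1 promotion described above.
apiVersion: policies.kyverno.io/v1
kind: ValidatingPolicy
metadata:
  name: require-app-label
spec:
  validationActions: ["Deny"]                # counterpart of Enforce
  matchConstraints:
    resourceRules:
      - apiGroups: [""]
        apiVersions: ["v1"]
        operations: ["CREATE", "UPDATE"]     # operations are listed explicitly
        resources: ["pods"]
  validations:
    - message: "The label app.kubernetes.io/name is required."
      # labels is optional on a Pod: guard with has() so a missing map
      # produces a denial rather than a CEL evaluation error.
      expression: >-
        has(object.metadata.labels) &&
        'app.kubernetes.io/name' in object.metadata.labels &&
        object.metadata.labels['app.kubernetes.io/name'] != ''
```

When migrating an enforcing rule, test the CEL version against resources that omit the field entirely, since the pattern syntax handled absence implicitly and the expression does not.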
Enhanced supply chain security
Supply chain security remains a core pillar of Kyverno.
- Cosign v3 Support
  1.17 adds support for the latest Cosign features, ensuring your image verification remains compatible with the evolving Sigstore ecosystem.
- Expanded Attestation Parsing
  New capabilities to deserialize YAML and JSON strings within CEL policies make it easier to verify complex metadata and SBOMs.
Observability and reporting upgrades
We have refined how Kyverno communicates policy results:
- Granular Reporting Control
  A new --allowedResults flag lets you filter which results (e.g., only “Fail”) are stored in reports, significantly reducing etcd pressure in large clusters.
- Enhanced Metrics
  More detailed latency and execution metrics for CEL policies are now included by default to help you monitor the “hidden” cost of policy enforcement.
For developers and integrators
To support the broader ecosystem and make it easier to build integrations, we have decoupled our core components:
- New API Repository
  Our CEL-based APIs now live in a dedicated repository: kyverno/api. This makes it significantly lighter to import Kyverno types into your own Go projects.
- Kyverno SDK
  For developers building custom controllers or tools that interact with Kyverno, the SDK project is now housed at kyverno/sdk.
Getting started and backward compatibility
Upgrading from 1.16 is straightforward. However, since the CEL policy types have moved to v1, we recommend updating your manifests to the new API version. Kyverno will continue to support v1beta1 for a transition period.
helm repo update
helm upgrade --install kyverno kyverno/kyverno -n kyverno --version 3.7.0
Looking ahead: The Kyverno roadmap
As we move past the 1.17 milestone, our focus shifts toward long-term sustainability and the “Kyverno Platform” experience. Our goal is to ensure that Kyverno remains the most user-friendly and performant governance tool in the cloud-native ecosystem.
- Growing the community
  We’re doubling down on our commitment to the community. Expect more frequent office hours, improved contributor onboarding, and a renewed focus on making the Kyverno community the most welcoming space in CNCF.
- A unified tooling experience
  Over the years, we’ve built several powerful sub-projects (like the CLI, Policy Reporter, and Kyverno-Authz). A major goal on our roadmap is to unify these tools into a cohesive experience, reducing fragmentation and making it easier to manage the entire policy lifecycle from a single vantage point.
- Performance and scalability guardrails
  As clusters grow, performance becomes paramount. We’re shifting our focus toward rigorous automated performance testing and will be providing more granular metrics regarding throughput and latency. We want to give platform engineers the data they need to understand exactly what Kyverno can handle in high-scale production environments.
- Continuous UX improvement
  The website redesign was just the first step. We’ll continue to iterate on our user interfaces, documentation, and error messaging to ensure that Kyverno remains “Simplified” by design, not just in name.
Conclusion
Kyverno 1.17 is the most robust version yet, blending the flexibility of our original engine with the performance and standardization of CEL.
But this release is about more than just code; it’s about the entire user experience. Whether you’re browsing the new policy catalog or scaling thousands of CEL-based rules, we hope this release makes your Kubernetes journey smoother.
A huge thank you to our contributors for making this release (and the new website!) a reality.



