Kubernetes has become the de facto standard for deploying and managing containerized applications. But with its power comes complexity—especially when it comes to enforcing security, compliance, and governance. That’s where Kyverno steps in.
Kyverno, a CNCF incubating project created by Nirmata, is a Kubernetes-native policy engine. Unlike traditional policy tools that require new languages or external services, Kyverno enables you to write, validate, mutate, generate, and clean up Kubernetes resources using policies defined as Kubernetes resources themselves. This means you can manage security and governance with the same declarative, GitOps-friendly workflows you already use for applications.
Now, with the release of Kyverno 1.15, the project takes a giant leap forward—introducing new policy types, boosting performance, and extending integration with Kubernetes-native APIs. Let’s break it down.
What’s New in Kyverno 1.15
1. MutatingPolicy: Flexible Resource Transformation
Kyverno now introduces MutatingPolicy, which integrates natively with Kubernetes by leveraging MutatingAdmissionPolicy. This allows administrators to define flexible transformation rules with Common Expression Language (CEL) functions.
- Full parity with traditional mutation rules
- Support for advanced CEL libraries and looping (map(), filter())
- CLI support for offline mutation in CI/CD pipelines
- Automatic conversion into Kubernetes MutatingAdmissionPolicy for better performance
Why it matters: Instead of relying only on Kyverno’s admission controller, you can now shift mutation logic directly into Kubernetes itself—reducing latency and increasing resilience.
2. GeneratingPolicy: Smarter Resource Creation
Resource generation has always been a core strength of Kyverno. With GeneratingPolicy, the experience is even more powerful.
- CEL-first approach for defining logic
- Ability to dynamically generate resources across namespaces
- Access to Kyverno’s extended CEL libraries for complex use cases
For example, you can automatically clone secrets (like image pull credentials) into any new namespace created—ensuring smoother onboarding and consistent security.
3. DeletingPolicy: Lifecycle Cleanup Made Easy
Cluster sprawl is real. Without proper cleanup, unused resources can pile up and cause both cost and security risks. Enter DeletingPolicy, a new CEL-powered CRD that allows administrators to declare when and how resources should be removed.
Key highlights:
- Periodic evaluation with cron-like schedules
- Fine-grained deletion conditions using CEL
- Complements MutatingPolicy and ValidatingPolicy to cover the full resource lifecycle
Example: Automatically delete test pods older than 72 hours in namespaces labeled environment: test.
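Before enabling a scheduled deletion rule like the one above, it helps to preview what it would select. The following is an added example, not code from Kyverno or the original post: a Python dry-run that approximates the stated rule (pods older than 72 hours in namespaces labeled environment: test) over constructed sample data. The function names, the data shapes and the strict "older than" comparison are assumptions; it does not evaluate CEL or call Kyverno.

```python
from datetime import datetime, timedelta, timezone

MAX_AGE = timedelta(hours=72)            # threshold from the article's example
NS_SELECTOR = {"environment": "test"}    # namespace label from the article's example


def parse_ts(value):
    """Parse a Kubernetes creationTimestamp such as 2025-01-01T00:00:00Z."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def deletion_candidates(namespaces, pods, now):
    """Return sorted (namespace, pod) pairs the rule would select at time `now`."""
    # namespaces: {name: labels}; pods: items shaped like `kubectl get pods -o json`.
    selected_ns = {
        name for name, labels in namespaces.items()
        if all((labels or {}).get(k) == v for k, v in NS_SELECTOR.items())
    }
    hits = []
    for pod in pods:
        meta = pod["metadata"]
        if meta["namespace"] not in selected_ns:
            continue  # unlabeled or unknown namespaces are never touched
        age = now - parse_ts(meta["creationTimestamp"])
        if age > MAX_AGE:  # assumption: exactly 72h old is not yet "older than"
            hits.append((meta["namespace"], meta["name"]))
    return sorted(hits)


# Constructed sample data (not from a real cluster).
NOW = datetime(2025, 8, 10, 12, 0, tzinfo=timezone.utc)
NAMESPACES = {"qa": {"environment": "test"}, "payments": {"environment": "prod"}, "scratch": {}}
PODS = [
    {"metadata": {"namespace": "qa", "name": "old-job", "creationTimestamp": "2025-08-06T09:00:00Z"}},
    {"metadata": {"namespace": "qa", "name": "fresh", "creationTimestamp": "2025-08-10T08:00:00Z"}},
    {"metadata": {"namespace": "qa", "name": "edge", "creationTimestamp": "2025-08-07T12:00:00Z"}},
    {"metadata": {"namespace": "payments", "name": "old-api", "creationTimestamp": "2025-07-01T00:00:00Z"}},
    {"metadata": {"namespace": "scratch", "name": "old-tmp", "creationTimestamp": "2025-07-01T00:00:00Z"}},
]

if __name__ == "__main__":
    for ns, name in deletion_candidates(NAMESPACES, PODS, NOW):
        print(f"would delete pod {ns}/{name}")
```

Only qa/old-job is selected in the sample: the prod and unlabeled namespaces are skipped regardless of pod age, and the pod that is exactly 72 hours old is left alone until the next evaluation.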
4. Performance Gains with ValidatingPolicy
Kyverno’s ValidatingPolicy, which integrates natively with Kubernetes as ValidatingAdmissionPolicy, brings major performance improvements over traditional ClusterPolicy:
- 44% faster latency under heavy load
- 59% less memory usage in multi-replica setups
- Up to 80% CPU reduction in some scenarios
For production workloads, this means faster admission checks, reduced infrastructure costs, and greater cluster stability.
5. New OpenReports API Group
Kyverno now supports the openreports.io API group for PolicyReport resources, aligning with the broader Kubernetes ecosystem.
- Standardized reporting format
- Updated tooling (Reports Server, Policy Reporter)
- Migration path from the legacy wgpolicyk8s.io
This ensures long-term interoperability and stronger ecosystem alignment.
Why This Release Matters
Kyverno 1.15 isn’t just about new features—it’s about creating a modular, Kubernetes-native policy ecosystem that matches the pace of modern cloud-native environments.
- For platform teams, it simplifies resource management across mutation, generation, validation, and deletion.
- For security teams, it offers fine-grained control with performance improvements.
- For developers, it means smoother integration into CI/CD pipelines with CLI enhancements.
Getting Started
You can upgrade to the new version via Helm:
helm repo update
helm upgrade kyverno kyverno/kyverno -n kyverno --version v1.15.0
Kyverno 1.15 is fully backward compatible, so your existing ClusterPolicy resources will continue working while you gradually adopt the new policy types.
The Road Ahead
The Kyverno team has laid out a strong roadmap, including:
- Event logging and metrics expansion
- Namespaced versions of all CEL-based policy types
- Fine-grained policy exceptions
- Publishing the Kyverno engine API and SDK for ecosystem integrations
Conclusion
With MutatingPolicy, GeneratingPolicy, and DeletingPolicy, Kyverno now covers the entire Kubernetes resource lifecycle. Add to that performance boosts, standardized reporting, and a growing community, and it’s clear why Kyverno is becoming the go-to solution for Kubernetes policy management.
Whether you’re running a small cluster or managing massive production environments, Kyverno 1.15 brings the flexibility, efficiency, and security you need to scale with confidence.
👉 Explore the full release notes on Kyverno GitHub or visit kyverno.io to learn more.