Nirmata Commercializes the Kyverno Policy Engine
Nirmata, which created the open source Kyverno policy engine for Kubernetes clusters and last year donated it to the Cloud Native Computing Foundation (CNCF), is starting to establish itself as the company best positioned to oversee the commercialization of it.
Nirmata recently began making parts of its larger namesake Kubernetes management platform for DevSecOps available as standalone products that enterprises can use with any cloud platform and any Kubernetes distribution. In addition, at the KubeCon + CloudNativeCon North America this week, Nirmata is announcing a certification program around Kyverno to get more IT and DevOps teams familiar with the policy engine and comfortable with how to use it in their organizations.
“Even though [Kyverno is] very straightforward, it’s very easy, there is a slight learning curve to learning the concepts,” Ritesh Patel, co-founder and vice president of product at Nirmata, told The New Stack. “It’s Kubernetes-native, so people who are familiar with Kubernetes will pick it up. But then policies get complex and there’s all kinds of conditions and hoops and all of that.”
An Initial Focus on Containers
Nirmata has been part of the container ecosystem since its founding in 2013, with an initial focus of everything Docker — from Docker containers to Docker engines — in the burgeoning DevOps space. Four years later, the founders began to evolve Nirmata as Kubernetes hit the scene.
“We realized that Kubernetes was becoming the de facto orchestrator for containers and as we worked with our customers to adopt Kubernetes, we realized some of the challenges around all of the complexity that Kubernetes introduces,” Patel said.
Adopting Kubernetes required a shift in mindset for many companies that had become accustomed to virtual machines. Nirmata built its platform, which included a policy management component that in 2019 — after admission controllers were introduced in Kubernetes — was rewritten and open sourced into a project called Kyverno.
“One of the main selling points of Kyverno was that it was Kubernetes-native, so it understood Kubernetes-native constructs of policies,” Patel said. “It did it in the same format as your other applications in Kubernetes. It was using Kubernetes custom resource definitions for policies and Kyverno was acting as the admission controller.”
Kyverno and CNCF
A year later Nirmata donated Kyverno to the Cloud Native Computing Foundation and demand for it took off, he said. In the last nine months there have been about 7 million downloads of the policy engine, with companies from Amazon Web Services (AWS) to Red Hat using it and sharing their experiences. Now Nirmata, which continues to be among the main contributors to Kyverno, is looking to extend the technology’s reach.
Now the company is offering parts of the platform as standalone products that can be used separately from the entire DevSecOps platform. Earlier this month it unveiled Nirmata Cloud Native Policy Management, a cloud-based product based on Kyverno that enables IT teams to create what company officials call “intelligent guardrails” for managing compliance and security.
The product not only manages policies across multiple clusters but also delivers insights on the policies, including whether applications might be running in violation of those policies, Patel said. DevOps teams can see if software is not in compliance, collaborate over Slack and other tools and then fix the situation.
Security and Compliance
The collaboration part is important and something “a lot of security tools miss that part because it’s not just about getting that visibility and reporting violations, but also feeding that back into the development cycle early on and more often is what we are enabling with the policy manager,” he said.
With the policy management product, IT teams can manage policy lifecycles for applications created using cloud native microservices by developers who not always are steeped in issues of security and compliance. Kubernetes clusters are complex and misconfiguration can happen that don’t comply with policies, creating a security risk.
Kyverno Enterprise Hits the Scene
At the same time, Nirmata introduced Kyverno Enterprise, a lightweight commercial version of Kyverno that is tested and supported by Nirmata, with the company offering a curated set of policies, training and workshops. The goal is to give organizations that don’t want to get into managing Kyverno and keeping up with the ongoing changes to the community-driven technology an easier way to leverage the open source tool.
“There are certain classes of customers that want a very lightweight, supported version of Kyverno,” Patel said. “Because Kyverno is community-driven, there’s no guarantee that certain policies will work with certain versions of Kubernetes. We are … providing a curated, tested, validated offering where we have tested Kyverno with a set of policies, and we test them with a set of Kubernetes versions and let you know that what works and what doesn’t work.”
There is no other product around Kyverno Enterprise, though Nirmata may add more features to it in the future, he said.
Like the policy management platform, Kyverno Enterprise includes features and capabilities that are baked into the larger Nirmata platform. They are cloud- and distribution-agnostic, so they can work with other Kubernetes platforms like Red Hat’s OpenShift and Rancher.
The Kyverno Certification Program is designed to give IT and DevOps teams access to continuing education and development training through a self-paced, online curriculum on deploying and using Kyverno to develop policies in Kubernetes clusters.
Nirmata will continue to add features to its Kyverno-based offerings. Kyverno was created as an alternative to the Open Policy Agent (OPA), which Patel said wasn’t purpose-built for Kubernetes and doesn’t natively understand Kubernetes resources. Developers need to write code to create a policy, which they don’t have to do with Kyverno, which is driving its popularity as a compliance-as-code product, he said.
He noted that Duke Energy and the New York Times are among the large enterprises that are leveraging Nirmata’s offerings. The company has raised $4 million in two funding rounds, including $3.6 million in August from investors like Z5 Capital, Samsung Next and Benhamou Global Ventures.
Supply Chain Security in the Works
Security and compliance will continue to be a focus of Nirmata. There is interest in the Kyverno community around supply chain security, particularly in the wake of the SolarWinds attack and, more recently, mandates from the federal government earlier this year.
“Because Kyverno sits in that admission control path, it has a very unique point in getting the visibility into how these images are deployed and the attack vectors for supply chain in Kubernetes are two-fold,” Patel said, in particular, the configuration applied to Kubernetes for the applications and the images built in CI/CD pipelines. “We have the ability to make sure that only signed images at the stations are allowed in the cluster. That’s a use case that’s still evolving. It’s obviously not product yet, but we intend to do that. It’s something that the Kyverno community has worked on.”
Fleshing out what its products can offer also is being looked at, he said. A key feature of Kyverno is that, unlike OPA, developers don’t have to learn a new language for coding. However, “we’ve seen the users who have used the Open Policy Agent in the past.” Patel said. “It’s great for certain complex use cases which require you to write code, which Kyverno right now doesn’t do. We might introduce some coding to address some more advanced use cases, but 80 [to] 90% of the use cases can be addressed without writing a single line of code.”
Kyverno is now a sandbox-level project while OPA also is a CNCF project that has reached a graduated level.