Available on winget

Install kyverno

Kyverno is a policy engine designed for Kubernetes.

Install with winget

winget install --id kyverno.kyverno

Upgrade

winget upgrade --id kyverno.kyverno

Uninstall

winget uninstall --id kyverno.kyverno

About kyverno

Kyverno is a policy engine designed for Kubernetes. It can validate, mutate, and generate configurations using admission controls and background scans. Kyverno policies are Kubernetes resources and do not require learning a new language. Kyverno is designed to work nicely with tools you already use like kubectl, kustomize, and Git.

What's new in 1.17.1

What's Changed - chore: remove Nirmata refs (Cherry-pick #15114) by @kyverno-bot in #15115 - cli: simplify namespaced policy loading in CLI (Cherry-pick #15118) by @kyverno-bot in #15122 - fix: panic in metrics wrapper when generating response does not provide a result (Cherry-pick #15105) by @kyverno-bot in #15117 - fix: init dclient before using it (Cherry-pick #15172) by @kyverno-bot in #15173 - populate registry consistently (Cherry-pick #14632) by @kyverno-bot in #15184 - fix: eliminate memcache error spam from fake client discovery polling (Cherry-pick #15187) by @kyverno-bot in #15193 - fix: restmapper for fakeclient (cherry-pick #15177) by @realshuting in #15194 - cherry pick #0ffed6f by @fjogeleit in #15206 - fix: CVE-2025-68121 (Cherry-pick #15203) by @kyverno-bot in #15212 - fix: enable signed timestamp verification when TSA cert chain is provided (Cherry-pick #15192) by @kyverno-bot in #15217 - fix: add default message for ValidatingPolicy when message field is empty (Cherry-pick #13630) by @kyverno-bot in #15267 - fix: return errors from syncPolicy to enable workqueue retry (Cherry-pick #15082) by @kyverno-bot in #15268 - fix: skip side effects on dry-run in gpol/mpol (Cherry-pick #15143) by @kyverno-bot in #15270 - fix(ivpol): Unauthorized error when using a private repository (Cherry-pick #15136) by @kyverno-bot in #15271 - fix(charts): add missing endpointslices list permission to cleanup controller role (Cherry-pick #15140) by @kyverno-bot in #15272 - fix(admissionpolicygenerator): enqueue exceptions (Cherry-pick #15038) by @kyverno-bot in #15274 - changed...

Read release notes

Version history

Version	Updated	Notes
1.17.1	Unknown	What's Changed - chore: remove Nirmata refs (Cherry-pick #15114) by @kyverno-bot in #15115 - cli: simplify namespaced policy loading in CLI (Cherry-pick #15118) by @kyverno-bot in #15122 - fix: panic in metrics wrapper w...
1.13.4	Unknown	What's Changed - Fixed CVEs by bumping go dependencies (#12119) - Reverted "replace ghcr.io to reg.kyverno.io" (#12125)
1.12.4	Unknown	❗Important Notice ❗ If you are running 1.12, please upgrade to this version to pick up the fix for the ephemeralreports piling-up issue. Check this post and understand how to recover from an ETCD outage:Amazon EKS- manag...
1.11.3	Unknown	🐛 Fixed 🐛 - Fixed non-trigger resources to be skipped for background policies regardless of skipBackgroundRequests settings (#9333) - Fixed the CLI to use "store" for fetching regclient (#9345)
1.11.1	Unknown	What's Changed - Reduced verbosity of admission request filter INFO log message (cherry-pick #8712) by @gcp-cherry-pick-bot in #8882 - Close reponse right after succesful request (cherry-pick #8894) by @gcp-cherry-pick-b...
1.10.6	Unknown	No notes