Kyverno
Kyverno is a CNCF Kubernetes-native policy engine: an admission controller that validates, mutates, and generates resources according to declarative policies written as ordinary Kubernetes YAML resources (no separate policy language, unlike the older OPA/Gatekeeper, whose policies are written in Rego). Common uses: security assertions (no privileged containers, required labels), mutation (injecting sidecars, adding defaults), and resource generation (auto-creating network policies).
Stub page — expand on future Kyverno-internals sources.
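As an added example (not from this page or the cited source), a Kyverno ClusterPolicy expressing the two security assertions mentioned above: a ban on privileged containers and a required label. The policy name and the `team` label are assumptions; switching `validationFailureAction` to `Audit` reports violations without blocking admission, which is the safer starting point in a cluster whose admission capacity has not yet been load-tested.

```yaml
apiVersion: kyverno.io/v1
kind: ClusterPolicy
metadata:
  name: baseline-pod-security   # assumed name, not from the page
spec:
  # Enforce rejects non-compliant admission requests; Audit only reports them.
  validationFailureAction: Enforce
  # Also scan resources that already exist, not only new admission requests.
  background: true
  rules:
    # Rule 1: no container may run with securityContext.privileged: true.
    - name: disallow-privileged-containers
      match:
        any:
          - resources:
              kinds:
                - Pod
      validate:
        message: "Privileged containers are not allowed (securityContext.privileged must be false or unset)."
        pattern:
          spec:
            # =(key) marks the key optional: the pattern applies only when it is present.
            =(initContainers):
              - =(securityContext):
                  =(privileged): "false"
            =(ephemeralContainers):
              - =(securityContext):
                  =(privileged): "false"
            containers:
              - =(securityContext):
                  =(privileged): "false"
    # Rule 2: every Pod must carry a non-empty `team` label (label name assumed).
    - name: require-team-label
      match:
        any:
          - resources:
              kinds:
                - Pod
      validate:
        message: "The label `team` is required on every Pod."
        pattern:
          metadata:
            labels:
              # ?* matches any non-empty string.
              team: "?*"
```

Once applied with `kubectl apply -f`, every Pod CREATE request is evaluated against both rules in the admission path, which is exactly the per-pod work the sizing section below is about.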
Sizing implications at scale
Kyverno sits in the pod-admission path: every new pod's creation request is evaluated against every active policy that matches it before the pod can be scheduled. If Kyverno is undersized relative to the cluster's pod-churn rate, new-pod startup slows, because pods wait their turn through admission. This is a common but often-missed platform-tuning axis.
Seen in
- sources/2024-08-08-figma-migrated-onto-k8s-in-less-than-12-months — Figma's Hello-World-at-scale load test surfaced undersized Kyverno as a pod-startup bottleneck. Cited as the canonical example of a core compute service that has to be tuned for the cluster's pod count before real workloads arrive. Motivating case for patterns/load-test-at-scale.