k8wiz

Ready to test your Kyverno knowledge? Try our Kyverno quiz!

Kyverno 1.16: Revolutionizing Kubernetes Policy as Code

Kyverno, the popular Kubernetes-native policy engine, has released version 1.16, marking a significant leap in policy management capabilities. This update focuses on advancing policy-as-code practices, introducing beta support for Common Expression Language (CEL)-based policies, enhanced observability, and new tools for unified enforcement across Kubernetes and beyond. Released in November 2025, Kyverno 1.16 builds on its foundation to support multi-tenancy, fine-grained controls, and ecosystem integrations, while maintaining backward compatibility with existing policies. Drawing from official announcements, release notes, and community discussions, this article synthesizes the key updates, features, and considerations for adopters.

By k8wiz Team
Tags: kubernetes, 1.16, kyverno, CEL

New Features

Kyverno 1.16 introduces several groundbreaking features designed to enhance flexibility, security, and usability in Kubernetes environments:

  • CEL-Based Policies in Beta: A new generation of policies using CEL for validation, mutation, generation, deletion, and image validation. These are introduced at API version v1beta1 for cluster-scoped policies (ValidatingPolicy, MutatingPolicy, GeneratingPolicy, DeletingPolicy, ImageValidatingPolicy). Namespaced variants include NamespacedValidatingPolicy, NamespacedDeletingPolicy, and NamespacedImageValidatingPolicy, enabling least-privilege RBAC and improved multi-tenancy by limiting enforcement to specific namespaces. Full namespaced support for Generating and Mutating policies is slated for 1.17, with promotion to v1 in 1.17 and General Availability (GA) targeted for 1.18.

  • Kyverno Authz Server: A standalone HTTP authorization server that extends Kyverno's policy decisions to non-Kubernetes services, such as Envoy gateways via External Authorization filters. It processes requests and returns allow/deny verdicts based on configured policies.

  • Kyverno SDK: A Go-based Software Development Kit for integrating Kyverno policies into custom applications. It simplifies loading, compiling, and evaluating policies for authorization decisions in Envoy or plain HTTP services, laying the groundwork for broader ecosystem tools.

  • Fine-Grained Policy Exceptions: Enhancements to PolicyException resources now support image-based exceptions (using an images attribute), value-based exceptions (via allowedValues), and configurable reporting statuses (e.g., displaying "pass" instead of "skip" in reports).

  • Label-Based Reporting Configuration: Policies can now include a reports.kyverno.io/disabled label to suppress all reporting (both ephemeral and PolicyReports) without impacting enforcement actions.

  • CEL Libraries in Match Conditions: Kyverno's CEL libraries can now be used in matchConditions for more sophisticated, context-aware rule targeting.

Other additions include support for CEL quantity libraries, label selectors in resource lists, and versioned compilers for improved policy handling.
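To make the namespaced CEL policies and the least-privilege RBAC they enable concrete, here is an added example (not taken from the Kyverno release or its documentation): a NamespacedValidatingPolicy that denies pods whose containers do not set runAsNonRoot, plus a Role that lets a tenant manage such policies only in its own namespace. Assumptions: the `policies.kyverno.io` API group, the spec fields (which follow the cluster-scoped ValidatingPolicy schema), the `namespacedvalidatingpolicies` resource name, the value of the reporting label, and the `team-a` namespace and object names, which are hypothetical.

```yaml
# Added example; namespace and object names are hypothetical.
# Spec fields follow the ValidatingPolicy schema (assumed unchanged at v1beta1).
apiVersion: policies.kyverno.io/v1beta1
kind: NamespacedValidatingPolicy
metadata:
  name: require-run-as-non-root
  namespace: team-a            # enforcement is limited to this namespace
  # labels:
  #   # Label key is from the release; the value "true" is an assumption.
  #   # Suppresses reports only; the Deny action below still applies.
  #   reports.kyverno.io/disabled: "true"
spec:
  validationActions:
    - Deny                     # reject non-compliant requests at admission
  matchConstraints:
    resourceRules:
      - apiGroups: [""]
        apiVersions: ["v1"]
        operations: ["CREATE", "UPDATE"]
        resources: ["pods"]
  validations:
    # Container-level check only: every container must opt in explicitly.
    # Init containers and the pod-level securityContext are not evaluated here.
    - expression: >-
        object.spec.containers.all(c,
          has(c.securityContext) &&
          has(c.securityContext.runAsNonRoot) &&
          c.securityContext.runAsNonRoot)
      message: "Containers in team-a must set securityContext.runAsNonRoot to true."
---
# Least-privilege RBAC: the tenant can manage policies in team-a only,
# with no access to cluster-scoped policy kinds.
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  name: namespaced-policy-editor
  namespace: team-a
rules:
  - apiGroups: ["policies.kyverno.io"]
    resources: ["namespacedvalidatingpolicies"]   # plural resource name assumed
    verbs: ["get", "list", "watch", "create", "update", "patch", "delete"]
```

Confirm the served API version and resource names on your cluster with `kubectl api-resources --api-group=policies.kyverno.io` before applying.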

Enhancements and Changes

Beyond new features, Kyverno 1.16 includes numerous enhancements to improve performance, observability, and usability:

  • Observability Improvements: Comprehensive Prometheus metrics for CEL policy execution, including latency histograms labeled by policy name, resource kind, and result. Native Kubernetes Events are now generated for policy passes, violations, errors, and compilation issues, providing detailed context for troubleshooting.

  • CLI Enhancements: Added completion commands, support for parameters in ValidatingAdmissionPolicy (VAP) and MutatingAdmissionPolicy (MAP) modes, and fixed return codes across output formats.

  • Helm Chart Updates: Removed unused hooks, added support for configurable pod annotations, shortened hook names, created a standalone CRDs chart, and fixed templating scopes.

  • Performance and Efficiency: Optimized namespace fetching, switched to lazy loading for resource hashes, reduced memory allocation, and disabled histogram tracking to lower memory usage.

  • Kubernetes Compatibility: Added support for versions 1.30–1.32 in the podSecurity subrule and bumped internal Kubernetes libraries to v1.34.

Other changes include backward compatibility with existing ClusterPolicy resources, allowing gradual migration to CEL-based policies. New adopters like Sophotech, Swiss Post, Finastra, and Okteto highlight growing community adoption.

Bug Fixes

The release addresses several issues for stability:

  • Fixed CLI apply command return codes and display of excluded resources.
  • Resolved resource name matching for auto-generated names and report queuing.
  • Corrected panics in reports controllers and namespace selector matching in exceptions.
  • Improved logging for namespace termination and rejected generate rules.
  • Fixed reporting for pod controllers and mutating policies on compilation errors.

Breaking Changes

Kyverno 1.16 introduces no explicit breaking changes, ensuring a smooth upgrade for users of previous versions. Existing ClusterPolicy resources remain fully supported.

Deprecations

No new deprecations are introduced in this release. However, the legacy ClusterPolicy API will enter a formal deprecation process once CEL-based policies reach GA, with a non-breaking migration path provided. A deprecated webhook has been removed.

Upgrade Instructions

To upgrade to Kyverno 1.16 using Helm:

  1. Update your Helm repository: helm repo update.
  2. Install or upgrade: helm upgrade --install kyverno kyverno/kyverno -n kyverno --version 3.6.0.

The release includes migration jobs for new policy types in the Helm chart.

Conclusion

Kyverno 1.16 sets a new standard for policy management in Kubernetes, with CEL policies paving the way for more efficient, expressive, and secure configurations. The official sources make clear that this release prioritizes observability, multi-tenancy, and extensibility, with a roadmap toward full CEL GA in upcoming versions. Users are encouraged to explore the beta features and contribute feedback to shape future developments. For the full changelog, refer to the GitHub comparison between v1.15.2 and v1.16.0.
