devops

Announcing Kyverno 1.17!

Published: (February 18, 2026 at 07:11 AM EST)
7 min read
Source: CNCF Blog

Source: CNCF Blog

Posted on February 18, 2026
by Charles‑Edouard Breteche, Nirmata

CNCF projects highlighted in this post

Kyverno logo

Kyverno 1.17 is a landmark release that marks the stabilization of our next‑generation Common Expression Language (CEL) policy engine.

  • While 1.16 introduced the “CEL‑first” vision in beta, 1.17 promotes these capabilities to v1, offering a high‑performance, future‑proof path for policy as code.
  • This release focuses on “completing the circle” for CEL policies by introducing namespaced mutation and generation, expanding the available function libraries for complex logic, and enhancing supply‑chain security with upcoming Cosign v3 support.

A new look for kyverno.io

The first thing you’ll notice with 1.17 is our completely redesigned website. We’ve moved beyond a simple documentation site to create a modern, high‑performance portal for platform engineers.

Let’s be honest: the Kyverno website redesign was long overdue. As the project evolved into the industry standard for unified policy as code, our documentation needs to reflect that maturity. We are proud to finally unveil the new experience at .

Kyverno 1.17: a new era, a new website – flow chart showing the changes from the old Kyverno website to the new website

Highlights

  • Modern redesign – Built on the Starlight framework, the new site is faster, fully responsive, and features a clean, professional aesthetic that makes long‑form reading much easier on the eyes.
  • Enhanced documentation structure – We’ve reorganized our docs from the ground up. Information is now tiered by “User Journey” — from a simplified Quick Start for beginners to deep‑dive Reference material for advanced policy authors.
  • Fully redesigned policy catalog – Our library of 300+ sample policies has a new interface. It features improved filtering and a dedicated search that lets you find policies by Category (Best Practices, Security, etc.) or Type (CEL vs. JMESPath) instantly.
  • Enhanced search capabilities – We’ve integrated a more intelligent search engine that indexes both documentation and policy code, ensuring you get the right answer on the first try.
  • Brand‑new blog – The Kyverno blog has been refreshed to better showcase technical deep dives, community case studies, and release announcements like this one!

Namespaced mutating and generating policies

In 1.16 we introduced namespaced variants for validation, cleanup, and image verification.
Kyverno 1.17 completes this set by adding:

  • NamespacedMutatingPolicy
  • NamespacedGeneratingPolicy

These enable true multi‑tenancy: namespace owners can now define their own mutation and generation logic (e.g., automatically injecting sidecars or creating default ConfigMaps) without requiring cluster‑wide permissions or affecting other tenants.

CEL policy types reach v1 (GA)

The headline for 1.17 is the promotion of CEL‑based policy types to v1. This signifies that the API is now stable and production‑ready.

Promoted types

  • ValidatingPolicy & NamespacedValidatingPolicy
  • MutatingPolicy & NamespacedMutatingPolicy
  • GeneratingPolicy & NamespacedGeneratingPolicy
  • ImageValidatingPolicy & NamespacedImageValidatingPolicy
  • DeletingPolicy & NamespacedDeletingPolicy
  • PolicyException

With this graduation, platform teams can confidently migrate from JMESPath‑based policies to CEL to take advantage of significantly improved evaluation performance and better alignment with upstream Kubernetes ValidatingAdmissionPolicies / MutatingAdmissionPolicies.

New CEL capabilities and functions

To ensure CEL policies are as powerful as the original Kyverno engine, 1.17 introduces several new function libraries:

CategoryFunctions
Hash Functionsmd5(value), sha1(value), sha256(value)
Math Functionsmath.round(value, precision) – round numbers to a specific decimal or integer precision
X509 Decodingx509.decode(pem) – inspect and validate the contents of X.509 certificates directly within a CEL expression
Random String Generationrandom() – default pattern
random(pattern) – custom regex‑based pattern
Transform UtilitieslistObjToMap(list1, list2, keyField, valueField) – merge two object lists into a map
JSON Parsingjson.unmarshal(jsonString) – parse JSON strings into structured data
YAML Parsingyaml.parse(yamlString) – parse YAML strings into structured data
Time‑based Logictime.now()
time.truncate(timestamp, duration)
time.toCron(timestamp) – enable time‑since or “maintenance window” style policies

Deprecation of legacy APIs

As Kyverno matures and aligns more closely with upstream Kubernetes standards, we are making a strategic shift to a CEL‑first architecture. This means the legacy Policy and ClusterPolicy types (which served the community for years using JMESPath) are now entering their sunset phase.

Deprecation schedule

ReleaseDate (estimated)Status
v1.17Jan 2026Marked for deprecation
v1.18Apr 2026Critical fixes only
v1.19Jul 2026Critical fixes only
v1.20Oct 2026Planned for removal

Why the change?

By standardizing on the Common Expression Language (CEL), Kyverno significantly improves its performance, security, and compatibility with native Kubernetes admission control mechanisms. This transition paves the way for a more robust, future‑ready policy engine that can scale with the evolving needs of cloud‑native platforms.

Performance and Alignment

The new CEL engine improves performance and aligns with the native validation logic used by the Kubernetes API server itself.

For platform teams, this means one less language to learn and a more predictable, scalable policy‑as‑code experience.

Note for authors

From this point forward, we strongly recommend that every new policy you write be based on the new CEL APIs. Choosing the legacy APIs for new work today simply adds to your migration workload later this year.

Migration tips

We understand that many of you have hundreds of existing policies. To ensure a smooth transition, we have provided comprehensive resources:

  • The Migration Guide – A side‑by‑side mapping of legacy ClusterPolicy fields to their new equivalents (e.g., mapping validate.pattern to ValidatingPolicy expressions).
  • New Policy Types – Overview of specialized types like ValidatingPolicy, MutatingPolicy, and GeneratingPolicy.

Enhanced supply‑chain security

Supply‑chain security remains a core pillar of Kyverno.

  • Cosign v3 Support – 1.17 adds support for the latest Cosign features, ensuring your image verification remains compatible with the evolving Sigstore ecosystem.
  • Expanded Attestation Parsing – New capabilities to deserialize YAML and JSON strings within CEL policies make it easier to verify complex metadata and SBOMs.

Observability and reporting upgrades

We have refined how Kyverno communicates policy results:

  • Granular Reporting Control – A new --allowedResults flag allows you to filter which results (e.g., only “Fail”) are stored in reports, significantly reducing ETCD pressure in large clusters.
  • Enhanced Metrics – More detailed latency and execution metrics for CEL policies are now included by default to help you monitor the “hidden” cost of policy enforcement.

For developers and integrators

To support the broader ecosystem and make it easier to build integrations, we have decoupled our core components:

  • New API Repository – Our CEL‑based APIs now live in a dedicated repository: kyverno/api.
  • Kyverno SDK – The SDK project for custom controllers or tools is now housed at kyverno/sdk.

Getting started and backward compatibility

Upgrading from 1.16 is straightforward. Since the CEL policy types have moved to v1, we recommend updating your manifests to the new API version. Kyverno will continue to support v1beta1 for a transition period.

helm repo update
helm upgrade --install kyverno kyverno/kyverno -n kyverno --version 3.7.0

Looking ahead: The Kyverno roadmap

As we move past the 1.17 milestone, our focus shifts toward long‑term sustainability and the “Kyverno Platform” experience.

  • Growing the community – More frequent office hours, improved contributor onboarding, and a renewed focus on making the Kyverno community the most welcoming space in CNCF.
  • A unified tooling experience – Consolidating sub‑projects (CLI, Policy Reporter, Kyverno‑Authz) into a cohesive suite to reduce fragmentation.
  • Performance and scalability guardrails – Automated performance testing and granular metrics to help platform engineers understand throughput and latency at scale.
  • Continuous UX improvement – Ongoing iteration on user interfaces, documentation, and error messaging to keep Kyverno “Simplified” by design.

Conclusion

Kyverno 1.17 is the most robust version yet, blending the flexibility of our original engine with the performance and standardization of CEL.

But this release is about more than just code—it’s about the total user experience. Whether you’re browsing the new policy catalog or scaling thousands of CEL‑based rules, we hope this release makes your Kubernetes journey smoother.

A massive thank you to our contributors for making this release (and the new website!) a reality.

0 views
#kyverno #kubernetes #policy-as-code #cel #cncf #release-1.17 #supply-chain security #cosign
View source
Share:
Back to Blog

Related posts

Read more »

11.Resolve Pod Deployment Issue

Lab Information A junior DevOps team member encountered difficulties deploying a stack on the Kubernetes cluster. The pod fails to start, presenting errors. Le...