KyvernoCon Virtual 2026

Name: KyvernoCon Virtual 2026
Start: 2026-05-06T08:00:00-04:00
End: 2026-05-06T11:00:00-04:00

Virtual Project Events (Hosted by CNCF)

May 6, 12:00 – 3:00 PM (UTC)

Get tickets

About this event

KyvernoCon Virtual 2026 will expand access to policy-as-code conversations by offering a fully virtual, globally accessible event. With a mix of thought leadership, hands-on sessions, and success stories, this event will showcase how Kyverno enables teams to scale policy management and AI workloads safely and efficiently, enhance platform security, and improve developer experiences. The virtual setting is ideal for connecting our broader global community while encouraging participation from new users and contributors.

KEY DATES:
CFP Closes: Sunday, March 8
Speaker Notifications: Wed, April 1
Schedule Announced: Wed, April 8

Who Should Submit & Who Should Attend
We welcome proposals from first-time speakers and seasoned presenters alike. Whether you’re an end user, platform engineer, security practitioner, contributor, or maintainer, we encourage you to share your experiences and lessons learned. KyvernoCon values a diverse range of voices across age, gender, background, and nationality, and we actively strive to create an inclusive and supportive speaking environment.
This event is open to everyone! KyvernoCon is a welcoming, global, and growing community focused on policy as code, an ever-green topic that continues to shape the future of Kubernetes, platform engineering, security, and AI workloads.

CFP TOPICS:
1. Getting Started with Kyverno (CEL-First)
For newcomers, evaluators, and teams beginning their Kyverno journey, this track focuses on fundamentals with a strong emphasis on CEL-based policy types, which represent the future of Kyverno policy authoring.
Introduction to policy as code in Kubernetes and why it matters
Writing your first Kyverno policies using CEL policy types (validating, mutating, generating, image validation)
Migrating from legacy and cluster-scoped policies to CEL-based approaches
Testing, validating, and iterating on policies safely across environments
Best practices for scaling policy adoption across teams and clusters
2. Security, Compliance & AI Workloads at Scale with Policy as Code
These talks highlight how Kyverno enables consistent, automated governance for security, compliance, and AI workloads, from development through production.
Using Kyverno for Kubernetes security hardening and runtime protection
Enforcing security controls for AI/ML workloads (images, provenance, resource constraints, data access)
Automating security and compliance checks in CI/CD pipelines
Mapping Kyverno policies to industry frameworks (CIS, NIST, SOC 2, PCI, etc.)
Leveraging policy as code to reduce risk while accelerating delivery
3. Developer Enablement & Platform Experience
Designed for platform engineers and DevEx leaders building Internal Developer Platforms (IDPs), this track focuses on how policy as code improves developer experience without sacrificing control.
Using Kyverno to standardize and simplify workload configuration
Policy-driven guardrails that enable developer self-service
Integrating Kyverno with developer portals and platforms (e.g., Backstage)
Policy-based scaffolding, defaults, and opinionated golden paths
How policy as code strengthens platform engineering outcomes
4. Kyverno Integrations and Advanced Use Cases
For experienced users, operators, and contributors, this track dives into advanced patterns, integrations, and real-world scaling strategies.
Kyverno integrations across the cloud-native ecosystem
Using external data sources, variables, and context-aware policies
Advanced CEL expressions and complex policy logic
Performance tuning, scalability, and operating Kyverno in large environments

When

Wednesday, May 6, 2026
12:00 PM – 3:00 PM (UTC)

Agenda

Welcome & Opening Remarks	Cortney Nickerson, CNCF Ambassador and Head of Community at Nirmata the creators of Kyverno, will open the day by bringing the community together to celebrate Kyverno's recent CNCF graduation with the global community. She will share project insights and set the stage for a day of learning and connection across the policy-as-code ecosystem.
From YAML to CEL: Understanding Kyverno’s New Policy Model	Kyverno’s support for CEL (Common Expression Language) introduces powerful new ways to write Kubernetes policies. However, for many users the shift from traditional YAML pattern matching to CEL-based policies can feel confusing at first. As someone entering the Kyverno ecosystem through the LFX mentorship program, I’ve been exploring this transition, understanding what changes, what improves, and where people often get stuck. In this lightning talk, I’ll briefly walk through the mental shift from YAML patterns to CEL expressions and share common beginner pitfalls when getting started with Kyverno’s newer policy model. Speaker: Kirti Goyal, DevRel @Keploy
Poison Control: Unifying Software and Content Provenance for AI Workloads via Kyverno	As AI workloads increasingly scale on Kubernetes, securing them requires more than locking down the infrastructure. While industry standards effectively secure containerized runtimes via SBOMs and binary authorization, the core intelligence — the AI models and training datasets — often remains unverified. This blind spot exposes Kubernetes pipelines to high-stakes threats like data poisoning and model tampering. Platform teams must establish verifiable trust for both. This session introduces the "Dual-Provenance Pattern," an architecture bridging infrastructure security with content authenticity. Attendees will explore building a zero-trust defense using Kyverno as a Policy-as-Code gatekeeper, integrating CNCF tooling to unify software provenance with content provenance (C2PA) standards. The talk details how Kyverno policies validate software provenance by enforcing cryptographic signatures on OCI artifacts. It also illustrates dynamically injecting initContainers to evaluate content provenance, verifying C2PA manifests for dataset origins before processing. By unifying these ecosystems, attendees will learn to neutralize poisoning risks and enforce tamper-proof deployments. Speakers: Anmol Krishan Sachdeva, Sr. Solutions Engineer (Platform Engineering) @ Google & Ankit Kotnala, Cloud Consultant @Google
From Policy to Production: Implementing ISO27001/BSI IT-Grundschutz in Kubernetes with Kyverno	How do you bridge the gap between strict compliance requirements, like Germany’s BSI IT-Grundschutz implementation of ISO27001, and dynamic Kubernetes environments? Using daily real-world scenarios from the field, this talk demonstrates how Kyverno can automate compliance for critical security controls - without sacrificing agility. We’ll spotlight three key IT-Grundschutz/ISO27001 building blocks and their Kyverno-powered implementations: - APP.4.4.A7 - Separation of Networks for Kubernetes - APP.4.4.A13 - Automated Configuration Auditing - APP.4.4.A21 - Regular Restart of Pods All with practical examples of how you could use them. Questions like: - How to baseline audit/compliance with the impact of "enforce" instead of "audit" and what does it do with your DevTeam! - Why use "generator" for Network-Policies and the benefits - Why do you use a Kyverno-Label (cleanup.kyverno.io/ttl) for deployments Speaker: Marcus Ross, DevOps/Plattform Engineer & Kubestronaut @Hamburg Port Authority
Break	Get up! Stretch, drink something, get a snack and be back here in 15mins for more KyvernoCon!
ReBAC with Kyverno: Automating Multi-Tenant RBAC at Scale	Managing Kubernetes RBAC at scale is painful — teams manually create Roles and RoleBindings per namespace, onboarding takes tickets, and permission drift is inevitable. At Grainger, we replaced this with a fully automated Relationship-Based Access Control (ReBAC) system powered by Kyverno generate policies. When a namespace is created, six ClusterPolicies instantly generate three tiered Roles (operator, contributor, viewer) and their corresponding RoleBindings — zero manual YAML, zero tickets. In this talk, you'll see: How 6 generate policies replace all manual RBAC provisioning across unlimited namespaces Live Demo: namespace creation → automatic RBAC scaffolding → user assignment → access verification Real debugging stories: the nonResourceURLs trap, precondition patterns to prevent generate-on-DELETE, and background mode for retroactive application A self-service workflow that eliminates cluster-admin dependency Key Takeaways: A reusable pattern for tiered namespace access control Why generate (not mutate) is the right tool for RBAC automation A migration playbook from static RBAC to policy-driven ReBAC Built and battle-tested on production Amazon EKS clusters. Speaker: Pavan Madduri, Senior Platform Engineer @W.W.Grainger.Inc
Drift Prevention in GitOps Workflows Using Kyverno	You deployed a clean, Git-approved config and three days later, something in your cluster quietly changed and nobody knows why. That's drift. And in GitOps, it's the silent killer of everything you thought was under control. GitOps promises that your Git repo is the single source of truth. But in reality, someone makes a "temporary" fix directly on the cluster. A script runs in the wrong environment. Suddenly your cluster and your Git repo are telling two different stories, and you only find out when something breaks in production. This is where Kyverno comes in. Rather than detecting drift after it happens, Kyverno lets you write policies that prevent it entirely. Nothing gets into the cluster unless it came through the right door. This session walks through how GitOps and policy as code reinforce each other. ArgoCD keeps things in sync, Kyverno enforces what can be synced, creating a workflow where your cluster does exactly what Git says, and only what Git says. This session explores how combining GitOps with policy as code turns your delivery workflow from a promise into a guarantee. Speaker: Omolade Akinwumi, DevOps Engineer/Founder @MAX
Policy-as-Code for LLM Inference: Cost & Security Guardrails	LLM inference workloads are unlike any other Kubernetes workload — a single misconfigured job can exhaust GPU quota for an entire team overnight. On multi-tenant AI platforms serving hundreds of ML researchers, unconstrained inference requests can silently drive runaway costs before anyone has visibility into the problem. In this talk, I'll show how Kyverno validating policies can enforce cost guardrails at admission time — before workloads ever reach the scheduler. You'll see real policies that reject or flag inference requests exceeding token budget thresholds, enforce GPU resource limits on model serving deployments, and require cost-attribution labels for chargeback visibility. No sidecars, no custom controllers — just declarative policies that your platform team can own and audit. Speaker: Sakalya Deshpande, Senior AI Infrastructure Engineer @SAP Labs
Webhook Topology and Admission Latency: Lessons from Migration	Kyverno’s ValidatingPolicy introduces a more fine-grained integration with Kubernetes admission webhooks. Instead of relying on catch-all endpoints like traditional ClusterPolicy resources, each ValidatingPolicy generates its own webhook entry with resource-specific matching rules. This design should improve efficiency by reducing unnecessary evaluations. While migrating our policy layer from Gatekeeper to Kyverno, deploying a mix of ValidatingPolicy and ClusterPolicy caused admission webhook p99 latency to spike from sub-second to several seconds across multiple clusters. The policy logic itself executed in under a millisecond. This talk shares our journey, how we debug this issue, and the lesson learnt. Speaker: Tanat Lokejaroenlarb, Staff SRE @Adevinta
Closing Remarks

KubeCon + CloudNativeCon India 2026 · 18-19 June · Mumbai · REGISTER NOW

KyvernoCon Virtual 2026

Virtual Project Events (Hosted by CNCF)

About this event

When

Agenda