Add support for new Kyverno policy types before the October 2026 removal of `ClusterPolicy` affects our 50 ClusterPolicies
## Description
The [Kyverno 1.17 release notes](https://kyverno.io/blog/2026/02/02/announcing-kyverno-release-1.17/) gave us until Kyverno 1.20 (Oct 2026) to move off `ClusterPolicy` before the CRD is removed. This epic migrates our ~50 ClusterPolicies to their CEL-based replacements: `ValidatingPolicy`, `MutatingPolicy`, and `GeneratingPolicy` under `policies.kyverno.io/v1`.
Each policy migration has its own issue ([#216](https://repo1.dso.mil/big-bang/product/packages/kyverno-policies/-/issues/216)-[#264](https://repo1.dso.mil/big-bang/product/packages/kyverno-policies/-/issues/264)), one MR each, parallelizable across the team. See the [issue list](https://repo1.dso.mil/big-bang/product/packages/kyverno-policies/-/issues/?label_name%5B%5D=kyvernoPolicies&label_name%5B%5D=kind%3A%3Aenhancement) for current progress. The [`docs/cel-migration/`](https://repo1.dso.mil/big-bang/product/packages/kyverno-policies/-/tree/main/docs/cel-migration) directory has the migration guide and ground rules.
Ref: [&188](https://repo1.dso.mil/groups/big-bang/-/epics/188) (original Kyverno policy epic).
## Value to user of BB
Kyverno policies automate security and compliance enforcement in Kubernetes clusters. This migration preserves all existing policy behavior while moving to CEL-based policy kinds before `ClusterPolicy` is removed in Kyverno 1.20.
## Requirements/Scope
Each migrated policy should:
* Preserve all existing CPol behavior (no regressions)
* Be gated behind `celPoliciesBeta.<name>.enabled` (disabled by default during migration)
* Pass offline kyverno CLI tests and live chainsaw admission tests
* Run alongside the existing CPol (both can coexist; VPol/MPol/GPol is opt-in)
* Key parameters controlled by values (exclusions, allowed/disallowed lists, limits/ranges)
* Policy violations logged to logging stack (EFK or PLG)
## Out of Scope
- Adding any new `MutatingPolicy` beyond the six required to replace our existing mutating `ClusterPolicies`.
- Cutover (removing CPol equivalents, wiring `celPoliciesBeta` into umbrella chart) -- that's a follow-on effort after all migrations land.
- Any work related to bb-common.
## Duration
~50 policies total. Each migration is its own issue and MR, parallelizable across the team. The work must land before Kyverno 1.20 (Oct 2026) removes `ClusterPolicy`.
## Team
~"team::Empire"
## Epic Team Members
Current ~"team::Empire" roster:
- @jasdeep.s.basra (kyverno SME)
- @jrb
- @dpritchettrm (mission team lead)
## Dependencies
- First MutatingPolicy migration is complete; the remaining MPol migrations ([#260](https://repo1.dso.mil/big-bang/product/packages/kyverno-policies/-/issues/260)-[#264](https://repo1.dso.mil/big-bang/product/packages/kyverno-policies/-/issues/264)) are no longer blocked on MPol bootstrap work
- First GeneratingPolicy migration is complete; follow-on GPol work can use it as the reference pattern
- &609 (PolicyException separation) is related but not blocking
## Progress
- First MutatingPolicy landed
- First GeneratingPolicy landed
- ValidatingPolicy migration is in progress across the remaining per-policy issues
## Risks
- A Kyverno runtime bug in VPol/MPol/GPol could force helper rewrites, but the helpers are already tested against a live cluster and the risk is low.
- Without proper insight into the applications users deploy, policies could inadvertently block workloads. Policies default to Audit mode to allow users to gather violation data before enforcing.
## Acceptance Criteria
* Every existing ClusterPolicy has a CEL-based equivalent (VPol, MPol, or GPol) that passes offline and live-cluster tests
* Each new policy can be enabled and set to Audit or Enforce with no package violations
* Package continues to operate without problems
* If an exception is in place, the rationale is documented
## Related Issues and/or Epics
- [&188: Kyverno Policy Enforcement](https://repo1.dso.mil/groups/big-bang/-/epics/188) -- original introduction of Kyverno as BB's policy engine
- &609 -- migrating policy exclusions to standalone `PolicyException` resources
- [#207](https://repo1.dso.mil/big-bang/product/packages/kyverno-policies/-/issues/207) -- extend `additionalPolicies` template to support CEL-era policy kinds (needed before cutover)
## How this epic maps to P1 Vision or roadmap for Big Bang
This epic is part of Multi-Tenancy Support and ensures Big Bang's policy enforcement layer remains functional as Kyverno moves to CEL-based policy kinds.
## How does this proposed work benefit the enterprise using Big Bang and/or end user SRE?
Kyverno policies automate security and compliance enforcement using Kubernetes-native YAML. This migration ensures those policies continue to work after Kyverno removes `ClusterPolicy` in 1.20, with no action required from end users until the cutover phase.
## How does this benefit the internal Big Bang team
Keeps Big Bang's out-of-the-box security and compliance posture intact through the Kyverno API transition. The per-policy issue structure lets the team parallelize work without merge conflicts.
## References
### Upstream deprecation schedule for `ClusterPolicy`
[Source: Kyverno 1.17 release notes](https://kyverno.io/blog/2026/02/02/announcing-kyverno-release-1.17/)
> The Deprecation Schedule
> Kyverno 1.17 officially marks ClusterPolicy and CleanupPolicy as Deprecated. While they remain functional in this release, the clock has started on their removal to make way for the more performant, standardized CEL-based engines.
| Release | Date (estimated) | Status |
|---|---|---|
| v1.17 | Jan 2026 | Marked for deprecation |
| v1.18 | Apr 2026 | Critical fixes only |
| v1.19 | Jul 2026 | Critical fixes only |
| v1.20 | Oct 2026 | Planned for removal |
### Migration guide
[`docs/cel-migration/vpol-migration-guide.md`](https://repo1.dso.mil/big-bang/product/packages/kyverno-policies/-/blob/main/docs/cel-migration/vpol-migration-guide.md) covers the full vendor, template and test workflow for each policy migration.
### Example upstream before and after: `disallow-privileged-containers`
**Before**: [ClusterPolicy (JMESPath)](https://github.com/kyverno/policies/blob/main/pod-security/baseline/disallow-privileged-containers/disallow-privileged-containers.yaml)
**After**: [ValidatingPolicy (CEL)](https://github.com/kyverno/policies/blob/main/pod-security-vpol/baseline/disallow-privileged-containers/disallow-privileged-containers.yaml)
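Condensed before/after versions of the two linked policies, added here as an illustration and not copied from the upstream repository or from this package's templates; the field layout follows the upstream policies, the `policies.kyverno.io/v1` API version follows this epic's description, both default to Audit per the Risks section above, and the message text is shortened.

```yaml
# Before: JMESPath-pattern ClusterPolicy (deprecated in Kyverno 1.17, removed in 1.20)
apiVersion: kyverno.io/v1
kind: ClusterPolicy
metadata:
  name: disallow-privileged-containers
spec:
  validationFailureAction: Audit   # Audit first; switch to Enforce after reviewing violation data
  background: true
  rules:
    - name: privileged-containers
      match:
        any:
          - resources:
              kinds: [Pod]
      validate:
        message: "Privileged mode is disallowed; securityContext.privileged must be unset or false."
        pattern:
          spec:
            =(ephemeralContainers):
              - =(securityContext):
                  =(privileged): "false"
            =(initContainers):
              - =(securityContext):
                  =(privileged): "false"
            containers:
              - =(securityContext):
                  =(privileged): "false"
---
# After: CEL-based ValidatingPolicy replacement (apiVersion as named in this epic; assumed here)
apiVersion: policies.kyverno.io/v1
kind: ValidatingPolicy
metadata:
  name: disallow-privileged-containers
spec:
  validationActions: [Audit]       # same Audit-first default as the ClusterPolicy above
  matchConstraints:
    resourceRules:
      - apiGroups: [""]
        apiVersions: ["v1"]
        operations: [CREATE, UPDATE]
        resources: [pods]
  validations:
    # Main, init and ephemeral containers must all leave privileged unset or set it to false.
    - expression: >-
        object.spec.containers.all(c, !has(c.securityContext) || !has(c.securityContext.privileged) || c.securityContext.privileged == false) &&
        (!has(object.spec.initContainers) || object.spec.initContainers.all(c, !has(c.securityContext) || !has(c.securityContext.privileged) || c.securityContext.privileged == false)) &&
        (!has(object.spec.ephemeralContainers) || object.spec.ephemeralContainers.all(c, !has(c.securityContext) || !has(c.securityContext.privileged) || c.securityContext.privileged == false))
      message: "Privileged mode is disallowed; securityContext.privileged must be unset or false."
```

The `=(...)` anchors in the pattern mean "validate only if present", which is why the CEL form needs the explicit `has()` guards on each optional container list and field.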