Removing the K8s Dependency: Local kyverno-json Validation

Ruhika

Kyverno is well-known for its Kubernetes-native policy engine that enables users to validate, mutate, and generate resources using YAML-based policies.

But what if you want to apply Kyverno policies to non-Kubernetes workloads? Enter Kyverno JSON, a powerful sub-project of Kyverno designed to work with any JSON payload.

🌍 Why Kyverno JSON?

Kyverno JSON, a sub-project of Kyverno, bridges the gap between Kubernetes policies and the broader JSON ecosystem. Whether you're validating Dockerfiles, CI/CD manifests, or arbitrary JSON configurations, kyverno-json enables policy-as-code outside the cluster.

However, one common limitation developers face is this:

❌ kyverno-json doesn't yet support local policy testing without spinning up a cluster. It requires a Kubernetes cluster, and therefore carries a Kubernetes dependency.

🧠 How Do Other Engines Handle This?

Other policy engines already support local testing and don't require Kubernetes to function:

  • Open Policy Agent (OPA) – Supports local testing via opa run --server policies/

  • KubeWarden – Uses WebAssembly (Wasm) modules that can be tested locally

This proposal aims to bring similar local testing convenience to the Kyverno ecosystem.

🔧 Serve kyverno-json Policies Locally: No K8s Needed

To address the gap and remove the Kubernetes dependency for JSON policy evaluation, I’ve added local server functionality to kyverno-json.

This allows developers to validate JSON payloads against Kyverno policies entirely locally, making it easier to test and iterate during development or in CI pipelines.

βš™οΈ Note: This is a proposed feature, and I’ve opened a pull request (PR) to share the changes.


πŸ› οΈ Proposed Idea: Local JSON Policy Validation Server

Run the Command

kyverno-json -h

kyverno-json is a CLI tool to apply policies to json resources.

Available Commands:
   ...
  scan        scan
  serve       serve
  ...

Start the Server

kyverno-json serve --policy-dir pkg/commands/serve/testdata

You’ll see the server listening on port 8080:

Listening on: 8080
2025/06/17 00:36:45 configured route /api/scan

This launches an HTTP server with /api/scan and /api/scan/:policy_name endpoints.

📦 Directory Structure

The --policy-dir flag points to your policy directory. This directory must contain one or more Kyverno policies written in the standard YAML format.

pkg/commands/serve/testdata/
├── dockerfile-policy.yaml
└── payload.json

📡 Send JSON Payloads to Be Scanned

Now in Terminal 2, send a JSON payload using curl:

🧪 Scan with All Policies

curl -X POST http://localhost:8080/api/scan \
  -H "Content-Type: application/json" \
  --data-binary @pkg/commands/serve/testdata/payload.json | jq .

📋 Sample Output

{
  "results": [
    {
      "policy": "check-dockerfile",
      "rule": "deny-external-calls",
      "result": "fail",
      "message": "-> HTTP calls are not allowed...\n-> wget is not allowed..."
    }
  ]
}

🚨 The policy "check-dockerfile" flagged the usage of wget and external HTTP calls in the Dockerfile as violations.

🎯 Scan Against a Specific Policy

Want to test against just one policy?

curl -X POST http://localhost:8080/api/scan/check-dockerfile \
  -H "Content-Type: application/json" \
  --data-binary @pkg/commands/serve/testdata/payload.json | jq .
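The same exchange wired into a CI step, as an added example that is not part of this post or of kyverno-json: it POSTs the payload to /api/scan (or /api/scan/<policy>), treats every result whose "result" field is "fail" as a violation, and fails closed when the reply does not carry a results array rather than reporting a clean scan. It assumes the server is listening on localhost:8080 as shown above and answers with HTTP 200.

```python
"""CI gate for the kyverno-json `serve` endpoint (added example, not project code)."""
import json
import sys
import urllib.error
import urllib.request


def parse_scan_response(body: bytes) -> list:
    """Decode a /api/scan reply, failing closed: anything that is not a JSON
    object with a "results" list is an error, so a malformed or unexpected
    reply is never mistaken for a clean scan."""
    try:
        doc = json.loads(body)
    except ValueError as exc:
        raise ValueError(f"scan reply is not JSON: {exc}") from exc
    if not isinstance(doc, dict) or not isinstance(doc.get("results"), list):
        raise ValueError(f"scan reply has no results array: {body[:200]!r}")
    return doc["results"]


def failures(results: list) -> list:
    """Return 'policy/rule' for every result whose "result" field is "fail"."""
    return [f"{r.get('policy')}/{r.get('rule')}"
            for r in results if r.get("result") == "fail"]


def scan(server: str, payload: bytes, policy: str = "") -> list:
    """POST payload to /api/scan (all policies) or /api/scan/<policy>."""
    url = f"{server}/api/scan" + (f"/{policy}" if policy else "")
    req = urllib.request.Request(url, data=payload, method="POST",
                                 headers={"Content-Type": "application/json"})
    # Assumption (not stated in the post): the server answers with HTTP 200;
    # urlopen raises HTTPError for anything else, which the caller treats as failure.
    with urllib.request.urlopen(req, timeout=10) as resp:
        return parse_scan_response(resp.read())


if __name__ == "__main__":
    # Usage: python scan_gate.py payload.json [policy-name]; exits 1 on violations.
    with open(sys.argv[1], "rb") as fh:
        data = fh.read()
    try:
        found = failures(scan("http://localhost:8080", data, *sys.argv[2:3]))
    except (urllib.error.URLError, ValueError) as exc:
        sys.exit(f"scan failed: {exc}")
    for item in found:
        print("FAIL", item)
    sys.exit(1 if found else 0)
```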

🧩 Under the Hood

  • Cobra CLI – Adds a --policy-dir flag to serve mode

  • Routing – Exposes /api/scan and /api/scan/:policy_name in routes.go

  • Policy Provider Layer – Handles loading and caching of policies from disk

🎉 Why This Matters

  • ✅ No cluster required: run policies locally during CI or development

  • ✅ Lightning fast: instant feedback on JSON compliance

  • ✅ Language-agnostic: works with any JSON-producing system

🧪 Try It, or Contribute

This is an early-stage proposed feature, and I’d love feedback or suggestions. I’ll update my blog once this feature is merged.

With this, we hope to make policy testing easier, faster, and more accessible, anywhere JSON exists.

✨ For more blog updates like this, follow me on Hashnode and Twitter. Thanks for reading! 👋
