Nirmata is the enterprise commercial platform built on Kyverno, the open-source Kubernetes policy engine that Nirmata created and donated to the CNCF in November 2020. Kyverno has over 3.2 billion downloads.
Kyverno implements policy as Kubernetes custom resources using YAML and CEL, meaning policies are created, versioned, and audited with the same tooling as any other Kubernetes object. The engine runs as an admission controller, intercepting resource creation and modification requests. It also runs background scans against existing resources, unlike Kubernetes-native ValidatingAdmissionPolicy, which only fires on changes. Kyverno 1.16 (November 2025) introduced CEL-based policies in beta.
Nirmata Control Hub, the commercial layer, adds centralized management across multiple clusters: a dashboard, policy lifecycle versioning, compliance reporting, automated remediation agents, and an AI Copilot for natural-language policy authoring. It supports EKS, AKS, GKE, Rancher, OpenShift, and air-gapped on-premises Kubernetes distributions.
Key Features
Kyverno policy engine: validate, mutate, generate, and image-verify Kubernetes resources using YAML and CEL custom resources — no new policy language to learn; policies are managed like any other Kubernetes object
Admission control plus background scanning: enforces policies on new resources at admission time and retroactively scans existing resources, filling the gap left by Kubernetes-native ValidatingAdmissionPolicy, which only fires on changes
Kyverno CLI for shift-left enforcement: apply and test Kyverno policies in CI/CD pipelines and IaC workflows before changes reach a cluster; integrates with Argo CD, Flux, and standard GitOps patterns
Nirmata Control Hub: centralized multi-cluster policy management with dashboards, policy lifecycle versioning, exception management, and compliance reports mapped to security frameworks across EKS, AKS, GKE, and on-premises clusters
AI Copilot for policy generation: describe a governance requirement in plain language; the AI agent generates, tests, and explains the corresponding Kyverno policy YAML and opens a signed pull request with approver steps
Image signature verification: validates container image signatures and attestations using Notary and Cosign, enforcing supply chain security controls as a policy rather than a separate pipeline step
Integrations
No integrations on file.
Pricing
No pricing data on file.
Compliance
0 / 6 attested
SOC 2
HIPAA
GDPR
FedRAMP
PCI DSS
ISO 27001
No compliance attestations on file. Confirm directly with the vendor before procurement.