Policy as Code (Kubernetes & Beyond)
Kyverno, OPA, Gatekeeper, Cedar — enforcing rules across infra.
Kubernetes admission control
- ★ Kyverno (CNCF) — write policies as YAML; matches the rest of your manifests; mutating + validating + generating policies. The default for k8s in 2026.
- ★ OPA Gatekeeper — wraps OPA + Rego for k8s admission. More powerful expressions, bigger learning curve.
- Cosign Policy Controller — Sigstore admission controller; verify image signatures.
- Connaisseur — image signature verification; simpler than Cosign Policy Controller.
OPA itself
- ★ OPA (Open Policy Agent) (CNCF) — generic policy engine using Rego. Use anywhere: HTTP middleware, Terraform, k8s admission, sidecars.
- Conftest — OPA-based testing for arbitrary config files (YAML, JSON, HCL).
- Styra — commercial OPA management plane.
Newer / typed alternatives
- ★ AWS Cedar — open-source policy language from AWS; cleaner than Rego; embeddable as Rust library / WASM.
- Topaz (Aserto) — combines OPA + a directory of subjects.
- OpenFGA — relationship-based, see Authorization.
IaC / config policy
- Checkov — broad IaC scanner with pre-built policies.
- tfsec — Terraform-specific.
- Conftest — write your own with Rego.
- kube-linter — best-practice scan for k8s manifests.
- datree — k8s policy enforcement (commercial).
- CUE / Kubeconform / kubeval — schema validation, not policy per se.
Service-level / API-level policy
- OPA as HTTP middleware — sidecar OPA, ask "is this allowed?" before serving.
- Cedar as embedded library — same idea, in-process.
- Authorino — k8s-native authorization for HTTP services.
What policy-as-code enforces
- ★ No
:latestimages in prod. - Required labels (team, env, cost-center).
- Resource limits / requests mandatory.
- No hostNetwork / privileged unless allowlisted.
- Image source allowlist (only registries you trust).
- No secrets in plain ConfigMaps (catch obvious mistakes).
- TLS only for ingresses.
- PodSecurity standards (restricted / baseline / privileged).
- Cosign signature verification.
Patterns to adopt
- ★ Audit mode first, enforce later. Roll out new policies in audit; review what would have been blocked; then enforce.
- Policies in git, GitOps-deployed. Treat them like code: review, test, version.
- Test policies with sample manifests. Kyverno + Conftest both have CI testing.
- Separate "warn" from "block" severities.
- Document why a policy exists. Future engineers will ask.
Pick this if…
- Default k8s admission: Kyverno.
- You want OPA everywhere (k8s + APIs + IaC): OPA + Gatekeeper.
- Image-signature-only verification: Cosign Policy Controller.
- App-level / API-level authorization: Cedar (typed, embeddable) or OpenFGA (ReBAC).
- Generic "test these YAML files": Conftest.
- IaC scan: Checkov.