Tooling

Policy as Code (Kubernetes & Beyond)

Kyverno, OPA, Gatekeeper, Cedar — enforcing rules across infra.

Kubernetes admission control

  • Kyverno (CNCF) — write policies as YAML; matches the rest of your manifests; mutating + validating + generating policies. The default for k8s in 2026.
  • OPA Gatekeeper — wraps OPA + Rego for k8s admission. More powerful expressions, bigger learning curve.
  • Cosign Policy Controller — Sigstore admission controller; verify image signatures.
  • Connaisseur — image signature verification; simpler than Cosign Policy Controller.

OPA itself

  • OPA (Open Policy Agent) (CNCF) — generic policy engine using Rego. Use anywhere: HTTP middleware, Terraform, k8s admission, sidecars.
  • Conftest — OPA-based testing for arbitrary config files (YAML, JSON, HCL).
  • Styra — commercial OPA management plane.

Newer / typed alternatives

  • AWS Cedar — open-source policy language from AWS; cleaner than Rego; embeddable as Rust library / WASM.
  • Topaz (Aserto) — combines OPA + a directory of subjects.
  • OpenFGA — relationship-based, see Authorization.

IaC / config policy

  • Checkov — broad IaC scanner with pre-built policies.
  • tfsec — Terraform-specific.
  • Conftest — write your own with Rego.
  • kube-linter — best-practice scan for k8s manifests.
  • datree — k8s policy enforcement (commercial).
  • CUE / Kubeconform / kubeval — schema validation, not policy per se.

Service-level / API-level policy

  • OPA as HTTP middleware — sidecar OPA, ask "is this allowed?" before serving.
  • Cedar as embedded library — same idea, in-process.
  • Authorino — k8s-native authorization for HTTP services.

What policy-as-code enforces

  • No :latest images in prod.
  • Required labels (team, env, cost-center).
  • Resource limits / requests mandatory.
  • No hostNetwork / privileged unless allowlisted.
  • Image source allowlist (only registries you trust).
  • No secrets in plain ConfigMaps (catch obvious mistakes).
  • TLS only for ingresses.
  • PodSecurity standards (restricted / baseline / privileged).
  • Cosign signature verification.

Patterns to adopt

  • Audit mode first, enforce later. Roll out new policies in audit; review what would have been blocked; then enforce.
  • Policies in git, GitOps-deployed. Treat them like code: review, test, version.
  • Test policies with sample manifests. Kyverno + Conftest both have CI testing.
  • Separate "warn" from "block" severities.
  • Document why a policy exists. Future engineers will ask.

Pick this if…

  • Default k8s admission: Kyverno.
  • You want OPA everywhere (k8s + APIs + IaC): OPA + Gatekeeper.
  • Image-signature-only verification: Cosign Policy Controller.
  • App-level / API-level authorization: Cedar (typed, embeddable) or OpenFGA (ReBAC).
  • Generic "test these YAML files": Conftest.
  • IaC scan: Checkov.

On this page