Kubernetes-native policy management

Policies are managed as Kubernetes resources

No coding required

Cluster-wide or namespaced policies

Policy Samples

Kyverno manages community policies

These policies are searchable

Check for deprecated APIs

Require specific labels on resources

Allowlist for image registries

Require attestations of security scans

Keyless image signatures using sigstore

How to introduce policies

Do not try a big bang

This will most likely break something

Things may seem fine at first

Policies are only enforced when resources are created or updated

Start small

Start with namespaced policies

Migrate to cluster-wide policies for well-tested settings

Continue with cluster-wide policies and exclusions
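The rollout described above, as an added example rather than material from the original slides: a namespaced Kyverno Policy in Audit mode that only reports Deployments missing a label, followed by the same rule promoted to a ClusterPolicy in Enforce mode with system namespaces excluded. The payments namespace and the team label are assumed values.

```yaml
# Step 1 (start small): a namespaced Policy in Audit mode.
# Violations are written to a PolicyReport; admission is not blocked.
apiVersion: kyverno.io/v1
kind: Policy
metadata:
  name: require-team-label
  namespace: payments            # assumed namespace for the pilot
spec:
  validationFailureAction: Audit
  background: true               # also scan resources that already exist
  rules:
    - name: check-team-label
      match:
        any:
          - resources:
              kinds: [Deployment, StatefulSet]
      validate:
        message: "The label 'team' is required."
        pattern:
          metadata:
            labels:
              team: "?*"         # any non-empty value
---
# Step 2 (well-tested setting): the same rule as a cluster-wide policy,
# now enforced, with exclusions so cluster components are not blocked.
apiVersion: kyverno.io/v1
kind: ClusterPolicy
metadata:
  name: require-team-label
spec:
  validationFailureAction: Enforce
  background: true
  rules:
    - name: check-team-label
      match:
        any:
          - resources:
              kinds: [Deployment, StatefulSet]
      exclude:
        any:
          - resources:
              namespaces: [kube-system, kyverno]
      validate:
        message: "The label 'team' is required."
        pattern:
          metadata:
            labels:
              team: "?*"
```

Because policies are only evaluated on create and update, the Audit stage with background scanning is what surfaces existing non-compliant resources before anything is blocked; review the generated PolicyReports in the pilot namespace before switching to Enforce.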