Kubernetes-native policy management
Policies are managed as Kubernetes resources
No coding required
Cluster-wide or namespaced policies
Kyverno manages community policies
These policies are searchable
Require specific labels on resources
Allowlist for image registries
Require attestations of security scans
Keyless image signatures using sigstore
Enabling enforcement will most likely break something
Things may seem fine at first
Policies are enforced at admission, i.e. only when a resource is created or updated, so existing workloads are not affected until they change
Start with namespaced policies
Migrate to cluster-wide policies for well-tested settings
Continue with cluster-wide policies and exclusions
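As an added illustration (not taken from the original slides or the Kyverno project), the rollout above as two Kyverno manifests: a namespaced Policy in Audit mode that requires a label, followed by a ClusterPolicy in Enforce mode that allowlists an image registry and excludes kube-system. The namespace team-a and the registry registry.example.com are placeholders.

```yaml
# Stage 1: namespaced Policy, Audit mode. Violations are only reported,
# so nothing breaks while the rule is tuned. "team-a" is a placeholder.
apiVersion: kyverno.io/v1
kind: Policy
metadata:
  name: baseline-checks
  namespace: team-a
spec:
  validationFailureAction: Audit   # switch to Enforce once reports are clean
  background: true                 # also report on resources that already exist
  rules:
    - name: require-app-name-label
      match:
        any:
          - resources:
              kinds: [Deployment, StatefulSet]
      validate:
        message: "The label app.kubernetes.io/name is required."
        pattern:
          metadata:
            labels:
              app.kubernetes.io/name: "?*"   # any non-empty value
---
# Stage 2: the well-tested registry rule promoted to a ClusterPolicy in
# Enforce mode, with an exclusion for the kube-system namespace.
apiVersion: kyverno.io/v1
kind: ClusterPolicy
metadata:
  name: allowed-registries-only
spec:
  validationFailureAction: Enforce   # admission requests that fail are rejected
  rules:
    - name: allowed-registries-only
      match:
        any:
          - resources:
              kinds: [Pod]
      exclude:
        any:
          - resources:
              namespaces: [kube-system]   # system workloads are out of scope
      validate:
        message: "Images must be pulled from registry.example.com."
        pattern:
          spec:
            containers:
              # every container image must match this wildcard pattern
              - image: "registry.example.com/*"
```

Apply the stage 1 manifest first and review the generated PolicyReports before moving to stage 2.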