Files
awesome-kubernetes/v2-docs/securityascode.md

41 KiB
Raw Blame History

Security Policy as Code

!!! info "Architectural Context" Detailed reference for Security Policy as Code in the context of Hardened Infrastructure.

Architectural Foundations

Kubernetes Tools

General Reference

Cloud Native Security

Infrastructure Security

IaC Scanning

  • (2021) Apolicy [NONE CONTENT] [COMMUNITY-TOOL] — Apolicy (acquired by Sysdig) provides advanced policy-as-code governance designed for shifting cloud security left. Scans Infrastructure-as-Code (IaC) templates and automatically matches security rules to production deployment settings.

Mergers and Acquisitions

Runtime Analysis

  • (2024) Fugue: Container and Kubernetes. Runtime infrastructure security [NONE CONTENT] [COMMUNITY-TOOL] — Fugue (now integrated under Snyk Container security suite) delivers continuous compliance and automated infrastructure monitoring for AWS, Azure, and Google Cloud alongside Kubernetes runtime configurations, mapping live states to CIS Benchmarks and SOC 2 frameworks.

Policy-as-Code

Educational Video

  • (2021) youtube: The Rise of Kubernetes Policy Engine | Ep 57 [NONE CONTENT] [COMMUNITY-TOOL] — An informative panel discussion examining the rise of Kubernetes policy engines. Tracks the evolution from manual auditing workflows to declarative, automated gatekeeping systems using OPA Gatekeeper and Kyverno.

Governance

Kyverno

Kyverno Training

  • (2023) appsecengineer.com: Kubernetes Policy Management with Kyverno [YAML CONTENT] [ADVANCED LEVEL] [COMMUNITY-TOOL] [GUIDE] — An educational course focusing on Kyverno-driven Kubernetes policy engineering. Walks developers and SREs through writing advanced manifest mutation, generation, and validation policies with real-world scenarios.

OPA

OPA Wasm

  • (2025) ==compile OpenPolicyAgent policies into WebAssembly and run them on the edge== 348 [WEBASSEMBLY CONTENT] [ADVANCED LEVEL] 🌟🌟🌟🌟🌟 [DE FACTO STANDARD] — An open-source utility that compiles declarative Open Policy Agent (Rego) policies into high-performance WebAssembly (Wasm) modules. Designed for lightning-fast security and routing decisions at edge platforms like Cloudflare Workers and Envoy proxies.

Rego

Cloud-Native Platforms

Infrastructure-as-Code

Tagging and Auditing

  • (2026) ==yor.io== [GO CONTENT] 🌟🌟🌟🌟🌟 [DE FACTO STANDARD] — An open-source, extensible auto-tagging tool designed to dynamically trace infrastructure-as-code from code to cloud. It automatically adds ownership, lineage, and environment metadata tags during pull requests, allowing operations teams to seamlessly trace production resources back to their source repository.
  • (2021) thenewstack.io: Yor Automates Tagging for Infrastructure as Code [GO CONTENT] [COMMUNITY-TOOL] — Outlines the capabilities of Yor, an automated tagging engine designed to apply consistent metadata to IaC assets (Terraform, CloudFormation). Tracks resource ownership, drift, and git commit history through auto-injected tags, improving traceability and cloud financial operations (FinOps).

Kubernetes Reliability

High Availability

  • (2026) kyverno.io: Require PodDisruptionBudget [YAML CONTENT] [DOCUMENTATION] [COMMUNITY-TOOL] — A standardized Kyverno policy template ensuring that all mission-critical deployments are paired with active PodDisruptionBudgets (PDB). This governance rule guarantees cluster high-availability by guarding applications against node drain and cluster maintenance operations.

Kubernetes Security

EKS

  • (2021) dev.to: Using Kyverno To Enforce EKS Best Practices [YAML CONTENT] [COMMUNITY-TOOL] — Guided tutorial showing how platform engineers can utilize Kyverno to systematically lock down Amazon EKS clusters. Illustrates policy enforcement setups to enforce multi-tenant isolation, require standard resource limits, and disable host networking, using declarative Kubernetes manifests.

GitOps

  • (2021) thenewstack.io: Weaveworks Adds Policy as Code to Secure Kubernetes Apps' (Magalix) [GO CONTENT] [COMMUNITY-TOOL] — Reports on Weaveworks' acquisition and integration of Magalix to embed Policy-as-Code directly into GitOps pipelines. Details how declarative governance policies can be evaluated in continuous-delivery cycles prior to deployment, preventing misconfigured resources from ever entering a live cluster.

Governance (1)

  • (2022) dev.to: Using Kyverno Policies for Kubernetes Governance [YAML CONTENT] [COMMUNITY-TOOL] — Explains how organizations can use Kyverno to establish governance guardrails across shared development environments. Covers automating labels, validating ownership configurations, and managing resource consumption rules to ensure multi-tenant hygiene.

Kyverno (1)

  • (2026) kyverno.io: Mutating Resources [YAML CONTENT] [ADVANCED LEVEL] [DOCUMENTATION] [COMMUNITY-TOOL] — Official documentation detailing how Kyverno modifies incoming resource specifications dynamically using JSON patch operations. It covers mutating rules such as auto-injecting sidecar containers, adding node affinity constraints, and enforcing default labels on namespaces at creation time.
  • (2026) kyverno.io: Generating resources into existing namespaces [YAML CONTENT] [ADVANCED LEVEL] [DOCUMENTATION] [COMMUNITY-TOOL] — Official guide on retroactively generating Kubernetes objects, such as secrets or network rules, across pre-existing namespaces using Kyverno's dynamic policy synchronization engine. Eliminates manually syncing resources across namespaces created prior to policy deployment.
  • (2026) kyverno.io: Auto-Gen Rules for Pod Controllers [YAML CONTENT] [DOCUMENTATION] [COMMUNITY-TOOL] — Illustrates how Kyverno automatically propagates policies applied to raw Pod specs to downstream controllers (Deployments, DaemonSets, StatefulSets). Simplifies security operations by validating configurations at high-level workloads rather than only catching errors at low-level pod schedulers.
  • (2021) squadcast.com: Kyverno - Policy Management in Kubernetes 🌟 [YAML CONTENT] [COMMUNITY-TOOL] — Explores the design patterns of Kyverno as a Kubernetes-native policy engine that eliminates the need to learn specialized programming languages. Highlights how Kyverno manages resource validation, mutation, and generation using declarative YAML configurations designed to fit existing GitOps workflows.
  • (2020) neonmirrors.net: Exploring Kyverno: Part 3, Generation [YAML CONTENT] [ADVANCED LEVEL] [COMMUNITY-TOOL] — Deep-dive technical exploration into Kyverno's generation rules, demonstrating how the policy engine can automatically provision ancillary resources, like NetworkPolicies or ConfigMaps, whenever a new namespace is initialized. Optimizes cluster bootstrapping without custom operators.
  • (2020) neonmirrors.net: Exploring Kyverno: Introduction 🌟 [YAML CONTENT] [COMMUNITY-TOOL] — A foundational introductory article dissecting the architecture and operational benefits of adopting Kyverno. Contrasts it with custom-coded validating webhooks and details its direct design philosophy of aligning container policy administration with idiomatic Kubernetes constructs.

Kyverno Policies

  • (2026) kyverno.io: Add Pod Proxies [YAML CONTENT] [DOCUMENTATION] [COMMUNITY-TOOL] — Technical documentation demonstrating how to use Kyverno to dynamically inject HTTP/HTTPS proxy environment variables into Pod containers upon admission. Solves enterprise proxy configuration demands automatically without requiring manual pod-by-pod updates from development teams.
  • (2026) kyverno.io: Implementing your best practices is simple with kyverno [YAML CONTENT] [DOCUMENTATION] [COMMUNITY-TOOL] — Standard Kyverno policy design pattern focused on enforcing health probe settings (liveness, readiness, startup) across all deployed container payloads. This rule enforces Kubernetes operations best practices, safeguarding application lifecycle management and endpoint routing.

Kyverno Releases

  • (2021) nirmata.com: Introducing Kyverno 1.4.2: Trusted And More Efficient! [GO CONTENT] [COMMUNITY-TOOL] — Reviews release-specific improvements introduced in Kyverno v1.4.2, highlighting optimizations in validation speeds, improved caching models, and expanded schema support. Provides performance benchmarks of Kyverno when subjected to scale workloads across massive enterprise orchestrators.

Policy-as-Code (1)

  • (2022) ==k8s-security-policies== 177 [YAML CONTENT] 🌟🌟🌟🌟🌟 [DE FACTO STANDARD] [LEGACY] — A repository hosting robust and ready-to-use security configurations for Kubernetes clusters, heavily focused on replacing deprecated PodSecurityPolicies with Kyverno and OPA alternatives. It is a highly practical compliance baseline library for platform teams seeking rapid deployment of security controls.
  • (2021) amazon.com: Policy-based countermeasures for Kubernetes Part 1 [YAML CONTENT] [ADVANCED LEVEL] [COMMUNITY-TOOL] — Detailed architectural guide on implementing declarative guardrails in EKS clusters to reduce attack surfaces. Focuses on the synergy between Kubernetes admission controllers and modern policy engines, illustrating how to validate and mutate payloads to block insecure configuration drift.
  • (2021) aws.amazon.com: Policy-based countermeasures for Kubernetes Part 1 [YAML CONTENT] [ADVANCED LEVEL] [COMMUNITY-TOOL] — Spanish localized edition of AWS's architectural breakdown detailing policy-driven mitigations within Kubernetes runtime layers. Instructs platform engineers on configuring robust security guardrails using native Kubernetes controllers and cloud provider identity brokers to neutralize container vulnerabilities.
  • (2021) neonmirrors.net: Kubernetes Policy Comparison: OPA/Gatekeeper vs Kyverno' 🌟 [YAML CONTENT] [ADVANCED LEVEL] [COMMUNITY-TOOL] — A seminal technical comparison contrasting the architecture and design patterns of OPA Gatekeeper (relying on the domain-specific Rego language) against Kyverno (which uses native Kubernetes YAML). Helps engineers evaluate resource consumption, developer velocity, and cognitive overhead for both systems.
  • (2021) sesin.at: Securing Kubernetes with Kyverno: How to Protect Your Users From' Themselves by Ritesh Patel [YAML CONTENT] [COMMUNITY-TOOL] — Explores security policy implementation using Kyverno to proactively safeguard users against unsafe configuration actions. Discusses deployment of best-practice guardrails, preventing privilege escalation, insecure mount paths, and other critical risks without impeding agile deployment workflows.

Upgrade Paths

  • (2026) kyverno.io: Check deprecated APIs 🌟 [YAML CONTENT] [DOCUMENTATION] [LEGACY] — Outlines a pre-configured Kyverno policy targeted at scanning incoming manifests to detect and block deprecated or removed Kubernetes API groups. Indispensable for preventing cluster upgrade blockages, validating manifests before execution on newer API-driven orchestrators.

Kubernetes Storage

Policy-as-Code (2)

  • (2021) dev.to: Default Kyverno Policies for OpenEBS [YAML CONTENT] [COMMUNITY-TOOL] — Walks through establishing Kyverno policies optimized for workloads using OpenEBS as their persistent storage driver. Demonstrates how to automatically enforce volume attachment limits, dynamic volume provisioning policies, and validate container mount points for improved system stability.

Multi-Cloud Governance

Compliance Engine

  • (2026) ==Cloud Custodian== 6007 [PYTHON CONTENT] [ADVANCED LEVEL] 🌟🌟🌟🌟🌟 [DE FACTO STANDARD] — A robust, YAML-configured rules engine used by enterprise platform engineers to manage multi-cloud compliance, cost control, and security posture across AWS, Azure, and GCP. Automates cost-saving resource deletions, tag compliance, and real-time security remediation.

Multi-Cluster Management

Policy-as-Code (3)

  • (2021) kubermatic.com: Using Open Policy Agent With Kubermatic Kubernetes Platform [GO CONTENT] [ADVANCED LEVEL] [COMMUNITY-TOOL] — Examines the implementation of OPA Gatekeeper within Kubermatic Kubernetes Platform (KKP) for programmatic multi-cluster fleet management. Illustrates how operators can centrally define, distribute, and enforce admission controller policies across dozens of hybrid and multi-cloud Kubernetes deployments.

Security and Compliance

Cloud Security

Developer Tooling

  • (2021) ==PolicyHub CLI, a CLI tool that makes Rego policies searchable 🌟== [GO CONTENT] 🌟🌟🌟🌟🌟 [DE FACTO STANDARD] — A lightweight command-line utility engineered to improve discoverability and usability of Rego-based policies. This tool parses and indexes shared policy repositories, enabling infrastructure and platform engineers to search, validate, and integrate standard compliance policies directly from local environments.

IaC Security

  • (2026) ==checkov.io== [PYTHON CONTENT] 🌟🌟🌟🌟🌟 [DE FACTO STANDARD] — A leading static code analysis utility designed to scan Infrastructure-as-Code configurations (Terraform, Kubernetes, CloudFormation, Helm, Dockerfile) for security misconfigurations. Features out-of-the-box policy libraries that enforce industry standards like CIS Benchmarks, SOC2, and HIPAA prior to deployment.

Policy Library

Policy-as-Code (4)

  • (2026) ==OPA Open Policy Agent 🌟== [GO CONTENT] [ADVANCED LEVEL] 🌟🌟🌟🌟🌟 [DE FACTO STANDARD] — General-purpose policy engine designed to unify and enforce fine-grained authorization across microservices, Kubernetes, CI/CD, and API gateways. Uses the declarative query language Rego to decouple policy decisions from execution, serving as a critical cornerstone in modern Zero-Trust architectures.
  • (2022) blog.gitguardian.com: What is Policy-as-Code? An Introduction to Open Policy' Agent [REGO CONTENT] [COMMUNITY-TOOL] — Comprehensive introduction to Open Policy Agent (OPA) and its application of declarative, domain-agnostic policy enforcement using the Rego language. Evaluates the architectural shift of separating policy logic from application code, making security policies testable and auditable in Git repos.
  • (2022) dev.to: Load external data into OPA: The Good, The Bad, and The Ugly [REGO CONTENT] [ADVANCED LEVEL] [COMMUNITY-TOOL] — Analyses the complex architectural patterns required for injecting dynamic runtime datasets into Open Policy Agent (OPA). Evaluates caching strategies, JWT validation, HTTP pull-push mechanisms, and their relative trade-offs regarding latency, scalability, and network failure tolerance inside authorization pathways.
  • (2021) thenewstack.io: Getting Open Policy Agent Up and Running [REGO CONTENT] [COMMUNITY-TOOL] — A pragmatic guide detailing bootstrap procedures for deploying Open Policy Agent (OPA) inside production systems. Guides the reader through daemon configuration, loading external data contexts, and integrating policy enforcement into Kubernetes via the Gatekeeper admission controller framework.

Security Reporting

Observability

  • (2026) ==Policy Reporter 🌟== 371 [GO CONTENT] 🌟🌟🌟🌟🌟 [DE FACTO STANDARD] — A CNCF-recognized dashboard and reporter engineered to capture, aggregate, and visualize policy violations (like Kyverno or OPA findings) inside Kubernetes clusters. Converts abstract policy status reports into accessible web UI tables and distributes real-time alerts to Slack or Grafana.

Supply Chain Security

Container Governance

  • (2026) kyverno.io: Restrict Image Registries [YAML CONTENT] [DOCUMENTATION] [COMMUNITY-TOOL] — Official documentation outlining how to write Kyverno policies to block deployment of images from unapproved registries. Enforces a key tenant of secure container delivery by ensuring workloads only pull code from trusted, internally-vetted registry endpoints.

Container Verifying

  • (2021) nirmata.com: Kubernetes Supply Chain Policy Management with Cosign and Kyverno [GO CONTENT] [ADVANCED LEVEL] [COMMUNITY-TOOL] — Practical guide demonstrating how Nirmata utilizes Sigstore Cosign paired with Kyverno to authenticate digital signatures on incoming container images. Establishes programmatic cryptographic validation inside admission paths, preventing unverified or tampered binaries from launching in production environments.

Cryptographic Signatures

Public Cloud

Azure Integration

Cloud Governance

  • (2026) Azure Policy [ADVANCED LEVEL] [DOCUMENTATION] 🌟🌟🌟🌟 [ENTERPRISE-STABLE] — Specialized gateway and reference documentation for enforcing structural compliance, resource auditing, and governance across Azure resource environments. Explains custom definition policies, policy initiatives, and automated remediation workflows. Critical reference for maintaining operational guardrails in enterprise cloud architectures.

Security

Policy Enforcement

Admission Control

  • (2022) MagTape 152 [JAVASCRIPT CONTENT] 🌟🌟 [LEGACY] — An admission controller developed by T-Mobile that evaluates resources against organizational policy constraints during creation. Written in Node.js, it offered a lightweight alternative to OPA for specific JSON schema validations. By 2026, it has been largely archived, with developers migrating to Gatekeeper or Kyverno.

💡 Explore Related: IaC | Terraform | Oauth