mirror of
https://github.com/nubenetes/awesome-kubernetes.git
synced 2026-07-13 18:30:44 +00:00
20 KiB
20 KiB
Security Policy as Code
!!! info "Architectural Context" Detailed reference for Security Policy as Code in the context of Hardened Infrastructure.
Standard Reference
- Docker Hardened Images for Every Developer [COMMUNITY-TOOL]
- IBM Vault 2.0 UI Enhancements and Reporting Improvements [COMMUNITY-TOOL]
- Web-Check [COMMUNITY-TOOL]
- IBM IAM for AI Agents [COMMUNITY-TOOL]
- amazon.com: Policy-based countermeasures for Kubernetes – Part 1 [COMMUNITY-TOOL]
- medium: Automate policies enforcement with Policy-as-Code 🌟 [COMMUNITY-TOOL]
- blog.gitguardian.com: What is Policy-as-Code? An Introduction to Open Policy' Agent [COMMUNITY-TOOL]
- OPA Open Policy Agent 🌟 [COMMUNITY-TOOL]
- magalix.com: Integrating Open Policy Agent (OPA) With Kubernetes 🌟 [COMMUNITY-TOOL]
- PolicyHub CLI, a CLI tool that makes Rego policies searchable 🌟 [COMMUNITY-TOOL]
- blog.styra.com: Integrating Identity: OAUTH2 and OPENID CONNECT in Open' Policy Agent [COMMUNITY-TOOL]
- blog.styra.com: Rego Unit Testing [COMMUNITY-TOOL]
- github.com/instrumenta/policies: A set of shared policies for use with Conftest' and other Open Policy Agent tools ⭐ 66 [COMMUNITY-TOOL]
- blog.styra.com: Dynamic Policy Composition for OPA [COMMUNITY-TOOL]
- blog.styra.com: 5 OPA Deployment Performance Models for Microservices [COMMUNITY-TOOL]
- blog.styra.com: Open Policy Agent: The Top 5 Kubernetes Admission Control' Policies [COMMUNITY-TOOL]
- thenewstack.io: Getting Open Policy Agent Up and Running [COMMUNITY-TOOL]
- siegert-maximilian.medium.com: Ensure Content Trust on Kubernetes using' Notary and Open Policy Agent [COMMUNITY-TOOL]
- blog.styra.com: Policy-based infrastructure guardrails with Terraform and' OPA 🌟 [COMMUNITY-TOOL]
- medium: Automated Manifest File Validation Using Open Policy Agent and GitHub' Actions | Ravindu Sandeepa Rathugama [COMMUNITY-TOOL]
- thenewstack.io: Weaveworks Adds Policy as Code to Secure Kubernetes Apps' (Magalix) [COMMUNITY-TOOL]
- dev.to: Load external data into OPA: The Good, The Bad, and The Ugly [COMMUNITY-TOOL]
- inspektor.cloud: Evaluating open policy agent in rust using wasm [COMMUNITY-TOOL]
- medium.com/4th-coffee: What is Policy-as-Code? An Introduction to Open Policy' Agent [COMMUNITY-TOOL]
- banzaicloud.com: Istio and Kubernetes ft. OPA policies [COMMUNITY-TOOL]
- medium: Ensure Content Trust on Kubernetes using Notary and Open Policy' Agent [COMMUNITY-TOOL]
- kubermatic.com: Using Open Policy Agent With Kubermatic Kubernetes Platform [COMMUNITY-TOOL]
- k8s-security-policies ⭐ 177 [COMMUNITY-TOOL]
- medium: Deploying Open Policy Agent (OPA) on a GKE cluster — Step by Step [COMMUNITY-TOOL]
- blog.styra.com: Using OPA with GitOps to speed Cloud-Native development [COMMUNITY-TOOL]
- medium.com/gitguardian: What is Policy-as-Code? An Introduction to Open' Policy Agent [COMMUNITY-TOOL]
- hashicorp.com: Securing Infrastructure In Application Pipelines [COMMUNITY-TOOL]
- thenewstack.io: Yor Automates Tagging for Infrastructure as Code [COMMUNITY-TOOL]
- yor.io [COMMUNITY-TOOL]
- checkov.io [COMMUNITY-TOOL]
- aws.amazon.com: Policy-based countermeasures for Kubernetes – Part 1 [COMMUNITY-TOOL]
- MagTape ⭐ 152 [COMMUNITY-TOOL]
- Selefra: Selefra is an open-source policy-as-code software that provides' analytics for multi-cloud and SaaS. ⭐ 545 [COMMUNITY-TOOL]
- venturebeat.com: How Nirmata plans to ‘conquer Kubernetes complexity’ with' open source Kyverno [COMMUNITY-TOOL]
- neonmirrors.net: Kubernetes Policy Comparison: OPA/Gatekeeper vs Kyverno' 🌟 [COMMUNITY-TOOL]
- dev.to: Using Kyverno To Enforce EKS Best Practices [COMMUNITY-TOOL]
- kyverno.io: Mutating Resources [COMMUNITY-TOOL]
- squadcast.com: Kyverno - Policy Management in Kubernetes 🌟 [COMMUNITY-TOOL]
- neonmirrors.net: Exploring Kyverno: Part 3, Generation [COMMUNITY-TOOL]
- kyverno.io: Check deprecated APIs 🌟 [COMMUNITY-TOOL]
- kyverno.io: Generating resources into existing namespaces [COMMUNITY-TOOL]
- kyverno.io: Add Pod Proxies [COMMUNITY-TOOL]
- kyverno.io: Auto-Gen Rules for Pod Controllers [COMMUNITY-TOOL]
- kyverno.io: Require PodDisruptionBudget [COMMUNITY-TOOL]
- nirmata.com: Kubernetes Supply Chain Policy Management with Cosign and Kyverno [COMMUNITY-TOOL]
- neonmirrors.net: Exploring Kyverno: Introduction 🌟 [COMMUNITY-TOOL]
- nirmata.com: Introducing Kyverno 1.4.2: Trusted And More Efficient! [COMMUNITY-TOOL]
- Policy Reporter 🌟 ⭐ 371 [COMMUNITY-TOOL]
- sesin.at: Securing Kubernetes with Kyverno: How to Protect Your Users From' Themselves by Ritesh Patel [COMMUNITY-TOOL]
- movi.hashnode.dev: Simplify Kubernetes Cluster Management with Kyverno [COMMUNITY-TOOL]
- arun-sisodiya.medium.com: Kyverno — A Kubernetes native policy manager (Policy' as Code) [COMMUNITY-TOOL]
- dev.to: Default Kyverno Policies for OpenEBS [COMMUNITY-TOOL]
- kyverno.io: Restrict Image Registries [COMMUNITY-TOOL]
- dev.to: Using Kyverno Policies for Kubernetes Governance [COMMUNITY-TOOL]
- kyverno.io: Implementing your best practices is simple with kyverno [COMMUNITY-TOOL]
- medium.com/compass-true-north: Governing Multi-Tenant Kubernetes Clusters' with Kyverno [COMMUNITY-TOOL]
- medium.com/@haseebshaukat2: Kyverno — Policy Engine for Kubernetes | Muhammad' Haseeb Shaukat [COMMUNITY-TOOL]
- blog.sigstore.dev: How to verify container images with Kyverno using KMS,' Cosign, and Workload Identity [COMMUNITY-TOOL]
- medium.com/@glen.yu: Why I prefer Kyverno over Gatekeeper for native Kubernetes' policy management [COMMUNITY-TOOL]
- Cloud Custodian ⭐ 6007 [ENTERPRISE-STABLE]
Cloud Native Security
Infrastructure Security
IaC Scanning
- (2021) Apolicy [NONE CONTENT] [COMMUNITY-TOOL] — Apolicy (acquired by Sysdig) provides advanced policy-as-code governance designed for shifting cloud security left. Scans Infrastructure-as-Code (IaC) templates and automatically matches security rules to production deployment settings.
Mergers and Acquisitions
- (2021) sysdig.com: Sysdig and Apolicy join forces to help customers secure Infrastructure As Code and automate remediation [NONE CONTENT] [COMMUNITY-TOOL] — An industry announcement detailing Sysdig's acquisition of Apolicy. Highlights the integration of IaC security analysis with runtime monitoring to establish unified, end-to-end security loops from Git commits to production containers.
Runtime Analysis
- (2024) Fugue: Container and Kubernetes. Runtime infrastructure security [NONE CONTENT] [COMMUNITY-TOOL] — Fugue (now integrated under Snyk Container security suite) delivers continuous compliance and automated infrastructure monitoring for AWS, Azure, and Google Cloud alongside Kubernetes runtime configurations, mapping live states to CIS Benchmarks and SOC 2 frameworks.
Policy-as-Code
Educational Video
- (2021) youtube: The Rise of Kubernetes Policy Engine | Ep 57 [NONE CONTENT] [COMMUNITY-TOOL] — An informative panel discussion examining the rise of Kubernetes policy engines. Tracks the evolution from manual auditing workflows to declarative, automated gatekeeping systems using OPA Gatekeeper and Kyverno.
Governance
- (2021) searchitoperations.techtarget.com: CNCF policy-as-code project bridges Kubernetes security gaps [NONE CONTENT] [COMMUNITY-TOOL] — An industry report outlining CNCF policy-as-code initiatives designed to patch security deficiencies within container orchestration. Compares the operational paradigms of Rego-based OPA and YAML-native Kyverno for policy-driven environments.
Kyverno
- (2021) cloud.redhat.com: Automate Your Security Practices and Policies on OpenShift With Kyverno 🌟 [YAML CONTENT] [COMMUNITY-TOOL] — Illustrates automated security practice implementation inside OpenShift clusters utilizing Kyverno. Explores Kyverno's YAML-native approach, highlighting how platform engineers write policies using standard Kubernetes resource models without learning new programming languages.
Kyverno Training
- (2023) appsecengineer.com: Kubernetes Policy Management with Kyverno [YAML CONTENT] [ADVANCED LEVEL] [COMMUNITY-TOOL] [GUIDE] — An educational course focusing on Kyverno-driven Kubernetes policy engineering. Walks developers and SREs through writing advanced manifest mutation, generation, and validation policies with real-world scenarios.
OPA
- (2020) searchitoperations.techtarget.com: Kubernetes policy project takes enterprise IT by storm [REGO CONTENT] [COMMUNITY-TOOL] — Highlights the massive industry shift toward Open Policy Agent (OPA) for centralized, policy-as-code enforcement. Emphasizes OPA's ability to unify policy layers across different tools like Kubernetes admission controllers, API gateways, and CI/CD pipelines.
- (2020) blog.openshift.com: Fine-Grained Policy Enforcement in OpenShift with Open Policy Agent 🌟 [REGO CONTENT] [ADVANCED LEVEL] [COMMUNITY-TOOL] — A deep-dive technical article by Red Hat showcasing fine-grained policy enforcement in OpenShift using Open Policy Agent. Details how to intercept Kubernetes API requests via admission controllers to block non-compliant resource deployments programmatically.
OPA Wasm
- (2025) ==compile OpenPolicyAgent policies into WebAssembly and run them on the edge== ⭐ 348 [WEBASSEMBLY CONTENT] [ADVANCED LEVEL] 🌟🌟🌟🌟🌟 [DE FACTO STANDARD] — An open-source utility that compiles declarative Open Policy Agent (Rego) policies into high-performance WebAssembly (Wasm) modules. Designed for lightning-fast security and routing decisions at edge platforms like Cloudflare Workers and Envoy proxies.
Rego
- (2021) fugue.co: 5 tips for using the Rego language for Open Policy Agent (OPA) [REGO CONTENT] [ADVANCED LEVEL] [COMMUNITY-TOOL] — An additional collection of advanced Rego development practices, focusing on unit-testing frameworks, mock injections, and playground emulator tools to ensure policy robustness and security governance.