mirror of
https://github.com/nubenetes/awesome-kubernetes.git
synced 2026-07-14 19:05:53 +00:00
32 KiB
32 KiB
description
| description |
|---|
| Top Securityascode resources for 2026, AI-ranked: OPA Open Policy Agent, Policy Reporter and more — curated Cloud Native tools, guides and references. |
Security Policy as Code
!!! tip "Nubenetes V2 Elite Portal" You are browsing the AI-Curated V2 Elite Edition. Looking for the exhaustive list of references? Check out the V1 Historical Archive.
!!! info "Architectural Context" Detailed reference for Security Policy as Code in the context of Hardened Infrastructure.
Architectural Foundations
Kubernetes Tools
General Reference
- Docker Hardened Images for Every Developer [COMMUNITY-TOOL] — A curated technical resource and architectural guide covering Docker Hardened Images for Every Developer in the Kubernetes Tools ecosystem.
Cloud Infrastructure
Azure Networking
Security
- (2025) Azure Network Security Perimeter Concepts [N/A CONTENT] [ADVANCED LEVEL] [DOCUMENTATION] [COMMUNITY-TOOL] — An official conceptual reference for Azure Network Security Perimeters (NSP). This architecture allows enterprises to group PaaS resources—such as Azure Key Vault and Storage—and enforce access boundaries based on network identity, preventing data exfiltration and streamlining complex subnet-based network isolation policies.
Cloud Native Security
Infrastructure Security
IaC Scanning
- (2021) Apolicy [NONE CONTENT] [COMMUNITY-TOOL] — Apolicy (acquired by Sysdig) provides advanced policy-as-code governance designed for shifting cloud security left. Scans Infrastructure-as-Code (IaC) templates and automatically matches security rules to production deployment settings.
Mergers and Acquisitions
- (2021) sysdig.com: Sysdig and Apolicy join forces to help customers secure Infrastructure As Code and automate remediation [NONE CONTENT] [COMMUNITY-TOOL] — An industry announcement detailing Sysdig's acquisition of Apolicy. Highlights the integration of IaC security analysis with runtime monitoring to establish unified, end-to-end security loops from Git commits to production containers.
Runtime Analysis
- (2024) Fugue: Container and Kubernetes. Runtime infrastructure security [NONE CONTENT] [COMMUNITY-TOOL] — Fugue (now integrated under Snyk Container security suite) delivers continuous compliance and automated infrastructure monitoring for AWS, Azure, and Google Cloud alongside Kubernetes runtime configurations, mapping live states to CIS Benchmarks and SOC 2 frameworks.
Policy-as-code
Educational Video
- (2021) youtube: The Rise of Kubernetes Policy Engine | Ep 57 [NONE CONTENT] [COMMUNITY-TOOL] — An informative panel discussion examining the rise of Kubernetes policy engines. Tracks the evolution from manual auditing workflows to declarative, automated gatekeeping systems using OPA Gatekeeper and Kyverno.
Governance
- (2021) searchitoperations.techtarget.com: CNCF policy-as-code project bridges Kubernetes security gaps [NONE CONTENT] [COMMUNITY-TOOL] — An industry report outlining CNCF policy-as-code initiatives designed to patch security deficiencies within container orchestration. Compares the operational paradigms of Rego-based OPA and YAML-native Kyverno for policy-driven environments.
Kyverno
- (2021) cloud.redhat.com: Automate Your Security Practices and Policies on OpenShift With Kyverno 🌟 [YAML CONTENT] [COMMUNITY-TOOL] — Illustrates automated security practice implementation inside OpenShift clusters utilizing Kyverno. Explores Kyverno's YAML-native approach, highlighting how platform engineers write policies using standard Kubernetes resource models without learning new programming languages.
Kyverno Training
- (2023) appsecengineer.com: Kubernetes Policy Management with Kyverno [YAML CONTENT] [ADVANCED LEVEL] [COMMUNITY-TOOL] [GUIDE] — An educational course focusing on Kyverno-driven Kubernetes policy engineering. Walks developers and SREs through writing advanced manifest mutation, generation, and validation policies with real-world scenarios.
OPA
- (2020) searchitoperations.techtarget.com: Kubernetes policy project takes enterprise IT by storm [REGO CONTENT] [COMMUNITY-TOOL] — Highlights the massive industry shift toward Open Policy Agent (OPA) for centralized, policy-as-code enforcement. Emphasizes OPA's ability to unify policy layers across different tools like Kubernetes admission controllers, API gateways, and CI/CD pipelines.
- (2020) blog.openshift.com: Fine-Grained Policy Enforcement in OpenShift with Open Policy Agent 🌟 [REGO CONTENT] [ADVANCED LEVEL] [COMMUNITY-TOOL] — A deep-dive technical article by Red Hat showcasing fine-grained policy enforcement in OpenShift using Open Policy Agent. Details how to intercept Kubernetes API requests via admission controllers to block non-compliant resource deployments programmatically.
OPA Wasm
- (2025) ==compile OpenPolicyAgent policies into WebAssembly and run them on the edge== ⭐ 348 [WEBASSEMBLY CONTENT] [ADVANCED LEVEL] 🌟🌟🌟🌟🌟 [DE FACTO STANDARD] — An open-source utility that compiles declarative Open Policy Agent (Rego) policies into high-performance WebAssembly (Wasm) modules. Designed for lightning-fast security and routing decisions at edge platforms like Cloudflare Workers and Envoy proxies.
Rego
- (2021) fugue.co: 5 tips for using the Rego language for Open Policy Agent (OPA) [REGO CONTENT] [ADVANCED LEVEL] [COMMUNITY-TOOL] — An additional collection of advanced Rego development practices, focusing on unit-testing frameworks, mock injections, and playground emulator tools to ensure policy robustness and security governance.
Cloud-native Platforms
Infrastructure-as-code
Tagging and Auditing
- (2026) ==yor.io== [GO CONTENT] 🌟🌟🌟🌟🌟 [DE FACTO STANDARD] — An open-source, extensible auto-tagging tool designed to dynamically trace infrastructure-as-code from code to cloud. It automatically adds ownership, lineage, and environment metadata tags during pull requests, allowing operations teams to seamlessly trace production resources back to their source repository.
- (2021) thenewstack.io: Yor Automates Tagging for Infrastructure as Code [GO CONTENT] [COMMUNITY-TOOL] — Outlines the capabilities of Yor, an automated tagging engine designed to apply consistent metadata to IaC assets (Terraform, CloudFormation). Tracks resource ownership, drift, and git commit history through auto-injected tags, improving traceability and cloud financial operations (FinOps).
Kubernetes Security
EKS
- (2021) dev.to: Using Kyverno To Enforce EKS Best Practices [YAML CONTENT] [COMMUNITY-TOOL] — Guided tutorial showing how platform engineers can utilize Kyverno to systematically lock down Amazon EKS clusters. Illustrates policy enforcement setups to enforce multi-tenant isolation, require standard resource limits, and disable host networking, using declarative Kubernetes manifests.
Gitops
- (2021) thenewstack.io: Weaveworks Adds Policy as Code to Secure Kubernetes Apps' (Magalix) [GO CONTENT] [COMMUNITY-TOOL] — Reports on Weaveworks' acquisition and integration of Magalix to embed Policy-as-Code directly into GitOps pipelines. Details how declarative governance policies can be evaluated in continuous-delivery cycles prior to deployment, preventing misconfigured resources from ever entering a live cluster.
Governance (1)
- (2022) dev.to: Using Kyverno Policies for Kubernetes Governance [YAML CONTENT] [COMMUNITY-TOOL] — Explains how organizations can use Kyverno to establish governance guardrails across shared development environments. Covers automating labels, validating ownership configurations, and managing resource consumption rules to ensure multi-tenant hygiene.
Kyverno (1)
- (2026) kyverno.io: Auto-Gen Rules for Pod Controllers [YAML CONTENT] [DOCUMENTATION] [COMMUNITY-TOOL] — Illustrates how Kyverno automatically propagates policies applied to raw Pod specs to downstream controllers (Deployments, DaemonSets, StatefulSets). Simplifies security operations by validating configurations at high-level workloads rather than only catching errors at low-level pod schedulers.
- (2020) neonmirrors.net: Exploring Kyverno: Part 3, Generation [YAML CONTENT] [ADVANCED LEVEL] [COMMUNITY-TOOL] — Deep-dive technical exploration into Kyverno's generation rules, demonstrating how the policy engine can automatically provision ancillary resources, like NetworkPolicies or ConfigMaps, whenever a new namespace is initialized. Optimizes cluster bootstrapping without custom operators.
- (2020) neonmirrors.net: Exploring Kyverno: Introduction 🌟 [YAML CONTENT] [COMMUNITY-TOOL] — A foundational introductory article dissecting the architecture and operational benefits of adopting Kyverno. Contrasts it with custom-coded validating webhooks and details its direct design philosophy of aligning container policy administration with idiomatic Kubernetes constructs.
Kyverno Releases
- (2021) nirmata.com: Introducing Kyverno 1.4.2: Trusted And More Efficient! [GO CONTENT] [COMMUNITY-TOOL] — Reviews release-specific improvements introduced in Kyverno v1.4.2, highlighting optimizations in validation speeds, improved caching models, and expanded schema support. Provides performance benchmarks of Kyverno when subjected to scale workloads across massive enterprise orchestrators.
Policy-as-code (1)
- (2022) ==k8s-security-policies== ⭐ 177 [YAML CONTENT] 🌟🌟🌟🌟🌟 [DE FACTO STANDARD] [LEGACY] — A repository hosting robust and ready-to-use security configurations for Kubernetes clusters, heavily focused on replacing deprecated PodSecurityPolicies with Kyverno and OPA alternatives. It is a highly practical compliance baseline library for platform teams seeking rapid deployment of security controls.
- (2021) amazon.com: Policy-based countermeasures for Kubernetes – Part 1 [YAML CONTENT] [ADVANCED LEVEL] [COMMUNITY-TOOL] — Detailed architectural guide on implementing declarative guardrails in EKS clusters to reduce attack surfaces. Focuses on the synergy between Kubernetes admission controllers and modern policy engines, illustrating how to validate and mutate payloads to block insecure configuration drift.
- (2021) neonmirrors.net: Kubernetes Policy Comparison: OPA/Gatekeeper vs Kyverno' 🌟 [YAML CONTENT] [ADVANCED LEVEL] [COMMUNITY-TOOL] — A seminal technical comparison contrasting the architecture and design patterns of OPA Gatekeeper (relying on the domain-specific Rego language) against Kyverno (which uses native Kubernetes YAML). Helps engineers evaluate resource consumption, developer velocity, and cognitive overhead for both systems.
- (2021) sesin.at: Securing Kubernetes with Kyverno: How to Protect Your Users From' Themselves by Ritesh Patel [YAML CONTENT] [COMMUNITY-TOOL] — Explores security policy implementation using Kyverno to proactively safeguard users against unsafe configuration actions. Discusses deployment of best-practice guardrails, preventing privilege escalation, insecure mount paths, and other critical risks without impeding agile deployment workflows.
Kubernetes Storage
Policy-as-code (2)
- (2021) dev.to: Default Kyverno Policies for OpenEBS [YAML CONTENT] [COMMUNITY-TOOL] — Walks through establishing Kyverno policies optimized for workloads using OpenEBS as their persistent storage driver. Demonstrates how to automatically enforce volume attachment limits, dynamic volume provisioning policies, and validate container mount points for improved system stability.
Multi-cloud Governance
Compliance Engine
- (2026) ==Cloud Custodian== ⭐ 6007 [PYTHON CONTENT] [ADVANCED LEVEL] 🌟🌟🌟🌟🌟 [DE FACTO STANDARD] — A robust, YAML-configured rules engine used by enterprise platform engineers to manage multi-cloud compliance, cost control, and security posture across AWS, Azure, and GCP. Automates cost-saving resource deletions, tag compliance, and real-time security remediation.
Multi-cluster Management
Policy-as-code (3)
- (2021) kubermatic.com: Using Open Policy Agent With Kubermatic Kubernetes Platform [GO CONTENT] [ADVANCED LEVEL] [COMMUNITY-TOOL] — Examines the implementation of OPA Gatekeeper within Kubermatic Kubernetes Platform (KKP) for programmatic multi-cluster fleet management. Illustrates how operators can centrally define, distribute, and enforce admission controller policies across dozens of hybrid and multi-cloud Kubernetes deployments.
Security and Compliance
Cloud Security
- (2026) ==Selefra: Selefra is an open-source policy-as-code software that provides' analytics for multi-cloud and SaaS.== ⭐ 545 [GO CONTENT] [ADVANCED LEVEL] 🌟🌟🌟🌟🌟 [DE FACTO STANDARD] — An open-source policy-as-code platform engineered to analyze multi-cloud and SaaS configurations using SQL-based query patterns. This tool enables developers to scan cloud resources for compliance defects, security gaps, and operational overhead with rapid execution and modular plugins.
Developer Tooling
- (2021) ==PolicyHub CLI, a CLI tool that makes Rego policies searchable 🌟== [GO CONTENT] 🌟🌟🌟🌟🌟 [DE FACTO STANDARD] — A lightweight command-line utility engineered to improve discoverability and usability of Rego-based policies. This tool parses and indexes shared policy repositories, enabling infrastructure and platform engineers to search, validate, and integrate standard compliance policies directly from local environments.
IaC Security
- (2026) ==checkov.io== [PYTHON CONTENT] 🌟🌟🌟🌟🌟 [DE FACTO STANDARD] — A leading static code analysis utility designed to scan Infrastructure-as-Code configurations (Terraform, Kubernetes, CloudFormation, Helm, Dockerfile) for security misconfigurations. Features out-of-the-box policy libraries that enforce industry standards like CIS Benchmarks, SOC2, and HIPAA prior to deployment.
Policy Library
- (2021) ==github.com/instrumenta/policies: A set of shared policies for use with Conftest' and other Open Policy Agent tools== ⭐ 66 [REGO CONTENT] 🌟🌟🌟🌟🌟 [DE FACTO STANDARD] — A structured directory of modular policy files for linting infrastructure-as-code deployments (Terraform, Kubernetes YAML, Helm charts). Designed to enforce standards like non-root container runs, memory limit boundaries, and forbidden network ingress setups early in CI/CD cycles.
Policy-as-code (4)
- (2026) ==OPA Open Policy Agent 🌟== [GO CONTENT] [ADVANCED LEVEL] 🌟🌟🌟🌟🌟 [DE FACTO STANDARD] — General-purpose policy engine designed to unify and enforce fine-grained authorization across microservices, Kubernetes, CI/CD, and API gateways. Uses the declarative query language Rego to decouple policy decisions from execution, serving as a critical cornerstone in modern Zero-Trust architectures.
- (2022) blog.gitguardian.com: What is Policy-as-Code? An Introduction to Open Policy' Agent [REGO CONTENT] [COMMUNITY-TOOL] — Comprehensive introduction to Open Policy Agent (OPA) and its application of declarative, domain-agnostic policy enforcement using the Rego language. Evaluates the architectural shift of separating policy logic from application code, making security policies testable and auditable in Git repos.
- (2022) dev.to: Load external data into OPA: The Good, The Bad, and The Ugly [REGO CONTENT] [ADVANCED LEVEL] [COMMUNITY-TOOL] — Analyses the complex architectural patterns required for injecting dynamic runtime datasets into Open Policy Agent (OPA). Evaluates caching strategies, JWT validation, HTTP pull-push mechanisms, and their relative trade-offs regarding latency, scalability, and network failure tolerance inside authorization pathways.
- (2021) thenewstack.io: Getting Open Policy Agent Up and Running [REGO CONTENT] [COMMUNITY-TOOL] — A pragmatic guide detailing bootstrap procedures for deploying Open Policy Agent (OPA) inside production systems. Guides the reader through daemon configuration, loading external data contexts, and integrating policy enforcement into Kubernetes via the Gatekeeper admission controller framework.
Security Reporting
Observability
- (2026) ==Policy Reporter 🌟== ⭐ 371 [GO CONTENT] 🌟🌟🌟🌟🌟 [DE FACTO STANDARD] — A CNCF-recognized dashboard and reporter engineered to capture, aggregate, and visualize policy violations (like Kyverno or OPA findings) inside Kubernetes clusters. Converts abstract policy status reports into accessible web UI tables and distributes real-time alerts to Slack or Grafana.
Supply Chain Security
Container Verifying
- (2021) nirmata.com: Kubernetes Supply Chain Policy Management with Cosign and Kyverno [GO CONTENT] [ADVANCED LEVEL] [COMMUNITY-TOOL] — Practical guide demonstrating how Nirmata utilizes Sigstore Cosign paired with Kyverno to authenticate digital signatures on incoming container images. Establishes programmatic cryptographic validation inside admission paths, preventing unverified or tampered binaries from launching in production environments.
Cryptographic Signatures
- (2022) blog.sigstore.dev: How to verify container images with Kyverno using KMS,' Cosign, and Workload Identity [GO CONTENT] [ADVANCED LEVEL] [COMMUNITY-TOOL] — An advanced technical exploration of enterprise container security architectures. Provides steps to construct a validation loop that verifies image signatures dynamically using Kyverno, integrated directly with KMS key stores, Sigstore Cosign, and OIDC-based Workload Identity.
Public Cloud
Azure Integration
Cloud Governance
- (2026) Azure Policy [ADVANCED LEVEL] [DOCUMENTATION] 🌟🌟🌟🌟 [ENTERPRISE-STABLE] — Specialized gateway and reference documentation for enforcing structural compliance, resource auditing, and governance across Azure resource environments. Explains custom definition policies, policy initiatives, and automated remediation workflows. Critical reference for maintaining operational guardrails in enterprise cloud architectures.
Security (1)
Identity and Access
Oauth2
- (2022) rapidapi.com:What is OAuth2.0? [COMMUNITY-TOOL] — A comprehensive foundational guide breaking down the OAuth 2.0 authorization framework. It delineates core concepts including authentication flows, grant types, token lifecycles, and security delegation mechanics.
Spring Security
- (2022) freecodecamp.org: How to Implement an OAuth2 Resource Server with Spring Security [JAVA CONTENT] [COMMUNITY-TOOL] — A hands-on implementation tutorial detailing the deployment of an OAuth2-compliant resource server using Spring Security. It guides through configuring middleware to parse and authenticate incoming JWT requests.
Policy Enforcement
Admission Control
- (2022) MagTape ⭐ 152 [JAVASCRIPT CONTENT] 🌟🌟 [LEGACY] — An admission controller developed by T-Mobile that evaluates resources against organizational policy constraints during creation. Written in Node.js, it offered a lightweight alternative to OPA for specific JSON schema validations. By 2026, it has been largely archived, with developers migrating to Gatekeeper or Kyverno.
💡 Explore Related: Devsecops | IaC | Ansible
🔗 See Also: Kubernetes Backup Migrations | OCP 4