https://backend-engineering-strategy-tools.github.io/site/tags/kyverno/Recent content in Kyverno on Backend Engineering Strategy ToolsHugo -- gohugo.ioen-usTue, 09 Jun 2026 00:00:00 +0000https://backend-engineering-strategy-tools.github.io/site/public-notes/policy-as-code/overview/Tue, 09 Jun 2026 00:00:00 +0000https://backend-engineering-strategy-tools.github.io/site/public-notes/policy-as-code/overview/<p>Encoding compliance, security, and operational rules as version-controlled, testable code — evaluated at the point where things are created or changed rather than audited after the fact.</p> <p>The alternative is manual review and reactive alerts. Policy as code shifts that left: rules are explicit, reviewable, and enforced automatically.</p> <h2 id="enforcement-points">Enforcement points </h2><p>The same policy intent can be applied at three different points in the lifecycle:</p> <p><strong>CI/CD gate</strong> — evaluate before anything reaches the cluster. Fail the pipeline on violations. Tools: Conftest, Checkov, Trivy IaC. Lowest blast radius, fastest feedback loop.</p> <p><strong>Cluster admission</strong> — intercept every <code>kubectl apply</code> at the API server. No non-compliant resource can be created or updated. Tools: Kyverno, Gatekeeper (OPA), K8s-native ValidatingAdmissionPolicy.</p> <p><strong>Runtime / drift detection</strong> — continuously evaluate live state against policy and surface violations. Catches things that predate the policy, or that arrived outside normal pipelines. Tools: OPA, AWS Config, Kyverno audit mode.</p> <p>Most teams layer these: CI catches the obvious mistakes early and cheap, admission control enforces hard requirements at the cluster boundary, audit mode gives visibility into what is already out of compliance.</p> <h2 id="how-the-tools-relate">How the tools relate </h2><p>OPA is the common engine underneath Gatekeeper and Conftest. Rego is its policy language — learn it once and it applies across both. Kyverno is a separate engine that replaces Rego with Kubernetes-native YAML; lower barrier to entry, but the policy language does not transfer outside K8s. The K8s-native ValidatingAdmissionPolicy uses CEL, a simpler expression language built into the API server — no extra install, but limited to validation and basic mutation.</p> <pre tabindex="0"><code>Policy intent ├── CI/CD gate → Conftest (Rego) / Checkov / Trivy IaC ├── K8s admission → Kyverno (YAML) / Gatekeeper (Rego) / VAP (CEL) └── Runtime → OPA server / Kyverno audit / AWS Config </code></pre><h2 id="to-explore">To explore </h2><ul> <li><strong>Rego standalone</strong> — eval policies against arbitrary JSON input using <code>opa eval</code> and the REPL, without Kubernetes. Good way to learn the language in isolation before wiring it into a pipeline or cluster. See the <a class="link" href="https://backend-engineering-strategy-tools.github.io/site/public-notes/policy-as-code/opa/" >OPA &amp; Rego</a> note.</li> </ul>https://backend-engineering-strategy-tools.github.io/site/public-notes/policy-as-code/kubernetes-policy/Mon, 08 Jun 2026 00:00:00 +0000https://backend-engineering-strategy-tools.github.io/site/public-notes/policy-as-code/kubernetes-policy/<p>Kubernetes has three distinct policy enforcement mechanisms. They sit at the same point in the request lifecycle — the admission controller — but differ in language, capability, and operational complexity.</p> <table> <thead> <tr> <th></th> <th>Kyverno</th> <th>Gatekeeper (OPA)</th> <th>ValidatingAdmissionPolicy</th> </tr> </thead> <tbody> <tr> <td>Language</td> <td>YAML/JMESPath</td> <td>Rego</td> <td>CEL</td> </tr> <tr> <td>Native to K8s</td> <td>No (CRD)</td> <td>No (CRD)</td> <td>Yes (built-in)</td> </tr> <tr> <td>Validate</td> <td>Yes</td> <td>Yes</td> <td>Yes</td> </tr> <tr> <td>Mutate</td> <td>Yes</td> <td>Limited</td> <td>Yes (1.32+)</td> </tr> <tr> <td>Generate</td> <td>Yes</td> <td>No</td> <td>No</td> </tr> <tr> <td>Image verify</td> <td>Yes</td> <td>No</td> <td>No</td> </tr> <tr> <td>GA since</td> <td>—</td> <td>—</td> <td>K8s 1.30</td> </tr> <tr> <td>Good for</td> <td>Full-featured, K8s-native feel</td> <td>Rego-first teams, policy-as-data</td> <td>Simple rules, no extra install</td> </tr> </tbody> </table> <h2 id="validatingadmissionpolicy-vap">ValidatingAdmissionPolicy (VAP) </h2><p>Added in Kubernetes 1.26, <strong>GA in 1.30</strong>. Policies are built into the API server — no admission controller to deploy or maintain. Policy is written in <strong>CEL</strong> (Common Expression Language), a simple expression language also used in Kubernetes&rsquo; <code>x-kubernetes-validations</code> CRD validation.</p> <div class="highlight"><pre tabindex="0" style="color:#f8f8f2;background-color:#272822;-moz-tab-size:4;-o-tab-size:4;tab-size:4;-webkit-text-size-adjust:none;"><code class="language-yaml" data-lang="yaml"><span style="display:flex;"><span><span style="color:#f92672">apiVersion</span>: <span style="color:#ae81ff">admissionregistration.k8s.io/v1</span> </span></span><span style="display:flex;"><span><span style="color:#f92672">kind</span>: <span style="color:#ae81ff">ValidatingAdmissionPolicy</span> </span></span><span style="display:flex;"><span><span style="color:#f92672">metadata</span>: </span></span><span style="display:flex;"><span> <span style="color:#f92672">name</span>: <span style="color:#e6db74">&#34;require-run-as-non-root&#34;</span> </span></span><span style="display:flex;"><span><span style="color:#f92672">spec</span>: </span></span><span style="display:flex;"><span> <span style="color:#f92672">failurePolicy</span>: <span style="color:#ae81ff">Fail</span> </span></span><span style="display:flex;"><span> <span style="color:#f92672">matchConstraints</span>: </span></span><span style="display:flex;"><span> <span style="color:#f92672">resourceRules</span>: </span></span><span style="display:flex;"><span> - <span style="color:#f92672">apiGroups</span>: [<span style="color:#e6db74">&#34;apps&#34;</span>] </span></span><span style="display:flex;"><span> <span style="color:#f92672">apiVersions</span>: [<span style="color:#e6db74">&#34;v1&#34;</span>] </span></span><span style="display:flex;"><span> <span style="color:#f92672">operations</span>: [<span style="color:#e6db74">&#34;CREATE&#34;</span>, <span style="color:#e6db74">&#34;UPDATE&#34;</span>] </span></span><span style="display:flex;"><span> <span style="color:#f92672">resources</span>: [<span style="color:#e6db74">&#34;deployments&#34;</span>] </span></span><span style="display:flex;"><span> <span style="color:#f92672">validations</span>: </span></span><span style="display:flex;"><span> - <span style="color:#f92672">expression</span>: &gt;<span style="color:#e6db74"> </span></span></span><span style="display:flex;"><span><span style="color:#e6db74"> object.spec.template.spec.securityContext.runAsNonRoot == true</span> </span></span><span style="display:flex;"><span> <span style="color:#f92672">message</span>: <span style="color:#e6db74">&#34;Pods must run as non-root&#34;</span> </span></span><span style="display:flex;"><span>--- </span></span><span style="display:flex;"><span><span style="color:#f92672">apiVersion</span>: <span style="color:#ae81ff">admissionregistration.k8s.io/v1</span> </span></span><span style="display:flex;"><span><span style="color:#f92672">kind</span>: <span style="color:#ae81ff">ValidatingAdmissionPolicyBinding</span> </span></span><span style="display:flex;"><span><span style="color:#f92672">metadata</span>: </span></span><span style="display:flex;"><span> <span style="color:#f92672">name</span>: <span style="color:#e6db74">&#34;require-run-as-non-root-binding&#34;</span> </span></span><span style="display:flex;"><span><span style="color:#f92672">spec</span>: </span></span><span style="display:flex;"><span> <span style="color:#f92672">policyName</span>: <span style="color:#e6db74">&#34;require-run-as-non-root&#34;</span> </span></span><span style="display:flex;"><span> <span style="color:#f92672">validationActions</span>: [<span style="color:#ae81ff">Deny]</span> </span></span><span style="display:flex;"><span> <span style="color:#f92672">matchResources</span>: </span></span><span style="display:flex;"><span> <span style="color:#f92672">namespaceSelector</span>: </span></span><span style="display:flex;"><span> <span style="color:#f92672">matchLabels</span>: </span></span><span style="display:flex;"><span> <span style="color:#f92672">enforce-policy</span>: <span style="color:#e6db74">&#34;true&#34;</span> </span></span></code></pre></div><p>The <code>ValidatingAdmissionPolicyBinding</code> scopes where a policy applies — cluster-wide, specific namespaces, or by label selector.</p> <h3 id="cel-basics">CEL basics </h3><p>CEL expressions have access to <code>object</code> (the incoming resource), <code>oldObject</code> (for updates), <code>request</code> (metadata, user, etc.), and <code>params</code> (a referenced ConfigMap or CRD for parameterisation).</p> <pre tabindex="0"><code># Simple field check object.spec.replicas &lt;= 10 # Nested optional field (use ?. for optional traversal) object.spec.template.spec.?securityContext.?runAsNonRoot == optional.of(true) # List comprehension — all containers must have limits object.spec.template.spec.containers.all(c, has(c.resources) &amp;&amp; has(c.resources.limits) ) # String operations object.metadata.name.startsWith(&#34;prod-&#34;) </code></pre><h3 id="mutatingadmissionpolicy">MutatingAdmissionPolicy </h3><p>Added in Kubernetes 1.32 (alpha). Brings CEL-based mutation — set defaults, inject labels, patch fields — without Kyverno or a webhook. Still early; not production-ready yet.</p> <h2 id="gatekeeper">Gatekeeper </h2><p>OPA running as a Kubernetes admission controller. Policies are written in Rego and stored as <code>ConstraintTemplate</code> CRDs. The separation between template (the Rego logic) and constraint (the enforcement configuration + parameters) is the key design pattern.</p> <div class="highlight"><pre tabindex="0" style="color:#f8f8f2;background-color:#272822;-moz-tab-size:4;-o-tab-size:4;tab-size:4;-webkit-text-size-adjust:none;"><code class="language-yaml" data-lang="yaml"><span style="display:flex;"><span><span style="color:#f92672">apiVersion</span>: <span style="color:#ae81ff">templates.gatekeeper.sh/v1</span> </span></span><span style="display:flex;"><span><span style="color:#f92672">kind</span>: <span style="color:#ae81ff">ConstraintTemplate</span> </span></span><span style="display:flex;"><span><span style="color:#f92672">metadata</span>: </span></span><span style="display:flex;"><span> <span style="color:#f92672">name</span>: <span style="color:#ae81ff">k8srequiredlabels</span> </span></span><span style="display:flex;"><span><span style="color:#f92672">spec</span>: </span></span><span style="display:flex;"><span> <span style="color:#f92672">crd</span>: </span></span><span style="display:flex;"><span> <span style="color:#f92672">spec</span>: </span></span><span style="display:flex;"><span> <span style="color:#f92672">names</span>: </span></span><span style="display:flex;"><span> <span style="color:#f92672">kind</span>: <span style="color:#ae81ff">K8sRequiredLabels</span> </span></span><span style="display:flex;"><span> <span style="color:#f92672">validation</span>: </span></span><span style="display:flex;"><span> <span style="color:#f92672">openAPIV3Schema</span>: </span></span><span style="display:flex;"><span> <span style="color:#f92672">properties</span>: </span></span><span style="display:flex;"><span> <span style="color:#f92672">labels</span>: </span></span><span style="display:flex;"><span> <span style="color:#f92672">type</span>: <span style="color:#ae81ff">array</span> </span></span><span style="display:flex;"><span> <span style="color:#f92672">items</span>: {<span style="color:#f92672">type</span>: <span style="color:#ae81ff">string}</span> </span></span><span style="display:flex;"><span> <span style="color:#f92672">targets</span>: </span></span><span style="display:flex;"><span> - <span style="color:#f92672">target</span>: <span style="color:#ae81ff">admission.k8s.gatekeeper.sh</span> </span></span><span style="display:flex;"><span> <span style="color:#f92672">rego</span>: |<span style="color:#e6db74"> </span></span></span><span style="display:flex;"><span><span style="color:#e6db74"> package k8srequiredlabels </span></span></span><span style="display:flex;"><span><span style="color:#e6db74"> </span></span></span><span style="display:flex;"><span><span style="color:#e6db74"> violation[{&#34;msg&#34;: msg}] { </span></span></span><span style="display:flex;"><span><span style="color:#e6db74"> provided := {label | input.review.object.metadata.labels[label]} </span></span></span><span style="display:flex;"><span><span style="color:#e6db74"> required := {label | label := input.parameters.labels[_]} </span></span></span><span style="display:flex;"><span><span style="color:#e6db74"> missing := required - provided </span></span></span><span style="display:flex;"><span><span style="color:#e6db74"> count(missing) &gt; 0 </span></span></span><span style="display:flex;"><span><span style="color:#e6db74"> msg := sprintf(&#34;missing required labels: %v&#34;, [missing]) </span></span></span><span style="display:flex;"><span><span style="color:#e6db74"> }</span> </span></span><span style="display:flex;"><span>--- </span></span><span style="display:flex;"><span><span style="color:#f92672">apiVersion</span>: <span style="color:#ae81ff">constraints.gatekeeper.sh/v1beta1</span> </span></span><span style="display:flex;"><span><span style="color:#f92672">kind</span>: <span style="color:#ae81ff">K8sRequiredLabels</span> </span></span><span style="display:flex;"><span><span style="color:#f92672">metadata</span>: </span></span><span style="display:flex;"><span> <span style="color:#f92672">name</span>: <span style="color:#ae81ff">require-team-label</span> </span></span><span style="display:flex;"><span><span style="color:#f92672">spec</span>: </span></span><span style="display:flex;"><span> <span style="color:#f92672">match</span>: </span></span><span style="display:flex;"><span> <span style="color:#f92672">kinds</span>: </span></span><span style="display:flex;"><span> - <span style="color:#f92672">apiGroups</span>: [<span style="color:#e6db74">&#34;&#34;</span>] </span></span><span style="display:flex;"><span> <span style="color:#f92672">kinds</span>: [<span style="color:#e6db74">&#34;Namespace&#34;</span>] </span></span><span style="display:flex;"><span> <span style="color:#f92672">parameters</span>: </span></span><span style="display:flex;"><span> <span style="color:#f92672">labels</span>: [<span style="color:#e6db74">&#34;team&#34;</span>, <span style="color:#e6db74">&#34;environment&#34;</span>] </span></span></code></pre></div><p>Gatekeeper also supports <strong>audit mode</strong> — it continuously evaluates existing resources against policies and surfaces violations without blocking. Useful for measuring compliance against policies you&rsquo;re not yet ready to enforce.</p> <h3 id="gatekeeper-vs-kyverno">Gatekeeper vs Kyverno </h3><p>Kyverno is better if your team does not know Rego and wants policies that look like Kubernetes manifests. Gatekeeper is better if you are already invested in OPA/Rego and want a single policy language across K8s and non-K8s surfaces (via Conftest).</p> <p>The K8s-native VAP is the right default for simple validation rules on new clusters — no extra install, but it does not cover mutation (until 1.32+), generation, or image verification.</p> <h2 id="resources">Resources </h2><ul> <li><a class="link" href="https://open-policy-agent.github.io/gatekeeper/" target="_blank" rel="noopener" >Gatekeeper documentation</a></li> <li><a class="link" href="https://github.com/open-policy-agent/gatekeeper-library" target="_blank" rel="noopener" >Gatekeeper library</a> — ready-made ConstraintTemplates</li> <li><a class="link" href="https://kubernetes.io/docs/reference/access-authn-authz/validating-admission-policy/" target="_blank" rel="noopener" >ValidatingAdmissionPolicy docs</a></li> <li><a class="link" href="https://kubernetes.io/docs/reference/using-api/cel/" target="_blank" rel="noopener" >CEL in Kubernetes</a></li> <li><a class="link" href="https://backend-engineering-strategy-tools.github.io/site/public-notes/kubernetes/kyverno/" >Kyverno</a> — separate note</li> </ul>https://backend-engineering-strategy-tools.github.io/site/public-notes/kubernetes/kyverno/Mon, 01 Jan 2024 00:00:00 +0000https://backend-engineering-strategy-tools.github.io/site/public-notes/kubernetes/kyverno/<p>Kyverno is a policy engine for Kubernetes. It runs as an admission controller and intercepts every resource creation or update, applying rules that validate, mutate, or generate resources. Policies are written as Kubernetes CRDs in YAML — no Rego, no separate language to learn. If you can write a Kubernetes manifest, you can write a Kyverno policy.</p> <h2 id="three-rule-types">Three rule types </h2><p><strong>Validate</strong> — reject resources that don&rsquo;t meet requirements:</p> <div class="highlight"><pre tabindex="0" style="color:#f8f8f2;background-color:#272822;-moz-tab-size:4;-o-tab-size:4;tab-size:4;-webkit-text-size-adjust:none;"><code class="language-yaml" data-lang="yaml"><span style="display:flex;"><span><span style="color:#f92672">apiVersion</span>: <span style="color:#ae81ff">kyverno.io/v1</span> </span></span><span style="display:flex;"><span><span style="color:#f92672">kind</span>: <span style="color:#ae81ff">ClusterPolicy</span> </span></span><span style="display:flex;"><span><span style="color:#f92672">metadata</span>: </span></span><span style="display:flex;"><span> <span style="color:#f92672">name</span>: <span style="color:#ae81ff">require-labels</span> </span></span><span style="display:flex;"><span><span style="color:#f92672">spec</span>: </span></span><span style="display:flex;"><span> <span style="color:#f92672">rules</span>: </span></span><span style="display:flex;"><span> - <span style="color:#f92672">name</span>: <span style="color:#ae81ff">check-team-label</span> </span></span><span style="display:flex;"><span> <span style="color:#f92672">match</span>: </span></span><span style="display:flex;"><span> <span style="color:#f92672">any</span>: </span></span><span style="display:flex;"><span> - <span style="color:#f92672">resources</span>: </span></span><span style="display:flex;"><span> <span style="color:#f92672">kinds</span>: [<span style="color:#ae81ff">Deployment]</span> </span></span><span style="display:flex;"><span> <span style="color:#f92672">validate</span>: </span></span><span style="display:flex;"><span> <span style="color:#f92672">message</span>: <span style="color:#e6db74">&#34;Deployments must have a &#39;team&#39; label.&#34;</span> </span></span><span style="display:flex;"><span> <span style="color:#f92672">pattern</span>: </span></span><span style="display:flex;"><span> <span style="color:#f92672">metadata</span>: </span></span><span style="display:flex;"><span> <span style="color:#f92672">labels</span>: </span></span><span style="display:flex;"><span> <span style="color:#f92672">team</span>: <span style="color:#e6db74">&#34;?*&#34;</span> </span></span></code></pre></div><p><strong>Mutate</strong> — automatically add or modify fields on admission:</p> <div class="highlight"><pre tabindex="0" style="color:#f8f8f2;background-color:#272822;-moz-tab-size:4;-o-tab-size:4;tab-size:4;-webkit-text-size-adjust:none;"><code class="language-yaml" data-lang="yaml"><span style="display:flex;"><span>- <span style="color:#f92672">name</span>: <span style="color:#ae81ff">add-default-resources</span> </span></span><span style="display:flex;"><span> <span style="color:#f92672">match</span>: </span></span><span style="display:flex;"><span> <span style="color:#f92672">any</span>: </span></span><span style="display:flex;"><span> - <span style="color:#f92672">resources</span>: </span></span><span style="display:flex;"><span> <span style="color:#f92672">kinds</span>: [<span style="color:#ae81ff">Pod]</span> </span></span><span style="display:flex;"><span> <span style="color:#f92672">mutate</span>: </span></span><span style="display:flex;"><span> <span style="color:#f92672">patchStrategicMerge</span>: </span></span><span style="display:flex;"><span> <span style="color:#f92672">spec</span>: </span></span><span style="display:flex;"><span> <span style="color:#f92672">containers</span>: </span></span><span style="display:flex;"><span> - <span style="color:#f92672">(name)</span>: <span style="color:#e6db74">&#34;*&#34;</span> </span></span><span style="display:flex;"><span> <span style="color:#f92672">resources</span>: </span></span><span style="display:flex;"><span> <span style="color:#f92672">requests</span>: </span></span><span style="display:flex;"><span> <span style="color:#f92672">+(memory)</span>: <span style="color:#e6db74">&#34;64Mi&#34;</span> </span></span><span style="display:flex;"><span> <span style="color:#f92672">+(cpu)</span>: <span style="color:#e6db74">&#34;250m&#34;</span> </span></span></code></pre></div><p><strong>Generate</strong> — create related resources automatically. A common use: generate a <code>NetworkPolicy</code> every time a new namespace is created.</p> <h2 id="enforcement-vs-audit">Enforcement vs audit </h2><p>Policies run in <code>enforce</code> mode (block non-compliant resources) or <code>audit</code> mode (allow but report violations). Audit mode is the right starting point — understand your existing state before enforcing.</p> <h2 id="common-policies">Common policies </h2><p>The <a class="link" href="https://kyverno.io/policies/" target="_blank" rel="noopener" >Kyverno policy library</a> has ready-made policies for common requirements: disallow privileged containers, require image tags to not be <code>latest</code>, enforce resource limits, restrict hostPath mounts. Most teams start from the library and customise.</p> <h2 id="resources">Resources </h2><ul> <li><a class="link" href="https://kyverno.io/docs/" target="_blank" rel="noopener" >Kyverno documentation</a></li> <li><a class="link" href="https://kyverno.io/policies/" target="_blank" rel="noopener" >Kyverno policy library</a></li> </ul>