At KubeCon EU this April, I was on a panel presenting “A Practical Guide To Kubernetes Policy as Code.” I was joined by Rita Zhang, a Principal Engineer at Microsoft, the SIG Auth Chair, a member of the Security Response Committee, and a maintainer of Gatekeeper; Joe Betz, a Staff Engineer at Google and the Special Interest Group (SIG) API Machinery Lead; and Jim Bugwadia, the founder and CEO at Nirmata, Policy Working Group (WG) Co-Chair, and a maintainer of Kyverno. I am a maintainer of Goldilocks, Pluto, and Polaris, and I’m also a Co-Chair of the Policy WG. Together, we’ve spent a lot of time thinking about the role of policies in Kubernetes and how to enforce them.
We already know that Kubernetes has changed how organizations deploy, scale, and manage applications. But as adoption in production environments grows and clusters grow in scale and complexity, so do the challenges of maintaining security, compliance, and operational consistency across teams and clusters. Policy enforcement in K8s, first enabled in the 1.8 release with the introduction of admission webhooks, now underpins just about everything we do in Kubernetes, across audit, assurance, and operational areas.
“Policy as Code ... is the use of code artifacts to manage and apply rules and conditions.”
- Policy as Code by Jimmy Ray
Policy as Code brings the power of automation, collaboration, and version control to the governance of Kubernetes environments. Kubernetes now provides a variety of patterns and built-in policy enforcement points.
Policy as Code is the practice of defining and managing policies using machine-readable code artifacts, rather than relying on static documentation or manual configuration. In Kubernetes, this means expressing security, compliance, and operational requirements as code that can be version-controlled, reviewed, and automatically enforced across clusters.
This approach offers several advantages:
Kubernetes is dynamic: workloads are created, updated, and destroyed quickly. Manual policy enforcement is not only impractical but also error-prone. Policy as Code addresses these fundamental challenges by:
Kubernetes supports a variety of policy types, each serving different governance needs, including authentication and authorization policies to control who can access what using role-based access control (RBAC) and advanced authorization models, admission policies that intercept and validate (or mutate) resource requests before they are persisted in the cluster, network policies that define which services can communicate with one another (thus enforcing zero-trust principles), and resource quotas and limits to prevent resource abuse and ensure fair allocation across teams.
Admission controllers are central to policy enforcement in Kubernetes. They review API requests and determine whether to admit or reject them based on defined policies. There are two main types:
The Kubernetes ecosystem offers several mature tools for implementing Policy as Code. The following list includes just a few of them, but there are many others worthy of investigation:
Kubernetes now supports Validating Admission Policies (VAP) and Mutating Admission Policies (MAP), which use the Common Expression Language (CEL) for defining rules directly within the API server. CEL is fast, human-readable, and avoids the complexity of external webhooks, making policy enforcement more reliable and efficient.
“CEL’s integration into the Kubernetes API server represents a significant step forward in policy enforcement, offering a modern, efficient approach to managing complex cloud-native environments… This eliminates latency issues and enhances reliability while avoiding the unpredictability of Turing-complete languages.”
— CNCF Blog: CEL-ebrating simplicity: mastering Kubernetes policy enforcement with CEL
Kyverno is an open-source, cloud-native policy engine specifically designed for Kubernetes and other cloud-native environments. Essentially, it helps organizations define, manage, and enforce security, compliance, and operational best practices within their Kubernetes clusters. Kyverno policies are declarative YAML resources, and therefore, you don’t need to learn a new language to manage Policy as Code. Kyverno allows the use of familiar K8s tools, such as kubectl, git, and kustomize to manage policies. It also supports JMESPath and CEL for efficient handling of complex logic.
Open Policy Agent (OPA) is a general-purpose policy engine, widely adopted for Kubernetes via the Gatekeeper project. Gatekeeper acts as a dynamic admission webhook, enabling users to write policies in Rego (OPA’s domain-specific language) or CEL, and supports advanced scenarios, including auditing, external data sources, and multi-cluster federation.
Polaris is an open-source policy engine focused on Kubernetes best practices. It can run as a dashboard, command-line tool, or admission controller, and supports automated remediation via mutating admission controllers. Polaris’s integration with Fairwinds Insights enables continuous scanning, reporting, and policy enforcement at scale.
Here are some of the biggest takeaways from our session: Core Kubernetes is going to continue to support more Policy as Code. What is there currently is very stable, and we're going to see more of it. In-tree is going to be faster and more reliable, and it provides a great baseline, but you're probably going to need to expand beyond that. A few suggestions:
As Kubernetes continues to evolve, Policy as Code is becoming the industry standard for cluster governance. The integration of CEL, the rise of declarative admission policies, and the maturity of tools like OPA/Gatekeeper, Polaris, and Kyverno are making policy enforcement more accessible, reliable, and scalable than ever before.
Watch the whole session on the CNCF YouTube channel: A Practical Guide To Kubernetes Policy as Code - Jim Bugwadia, Rita Zhang, Andy Suderman & Joe Betz
.