
Kubernetes is powerful and flexible, but with that power comes the responsibility of ensuring your Kubernetes clusters are secure, compliant, and well-managed. Enter Policy as Code (PaC), a paradigm shift that treats infrastructure policies as code, bringing benefits like maintainability, efficiency, and inspectability to your Kubernetes environment.
This topic took center stage at the most recent KubeCon London, where the session on “A Practical Guide to Kubernetes Policy as Code” drew a standing-room-only crowd—a clear sign that interest in Kubernetes policy management is surging as more organizations embrace Kubernetes at scale.
As Andy Suderman, CTO of Fairwinds and co-chair of the Policy Working Group, aptly puts it, “policy underpins just about everything that you might care about in your Kubernetes cluster.” From Role-Based Access Control (RBAC) to network policies and resource quotas, policy is the invisible backbone of your Kubernetes operations. Jimmy Ray, another member of the Policy Working Group, defines Policy as Code as “the use of code artifacts to manage and apply rules and conditions,” a straightforward concept with profound implications.
Why embrace Policy as Code? The advantages mirror those of Infrastructure as Code: improved maintainability, enhanced efficiency through automation, collective inspection via code reviews, and clear visibility into how policies function within your system. Kubernetes itself offers various built-in mechanisms to enforce these policies.
The Evolution of Kubernetes Policy Enforcement
Joe Betz, Staff Engineer at Google and SIG API Machinery lead, took the audience through the evolution of policy enforcement in Kubernetes. The introduction of admission webhooks in Kubernetes v1.8 was a pivotal moment, providing a foundational extension point to intercept write requests to the control plane. While incredibly powerful, webhooks added complexity in development, maintenance, upgrades, and availability: a webhook that is slow or down either blocks every write it matches or, if configured to fail open, lets those writes through unchecked, so each one is a critical component that has to be run and monitored carefully.
“You can intercept all write requests coming into the control plane and that gives you the ability to control what is happening in your cluster,” Betz explained.
However, many of these webhooks were performing relatively simple validation tasks. This led to the exploration of embedding logic directly into the Kubernetes API server using the Common Expression Language (CEL), which embeds cleanly in YAML, has a familiar C-style syntax, and evaluates cheaply; because CEL is not a general-purpose language, the API server can also bound how much work a single expression is allowed to do.
“The vast majority of webhooks were doing really simple stuff,” Betz noted. “If it’s really simple logic, why not just put it straight into the Kubernetes API server in the first place?” Today, CEL is widely used for CRD validation and forms the backbone of Kubernetes’ newer policy primitives: Validating Admission Policy (VAP), which reached general availability in v1.30, and Mutating Admission Policy (MAP). VAP validates incoming requests in-process in the API server, while MAP, currently in alpha, enables object mutation through patches expressed in CEL.
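To make the in-process model concrete, here is an added example (written for this article, not code shown in the session or taken from the Kubernetes documentation) of a VAP that rejects Deployments whose pod template runs a privileged container or shares the host network namespace. The policy name and the exemption label `policy.example.com/exempt` are this example's own assumptions.

```yaml
# Added example: a ValidatingAdmissionPolicy evaluated by the API server itself.
# No webhook endpoint, certificate or separate deployment is involved.
apiVersion: admissionregistration.k8s.io/v1
kind: ValidatingAdmissionPolicy
metadata:
  name: deny-privileged-workloads
spec:
  # failurePolicy only applies when evaluation itself errors (for example a
  # CEL runtime error); a normal "false" result is a plain validation failure.
  failurePolicy: Fail
  matchConstraints:
    resourceRules:
      - apiGroups:   ["apps"]
        apiVersions: ["v1"]
        operations:  ["CREATE", "UPDATE"]
        resources:   ["deployments"]
  validations:
    # Optional fields must be guarded with has(): reading an absent field is a
    # CEL evaluation error, which with failurePolicy: Fail would reject the
    # request for the wrong reason and with Ignore would let it through.
    - expression: >-
        object.spec.template.spec.containers.all(c,
          !has(c.securityContext) ||
          !has(c.securityContext.privileged) ||
          !c.securityContext.privileged)
      message: "privileged containers are not allowed"
      reason: Forbidden
    # initContainers are a separate list and are easy to forget.
    - expression: >-
        !has(object.spec.template.spec.initContainers) ||
        object.spec.template.spec.initContainers.all(c,
          !has(c.securityContext) ||
          !has(c.securityContext.privileged) ||
          !c.securityContext.privileged)
      message: "privileged init containers are not allowed"
      reason: Forbidden
    - expression: >-
        !has(object.spec.template.spec.hostNetwork) ||
        !object.spec.template.spec.hostNetwork
      message: "hostNetwork is not allowed"
      reason: Forbidden
---
# A policy does nothing until a binding selects where it applies and what
# happens on failure. Here: deny everywhere except namespaces carrying the
# (assumed) exemption label.
apiVersion: admissionregistration.k8s.io/v1
kind: ValidatingAdmissionPolicyBinding
metadata:
  name: deny-privileged-workloads
spec:
  policyName: deny-privileged-workloads
  validationActions: ["Deny"]
  matchResources:
    namespaceSelector:
      matchExpressions:
        - key: policy.example.com/exempt
          operator: NotIn
          values: ["true"]
```

Apply both objects with kubectl, then try to create a Deployment with `privileged: true`; the API server rejects it with the message above and the request never reaches a webhook. For a rollout, start the binding with `validationActions: ["Warn", "Audit"]` so existing pipelines see warnings and audit annotations without being blocked, and switch to `Deny` once the noise is gone.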
Stepping Up Policy Management with OPA Gatekeeper
Rita Zhang, Principal Engineer at Microsoft and chair of SIG Auth, introduced OPA Gatekeeper, a CNCF-graduated project that brings enterprise-grade policy enforcement to Kubernetes. Gatekeeper is a dynamic, flexible admission and mutation webhook, designed to let users write policies once and run them across multiple environments.
“We want to make sure you can write the language of your choice,” said Zhang, highlighting Gatekeeper’s support for both Rego and CEL.
Gatekeeper also enables policy authors and deployers to work independently through the use of Constraint Templates and Constraints. It offers valuable features such as audit of existing resources, a CLI tool (Gator) for CI/CD pipelines, Prometheus metrics, integration with external data sources, and even Pub/Sub notifications for policy violations. Zhang emphasized that Gatekeeper isn’t competing with Kubernetes’ built-in policy mechanisms. “We do not want to compete with VAP—we love VAP,” she said, underscoring Gatekeeper’s aim to complement and extend built-in tools.
Kyverno: Simplifying and Expanding Kubernetes Policy
Jim Bugwadia, co-chair of the Policy Working Group and a maintainer of Kyverno, presented a different vision. Unlike other tools that focus mainly on validation, Kyverno was designed from the start by Nirmata to cover a broader range of policy use cases—including mutation, generation, cleanup, and image validation.
“Policy as Code is not just about validation or enforcing security,” said Bugwadia. “It’s about automation as well. It’s about reducing the overload of additional controllers.”
Kyverno’s goal is to simplify policy management for Kubernetes administrators without requiring them to learn new policy languages. It now supports generating both VAP and MAP policies from Kyverno definitions using CEL where applicable. This approach gives users the performance and stability of native Kubernetes features, while extending functionality through Kyverno’s powerful toolset.
What Sets Kyverno Apart
- Extended Policy Capabilities: Beyond validation, Kyverno includes resource mutation, generation, cleanup, and image validation.
- Flexible Evaluation Modes: Policies can target Kubernetes resources or arbitrary JSON/YAML payloads.
- Webhook Configuration Options: Offers fine-tuned control over webhook behavior.
- Policy Autogeneration: Derives rules for Pod controllers (Deployments, StatefulSets, DaemonSets, Jobs, CronJobs) from rules written against Pods, and can emit native Kubernetes admission policies from eligible rules.
- Enhanced CEL Integration: Includes advanced CEL features like image registry lookups.
- Background Scanning: Applies policies to existing resources for retroactive compliance.
- Fine-Grained Exceptions: Supports per-image policy exceptions.
- Standardized Reporting: Adheres to Policy Working Group formats for audit and reporting.
- Image Signature Verification: Integrates with Notary and Cosign to validate image signatures and attestations.
- Cross-Platform Potential: Kyverno policies can be adapted for non-Kubernetes use cases with minimal changes.
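The broader rule set Bugwadia described, and several of the capabilities listed above (CEL validation, mutation, generation, background scanning, autogeneration), fit in a single ClusterPolicy. The following is an added example written for this article rather than a policy from the session or from the Kyverno policy library; the policy name and the default-deny NetworkPolicy it creates are the example's own choices.

```yaml
# Added example: one Kyverno ClusterPolicy with a validate, a mutate and a
# generate rule. Pod rules are auto-generated for Pod controllers as well.
apiVersion: kyverno.io/v1
kind: ClusterPolicy
metadata:
  name: pod-baseline
spec:
  validationFailureAction: Enforce
  # Background scanning also evaluates rules against resources that already
  # exist, so policy reports cover pre-existing workloads, not just new ones.
  background: true
  rules:
    # 1. Validate with CEL. A rule of this shape is eligible to be emitted as
    #    a native ValidatingAdmissionPolicy when VAP generation is enabled.
    - name: no-hostpath-volumes
      match:
        any:
          - resources:
              kinds: [Pod]
      validate:
        cel:
          expressions:
            # has() guards the optional field; an absent volumes list passes.
            - expression: >-
                !has(object.spec.volumes) ||
                object.spec.volumes.all(v, !has(v.hostPath))
              message: "hostPath volumes are not allowed"
    # 2. Mutate: set a default seccomp profile only when none is declared.
    #    The +() anchor means "add if absent" and never overwrites a value
    #    the author chose, which keeps the mutation predictable.
    - name: default-seccomp
      match:
        any:
          - resources:
              kinds: [Pod]
      mutate:
        patchStrategicMerge:
          spec:
            securityContext:
              +(seccompProfile):
                type: RuntimeDefault
    # 3. Generate: every new namespace gets a default-deny ingress policy that
    #    Kyverno re-creates or repairs if someone edits or deletes it.
    - name: default-deny-ingress
      match:
        any:
          - resources:
              kinds: [Namespace]
      exclude:
        any:
          - resources:
              names: [kube-system, kube-public, kube-node-lease]
      generate:
        apiVersion: networking.k8s.io/v1
        kind: NetworkPolicy
        name: default-deny-ingress
        namespace: "{{request.object.metadata.name}}"
        synchronize: true
        data:
          spec:
            podSelector: {}
            policyTypes: [Ingress]
```

Only the first rule has a native equivalent: validation can be pushed down into the API server as a VAP, while the mutate and generate rules still need the Kyverno controllers. That matches the session's advice to keep mutation minimal and deliberate; a default-if-absent patch like the seccomp rule is the kind of mutation that stays cheap and reviewable.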
Kyverno from Nirmata empowers platform engineers, security teams, operators and DevOps teams to collaborate more effectively while using familiar Kubernetes-native tools and workflows.
Final Thoughts and Guidance
Andy Suderman closed the session by reinforcing the Kubernetes community’s commitment to Policy as Code. He encouraged attendees to invest in learning CEL, as it is fast becoming a core technology across many Kubernetes features. While built-in policies offer a robust starting point, extensions like Kyverno and Gatekeeper remain crucial for complex scenarios.
“Everybody wants to use mutation for everything. Try to keep it to a minimum—it’s expensive and it can be risky,” Suderman advised.
The discussion concluded with considerations around CI/CD integration and how modern GitOps platforms like Argo CD and Flux now support server-side apply to better coexist with mutation policies.
The key takeaway: Kubernetes now provides a solid foundation for Policy as Code, but knowing when and how to extend it—through tools like Kyverno—is essential for success at scale.
Ready to Get Started with Policy as Code?
Whether you’re just beginning your journey or looking to deepen your expertise, the Nirmata team is here to help. We’re proud maintainers of Kyverno—a powerful policy engine purpose-built for Kubernetes—and we’re passionate about helping platform teams succeed with secure, automated, and scalable policy management.
Reach out to us to learn more, get hands-on guidance, or explore how Policy as Code can accelerate your Kubernetes strategy. While you’re here, get your data sheet on Nirmata Control Hub—automate Kubernetes security and operations through Policy as Code. Also, check out our very popular blog post on Kyverno versus OPA/Gatekeeper when it comes to policy management. Lastly, you can request a free demo for yourself and see what all the buzz is about.