Kyverno is a policy engine built for Kubernetes: policies as Kubernetes resources (no new language to learn!), validate, mutate, or generate any resource, match resources using label selectors and wildcards, validate and mutate using overlays (like Kustomize!), generate and synchronize defaults across namespaces, block or report violations, test using kubectl.

K8s webhook handling profiles for tolerations, nodeSelector and nodeAffinity

Blog posts written by engineers at Plex Systems

Konstraint is a CLI tool to assist with the creation and management of constraints when using Gatekeeper.

cloud native software supply chain ☁️🔗. Contribute to liatrio/rode development by creating an account on GitHub.

Contains a valid OPA unit testing environment. Contribute to k8spin/opa-k8s-development development by creating an account on GitHub.

conftest is a utility to help you write tests against structured configuration data. For instance you could write tests for your Kubernetes configurations, or Tekton pipeline definitions, Terraform code, Serverless configs or any other structured data.

Kyverno is a policy engine designed for Kubernetes.

Kubernetes supports declarative management of objects using configurations written in YAML or JSON. Often, parts of the configuration will need to vary based on the runtime environment. For portability, and for separation of concerns, its best to maintain environment specific configurations separately from workload configurations.

A tool for scanning Kubernetes cluster for risky permissions in Kubernetes's Role-based access control (RBAC) authorization model.

Kubernetes allows decoupling complex logic such as policy decision from the inner working of API Server by means of "admission controllers”. Admission control is a custom logic executed by a webhook. Kubernetes policy controller is a mutating and a validating webhook which gets called for matching Kubernetes API server requests by the admission controller. It uses Open Policy Agent (OPA) is a policy engine for Cloud Native environments hosted by CNCF as a sandbox level project.