
Policy-as-Code Template Library

48 production-ready policies for Kubernetes security and governance. Reduce the Rego learning curve. Copy, customize, deploy.

Template Library Overview

This library contains 28 Kyverno policies and 20 OPA/Gatekeeper constraint templates covering pod security, image validation, RBAC, resource governance, network security, mutation, and generation. Each template includes complete YAML/Rego, customization variables, validation commands, and real-world use cases.


What You Get

This library provides ready-to-use policies for common security scenarios:

  • 48 Total Policies: 28 Kyverno + 20 OPA/Gatekeeper
  • Complete Implementation: Full YAML/Rego with production-ready configuration
  • Customization Tables: Variables, defaults, and purpose for each parameter
  • Validation Commands: Test policies before enforcement
  • Real-World Use Cases: 4-6 production scenarios per policy
  • Testing Guidance: Audit mode, policy reports, troubleshooting

Template Categories

Decision Guide →

Choose between OPA and Kyverno based on team expertise, policy complexity, and operational requirements.


Kyverno Templates →

28 production-ready Kyverno policies for Kubernetes admission control, mutation, and resource generation.

Pod Security → (5 Policies)

  • Pod Security Standards Enforcement
  • Host Namespace Restrictions
  • Privilege Escalation Prevention
  • Seccomp Profile Enforcement
  • AppArmor Profile Requirements

Image Validation → (5 Policies)

  • Image Digest Requirements
  • Registry Allowlist and Tag Validation
  • Cosign Image Signature Verification
  • Base Image Enforcement
  • CVE Scanning Gates

Resource Management → (5 Policies)

  • Resource Limits and Requests Enforcement
  • CPU and Memory Ratio Enforcement
  • Ephemeral Storage Limits
  • PVC Size Constraints
  • HPA Configuration Requirements

Network Security → (5 Policies)

  • Require Network Policies
  • Egress Restrictions
  • Ingress Class Requirements
  • Ingress TLS Requirements
  • Service Type Restrictions

Mutation & Generation (7 Policies)

  • Mutation Policies →: Default Label Injection, Namespace Label Propagation, Logging Sidecar Injection, Monitoring Sidecar Injection
  • Generation Policies →: Automatic ResourceQuota Generation, Default-Deny NetworkPolicy Generation, Automatic PodDisruptionBudget Generation

Labels & Metadata → (1 Policy)

  • Mandatory Labels and Annotations

OPA/Gatekeeper Templates →

20 production-ready OPA constraint templates with complete Rego implementation for advanced policy enforcement.

Pod Security → (5 Policies)

  • Privileged Container Prevention
  • Host Namespace Restrictions
  • Required Capabilities Drop
  • Security Context Requirements
  • Privilege Escalation Prevention

Image Security → (5 Policies)

  • Registry Allowlist
  • Tag Requirements
  • Digest Enforcement
  • Image Signature Verification Annotations
  • Base Image Enforcement

RBAC (5 Policies)

  • Service Account Restrictions
  • Role Binding Namespace Enforcement
  • Cluster-Admin Prevention
  • Privileged Verbs Restrictions
  • Wildcard Resource Prevention

Resource Governance → (5 Policies)

  • Resource Limits and Requests Enforcement
  • Resource Quota Requirements
  • LimitRange Requirements
  • Ephemeral Storage Limits
  • Storage Class Restrictions

JMESPath Patterns →

Advanced Kyverno pattern library for complex validation logic using JMESPath.

  • Pattern fundamentals (projection, filtering, multi-select)
  • Cross-field validation (requests vs limits, label dependencies)
  • Complex conditions (nested logic, transformations)
  • Advanced patterns → (aggregation, arithmetic, string manipulation)
  • Enterprise examples → (registry policies, cost controls, HA requirements)
  • Testing guide → (kyverno jp CLI, debugging, validation)

CI/CD Integration →

Automated policy validation in development pipelines:

  • GitHub Actions pre-flight validation
  • ArgoCD policy gating
  • Pre-commit hooks

Usage Guide →

Template customization workflow, validation best practices, and quick start guides:

  • Customization workflow
  • Validation best practices
  • Quick start guides
  • Troubleshooting

Policy Engine Comparison

Choose the right policy engine for your team:

| Feature | Kyverno | OPA/Gatekeeper |
|---|---|---|
| Policies | 28 (validation, mutation, generation) | 20 (validation only) |
| Language | YAML + JMESPath | Rego (Go-like DSL) |
| Learning Curve | < 1 hour | 4-8 hours |
| Best For | Kubernetes-native teams, fast adoption | Multi-platform policies, complex logic |
| Mutation | ✅ Native support | ❌ Validation only |
| Generation | ✅ Auto-create resources | ❌ Validation only |

See Decision Guide → for detailed comparison and recommended starter paths.


Quick Start

Deploy in Audit Mode First

Always start in audit (Kyverno) or dryrun (OPA/Gatekeeper) mode and monitor violations for 48 hours before switching to enforcement: existing workloads may already violate the policies you are about to enforce.

Kyverno Quick Start (5 minutes)

# 1. Install Kyverno
helm repo add kyverno https://kyverno.github.io/kyverno/
helm install kyverno kyverno/kyverno --namespace kyverno --create-namespace

# 2. Apply a policy (starts in audit mode)
kubectl apply -f https://raw.githubusercontent.com/adaptive-enforcement-lab/docs/main/kyverno-pod-security.yaml

# 3. Monitor violations
kubectl get polr -A  # PolicyReports
kubectl get cpolr    # ClusterPolicyReports

# 4. Switch to enforcement after validation
kubectl patch clusterpolicy require-pod-security \
  --type merge \
  -p '{"spec":{"validationFailureAction":"enforce"}}'

OPA/Gatekeeper Quick Start (10 minutes)

# 1. Install Gatekeeper
kubectl apply -f https://raw.githubusercontent.com/open-policy-agent/gatekeeper/master/deploy/gatekeeper.yaml

# 2. Deploy constraint template (policy logic)
kubectl apply -f https://raw.githubusercontent.com/adaptive-enforcement-lab/docs/main/opa-pod-security.yaml

# 3. Deploy constraint (starts in dryrun mode)
kubectl apply -f constraint.yaml

# 4. Monitor violations
kubectl get constraints
kubectl get k8sblockprivileged -o yaml

# 5. Switch to enforcement after validation
kubectl patch k8sblockprivileged block-privileged \
  --type merge \
  -p '{"spec":{"enforcementAction":"deny"}}'
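Before running the final "switch to enforcement" step of either quick start, you want a concrete answer to "which running workloads would enforcement reject?" rather than eyeballing report output. The script below is an added example, not code from this library, Kyverno or Gatekeeper. It parses the JSON that `kubectl get polr -A -o json` and `kubectl get k8sblockprivileged -o json` return, lists every live violation, and produces a go/no-go summary for both engines. It relies only on the standard wgpolicyk8s PolicyReport schema (`results[].policy`, `rule`, `result`, `resources`) and on Gatekeeper's `status.violations` and `status.totalViolations`; the two embedded documents are constructed samples, and the policy, constraint and pod names in them are made up.

```python
"""Go/no-go check before switching policies from audit/dryrun to enforcement.

Added example, not part of the template library. Parses `kubectl get polr -A -o json`
(Kyverno PolicyReports) and `kubectl get k8sblockprivileged -o json` (Gatekeeper
constraint status) and reports whether enforcement would reject running workloads.
Both documents below are constructed samples, not output from a real cluster.
"""
import json
from collections import Counter

# Constructed sample of `kubectl get polr -A -o json`: one namespace where the
# same Pod fails two rules of require-pod-security and another Pod passes.
KYVERNO_POLR_JSON = json.dumps({
    "apiVersion": "v1", "kind": "List",
    "items": [
        {"apiVersion": "wgpolicyk8s.io/v1alpha2", "kind": "PolicyReport",
         "metadata": {"name": "polr-ns-payments", "namespace": "payments"},
         "summary": {"pass": 1, "fail": 2, "warn": 0, "error": 0, "skip": 0},
         "results": [
             {"policy": "require-pod-security", "rule": "check-privileged",
              "result": "fail", "message": "privileged mode is not allowed",
              "resources": [{"kind": "Pod", "name": "legacy-agent-7d9f", "namespace": "payments"}]},
             {"policy": "require-pod-security", "rule": "check-host-namespaces",
              "result": "fail", "message": "host namespaces are not allowed",
              "resources": [{"kind": "Pod", "name": "legacy-agent-7d9f", "namespace": "payments"}]},
             {"policy": "require-pod-security", "rule": "check-privileged",
              "result": "pass",
              "resources": [{"kind": "Pod", "name": "api-5c7b", "namespace": "payments"}]},
         ]},
    ],
})

# Constructed sample of a Gatekeeper constraint in dryrun mode after an audit run.
# Gatekeeper caps status.violations (default 20 per constraint), so
# status.totalViolations is the authoritative count.
GATEKEEPER_JSON = json.dumps({
    "apiVersion": "v1", "kind": "List",
    "items": [
        {"apiVersion": "constraints.gatekeeper.sh/v1beta1", "kind": "K8sBlockPrivileged",
         "metadata": {"name": "block-privileged"},
         "spec": {"enforcementAction": "dryrun"},
         "status": {
             "totalViolations": 1,
             "violations": [
                 {"enforcementAction": "dryrun", "kind": "Pod", "name": "legacy-agent-7d9f",
                  "namespace": "payments", "message": "Privileged container is not allowed"},
             ]}},
    ],
})


def kyverno_violations(polr_list_json):
    """Return (policy, namespace, 'Kind/name') for every failing PolicyReport result."""
    found = []
    for report in json.loads(polr_list_json).get("items", []):
        report_ns = report["metadata"].get("namespace", "")  # empty for ClusterPolicyReports
        for result in report.get("results", []):
            if result.get("result") != "fail":
                continue
            for res in result.get("resources", [{}]):
                found.append((result["policy"], res.get("namespace", report_ns),
                              f"{res.get('kind', '?')}/{res.get('name', '?')}"))
    return found


def gatekeeper_violations(constraint_list_json):
    """Return ([(constraint, namespace, 'Kind/name')], [constraints whose list was capped])."""
    found, truncated = [], []
    for constraint in json.loads(constraint_list_json).get("items", []):
        name = constraint["metadata"]["name"]
        status = constraint.get("status", {})
        shown = status.get("violations", [])
        if status.get("totalViolations", len(shown)) > len(shown):
            truncated.append(name)  # more violations exist than status.violations holds
        for v in shown:
            found.append((name, v.get("namespace", ""), f"{v['kind']}/{v['name']}"))
    return found, truncated


def enforcement_readiness(violations, truncated=()):
    """Summarise live violations; 'ready' is True only when nothing would be rejected."""
    return {
        "ready": not violations and not truncated,
        "by_policy": dict(Counter(p for p, _, _ in violations)),
        "by_namespace": dict(Counter(ns for _, ns, _ in violations)),
        "blocked_resources": sorted({(ns, r) for _, ns, r in violations}),
        "truncated_constraints": list(truncated),
    }


if __name__ == "__main__":
    gk, gk_truncated = gatekeeper_violations(GATEKEEPER_JSON)
    summary = enforcement_readiness(kyverno_violations(KYVERNO_POLR_JSON) + gk, gk_truncated)
    print(json.dumps(summary, indent=2))
```

To run it against a real cluster, replace the two constants with the contents of `kubectl get polr -A -o json` and `kubectl get k8sblockprivileged -o json`. Whether Kyverno writes one report per namespace or one per resource (newer releases), the `results` schema is the same, so the parser does not care. The `truncated_constraints` field matters in practice: Gatekeeper only stores a limited number of violations in constraint status, so a constraint with `totalViolations` above the displayed list is treated as not ready even though every listed entry has been accounted for.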
