Implementing Compliance as Code

Calendar February 22, 2026
Security
Intermediate
Policy-Engine-Deployment, Compliance-Automation, Audit-Trail-Generation, Control-Mapping
Compliance-as-Code, Opa, Gatekeeper, Kyverno, Checkov, Cis-Benchmark, Soc2, Pci-Dss, Hipaa, Audit, Policy-as-Code
Opa, Gatekeeper, Kyverno, Checkov, Terraform, Kubernetes, Conftest

Implementing Compliance as Code#

Compliance as code encodes compliance requirements as machine-readable policies evaluated automatically, continuously, and with every change. Instead of quarterly spreadsheet audits, a policy like “all S3 buckets must have encryption enabled” becomes a check that runs in CI, blocks non-compliant Terraform plans, and scans running infrastructure hourly. Evidence generation is automatic. Drift is detected immediately.

Step 1: Map Compliance Controls to Technical Policies#

Translate your compliance framework’s controls into specific, testable technical requirements. This mapping bridges auditor language and infrastructure code.

Pod Security Standards: Admission Control and Secure Pod Configuration

Calendar February 22, 2026
Security
Intermediate
Pod-Security-Configuration, Admission-Control-Setup, Security-Context-Hardening, Policy-Engine-Deployment
Pod-Security, Psa, Security-Context, Opa-Gatekeeper, Kyverno, Admission-Control
Kubectl, Opa-Gatekeeper, Kyverno

Pod Security Standards#

Kubernetes Pod Security Standards define three security profiles that control what pods are allowed to do. Pod Security Admission (PSA) enforces these standards at the namespace level. This is the replacement for PodSecurityPolicy, which was removed in Kubernetes 1.25.

The Three Levels#

Privileged – Unrestricted. No security controls applied. Used for system-level workloads like CNI plugins, storage drivers, and logging agents that genuinely need host access.

Baseline – Prevents known privilege escalations. Blocks hostNetwork, hostPID, hostIPC, privileged containers, and most host path mounts. Allows most workloads to run without modification.