Choosing a Kubernetes Policy Engine: OPA/Gatekeeper vs Kyverno vs Pod Security Admission

Calendar February 22, 2026
Security
Intermediate
Policy-Engine-Selection, Security-Architecture, Compliance-Planning
Opa, Gatekeeper, Kyverno, Pod-Security-Admission, Policy-Engine, Compliance, Decision-Framework
Kubectl, Gatekeeper, Kyverno, Opa

Choosing a Kubernetes Policy Engine#

Kubernetes does not enforce security best practices by default. A freshly deployed cluster allows containers to run as root, pull images from any registry, mount the host filesystem, and use the host network. Policy engines close this gap by intercepting API requests through admission webhooks and rejecting or modifying resources that violate your rules.

The three main options – Pod Security Admission (built-in), OPA Gatekeeper, and Kyverno – serve different needs. Choosing the wrong one leads to either insufficient enforcement or unnecessary operational burden.

Implementing Compliance as Code

Calendar February 22, 2026
Security
Intermediate
Policy-Engine-Deployment, Compliance-Automation, Audit-Trail-Generation, Control-Mapping
Compliance-as-Code, Opa, Gatekeeper, Kyverno, Checkov, Cis-Benchmark, Soc2, Pci-Dss, Hipaa, Audit, Policy-as-Code
Opa, Gatekeeper, Kyverno, Checkov, Terraform, Kubernetes, Conftest

Implementing Compliance as Code#

Compliance as code encodes compliance requirements as machine-readable policies evaluated automatically, continuously, and with every change. Instead of quarterly spreadsheet audits, a policy like “all S3 buckets must have encryption enabled” becomes a check that runs in CI, blocks non-compliant Terraform plans, and scans running infrastructure hourly. Evidence generation is automatic. Drift is detected immediately.

Step 1: Map Compliance Controls to Technical Policies#

Translate your compliance framework’s controls into specific, testable technical requirements. This mapping bridges auditor language and infrastructure code.

Pod Security Standards: Admission Control and Secure Pod Configuration

Calendar February 22, 2026
Security
Intermediate
Pod-Security-Configuration, Admission-Control-Setup, Security-Context-Hardening, Policy-Engine-Deployment
Pod-Security, Psa, Security-Context, Opa-Gatekeeper, Kyverno, Admission-Control
Kubectl, Opa-Gatekeeper, Kyverno

Pod Security Standards#

Kubernetes Pod Security Standards define three security profiles that control what pods are allowed to do. Pod Security Admission (PSA) enforces these standards at the namespace level. This is the replacement for PodSecurityPolicy, which was removed in Kubernetes 1.25.

The Three Levels#

Privileged – Unrestricted. No security controls applied. Used for system-level workloads like CNI plugins, storage drivers, and logging agents that genuinely need host access.

Baseline – Prevents known privilege escalations. Blocks hostNetwork, hostPID, hostIPC, privileged containers, and most host path mounts. Allows most workloads to run without modification.

Security Hardening a Kubernetes Cluster: End-to-End Operational Sequence

Calendar February 22, 2026
Kubernetes
Intermediate
Cluster-Hardening, Security-Assessment, Policy-Enforcement, Runtime-Security
Security, Hardening, Rbac, Pod-Security, Network-Policies, Audit-Logging, Falco, Kyverno, Image-Scanning, Etcd-Encryption
Kubectl, Kube-Bench, Trivy, Kyverno, Falco, Etcdctl

Security Hardening a Kubernetes Cluster#

This operational sequence takes a default Kubernetes cluster and locks it down. Phases are ordered by impact and dependency: assessment first, then RBAC, pod security, networking, images, auditing, and finally data protection. Each phase includes the commands, policy YAML, and verification steps.

Do not skip the assessment phase. You need to know what you are fixing before you start fixing it.

Phase 1 – Assessment#

Before changing anything, establish a baseline. This phase produces a prioritized list of findings that drives the order of remediation in later phases.