Policy as code

First PublishedApr 24, 2026ByAtif Alam

Policy as code moves guardrails out of tribal knowledge into versioned rules that run in CI, pre-deploy, and optionally at admission time. It complements Security scanning (SAST, SCA, container scans) by focusing on Kubernetes and cloud shape — labels, capabilities, ingress exposure, required annotations.

Where checks run

Stage	Examples	Tradeoff
Pre-commit / local	`kubeconform`, `helm template \| conftest`	Fast feedback; may drift from cluster CRDs unless pinned
Pull request	OPA Conftest, Kyverno `test`, chart lint	Blocks bad YAML before merge
Pre-sync / CD	`kubectl apply --dry-run=server` in pipeline	Catches CRD/schema issues against live API
Admission	Kyverno, Gatekeeper	Strongest enforcement; must tune timeouts and failurePolicy

Conftest and Rego (OPA)

Conftest evaluates Rego policies against arbitrary structured files (Kubernetes YAML, Terraform JSON plans, Dockerfile metadata).

1
conftest test deployment.yaml -p policy/

Keep policies small and composable; test fixtures live beside rules.

Kyverno in CI

Kyverno can lint manifests with kyverno test using policy + resource fixtures — useful when your runtime enforcement engine is also Kyverno so the same rules run in CI and the cluster.

Schema validation

kubectl apply --dry-run=server — authoritative for what the API will accept (requires live cluster credentials in CI).
kubeconform — offline validation against OpenAPI schemas; pin Kubernetes version.

Signatures and supply chain

Pair policy checks with image signing (Cosign) and SBOM gates from the security scanning page — policy-as-code answers “is this manifest shaped correctly?” while signatures answer “is this artifact the one we built?”

Security scanning — SAST, SCA, container scanning, IaC scanning, SBOM.
GitOps — Where dry-runs and sync retries fit delivery.
Admission controllers — Webhooks and failure modes in-cluster.
Architecture review answers — Prompts this page deepens.