If you’re running Argo CD, you already have your cluster state living in Git. Kyverno extends that same structure to policy enforcement as well. Together, they enable a fully GitOps-driven approach to security and governance. Here’s why the two work so well together:
GitOps policy-as-code: Securing Kubernetes with Argo CD and Kyverno… The application owner maintains the ultimate responsibility for verifying everything via remote attestation, including: Verification of container images by using signed container images at a min – https://confidentialcontainers.org/docs/features/signed-images/ Verification of the pod specification … …
… TL;DR Kyverno 1.18 delivers: Stronger security controls for HTTP-based policy execution and multiple CVE mitigations Significant CLI enhancements for testing and applying modern policy types Policy engine improvements for performance, observability, and scalability Enhancements to the policies Helm… …
… Security architecture Security is treated as a cross-cutting concern integrated throughout the entire platform lifecycle — not a layer applied after deployment. The approach spans supply chain integrity, policy enforcement, runtime protection, and secret management. …
… They still use policy, but they treat policy as a layer inside the sandbox, not as the boundary itself. Why? Because you can’t write a complete security policy for something when you don’t know what it’s going to do next. …
… The chart is pulled directly from the Kyverno Helm repository. apiVersion: v2 name: kyverno-policies description: Helm Chart for Kyverno Policies type: application version: 1.0.0 dependencies: - name: kyverno-policies version: "3.7.1" repository: https://kyverno.github.io/kyverno/ kyverno-policies/… …
… Cloud Custodian acts as an automated safety net, ensuring all machine-deployed infrastructure follows security and compliance rules while catching costly misconfigurations before they become security gaps or budget overruns. …
… The timing problem in policy-as-code Policy-as-code tooling has matured significantly within the CNCF ecosystem. Tools like Open Policy Agent OPA , Kyverno , and Conftest give platform teams powerful, declarative ways to define and enforce governance rules across Kubernetes environments. …
… Falco, a CNCF graduated project and the de facto standard for cloud native runtime security, has long brought policy-driven detection to containers, Kubernetes, and hosts. …
… Maintainers are particularly worried about: Security vulnerabilities License compliance. …
… Role separation : Decouple infrastructure from application routing for better security and multi-tenancy. Rich policy integration : Combine L7 routing with Cilium Network Policies and Hubble observability. …