Master Kubernetes policy management using Kyverno and GitOps. Learn how to implement Policy-as-Code to automate security and compliance in your cluster.
I’ve spent too many late nights debugging production clusters where someone accidentally pushed a container running as root or forgot to add resource limits. If you’re still manually auditing your YAML manifests, you’re doing it the hard way. Kubernetes policy management doesn't have to be a manual chore. By combining Kyverno with a GitOps security workflow, you can automate guardrails and stop non-compliant configurations before they even touch your API server.
There are a few options out there, but I keep coming back to Kyverno. Unlike OPA/Gatekeeper, which requires learning Rego—a language that feels like a hurdle for most DevOps engineers—Kyverno uses native Kubernetes YAML. If you can write a Pod spec, you can write a Kyverno policy.
Policy-as-Code isn't just about security; it's about shifting the burden of compliance from your team to the platform. When you define your policies as code, you gain the same benefits as your application code: version control, peer reviews, and automated testing.
In a standard GitOps flow, we use ArgoCD or Flux to sync our cluster state with a Git repository. To implement admission controller policies effectively, we need to treat our policies as just another manifest in our Git repo.
First, get Kyverno installed via Helm. I prefer pinning to a specific version to avoid surprises.
```bash
helm repo add kyverno https://kyverno.github.io/kyverno/
helm repo update
helm install kyverno kyverno/kyverno -n kyverno --create-namespace --version 3.1.2
```
Instead of applying this via kubectl, we’ll store it in our Git repo. Here is a simple policy that ensures all images come from our private registry:
```yaml
# policies/restrict-registry.yaml
apiVersion: kyverno.io/v1
kind: ClusterPolicy
metadata:
  name: restrict-image-registry
spec:
  validationFailureAction: Enforce
  rules:
    - name: check-registry
      match:
        resources:
          kinds:
            - Pod
      validate:
        message: "Images must come from private.registry.com"
        pattern:
          spec:
            containers:
              - image: "private.registry.com/*"
```
If you’re using ArgoCD, add the policies/ directory to your Application definition. When you push this to your main branch, ArgoCD will sync the ClusterPolicy to your cluster, and the Kyverno admission controller will immediately begin enforcing it.
One lesson I’ve learned the hard way: never jump straight to Enforce in production.
Kyverno allows you to set validationFailureAction to Audit. This is a lifesaver. When you’re rolling out a new policy, set it to Audit first. Kyverno will log violations without blocking deployments. You can then check the PolicyReport custom resource to see exactly which existing workloads would have broken if you had enforced the policy.
```bash
kubectl get policyreports -A
```
Once your logs are clean, switch the action to Enforce. This is the gold standard for GitOps security.
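The policy above and the Audit-versus-Enforce rollout, as an added dry-run example that is not part of the post or of Kyverno itself: it re-implements only the wildcard image check against constructed sample Pods, so you can see which workloads an Audit rollout reports and an Enforce rollout rejects. It also lets you widen the check to initContainers, which the policy's pattern (spec.containers only) does not cover.

```python
from fnmatch import fnmatchcase

# Mirrors the policy's pattern: spec.containers[*].image: "private.registry.com/*"
ALLOWED_IMAGE_PATTERN = "private.registry.com/*"

def image_violations(pod, fields=("containers",)):
    """Return images in the given pod.spec list fields that miss the pattern.
    Default covers only spec.containers, exactly like the ClusterPolicy above;
    pass ("containers", "initContainers") to see what a broader rule would catch."""
    spec = pod.get("spec", {})
    images = [c.get("image", "") for f in fields for c in spec.get(f, [])]
    return [img for img in images if not fnmatchcase(img, ALLOWED_IMAGE_PATTERN)]

def admission_decision(pod, action):
    """Simulate validationFailureAction. Returns (admitted, report_lines)."""
    bad = image_violations(pod)
    if not bad:
        return True, []
    name = pod.get("metadata", {}).get("name", "<unnamed>")
    lines = [f"{name}: {img} does not match {ALLOWED_IMAGE_PATTERN}" for img in bad]
    if action == "Enforce":
        return False, lines   # request rejected by the admission webhook
    if action == "Audit":
        return True, lines    # admitted; violation lands in the PolicyReport
    raise ValueError(f"unknown validationFailureAction: {action}")

# Constructed sample Pods (hypothetical, not taken from the post)
SAMPLE_PODS = [
    {"metadata": {"name": "api"},
     "spec": {"containers": [{"image": "private.registry.com/team/api:1.4"}]}},
    {"metadata": {"name": "cache"},
     "spec": {"containers": [{"image": "redis:7"}]}},
    {"metadata": {"name": "migrate"},
     "spec": {"initContainers": [{"image": "docker.io/library/busybox"}],
              "containers": [{"image": "private.registry.com/team/migrate:2"}]}},
]

def rollout_summary(pods, action):
    """What an operator sees for a given action: admitted Pod names and report lines."""
    admitted, report = [], []
    for pod in pods:
        ok, lines = admission_decision(pod, action)
        if ok:
            admitted.append(pod["metadata"]["name"])
        report.extend(lines)
    return admitted, report

if __name__ == "__main__":
    for action in ("Audit", "Enforce"):
        admitted, report = rollout_summary(SAMPLE_PODS, action)
        print(f"{action}: admits {admitted}; report: {report}")
```

Note that the "migrate" Pod passes the page's policy even though its initContainer pulls from Docker Hub; add initContainers to the pattern if that matters in your cluster.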
Don't just dump all your policies in one file. Organize your Git repo by environment or team. I typically structure my repo like this:
```text
/infrastructure
  /kyverno
    /base   # Global policies (e.g., must have labels)
    /prod   # Strict policies (e.g., no root, resource limits)
    /dev    # Lax policies (e.g., warning only)
```
By leveraging Kustomize overlays, you can apply stricter policies in production while allowing more flexibility in development environments. This approach keeps your cluster secure without frustrating your developers.
Automated Kubernetes policy management is no longer optional for teams running at scale. By moving your policies into Git, you turn security into a self-service feature. Your developers get immediate feedback when their manifests violate a policy, and your production environment stays clean.
Stop fighting fires and start defining the rules. Start with a simple Audit policy today, and build your way up to a fully automated enforcement pipeline.