Skip to content
Sandeep Kumar ChaudharySandeep
Back to BlogKubernetes & DevOps

How to Enforce Policy in Kubernetes with Kyverno and OPA

By Sandeep Kumar ChaudharyJul 12, 20266 min read
How to Enforce Policy in Kubernetes with Kyverno and OPA — Kubernetes & DevOps guide by Sandeep Kumar Chaudhary, full stack developer

TL;DR

A complete, up-to-date breakdown of enforce policy for developers and founders. It covers the core ideas, the trade-offs that matter, a practical workflow, real numbers, and the questions people ask most — written to be skimmed, applied, and shared.

Key takeaways

  • Shift security left with policy-as-code (OPA Gatekeeper or Kyverno), signed images, and SBOMs rather than bolting on scans at the end.
  • Do not add a service mesh until you actually need mTLS, fine-grained traffic policy, or deep observability across services.
  • Package applications with Helm or Kustomize, but keep environment-specific values out of the chart and in overlays or values files.
  • Right-size autoscaling with HPA for pods, Cluster Autoscaler or Karpenter for nodes, and KEDA for event-driven and scale-to-zero workloads.
  • Measure your platform with DORA metrics and treat developer experience as the product, running the internal platform like any other product.

This is a practical, up-to-date guide to Enforce Policy — what it is, why it matters in 2026, and how to apply it in real projects. It is written for developers and founders who want clear answers and proven best practices, not filler.

Whether you're just starting out or leveling up, treat this as a working reference you can return to. Every section is built to be skimmed, applied, and shared.

Autoscaling from pods to nodes

Kubernetes scales along several independent axes and you usually combine them. The Horizontal Pod Autoscaler adds or removes Pod replicas based on CPU, memory, or custom metrics, while the Vertical Pod Autoscaler tunes per-Pod resource requests. When there is no room to place new Pods, the Cluster Autoscaler grows the node pool, and the increasingly popular open-source Karpenter provisions right-sized nodes quickly and consolidates them for cost. For event-driven and bursty workloads, KEDA scales on queue depth or other external signals and can even scale workloads to zero. Correct autoscaling depends entirely on setting sensible resource requests and limits, since the scheduler and every autoscaler reason about those numbers.

Service mesh: Istio and Linkerd

A service mesh moves cross-cutting concerns like mutual TLS, retries, timeouts, traffic splitting, and detailed telemetry out of application code and into a dedicated infrastructure layer. Istio is the most feature-rich option, historically deploying an Envoy sidecar proxy next to every Pod, and its newer ambient mode splits duties between a per-node proxy and an optional per-workload layer to cut sidecar overhead. Linkerd takes a deliberately simpler, lighter path with a purpose-built Rust micro-proxy and a strong focus on operational simplicity. Meshes are powerful but add real complexity, so CNCF surveys still show them used by a minority of clusters. The pragmatic rule is to adopt a mesh only when you concretely need zero-trust mTLS, fine-grained traffic control, or golden-signal observability across many services.

Common pitfalls and anti-patterns

The most frequent mistake is adopting Kubernetes for its own sake when a simpler managed platform would serve a small team better; the operational tax is real. Teams routinely omit resource requests and limits, which cripples scheduling and invites cascading out-of-memory kills and noisy neighbors. Others treat clusters as pets, applying changes by hand until no one can reproduce the environment, which is exactly what GitOps exists to prevent. Over-engineering is common too, such as installing a service mesh or a sprawling portal before there is any pain to justify it. Finally, neglecting continuous upgrades is dangerous because Kubernetes deprecates APIs and supports each release for only about fourteen months, so falling behind compounds quickly.

DevSecOps and shifting security left

DevSecOps folds security into the delivery pipeline instead of treating it as a final gate, which is essential when GitOps can push changes to production in minutes. In Kubernetes this means policy-as-code admission controllers like OPA Gatekeeper or Kyverno that reject non-compliant manifests, image scanning with tools such as Trivy or Grype, and runtime threat detection with Falco. Supply-chain integrity has become central, with Sigstore and cosign used to sign images and generate SBOMs, and the SLSA framework describing build-integrity levels. Secrets should live in a manager like HashiCorp Vault or External Secrets rather than in Git, and workloads should run with least-privilege RBAC and restrictive Pod Security Standards. The aim is guardrails that are automated and default-on rather than manual reviews that slow everyone down.

How the control plane and reconciliation work

A Kubernetes cluster splits into a control plane and a set of worker nodes. The control plane runs the API server, which is the single front door for all changes; etcd, a distributed key-value store that holds cluster state; the scheduler, which decides which node a Pod lands on; and controllers that drive reconciliation. Every controller runs a loop that observes actual state, compares it to desired state, and takes corrective action, which is why a killed Pod gets recreated automatically. On each worker node, the kubelet talks to the container runtime through the Container Runtime Interface, typically containerd or CRI-O, while kube-proxy or a CNI plugin handles networking. This reconciliation model is the foundation everything else, including GitOps, builds on.

GitOps with Argo CD and Flux

GitOps applies version-control discipline to operations by making a Git repository the single source of truth for cluster state. An in-cluster agent, most often Argo CD or Flux, continuously compares what is running against what is committed and reconciles any drift, so deployments become a matter of merging a pull request rather than running imperative kubectl commands. Argo CD leans toward a rich UI and application-centric model, while Flux is more modular and controller-based, and both are CNCF graduated projects aligned to the vendor-neutral OpenGitOps principles. This gives you an auditable history, easy rollback by reverting a commit, and consistent multi-cluster delivery. GitOps is now the mainstream way to run continuous delivery on Kubernetes.

Enforce Policy: Key Facts and Data

According to recent industry research and the official documentation linked below:

  • Argo CD and Flux are both CNCF graduated GitOps projects, and the OpenGitOps working group has published a set of vendor-neutral GitOps principles that most tooling now aligns to.
  • Kubernetes is a CNCF graduated project originally open-sourced by Google in 2014 based on its internal Borg system, and it has become the de facto standard for container orchestration.
  • Backstage was created at Spotify, donated to the CNCF in 2020, and has become one of the most widely adopted open-source frameworks for building internal developer portals.

Quick-Reference Summary

A map of what this guide covers:

TopicWhat you'll learn
Autoscaling from pods to nodesKubernetes scales along several independent axes and you usually combine them.
Service mesh: Istio and LinkerdA service mesh moves cross-cutting concerns like mutual TLS
Common pitfalls and anti-patternsThe most frequent mistake is adopting Kubernetes for its own sake when a simpler managed platform would serve a small team better
DevSecOps and shifting security leftDevSecOps folds security into the delivery pipeline instead of treating it as a final gate
How the control plane and reconciliation workA Kubernetes cluster splits into a control plane and a set of worker nodes.
GitOps with Argo CD and FluxGitOps applies version-control discipline to operations by making a Git repository the single source of truth for cluster state.

How to Get Started with Enforce Policy

A simple path that works:

  1. Learn the fundamentals of Enforce Policy from primary sources, not just tutorials.
  2. Build one small, real project end to end.
  3. Get feedback, refactor, and add tests.
  4. Ship it publicly and document what you learned.
  5. Repeat with a slightly harder project each time.

Build It with a World-Class Full Stack Developer

Sandeep Kumar Chaudhary is a full stack world-class developer. If you want to turn this into a real, production-ready product, get in touch — message directly on WhatsApp at +9779802348957 for a fast, no-pressure consult.

You can also explore the projects already shipped to thousands of users, or start a conversation here.

Final Thoughts

Shift security left with policy-as-code (OPA Gatekeeper or Kyverno), signed images, and SBOMs rather than bolting on scans at the end. The developers and teams who win in 2026 pair strong fundamentals with consistent shipping. Start small, stay curious, build in public, and revisit this guide as your skills grow.

Sources and Further Reading

#kubernetes#platform engineering#internal developer platform#gitops

Frequently Asked Questions

What is enforce policy?

A service mesh moves cross-cutting concerns like mutual TLS, retries, timeouts, traffic splitting, and detailed telemetry out of application code and into a dedicated infrastructure layer. Istio is the most feature-rich option, historically deploying an Envoy sidecar proxy next to every Pod, and its newer ambient mode splits duties between a per-node proxy and an optional per-workload layer to cut sidecar overhead. This guide covers enforce policy end to end — core concepts, best practices, concrete data, and a step-by-step approach you can apply right away.

How does autoscaling work in Kubernetes?

Kubernetes scales on several axes that you typically combine. The Horizontal Pod Autoscaler changes the number of Pod replicas based on metrics, the Cluster Autoscaler or Karpenter adds and removes nodes when Pods cannot be placed, and KEDA scales workloads on external event sources and can scale to zero. All of these depend on well-set resource requests and limits, so getting those numbers right is the real prerequisite.

What does DevSecOps mean in a Kubernetes context?

It means embedding security throughout the delivery pipeline rather than as a final checkpoint, which matters because GitOps can ship to production quickly. Concretely, teams enforce policy-as-code with OPA Gatekeeper or Kyverno, scan images with tools like Trivy, sign artifacts with Sigstore and cosign, detect runtime threats with Falco, and keep secrets in a manager like Vault. The aim is automated, default-on guardrails and least-privilege access rather than manual gates.

Do I actually need Kubernetes for my project?

Probably not if you are a small team running a handful of services, where a managed platform as a service or serverless option will cost far less operationally. Kubernetes pays off when you have many services, need portability across clouds or on-prem, or require fine-grained control over scaling, networking, and scheduling. A useful rule is to reach for it when the complexity you are managing exceeds the complexity Kubernetes itself adds.

Should I use Argo CD or Flux for GitOps?

Both are CNCF graduated projects that reliably reconcile clusters from Git, so either is a safe choice. Argo CD offers a polished web UI and an application-centric model that many teams find easier to adopt and demo, while Flux is more modular, controller-driven, and composes well when you want GitOps as building blocks. Pick Argo CD if you value a strong UI out of the box, and Flux if you prefer a lightweight, Kubernetes-native toolkit you assemble yourself.

Sandeep Kumar Chaudhary

Sandeep Kumar Chaudhary

Full Stack Software Developer· Nepal's SEO, AEO, GEO & AIO expert and share-market educator. More about me