<?xml version="1.0" encoding="utf-8" standalone="yes"?><rss version="2.0" xmlns:atom="http://www.w3.org/2005/Atom"><channel><title>Policy on</title><link>https://deploy-preview-3155--ornate-narwhal-088216.netlify.app/tags/policy/</link><description>Recent content in Policy on</description><generator>Hugo -- gohugo.io</generator><language>en-US</language><lastBuildDate>Fri, 26 Sep 2025 10:00:00 +0000</lastBuildDate><atom:link href="https://deploy-preview-3155--ornate-narwhal-088216.netlify.app/tags/policy/index.xml" rel="self" type="application/rss+xml"/><item><title>Kubernetes Policy Enforcement with OPA Gatekeeper</title><link>https://deploy-preview-3155--ornate-narwhal-088216.netlify.app/chainguard/chainguard-images/staying-secure/enforcement/opa-gatekeeper/</link><pubDate>Tue, 02 Sep 2025 10:00:00 +0000</pubDate><guid>https://deploy-preview-3155--ornate-narwhal-088216.netlify.app/chainguard/chainguard-images/staying-secure/enforcement/opa-gatekeeper/</guid><description>Gatekeeper is an admission controller that enforces policies in Kubernetes clusters. This article describes how it can be leveraged to ensure resources follow best practices related to the use of Chainguard Containers.
Prerequisites To follow the examples in this guide, you will need the following:
kubectl — the command line interface tool for Kubernetes — installed on your local machine. Administrative access to a Kubernetes cluster where OPA Gatekeeper is already installed.</description></item><item><title>Disallowing Non-Default Capabilities</title><link>https://deploy-preview-3155--ornate-narwhal-088216.netlify.app/open-source/sigstore/policy-controller/policies/disallowing-non-default-capabilities-with-policy-controller/</link><pubDate>Thu, 02 Mar 2023 13:11:29 +0829</pubDate><guid>https://deploy-preview-3155--ornate-narwhal-088216.netlify.app/open-source/sigstore/policy-controller/policies/disallowing-non-default-capabilities-with-policy-controller/</guid><description>This guide demonstrates how to use the Sigstore Policy Controller to prevent running containers with extra capabilities. You will create a ClusterImagePolicy that uses the CUE language to examine a pod spec, and only allow admission into a cluster if the pod is running with one or more Linux capabilities from a defined set of safe capability flags.
Prerequisites To follow along with this guide, you will need the following:
A Kubernetes cluster with administrative access.</description></item><item><title>Disallowing Privileged Pods</title><link>https://deploy-preview-3155--ornate-narwhal-088216.netlify.app/open-source/sigstore/policy-controller/policies/disallowing-privileged-containers-with-policy-controller/</link><pubDate>Thu, 02 Mar 2023 13:11:29 +0829</pubDate><guid>https://deploy-preview-3155--ornate-narwhal-088216.netlify.app/open-source/sigstore/policy-controller/policies/disallowing-privileged-containers-with-policy-controller/</guid><description>This guide demonstrates how to use the Sigstore Policy Controller to prevent running containers with elevated privileges. You will create a ClusterImagePolicy that uses the CUE language to examine a pod spec, and only allow admission into a cluster if the pod is running without the privileged: true setting.
Prerequisites To follow along with this guide, you will need the following:
A Kubernetes cluster with administrative access. You can set up a local cluster using kind or use an existing cluster.</description></item><item><title>Disallowing Run as Root User</title><link>https://deploy-preview-3155--ornate-narwhal-088216.netlify.app/open-source/sigstore/policy-controller/policies/disallowing-run-as-root-user-with-policy-controller/</link><pubDate>Thu, 02 Mar 2023 13:11:29 +0829</pubDate><guid>https://deploy-preview-3155--ornate-narwhal-088216.netlify.app/open-source/sigstore/policy-controller/policies/disallowing-run-as-root-user-with-policy-controller/</guid><description>This guide demonstrates how to use the Sigstore Policy Controller to prevent running containers as the root user in a Kubernetes cluster. You will create a ClusterImagePolicy that uses the CUE language to examine a pod spec, and only allow admission into a cluster if the pod is running as a non-root user.
Prerequisites To follow along with this guide, you will need the following:
A Kubernetes cluster with administrative access.</description></item><item><title>Maximum Container Image Age</title><link>https://deploy-preview-3155--ornate-narwhal-088216.netlify.app/open-source/sigstore/policy-controller/policies/maximum-image-age-policy-controller/</link><pubDate>Thu, 02 Mar 2023 13:11:29 +0829</pubDate><guid>https://deploy-preview-3155--ornate-narwhal-088216.netlify.app/open-source/sigstore/policy-controller/policies/maximum-image-age-policy-controller/</guid><description>This guide demonstrates how to use the Sigstore Policy Controller to verify image signatures before admitting an image into a Kubernetes cluster. In this guide, you will create a ClusterImagePolicy that checks the maximum age of a container image, verifying that it isn’t older than 30 days. For that, we’ll attempt to create two distroless images: one older than 30 days and a fresh one.
Prerequisites To follow along with this guide, you will need the following:</description></item><item><title>Disallowing Unsafe sysctls</title><link>https://deploy-preview-3155--ornate-narwhal-088216.netlify.app/open-source/sigstore/policy-controller/policies/disallowing-unsafe-sysctls-with-policy-controller/</link><pubDate>Wed, 01 Mar 2023 13:11:29 +0829</pubDate><guid>https://deploy-preview-3155--ornate-narwhal-088216.netlify.app/open-source/sigstore/policy-controller/policies/disallowing-unsafe-sysctls-with-policy-controller/</guid><description>This guide demonstrates how to use the Sigstore Policy Controller to allow pods that use sysctls to modify kernel behaviour only when they run with the safe set of parameters. You will create a ClusterImagePolicy that uses the CUE language to examine a pod spec that uses sysctls, and only allow admission into a cluster if the pod is running with a safe set of parameters.
Prerequisites To follow along with this guide, you will need the following:</description></item><item><title>Verify Signed Chainguard Containers</title><link>https://deploy-preview-3155--ornate-narwhal-088216.netlify.app/open-source/sigstore/policy-controller/policies/using-policy-controller-to-verify-signed-chainguard-images/</link><pubDate>Wed, 22 Feb 2023 13:11:29 +0829</pubDate><guid>https://deploy-preview-3155--ornate-narwhal-088216.netlify.app/open-source/sigstore/policy-controller/policies/using-policy-controller-to-verify-signed-chainguard-images/</guid><description>This guide demonstrates how to use the Sigstore Policy Controller to verify image signatures before admitting an image into a Kubernetes cluster. In this guide, you will create a ClusterImagePolicy that checks for a keyless Cosign image signature, and then test the admission controller by running a signed nginx image.
Prerequisites To follow along with this guide, you will need the following:
A Kubernetes cluster with administrative access. You can set up a local cluster using kind or use an existing cluster.</description></item><item><title>Kubernetes Policy Enforcement with Kyverno</title><link>https://deploy-preview-3155--ornate-narwhal-088216.netlify.app/chainguard/chainguard-images/staying-secure/enforcement/kyverno/</link><pubDate>Fri, 26 Sep 2025 10:00:00 +0000</pubDate><guid>https://deploy-preview-3155--ornate-narwhal-088216.netlify.app/chainguard/chainguard-images/staying-secure/enforcement/kyverno/</guid><description>Kyverno is an admission controller that enforces policies in Kubernetes clusters. This article describes how it can be leveraged to ensure resources follow best practices related to the use of Chainguard Containers.
Prerequisites To follow the examples in this guide, you will need the following:
kubectl — the command line interface tool for Kubernetes — installed on your local machine. Administrative access to a Kubernetes cluster where Kyverno is already installed.</description></item><item><title>Limit High or Critical CVEs in your Images Workloads</title><link>https://deploy-preview-3155--ornate-narwhal-088216.netlify.app/open-source/sigstore/policy-controller/policies/critical-cve-policy/</link><pubDate>Wed, 12 Apr 2023 15:22:20 +0100</pubDate><guid>https://deploy-preview-3155--ornate-narwhal-088216.netlify.app/open-source/sigstore/policy-controller/policies/critical-cve-policy/</guid><description>While Common Vulnerabilities and Exposures (CVEs) are undesirable at any time, the software security standards of certain industries strictly regulate the allowance of high or critical CVEs. For example, in the payment industry, the PCI Security Standards Council requires that all vulnerabilities with a Common Vulnerability Scoring System (CVSS) score higher than 4 are addressed.
For engineers and security professionals working in these contexts, it’s essential to know if container images have high or critical CVEs before deploying them.</description></item><item><title>Rego Policies</title><link>https://deploy-preview-3155--ornate-narwhal-088216.netlify.app/open-source/sigstore/policy-controller/policies/chainguard-enforce-rego-policies/</link><pubDate>Thu, 12 Jan 2023 15:56:52 -0700</pubDate><guid>https://deploy-preview-3155--ornate-narwhal-088216.netlify.app/open-source/sigstore/policy-controller/policies/chainguard-enforce-rego-policies/</guid><description>The Sigstore Policy Controller supports the Rego Policy Language, which is a declarative policy language that is used to evaluate structured input data such as Kubernetes manifests and JSON documents. This feature enables users to apply policies that can evaluate Kubernetes admission requests and object metadata to make comprehensive decisions about the workloads that are admitted to their clusters. Rego support also enables users to enhance existing cloud-native policies by adding additional software supply chain security checks.</description></item></channel></rss>