kyverno
Safeguard articles tagged "kyverno" — guides, analysis, and best practices for software supply chain and application security.
7 articles
Kubernetes Admission Controllers for Security
Admission controllers are the policy chokepoint between a validated API request and a running workload. Used well, they enforce your entire security posture. Here is how validating webhooks, Kyverno, OPA, and the new CEL-based policies fit together.
Kubernetes admission controllers for security
How Kubernetes admission controllers work, why defaults leave clusters exposed, and how Pod Security Admission, OPA Gatekeeper, and Kyverno close the gap.
Kyverno vs OPA Gatekeeper: A Buyer Comparison for 2026
A practical comparison of Kyverno 1.13 and OPA Gatekeeper 3.18 for Kubernetes policy enforcement, covering language, performance, ecosystem, and operational fit.
Kyverno ImageValidatingPolicy 2026: A Production Walkthrough
Kyverno 1.18 ships ImageValidatingPolicy as the new policy type for cosign signature, attestation, and SBOM verification. We migrated a 60-cluster fleet and graded the new model.
Kubernetes Admission Controller Policy Patterns in 2026
A field guide to the admission control patterns that survived contact with production clusters: validating webhooks, image policy, mutating defaults, and what to skip.
Best Kubernetes Admission Controllers for Supply Chain Security
Kyverno, OPA Gatekeeper, Sigstore policy-controller, Ratify, or plain CEL? A field guide to admission controllers that actually block unsigned and vulnerable images.
K8s Admission Controllers for Supply Chain Policy
How to design Kubernetes admission controllers that enforce supply chain policy without turning every deploy into a 30-minute argument with the cluster.