This post describes how a Compute Security team built kube-policies, a custom Kubernetes admission controller on top of Open Policy Agent (OPA) to replace Pod Security Policies with adaptive security guardrails.
• Kubernetes default configurations favor rapid deployment over security, and existing solutions like Gatekeeper and Kyverno did not fully meet the team's requirements.
• Validating policies follow three enforcement stages: monitoring (audit log annotations), warning (HTTP Warnings header), and deny (blocking non-compliant resources).
• Mutating policies run in dryrun (annotation-only) or patch (active mutation) mode to bring resources into compliance without user intervention.
• Policies are promoted gradually across development, staging, and production environments to minimize runtime disruptions before reaching full enforcement.
• A comprehensive testing strategy includes unit tests covering valid, invalid, edge-case, and malformed-input scenarios, with build pipelines that
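The three validating stages and the two mutating modes above, as an added Python example that is not kube-policies' own code: it builds the AdmissionReview response a webhook would return for each stage or mode, over a constructed request. The privileged-container rule, the annotation keys and the sample uid are assumptions made for the illustration.

```python
import base64
import json
# Constructed sample AdmissionReview (not from the post): a Pod whose single
# container asks for privileged mode, a classic Pod Security Policy violation.
SAMPLE_REVIEW = {
    "apiVersion": "admission.k8s.io/v1", "kind": "AdmissionReview",
    "request": {"uid": "00000000-0000-4000-8000-000000000001",  # constructed uid
                "object": {"kind": "Pod", "metadata": {"name": "demo"}, "spec": {
                    "containers": [{"name": "app", "image": "example/app:1",
                                    "securityContext": {"privileged": True}}]}}},
}

def privileged_containers(pod):
    """Indexes of containers that set securityContext.privileged: true."""
    return [i for i, c in enumerate(pod["spec"].get("containers", []))
            if c.get("securityContext", {}).get("privileged")]

def validate(review, stage):
    """Validating policy: monitor (allow, record violation as an audit annotation),
    warn (allow, return it in the Warning header) or deny (reject with a status
    message). The API server prefixes auditAnnotations keys with the webhook name."""
    req = review["request"]
    msgs = [f"container {req['object']['spec']['containers'][i]['name']} must not be privileged"
            for i in privileged_containers(req["object"])]
    resp = {"uid": req["uid"], "allowed": True}
    if stage not in ("monitor", "warn", "deny"):
        raise ValueError(f"unknown stage {stage!r}")
    if msgs and stage == "monitor":
        resp["auditAnnotations"] = {"violations": "; ".join(msgs)}
    elif msgs and stage == "warn":
        resp["warnings"] = msgs
    elif msgs:  # deny
        resp.update(allowed=False, status={"code": 403, "message": "; ".join(msgs)})
    return {"apiVersion": review["apiVersion"], "kind": review["kind"], "response": resp}

def mutate(review, mode):
    """Mutating policy: a JSON Patch that turns privileged off. dryrun only
    annotates with the patch it would apply; patch returns it for the API server."""
    req = review["request"]
    ops = [{"op": "replace", "path": f"/spec/containers/{i}/securityContext/privileged",
            "value": False} for i in privileged_containers(req["object"])]
    resp = {"uid": req["uid"], "allowed": True}
    if mode not in ("dryrun", "patch"):
        raise ValueError(f"unknown mode {mode!r}")
    if ops and mode == "dryrun":
        resp["auditAnnotations"] = {"dryrun-patch": json.dumps(ops)}
    elif ops:  # patch: base64-encoded JSON Patch, as the admission API requires
        resp["patchType"] = "JSONPatch"
        resp["patch"] = base64.b64encode(json.dumps(ops).encode()).decode()
    return {"apiVersion": review["apiVersion"], "kind": review["kind"], "response": resp}
```

A compliant Pod yields an unmodified "allowed: true" response in every stage and mode, which is what makes promoting a policy from monitor to deny safe for workloads that already pass.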