Skip to main content
pgAgroal Enterprise docs · Enforce policy guardrails

pgAgroal Enterprise · How-to

Enforce policy guardrails

Apply policy-as-code so unsafe pgAgroal Enterprise configurations are blocked at admission, not just documented. You apply three Kyverno ClusterPolicies, roll them out in Audit mode, switch to Enforce once your fleet is clean, and validate the set with the bundled test suite.

The guardrails enforce the same hardening the operator already applies, so the cluster rejects drift before it reaches production. This keeps the controls verifiable, aligned with our audit-readiness goals.

The guardrails

pgAgroal Enterprise ships three Kyverno ClusterPolicy resources under policy/kyverno/:

  • require-pod-hardening.yaml — pgagroal pods run non-root, drop ALL capabilities, use the RuntimeDefault seccomp profile, disallow privilege escalation, and set CPU and memory requests plus limits.
  • require-image-pinned.yaml — the Pgagroal spec.image is pinned by digest or version tag, with no :latest and no untagged images.
  • require-secrets-by-reference.yaml — credential-like environment variables use secretKeyRef, never an inline plaintext value.

Prerequisites

Install Kyverno into the cluster first — see the Kyverno installation guide. You also need kubectl with access to the target cluster.

Apply in Audit mode

The policies ship as validationFailureAction: Audit (report-only), so applying them is safe on a running fleet — they report violations without blocking admission. Apply the whole directory:

kubectl apply -f policy/kyverno/

Review the policy reports to find existing resources that would be blocked once you switch to Enforce, and fix them first.

Switch to Enforce

Once your fleet is clean, set each policy to validationFailureAction: Enforce so violations are blocked at admission. Edit the manifests in policy/kyverno/ and re-apply, or patch them in place:

for p in require-pod-hardening require-image-pinned require-secrets-by-reference; do
  kubectl patch clusterpolicy "$p" --type merge \
    -p '{"spec":{"validationFailureAction":"Enforce"}}'
done
Keep the change in source control rather than patching live clusters by hand, so the enforcement state stays traceable to a reviewed commit.

Validate with the test suite

The policies are validated with the Kyverno CLI against bundled fixtures under policy/kyverno/tests. The suite asserts each policy passes compliant resources and fails non-compliant ones — an unhardened pod, a plaintext-secret env var, and a :latest image. The same suite runs on every PR in the policy CI job.

kyverno test policy/kyverno/tests

Gatekeeper alternative

Teams standardized on OPA Gatekeeper can express the same intents as ConstraintTemplate and Constraint pairs (for example, K8sRequiredSecurityContext and K8sDisallowedTags). The Kyverno set is the supported default; the controls are identical.

Next steps