pgAgroal Enterprise · How-to
Enforce policy guardrails
Apply policy-as-code so unsafe pgAgroal Enterprise configurations are blocked at admission, not just documented. You apply three Kyverno ClusterPolicies, roll them out in Audit mode, switch to Enforce once your fleet is clean, and validate the set with the bundled test suite.
The guardrails
pgAgroal Enterprise ships three Kyverno ClusterPolicy resources under policy/kyverno/:
require-pod-hardening.yaml— pgagroal pods run non-root, drop ALL capabilities, use the RuntimeDefault seccomp profile, disallow privilege escalation, and set CPU and memory requests plus limits.require-image-pinned.yaml— thePgagroalspec.imageis pinned by digest or version tag, with no:latestand no untagged images.require-secrets-by-reference.yaml— credential-like environment variables usesecretKeyRef, never an inline plaintextvalue.
Prerequisites
Install Kyverno into the cluster first — see the Kyverno installation guide. You also need kubectl with access to the target cluster.
Apply in Audit mode
The policies ship as validationFailureAction: Audit (report-only), so applying them is safe on a running fleet — they report violations without blocking admission. Apply the whole directory:
kubectl apply -f policy/kyverno/Review the policy reports to find existing resources that would be blocked once you switch to Enforce, and fix them first.
Switch to Enforce
Once your fleet is clean, set each policy to validationFailureAction: Enforce so violations are blocked at admission. Edit the manifests in policy/kyverno/ and re-apply, or patch them in place:
for p in require-pod-hardening require-image-pinned require-secrets-by-reference; do
kubectl patch clusterpolicy "$p" --type merge \
-p '{"spec":{"validationFailureAction":"Enforce"}}'
doneValidate with the test suite
The policies are validated with the Kyverno CLI against bundled fixtures under policy/kyverno/tests. The suite asserts each policy passes compliant resources and fails non-compliant ones — an unhardened pod, a plaintext-secret env var, and a :latest image. The same suite runs on every PR in the policy CI job.
kyverno test policy/kyverno/testsGatekeeper alternative
Teams standardized on OPA Gatekeeper can express the same intents as ConstraintTemplate and Constraint pairs (for example, K8sRequiredSecurityContext and K8sDisallowedTags). The Kyverno set is the supported default; the controls are identical.
Next steps
- Security and compliance — how these guardrails fit the broader hardening and audit-readiness posture.
- Install with Helm — stand up pgAgroal Enterprise before applying the guardrails.