Using Kyverno policies with ArgoCD

In partnership with

TechOps Examples

Hey — It's Govardhana MK 👋

Along with a use case deep dive, we identify the remote job opportunities, top news, tools, and articles in the TechOps industry.

Before we begin... a big thank you to today's sponsor.

  • VMs. Kubernetes. PaaS. You can DO anything.

  • Try DIGITAL OCEAN — Free $200 credit.

  • Simple, scalable, affordable cloud computing - Always know what you'll pay with monthly caps and flat pricing.

IN TODAY'S EDITION

🧠 Use Case
  • Using Kyverno policies with ArgoCD

🚀 Top News

👀 Remote Jobs

📚️ Resources

📢 Reddit Threads

Unlock Windsurf Editor, by Codeium.

Introducing the Windsurf Editor, the first agentic IDE. All the features you know and love from Codeium’s extensions plus new capabilities such as Cascade that act as collaborative AI agents, combining the best of copilot and agent systems. This flow state of working with AI creates a step-change in AI capability that results in truly magical moments.

🛠️ TOOL OF THE DAY

soci-snapshotter - A containerd snapshotter plugin that lazily loads standard OCI images without requiring a build-time conversion step.

🧠 USE CASE

Using Kyverno policies with ArgoCD

In an ideal world of Kubernetes, we all wish for guardrails such as these (the names are policies from the Kyverno sample policy library):

  • add-network-policy
  • add-networkpolicy-dns
  • add-ns-quota
  • add-rolebinding
  • add-safe-to-evict
  • disallow-cri-sock-mount
  • disallow-default-namespace
  • disallow-empty-ingress-host
  • disallow-helm-tiller
  • disallow-latest-tag

and so on…

As Kubernetes estates grow, keeping workloads governed and compliant becomes a real challenge.

Kyverno, a Kubernetes-native policy engine that runs as an admission controller, complements ArgoCD, the popular GitOps tool: ArgoCD delivers both the policies and the workloads from Git, and Kyverno validates every resource the API server receives, whether it arrives through an ArgoCD sync or a manual kubectl apply.

Rather than talking at 10,000 feet, let's pick a real-world use case: disallowing the mutable latest tag in container images. With a mutable tag, the image that runs is not necessarily the image that was reviewed, and redeploying the "same" tag is not a reproducible rollback.

Setting up Kyverno is already well-documented—refer to this guide to know more.

Stage 1: Organize Files and Folders for Policy-as-Code

Organizing files and folders is critical to managing policies effectively in a GitOps workflow, because each ArgoCD Application maps onto a path in the repository.

Use the following structure:

  • manifests/: application resources such as Deployments, Services, and ConfigMaps, managed by ArgoCD.

  • policies/: Kyverno ClusterPolicy and Policy resources, version-controlled like any other manifest. Kyverno enforces them as an admission webhook whenever a resource is created or updated, so they apply to ArgoCD syncs and to manual kubectl changes alike.

Stage 2: Create a Kyverno Policy to Disallow the Latest Tag

Save the following policy as disallow-latest-tag.yaml in the policies/ folder:

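The policy text itself did not survive extraction of this page, so the following is an added example written for this edit, not the newsletter's own file. It follows the shape of the Kyverno sample policy of the same name: one rule requires an explicit tag (an image with no tag silently resolves to :latest), and a second rule rejects the latest tag. The annotations are optional metadata.

```yaml
apiVersion: kyverno.io/v1
kind: ClusterPolicy
metadata:
  name: disallow-latest-tag
  annotations:
    policies.kyverno.io/title: Disallow Latest Tag
    policies.kyverno.io/category: Best Practices
    policies.kyverno.io/severity: medium
    policies.kyverno.io/subject: Pod
    policies.kyverno.io/description: >-
      The 'latest' tag is mutable and can lead to unexpected errors if the
      image changes. Every container image must carry an explicit tag that
      is not 'latest'.
spec:
  # Enforce rejects non-compliant requests at admission time.
  # On an existing cluster start with Audit, review the PolicyReports,
  # then switch to Enforce.
  validationFailureAction: Enforce
  # Also scan resources that already exist and record results in PolicyReports.
  background: true
  rules:
    # Matching Pod also covers Deployments, StatefulSets, DaemonSets, Jobs and
    # CronJobs: Kyverno auto-generates the corresponding rules for pod controllers.
    - name: require-image-tag
      match:
        any:
          - resources:
              kinds:
                - Pod
      validate:
        message: "An image tag is required."
        pattern:
          spec:
            containers:
              - image: "*:*"
            # =( ) is a conditional anchor: checked only if the field is present.
            =(initContainers):
              - image: "*:*"
            =(ephemeralContainers):
              - image: "*:*"
    - name: validate-image-tag
      match:
        any:
          - resources:
              kinds:
                - Pod
      validate:
        message: "Using a mutable image tag e.g. 'latest' is not allowed."
        pattern:
          spec:
            containers:
              - image: "!*:latest"
            =(initContainers):
              - image: "!*:latest"
            =(ephemeralContainers):
              - image: "!*:latest"
```

Two caveats. The `*:*` pattern only checks for a colon, so a digest reference (repository@sha256:...) passes, which is what you want, but so does an untagged image on a registry with a port (localhost:5000/app), which you may not want; a stricter check needs a regex-based deny rule or Kyverno's image verification rules. Second, Kyverno's default resourceFilters exclude system namespaces such as kube-system and kyverno's own namespace, so do not expect reports for those.
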
For a quick, out-of-band test you can apply the policy directly:

kubectl apply -f disallow-latest-tag.yaml

In the GitOps flow, however, the file is committed to policies/ and ArgoCD applies it (Stage 3), so that the policy's state is auditable in Git and any manual change to it shows up as drift.

Stage 3: Configure ArgoCD for Policy Management

To integrate Kyverno policies into your GitOps workflow, create an ArgoCD Application that points at the policies/ folder and syncs it automatically. Order matters: Kyverno itself must be installed first, since its CRDs define the ClusterPolicy kind, and the policies should be synced before the workload Applications, otherwise a workload can be admitted before the guardrail exists.

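The Application manifest is missing from the page as extracted; the following is an added example and not the author's. The repository URL, project name and sync-wave value are assumptions to adjust for your setup.

```yaml
apiVersion: argoproj.io/v1alpha1
kind: Application
metadata:
  name: kyverno-policies
  namespace: argocd
  annotations:
    # In an app-of-apps layout, sync waves order the child Applications.
    # A negative wave puts the policies ahead of workload Applications,
    # which use the default wave 0 or higher.
    argocd.argoproj.io/sync-wave: "-1"
  # Delete the managed policies when this Application is deleted.
  finalizers:
    - resources-finalizer.argocd.argoproj.io
spec:
  project: default                      # assumed project name
  source:
    repoURL: https://github.com/example-org/gitops-config.git   # assumed repo
    targetRevision: main
    path: policies
    directory:
      recurse: true                     # pick up policies in sub-folders too
  destination:
    server: https://kubernetes.default.svc
    # ClusterPolicy is cluster-scoped; this namespace is used only for any
    # namespaced Policy resources kept in the same folder.
    namespace: kyverno
  syncPolicy:
    automated:
      prune: true       # a policy removed from Git is removed from the cluster
      selfHeal: true    # a manual kubectl edit to a policy is reverted
```

Note that the argocd-application-controller service account must be allowed to manage kyverno.io resources; the default cluster-wide ArgoCD install grants it cluster-admin, a namespace-scoped install does not.
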
This ensures policies are deployed automatically and stay in sync with the repository. With automated sync and self-heal enabled, a manual edit that weakens a policy (for example, changing Enforce to Audit) is reverted on the next reconciliation, which moves the control point to the Git branch, so protect that branch with required reviews.

Stage 4: Test the Integration
  1. Deploy a non-compliant application (e.g., a Deployment using nginx:latest) and observe the policy violation. In Enforce mode the admission webhook rejects the request and ArgoCD reports the sync as failed; in Audit mode the resource is admitted and the violation is recorded in a PolicyReport instead.

    Sample error message (abridged; the full webhook denial also names the policy and the rule):

Error: Using a mutable image tag e.g. 'latest' is not allowed.

  2. Fix the deployment to use a specific tag (e.g., nginx:1.21.0) and verify successful deployment. A tag can still be re-pushed at the registry, so where your pipeline can supply it, pin the image by digest (the repository@sha256 form), which is immutable.

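As an added example, not from the original newsletter, here is a test manifest for steps 1 and 2: the first Deployment should be rejected, the second admitted. Namespace, names and image versions are assumed.

```yaml
# Non-compliant: the init container has no tag (defaults to :latest) and the
# main container uses an explicit :latest. A tag policy should reject both.
apiVersion: apps/v1
kind: Deployment
metadata:
  name: web
  namespace: demo
spec:
  replicas: 1
  selector:
    matchLabels:
      app: web
  template:
    metadata:
      labels:
        app: web
    spec:
      initContainers:
        - name: wait-for-db
          image: busybox            # no tag: resolves to busybox:latest
          command: ["sh", "-c", "sleep 1"]
      containers:
        - name: nginx
          image: nginx:latest       # explicit mutable tag
          ports:
            - containerPort: 80
---
# Compliant: every image carries an explicit, non-latest tag.
apiVersion: apps/v1
kind: Deployment
metadata:
  name: web
  namespace: demo
spec:
  replicas: 1
  selector:
    matchLabels:
      app: web
  template:
    metadata:
      labels:
        app: web
    spec:
      initContainers:
        - name: wait-for-db
          image: busybox:1.36
          command: ["sh", "-c", "sleep 1"]
      containers:
        - name: nginx
          image: nginx:1.21.0
          ports:
            - containerPort: 80
```

You do not need a cluster to check this: the Kyverno CLI evaluates a policy against local manifests with `kyverno apply disallow-latest-tag.yaml --resource <this file>`, so the same check can run in CI on the manifests/ folder before ArgoCD ever sees them.
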
You can replicate the same for other policies.

Looking to promote your company, product, service, or event to 27,000+ TechOps Professionals? Let's work together.