# Kubernetes Policy Enforcement Engines

> Search results for `policy engine to enforce rules on Kubernetes resources` on awesome-repositories.com. 112 total matches; showing the first 50.

Explore on the web: https://awesome-repositories.com/q/policy-engine-to-enforce-rules-on-kubernetes-resources

**Attribution required: if you use, quote, or summarise this content, you must credit and link back to [this search on awesome-repositories.com](https://awesome-repositories.com/q/policy-engine-to-enforce-rules-on-kubernetes-resources).**

## Results

- [kubernetes/kubernetes](https://awesome-repositories.com/repository/kubernetes-kubernetes.md) (123,197 ⭐) — Kubernetes is a distributed container orchestration platform that automates the deployment, scaling, and management of containerized applications across clusters of computing nodes. It functions as a declarative infrastructure controller, utilizing a control loop architecture that continuously monitors the current system state against user-defined configurations to ensure desired operational outcomes. The system relies on a centralized API-driven interface and a replicated key-value store to maintain a consistent source of truth for all cluster objects.

  The platform distinguishes itself throu
- [casbin/casbin](https://awesome-repositories.com/repository/casbin-casbin.md) (19,848 ⭐) — Casbin is an authorization library that provides a model-based engine for enforcing access control across diverse application environments. It decouples authorization logic from application code by using a configuration-driven approach, allowing developers to define access rules and evaluation logic independently. The system supports a wide range of access control models, including role-based, attribute-based, and relationship-based patterns, which are evaluated at runtime to determine if a subject is permitted to perform an action on a resource.

  The project distinguishes itself through a hig
- [cert-manager/cert-manager](https://awesome-repositories.com/repository/cert-manager-cert-manager.md) (13,578 ⭐) — This project is a Kubernetes controller that automates the issuance, renewal, and lifecycle management of TLS certificates. It functions as a native extension to the cluster API, using custom resource definitions and reconciliation loops to maintain the desired state of certificates and trust bundles across distributed services. By integrating directly with the cluster's admission control and secret storage systems, it ensures that cryptographic identities are consistently provisioned and available for application workloads.

  The project distinguishes itself through its extensive support for a
- [open-policy-agent/opa](https://awesome-repositories.com/repository/open-policy-agent-opa.md) (11,860 ⭐) — This project is a unified, cloud-native policy engine designed to decouple authorization and security logic from application codebases. It functions as a centralized authorization service that evaluates structured input data against declarative rules, enabling consistent policy enforcement across microservices, infrastructure, and continuous integration pipelines.

  The engine utilizes a specialized logic programming language to express complex constraints, which are compiled into an optimized intermediate representation for high-performance evaluation. By supporting both sidecar-based deployme
- [datreeio/datree](https://awesome-repositories.com/repository/datreeio-datree.md) (6,339 ⭐) — Datree is a policy enforcement framework for Kubernetes that validates configurations against rules written in Rego, JSON Schema, or CEL. It operates as both a command-line tool for pre-deployment scanning and as a cluster-side admission webhook for real-time enforcement, integrating with CI/CD pipelines and continuous delivery tools like ArgoCD and FluxCD.

  The framework supports namespace-scoped policy mapping, allowing different policies to apply to different namespaces, and provides a skip annotation mechanism for selectively bypassing rules on individual resources or entire namespaces. It
- [open-policy-agent/conftest](https://awesome-repositories.com/repository/open-policy-agent-conftest.md) (3,128 ⭐) — Conftest is a suite of tools designed for validating structured configurations, testing policy logic, and generating policy documentation. It serves as a configuration file validator that checks YAML, JSON, and Helm charts for security violations and compliance issues using declarative rules.

  The project functions as an Open Policy Agent testing tool, allowing structured configuration files to be validated against custom policies written in Rego. It includes a policy-as-code testing framework to ensure policy logic is correct and a utility to extract metadata from Rego code to create static m
- [kubernetes/minikube](https://awesome-repositories.com/repository/kubernetes-minikube.md) (31,877 ⭐) — Minikube is a command-line tool designed for local Kubernetes development, enabling users to provision and manage full-featured container clusters directly on a workstation. It serves as a local orchestrator that automates the lifecycle of isolated environments, allowing developers to start, stop, pause, and delete clusters to support testing and integration workflows.

  The project distinguishes itself through its flexible architecture, which supports multiple virtualization drivers and container runtimes to accommodate diverse host environments. It provides deep integration between the host a
- [kubernetes-sigs/kro](https://awesome-repositories.com/repository/kubernetes-sigs-kro.md) (2,928 ⭐) — kro is a Kubernetes resource orchestrator and API abstraction layer that enables the definition of simplified custom API surfaces. It allows users to map high-level inputs to complex templates of underlying Kubernetes objects, effectively grouping interdependent resources into single, manageable units.

  The project differentiates itself by automating the generation of custom resource definitions and dedicated controllers from resource graph specifications without requiring manual Go code. It employs a dependency manager that uses directed acyclic graphs to coordinate the creation, readiness, a
- [sigstore/policy-controller](https://awesome-repositories.com/repository/sigstore-policy-controller.md) (175 ⭐) — Sigstore Policy Controller - an admission controller that can be used to enforce policy on a Kubernetes cluster based on verifiable supply-chain metadata from cosign
- [istio/istio](https://awesome-repositories.com/repository/istio-istio.md) (38,226 ⭐) — Istio is a service mesh infrastructure that provides a centralized control plane to manage, secure, and observe communication between distributed microservices. It functions as a policy-driven network traffic controller, enabling developers to route, balance, and secure service-to-service traffic without requiring modifications to application code. The system enforces zero-trust security by utilizing mutual transport layer authentication to verify cryptographic identities for every network request.

  The project distinguishes itself through a sidecar-less proxy architecture, which offloads netw
- [luxas/kubernetes-on-arm](https://awesome-repositories.com/repository/luxas-kubernetes-on-arm.md) (602 ⭐) — Kubernetes ported to ARM boards like Raspberry Pi.
- [kilo-org/kilocode](https://awesome-repositories.com/repository/kilo-org-kilocode.md) (15,616 ⭐) — Kilocode is an autonomous engineering platform designed to orchestrate AI agents for complex software development tasks. It functions as a comprehensive system for automating coding, testing, and repository management by integrating directly with your codebase and terminal. The platform provides a unified gateway for model orchestration, allowing for the management of agentic workflows, event-driven automation, and persistent session state across distributed development environments.

  The platform distinguishes itself through its federated task management and policy-based access control, which
- [fosrl/pangolin](https://awesome-repositories.com/repository/fosrl-pangolin.md) (21,255 ⭐) — Pangolin is a zero-trust remote access platform designed to provide secure, identity-aware connectivity to private network resources. It functions as a cloud-native network controller that orchestrates encrypted tunnels, traffic routing, and access policies across distributed environments. By leveraging WireGuard for secure data transport, the platform enables authenticated access to internal web applications, terminal sessions, and remote desktops without exposing services to the public internet.

  The platform distinguishes itself through a declarative infrastructure model that synchronizes n
- [appwrite/appwrite](https://awesome-repositories.com/repository/appwrite-appwrite.md) (56,318 ⭐) — Appwrite is a backend-as-a-service platform that provides a unified development environment for building full-stack applications. It integrates essential infrastructure components—including authentication, databases, storage, and serverless functions—into a single, centralized interface to simplify application development and resource management.

  The platform distinguishes itself through a container-based microservices architecture that ensures consistent execution across diverse infrastructure. It features a versatile connectivity layer that links frontend applications with third-party servi
- [hallresearch-ai/ai_governance_policy_resources](https://awesome-repositories.com/repository/hallresearch-ai-ai-governance-policy-resources.md) (0 ⭐) — This repository collects resources on AI governance, policy, regulation, institutions, incidents, accountability, labor, civil society critique, and the social consequences of AI deployment.
- [google-gemini/gemini-cli](https://awesome-repositories.com/repository/google-gemini-gemini-cli.md) (105,341 ⭐) — This project provides a command-line interface for managing autonomous agent workflows, task orchestration, and system-level automation. It includes a comprehensive framework for defining agent skills, managing persistent memory, and delegating tasks to specialized subagents. Users can configure complex planning modes, execute shell commands with safety constraints, and integrate external tools through standardized protocols.

  The platform supports non-interactive execution via a headless mode and provides an event-driven hook framework for custom lifecycle automation. It features centralized
- [flosell/iam-policy-json-to-terraform](https://awesome-repositories.com/repository/flosell-iam-policy-json-to-terraform.md) (817 ⭐) — Small tool to convert an IAM Policy in JSON format into a Terraform aws_iam_policy_document
- [openhands/openhands](https://awesome-repositories.com/repository/openhands-openhands.md) (77,330 ⭐) — OpenHands is an autonomous agent framework designed for software engineering workflows. It provides a modular platform for orchestrating AI agents that reason, plan, and execute tasks within isolated, containerized development environments. By integrating with standard version control and development tools, the system enables agents to autonomously navigate codebases, implement features, and resolve issues through iterative reasoning and tool execution.

  The platform distinguishes itself through a model-agnostic orchestrator that connects diverse language models to a unified tool registry. It
- [powershell/powershell](https://awesome-repositories.com/repository/powershell-powershell.md) (53,943 ⭐) — PowerShell is a cross-platform task automation and configuration management framework. It functions as an object-oriented shell environment and a dynamic scripting language, enabling users to interact with system interfaces and manage infrastructure through a unified command-line interface. By executing as a managed application on the common language runtime, it provides direct access to native libraries and system APIs.

  The system is distinguished by its object-based pipeline, which processes structured data objects rather than raw text, allowing for precise property manipulation across comm
- [open-policy-agent/gatekeeper](https://awesome-repositories.com/repository/open-policy-agent-gatekeeper.md) (4,228 ⭐) — 🐊 Policy Controller for Kubernetes
- [lgug2z/komorebi](https://awesome-repositories.com/repository/lgug2z-komorebi.md) (14,754 ⭐)
- [kyverno/kyverno](https://awesome-repositories.com/repository/kyverno-kyverno.md) (7,841 ⭐) — Kyverno is a Kubernetes policy engine and cloud native governance tool. It functions as a policy-as-code framework that validates, mutates, and generates resources to enforce security and governance standards within a cluster.

  The project distinguishes itself through a declarative policy model that utilizes native Kubernetes custom resource definitions, allowing policies to be managed as standard cluster objects without custom code. It provides specific security capabilities for container image verification and signature validation to ensure only trusted images are deployed.

  Its broader capa
- [clickhouse/clickhouse](https://awesome-repositories.com/repository/clickhouse-clickhouse.md) (48,229 ⭐) — ClickHouse is a high-performance, columnar analytical database designed for real-time query execution and large-scale data aggregation. It functions as a distributed data warehouse capable of processing petabytes of information, while also providing an embedded engine that integrates directly into applications for native query capabilities without external dependencies. The system is built to handle high-throughput ingestion and complex analytical workloads, delivering millisecond-level latency for interactive dashboards and operational monitoring.

  The platform distinguishes itself through ad
- [chan9390/aws-mfa-enforce](https://awesome-repositories.com/repository/chan9390-aws-mfa-enforce.md) (0 ⭐) — Serverless function to automate enforcement of Multi-Factor Authentication (MFA) to all AWS IAM users with access to AWS Management Console.
- [hashicorp/nomad](https://awesome-repositories.com/repository/hashicorp-nomad.md) (16,211 ⭐) — Nomad is a distributed workload orchestrator and infrastructure automation platform designed to manage the lifecycle of applications across large-scale, heterogeneous environments. It functions as a multi-cloud orchestration engine, providing a unified control plane to deploy, scale, and govern containers, virtual machines, and legacy applications. By utilizing declarative job specifications, the system ensures infrastructure convergence and maintains the desired state across distributed data centers and geographic regions.

  The platform distinguishes itself through a flexible, plugin-based ar
- [facebook/react](https://awesome-repositories.com/repository/facebook-react.md) (245,669 ⭐) — React is a JavaScript library for building user interfaces based on a component-driven architecture and unidirectional data flow.
- [gordonbondon/kubernetes-typed](https://awesome-repositories.com/repository/gordonbondon-kubernetes-typed.md) (26 ⭐) — mypy plugin to type check Kubernetes resources
- [victoriametrics/victoriametrics](https://awesome-repositories.com/repository/victoriametrics-victoriametrics.md) (16,343 ⭐) — VictoriaMetrics is a high-performance, scalable time series database and observability platform designed for long-term storage and analysis of metric, log, and trace data. It functions as a unified backend for monitoring ecosystems, offering full compatibility with industry-standard protocols and query languages. The system is built to handle massive data volumes through a distributed architecture that supports horizontal scaling and efficient data lifecycle management.

  The platform distinguishes itself through a storage engine that utilizes consistent hashing for data sharding and log-struct
- [fingerprintjs/fingerprintjs](https://awesome-repositories.com/repository/fingerprintjs-fingerprintjs.md) (27,334 ⭐) — Fingerprint is a visitor identification and fraud detection platform that generates persistent, unique identifiers by analyzing browser and device attributes. By extracting technical signals from the client environment, it enables reliable user tracking across sessions without relying on traditional cookies.

  The platform distinguishes itself through its focus on high-accuracy identification and security-first architecture. It employs edge-side proxying to bypass ad-blockers and privacy restrictions, ensuring consistent data collection. To maintain data integrity, it uses cryptographic payload
- [nats-io/nats-server](https://awesome-repositories.com/repository/nats-io-nats-server.md) (20,076 ⭐) — NATS Server is a high-performance, lightweight messaging system designed for cloud-native applications, edge computing, and distributed microservices. It functions as a distributed publish-subscribe broker that routes messages using hierarchical, dot-separated subject strings, enabling decoupled communication between services without requiring centralized broker lookups. The system supports core messaging patterns including asynchronous publish-subscribe, request-reply, and load-balanced queue processing.

  The platform distinguishes itself through a decentralized architecture that eliminates t
- [drizzle-team/drizzle-orm](https://awesome-repositories.com/repository/drizzle-team-drizzle-orm.md) (34,835 ⭐) — Drizzle ORM is a TypeScript-native database toolkit providing type-safe SQL query building, schema management, and automated migrations across PostgreSQL, MySQL, SQLite, and SingleStore.
- [decentology/web2-to-web3-resources](https://awesome-repositories.com/repository/decentology-web2-to-web3-resources.md) (26 ⭐) — At Decentology one of our goals is to make blockchain more accessible for mainstream users. As part of this, we're creating this repository to gather resources for people who are interested in learning, growing, and/or exploring the web3 space. Through these resources, we hope to reduce barriers…
- [prestodb/presto](https://awesome-repositories.com/repository/prestodb-presto.md) (16,711 ⭐) — Presto is a distributed SQL query engine designed for high-performance analytical processing across heterogeneous data sources. It functions as a data federation platform and massively parallel processing engine, allowing users to execute interactive queries against diverse storage systems without requiring data migration. By mapping remote metadata and structures to a unified relational namespace, it enables seamless cross-platform analysis through a standard SQL interface.

  The engine distinguishes itself through a pluggable connector architecture and a shared-nothing distributed processing
- [kubernetes/examples](https://awesome-repositories.com/repository/kubernetes-examples.md) (6,651 ⭐) — Welcome to the official Kubernetes Examples repository! This curated collection, stewarded by SIG Apps, provides high-quality, educational examples for running a diverse range of applications and workloads on Kubernetes.
- [kedacore/keda](https://awesome-repositories.com/repository/kedacore-keda.md) (10,314 ⭐) — KEDA is a Kubernetes event-driven autoscaler and cloud event scaling engine. It functions as a custom metrics provider that monitors external event sources—including message brokers, databases, and cloud metrics—to dynamically adjust the replica counts of containerized workloads.

  The project is distinguished by its scale-to-zero workflow, which reduces workloads to zero replicas during inactivity and automatically restarts them when new events are detected. It operates as a multi-cloud event trigger system, using a pluggable scaler interface to integrate with a wide array of third-party servi
- [crossplane/crossplane](https://awesome-repositories.com/repository/crossplane-crossplane.md) (11,791 ⭐) — Crossplane is a Kubernetes-based control plane framework that functions as a cloud resource orchestrator and infrastructure-as-code platform. It enables the management of heterogeneous infrastructure by extending the Kubernetes API to provision and maintain external cloud services through declarative configuration. By utilizing custom resource controllers, it continuously reconciles the state of external infrastructure with defined desired states, ensuring consistent deployment and lifecycle management across multiple cloud providers.

  The platform distinguishes itself through its composition-
- [lima-vm/lima](https://awesome-repositories.com/repository/lima-vm-lima.md) (21,320 ⭐) — Lima is a virtualization engine designed to provision and manage lightweight Linux, macOS, and FreeBSD virtual machines. It functions as a comprehensive virtual machine manager that leverages native hypervisors and system emulation to provide isolated environments for container development, cross-architecture testing, and secure sandboxing.

  The project distinguishes itself through its template-driven provisioning system, which allows users to define and automate environment configurations via local files or remote URL schemes. It integrates deeply with host systems by providing automated file
- [oakes/odoyle-rules](https://awesome-repositories.com/repository/oakes-odoyle-rules.md) (569 ⭐) — A rules engine for Clojure(Script)
- [linkerd/linkerd2](https://awesome-repositories.com/repository/linkerd-linkerd2.md) (11,424 ⭐) — This project is a service mesh platform designed to manage, secure, and observe service-to-service communication within Kubernetes clusters. It functions as a control plane that orchestrates transparent sidecar proxies, which intercept and manage network traffic to provide reliable connectivity for microservices. By automating the injection of these proxies, the platform ensures that infrastructure-level policies are applied consistently across all workloads without requiring manual configuration changes.

  The platform distinguishes itself through its focus on zero-trust security and cross-clu
- [kubernetes/autoscaler](https://awesome-repositories.com/repository/kubernetes-autoscaler.md) (8,771 ⭐) — The Kubernetes Cluster Autoscaler is a mechanism that automatically adjusts the number of nodes in a cluster to match the resource demands of pending pods. It functions as a cloud infrastructure scaler that manages the desired capacity of scaling groups to ensure sufficient compute resources for workloads.

  The system manages cloud infrastructure automation by adjusting node counts when resources are insufficient or nodes are underutilized. It includes a manager for scaling groups using mixed instance policies to balance on-demand and spot instances for cost and availability.

  The project also
- [remix-run/react-router](https://awesome-repositories.com/repository/remix-run-react-router.md) (56,460 ⭐) — React Router is a navigation and data-loading framework that maps URL patterns to nested component hierarchies. It functions as a full-stack router, coordinating server-side resource fetching with client-side hydration to synchronize application state across different environments. By providing a declarative interface for routing, it manages navigation and state transitions while ensuring consistent page structures through root layout management.

  The framework distinguishes itself through its focus on type safety and incremental adoption. It automatically generates static type definitions for
- [yara-rules/rules](https://awesome-repositories.com/repository/yara-rules-rules.md) (4,712 ⭐) — This project is a community-curated repository of YARA rules used to detect malware, webshells, and other malicious patterns in files. It serves as a dataset of signatures for identifying known malware families, software packers, and threat intelligence indicators.

  The collection provides specialized detection capabilities for identifying exploit kits and anti-analysis evasion techniques, such as anti-debugging and anti-virtualization methods. It also includes signatures for cryptographic algorithm detection and the identification of unauthorized remote administration tools on servers.

  The r
- [kubernetes-sigs/metrics-server](https://awesome-repositories.com/repository/kubernetes-sigs-metrics-server.md) (6,651 ⭐) — Metrics Server is a lightweight, single-purpose daemon that collects CPU and memory usage data from every node and pod in a Kubernetes cluster and exposes those metrics through a standard Kubernetes API endpoint. It registers as an aggregated extension API server behind the Kubernetes apiserver, making resource utilization data available to the Horizontal Pod Autoscaler and Vertical Pod Autoscaler for automatic replica count and resource request adjustments.

  The project distinguishes itself by operating as a focused, in-cluster resource metrics collector that polls kubelet summary endpoints a
- [cisofy/lynis](https://awesome-repositories.com/repository/cisofy-lynis.md) (15,284 ⭐) — Lynis is an automated security auditing and system hardening framework designed for UNIX-based operating systems. It functions as a command-line utility that inspects local system configurations to identify security vulnerabilities, configuration weaknesses, and compliance gaps. By executing a series of modular tests, the tool generates actionable reports and remediation suggestions to assist in strengthening system defenses.

  The project distinguishes itself through a highly modular architecture that relies on shell-script-based execution and native system inspection. Users can define custom
- [adamchainz/django-permissions-policy](https://awesome-repositories.com/repository/adamchainz-django-permissions-policy.md) (117 ⭐) — Set the Permissions-Policy HTTP header on your Django app.
- [smallstep/certificates](https://awesome-repositories.com/repository/smallstep-certificates.md) (8,245 ⭐) — This project is a public key infrastructure management system designed to automate the issuance, renewal, and revocation of X.509, TLS, and SSH certificates. It functions as a machine identity provider and certificate authority, enabling the establishment of private PKI to secure inter-service communication and remote access.

  The system distinguishes itself through hardware-bound identity attestation, which ties cryptographic keys to physical device silicon or TPMs to prevent credential exfiltration. It supports a wide array of identity verification mechanisms, including OIDC, cloud-provider
- [aquasecurity/tfsec](https://awesome-repositories.com/repository/aquasecurity-tfsec.md) (7,013 ⭐) — tfsec is a static analysis tool and infrastructure as code linter designed to detect security misconfigurations and compliance violations in Terraform infrastructure code. It functions as a cloud security posture tool and policy enforcement engine that evaluates configurations against established security benchmarks.

  The tool provides multi-cloud security auditing for providers including AWS, Azure, Google Cloud, and Kubernetes, as well as specialized scanning for DigitalOcean, OpenStack, CloudStack, and GitHub configurations. It identifies insecure settings such as public access or unencrypt
- [cockroachdb/cockroach](https://awesome-repositories.com/repository/cockroachdb-cockroach.md) (32,207 ⭐) — Cockroach is a distributed SQL database designed to scale horizontally across multiple nodes while maintaining strict ACID compliance and global data consistency. It functions as a relational database engine that automatically partitions data into ranges, rebalancing them across a cluster to accommodate growing storage and throughput requirements. By utilizing a distributed consensus protocol, the system ensures that all nodes agree on the order of operations, providing fault tolerance and continuous availability even in the event of hardware failures.

  The system distinguishes itself through
- [goauthentik/authentik](https://awesome-repositories.com/repository/goauthentik-authentik.md) (22,035 ⭐) — Authentik is a centralized identity and access management platform designed to serve as a unified authentication authority. It enables enterprise single sign-on across diverse applications and services, providing a cloud-native identity provider that manages user sessions and security protocols from a single location.

  The platform distinguishes itself through a policy-driven flow engine and a visual orchestration interface. This allows administrators to design complex, custom authentication workflows by chaining modular verification stages and conditional logic. These workflows can be further
- [mhlabs/iam-policies-cli](https://awesome-repositories.com/repository/mhlabs-iam-policies-cli.md) (13 ⭐) — A CLI tool for building simple to complex IAM policies
