policy-management
A multi-tenancy and policy-based framework for Kubernetes.
Capsule implements a multi-tenant and policy-based environment in your Kubernetes cluster. It is designed as a micro-services-based ecosystem with a minimalist approach, leveraging only upstream Kubernetes.
AI Agent Governance Toolkit — Policy enforcement, zero-trust identity, execution sandboxing, and reliability engineering for autonomous AI agents. Covers 10/10 OWASP Agentic Top 10.
Runtime governance for AI agents: the only toolkit covering all 10 OWASP Agentic risks, with 9,500+ tests. It governs what agents do, not just what they say, through deterministic policy enforcement, zero-trust identity, execution sandboxing, and SRE practices. Available for Python, TypeScript, .NET, Rust, and Go.
The policy-and-trust layer for MCP tool servers. Turn YAML configs into validated, policy-enforced MCP tools.
Heddle turns declarative configs into Model Context Protocol servers with trust enforcement, credential brokering, and tamper-evident audit logging built in.
Unified Policy Observability. Monitoring and Observability Tool for the PolicyReport CRD with an optional UI.
Policy Reporter was created to make the results of your Kyverno validation policies more visible and observable. By default, Kyverno lets you run your validation policies in audit or enforce mode. While enforce mode blocks the admission of manifests that violate a given policy, audit mode creates PolicyReports that provide information about all resources that pass or fail your policies. Because PolicyReports are simple Custom Resource Definitions, you can access them with kubectl get/describe.
Cedar is a language for defining permissions as policies, and a specification for evaluating those policies. Use Cedar to define who is authorized to do what within your application. Cedar is open source.
IAM Least Privilege Policy Generator.
Policy Sentry is an AWS IAM Least Privilege Policy Generator, auditor, and analysis database. It compiles database tables based on the AWS IAM Documentation on Actions, Resources, and Condition Keys and leverages that data to create least-privilege IAM policies.
Policy-based control for cloud native environments. Flexible, fine-grained control for administrators across the stack.
Open Policy Agent (OPA) is an open source, general-purpose policy engine that enables unified, context-aware policy enforcement across the entire stack.
Related contents:
- Guardrails for Your Cloud: A Simple Guide to OPA and Terraform @ Sami Banerjee's Medium.
- Getting Open Policy Agent Up and Running @ The New Stack.
- Simplify Kubernetes Security With Kyverno and OPA Gatekeeper @ The New Stack.
- Automating policy enforcements for infrastructure using Open Policy Agent (OPA) in Terraform — Part 1 @ Ashay Maheshwari's Medium.
- Terraform governing with OPA @ DevOpsOnTheTrail.
- Blueprinting Security in CI/CD: Building Trust Through Open Source @ CD Foundation.
- From Kubernetes Gatekeeper to Full-Stack Governance with OPA @ Pulumi.
- Governing infrastructure as code using pattern-based policy as code @ AWS Security Blog.
Kubernetes Native Policy Management.
Kyverno is a policy engine designed for Kubernetes. It can validate, mutate, and generate configurations using admission controls and background scans. Kyverno policies are Kubernetes resources and do not require learning a new language. Kyverno is designed to work nicely with tools you already use like kubectl, kustomize, and Git.
Related contents:
- Vos politiques de conformité sur Kubernetes avec Kyverno (in French: "Your compliance policies on Kubernetes with Kyverno") @ Zwindler's Reflection.
- Understanding Kyverno: Enhancing Kubernetes Security with Policy Enforcement @ Jyothi Ram's blog.
- Using the Kyverno CLI to Write Policy Test Cases @ The New Stack.
- Simplify Kubernetes Security With Kyverno and OPA Gatekeeper @ The New Stack.
- Announcing Kyverno Release 1.15! @ CNCF.
- Optimizing Kyverno CLI performance: My LFX mentorship journey @ CNCF.
- GitOps architecture, patterns and anti-patterns @ Platform Engineering.
- GitOps policy-as-code: Securing Kubernetes with Argo CD and Kyverno @ CNCF.
- Automating Confidential Containers (CoCo) infrastructure with Kyverno @ CNCF.