Nirmata provides curated Policy Sets that map to various industry standards for running Kubernetes clusters following best practices.

All policies are available at https://github.com/nirmata/kyverno-policies

Writing Custom Policies

Refer to the official documentation to learn the policy constructs and syntax.

Policy Conventions

The Nirmata Policy Manager (NPM) relies heavily on policy annotations to display relevant information to users and to support certain workflows, such as displaying Remediation Suggestions and diffs. To ensure custom policies integrate seamlessly with NPM, adhere to the following conventions.

Display Policy Category

Use this annotation to display the Category in the Policy Reports page. Example:

policies.kyverno.io/category: Pod Security Standards (Baseline)

Sample policy: disallow-host-namespaces.yaml

Display Findings Description

Use this annotation to display more information about the policy in the findings details page. Example:

policies.kyverno.io/description: >-
      Host namespaces (Process ID namespace, Inter-Process Communication namespace, and
      network namespace) allow access to shared information and can be used to elevate
      privileges. Pods should not be allowed access to host namespaces. This policy ensures
      fields which make use of these host namespaces are unset or set to `false`.

Sample policy: disallow-host-namespaces.yaml

Display Findings Severity

Use this annotation to display the severity of a finding. Example:

Sample policy: disallow-host-namespaces.yaml

Display Fix Recommendations

Use this annotation to link to external or internal web pages that contain more information on the policy, its impact, and how to fix violations. Example:

policies.nirmata.io/remediation-docs: "https://docs.nirmata.io/policysets/podsecurity/baseline/disallow-host-namespaces/"

Sample policy: disallow-host-namespaces.yaml

Provide Remediation Suggestion (Diff)

Use this annotation to link to a Kyverno mutate policy that is used to compute remediation diffs for violations. Example:

policies.nirmata.io/remediation: "https://github.com/nirmata/kyverno-policies/tree/main/pod-security/baseline/disallow-host-namespaces/remediate-disallow-host-namespaces.yaml"

Sample policy: disallow-host-namespaces.yaml

Adding Analyzer Binding to Kyverno JSON Policy

Add this binding to the match block: $analyzer.resource.type

Use the analyzer binding to let NCTL know what the policy is for. Example:

($analyzer.resource.type): terraform-config

Similarly, if the policy targets a Terraform plan, Terraform state, or Dockerfile, set the analyzer to terraform-plan, terraform-state, or dockerfile respectively.

Sample policy: enable-kms-encryption.yaml