---
title: "Policy Control Points"
description: "Identity-aware policy enforcement, runtime authorization, reporting, and exceptions — built on Kyverno + Kyverno AuthZ."
diataxis: explanation
applies_to:
  product: "kyverno"
audience: ["platform-engineer"]
last_updated: 2026-04-16
url: https://docs.nirmata.io/docs/controllers/
---


> **Applies to:** Enterprise Kyverno 1.10 and later

Policy Control Points apply centrally configured policies and exceptions, and generate audit and compliance data. All control points share the same behavior but are delivered in different form factors based on where they operate in your stack.

## Policy Control Points

- [Kubernetes Control Point]({{< relref "n4k/" >}}) — Enterprise-grade Kyverno distribution with LTS and SLAs
- [Pipeline Control Point]({{< relref "/docs/nctl/" >}}) — Policy enforcement for CI/CD pipelines using nctl
- [Terraform Control Point]({{< relref "ntc/" >}}) — Policy enforcement for Terraform Cloud workspaces
- [Cloud Control Point]({{< relref "nch-cloud/" >}}) — Cloud posture management for AWS, GCP, and Azure using Nirmata Control Hub
- [AI Control Point]({{< relref "mcp-ai-gateways/" >}}) — Identity-aware governance for LLM access — model access control, session budgets, cost attribution, and audit trails *(In Private Preview)*
- [Authz Control Point]({{< relref "authorization-service/" >}}) — Runtime authorization using Kyverno AuthZ *(In Private Preview)*


---

## Enterprise Kyverno



[Nirmata Enterprise for Kyverno](https://nirmata.com/kyverno-enterprise/) is Nirmata's enterprise-grade distribution of [Kyverno](https://kyverno.io/). It is fully compatible with Kyverno OSS and provides the reliability, security hardening, and SLAs of an enterprise-grade solution.

**Key Features**

<div class="features-grid">
  <div class="feature-card">
    <div class="feature-icon">
      <i class="fas fa-shield-alt"></i>
    </div>
    <h3>Hardened and Optimized Distribution</h3>
    <p>Enterprise-grade hardened distribution of Kyverno with enhanced security, performance optimizations, and production-ready secure configurations for mission-critical environments.</p>
  </div>

  <div class="feature-card">
    <div class="feature-icon">
      <i class="fas fa-lock"></i>
    </div>
    <h3>0-CVE Images</h3>
    <p>Regular security scanning, patching, and updates to ensure that all container images are free from known vulnerabilities.</p>
  </div>

  <div class="feature-card">
    <div class="feature-icon">
      <i class="fas fa-headset"></i>
    </div>
    <h3>24x7 Support</h3>
    <p>Round-the-clock emergency support from Kyverno experts via phone, email, and messaging channels for production and business-critical workloads.</p>
  </div>

  <div class="feature-card">
    <div class="feature-icon">
      <i class="fas fa-terminal"></i>
    </div>
    <h3>Enhanced Command Line Interface</h3>
    <p>Enhanced CLI to scan Kubernetes manifests, Terraform, Dockerfiles, and other JSON payloads with SARIF support for reporting integrations.</p>
  </div>

  <div class="feature-card">
    <div class="feature-icon">
      <i class="fas fa-clipboard-list"></i>
    </div>
    <h3>Curated Policy Sets</h3>
    <p>300+ pre-built policies covering common security concerns, compliance requirements, and best practices to improve your Kubernetes cluster security posture.</p>
  </div>

  <div class="feature-card">
    <div class="feature-icon">
      <i class="fas fa-calendar-check"></i>
    </div>
    <h3>Long-Term Version Compatibility</h3>
    <p>Two years of Long-Term Support (LTS) with critical fixes and CVE support across Kyverno and Kubernetes versions, ensuring stable and secure deployments.</p>
  </div>

  <div class="feature-card">
    <div class="feature-icon">
      <i class="fas fa-rocket"></i>
    </div>
    <h3>Prioritized Fixes & Features</h3>
    <p>Fast-track your issues and feature requests with prioritized support from the Nirmata team, ensuring your needs are addressed promptly while maintaining upstream compatibility.</p>
  </div>

  <div class="feature-card">
    <div class="feature-icon">
      <i class="fas fa-graduation-cap"></i>
    </div>
    <h3>Training & Support</h3>
    <p>Quarterly training sessions, upgrade assistance, and best practice assessments to help teams master Kyverno and optimize their policy implementations.</p>
  </div>
</div>

<style>
.features-grid {
  display: grid;
  grid-template-columns: repeat(auto-fit, minmax(300px, 1fr));
  gap: 2rem;
  margin: 2rem 0;
}

.feature-card {
  background: linear-gradient(135deg, #f8f9fa 0%, #e9ecef 100%);
  border: 1px solid #dee2e6;
  border-radius: 12px;
  padding: 2rem;
  transition: transform 0.2s ease, box-shadow 0.2s ease;
  box-shadow: 0 4px 6px rgba(0, 0, 0, 0.05);
  text-align: center;
}

.feature-card:hover {
  transform: translateY(-4px);
  box-shadow: 0 8px 25px rgba(0, 0, 0, 0.1);
}

.feature-icon {
  font-size: 3rem;
  margin-bottom: 1rem;
  text-align: center;
  color: #007bff;
}

.feature-card h3 {
  color: #2c3e50;
  margin-bottom: 1rem;
  font-size: 1.25rem;
  font-weight: 600;
  text-align: center;
}

.feature-card p {
  color: #6c757d;
  line-height: 1.6;
  margin: 0;
  text-align: center;
}

@media (max-width: 768px) {
  .features-grid {
    grid-template-columns: 1fr;
    gap: 1.5rem;
  }
  
  .feature-card {
    padding: 1.5rem;
  }
}
</style>


## Frequently Asked Questions

**What is the difference between Nirmata Enterprise for Kyverno and Kyverno?**

Nirmata Enterprise for Kyverno is an enterprise distribution of Kyverno. It is fully compatible with Kyverno but uses secure defaults and optimized configuration settings suitable for production deployments. For example, RBAC best practices and etcd offloading are enabled by default. The Nirmata distribution also provides 0-CVE images with optional FIPS support.

**Why use a distribution?**

Nirmata provides long-term support by back-porting critical fixes to prior versions that may no longer be supported by the community.

Nirmata will also fast track critical fixes and features for enterprise customers by first releasing changes in its distribution, and then merging changes into the next open source release. 

Since open source release timelines are decided in coordination with the community, Nirmata manages its own distribution to meet enterprise support SLAs and other customer commitments.

**Will I get locked-in?**

No. Nirmata Enterprise for Kyverno is fully compatible with Kyverno and designed to be a drop-in replacement. You can migrate back to Kyverno anytime, if you choose not to continue with the Nirmata distribution.

**Can Nirmata support Kyverno OSS?**

Nirmata can assist, but cannot guarantee SLAs on the open source distribution.

## Licensing

Nirmata Enterprise for Kyverno is **commercial software** available under a paid Nirmata subscription. Use is governed by the [Nirmata Terms of Use](https://nirmata.com/terms-of-use/). [Kyverno](https://kyverno.io) itself is an open-source project licensed under Apache 2.0 — Nirmata Enterprise for Kyverno is a separately licensed commercial distribution built on top of it. See the [Licensing]({{< relref "/docs/reference/licensing/" >}}) page for details.

## Learn More

Contact [Nirmata Customer Success](https://nirmata.com/contact-us) for more information on the Kyverno enterprise edition.


---

## Nirmata Terraform Controller


## Overview

The Nirmata Terraform Controller enables policy enforcement for Terraform Cloud (TFC) workloads by validating Terraform plans against Kyverno policies. It runs inside a Kubernetes cluster, synchronizes Kyverno policies that are versioned in Git and applied to the same cluster, and exposes endpoints that Terraform Cloud Agents invoke during plan execution.

This document provides installation-focused guidance for setting up the Nirmata Terraform Controller in a Kubernetes environment. It excludes integration and implementation workflows, which are covered in a separate document.

## Prerequisites

- **Kubernetes:** v1.23 or later  
- **Helm:** v3.8 or later  
- **Network connectivity:** Terraform Cloud Agent must be able to send requests to the Nirmata Terraform Controller `/scan` or `/runtask` endpoint.  
- **Kyverno policies:** Maintain the policies in Git and ensure they are applied to the cluster where Nirmata Terraform Controller is deployed. Nirmata Terraform Controller reads and processes the policies from the same cluster.  

## Installation

### Installation Using Helm Repository (Recommended)


#### Add the Nirmata Helm repository

```bash
helm repo add nirmata https://nirmata.github.io/terraform-cloud-run-task
helm repo update
```

#### Install with API key for standalone mode (TFC agent hooks)

```bash
helm install ntc nirmata/nirmata-terraform-controller --set secrets.apiKey="$(openssl rand -base64 32)" --namespace ntc --create-namespace
```

#### Or install with an existing internal secret

```bash
helm install ntc nirmata/nirmata-terraform-controller --set secrets.existingSecret="my-ntc-secret" --namespace ntc --create-namespace
```

### From OCI Registry

```bash
helm install ntc oci://ghcr.io/nirmata/charts/nirmata-terraform-controller --set secrets.apiKey="your-api-key" --namespace ntc --create-namespace
```


## Nirmata Terraform Controller Helm Configuration Options

You can customize policy behavior during installation using Helm values.


### Defaults

- Audit mode enabled  
- Policy reports enabled  

### Configuration Options

#### Disable policy reports

```yaml
policyReports:
  enabled: false
```

#### Configure Policy Mode

```yaml
env:
  auditMode: true   # Audit mode (default)
  # auditMode: false  # Enforce mode
```

#### Helm Install Example

```bash
helm install ntc nirmata/nirmata-terraform-controller \
  --set policyReports.enabled=false \
  --set env.auditMode=false
```

## Endpoints

Nirmata Terraform Controller exposes the following API endpoints:


| Endpoint       | Method | Description                                  |
|----------------|--------|----------------------------------------------|
| `/healthcheck` | GET    | Health check endpoint                        |
| `/scan`        | POST   | Direct plan scanning (API Key auth)          |
| `/runtask`     | POST   | TFC webhook endpoint (HMAC auth)             |
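The table lists `/runtask` as HMAC-authenticated. The following is an added example of how a receiver should check such a signed webhook, written for this page and not taken from the Nirmata Terraform Controller's code. It assumes the Terraform Cloud run task convention of an HMAC-SHA512 hex digest of the raw request body carried in an `X-TFC-Task-Signature` header (the page does not state the header name or algorithm, so treat both as assumptions), and it uses a constructed shared key and a constructed payload.

```python
import hashlib
import hmac
import json

# Constructed shared secret. In a real deployment this is the HMAC key configured
# on the TFC run task and held by the controller in a Kubernetes Secret.
SHARED_KEY = b"constructed-demo-hmac-key"

# Header name and digest algorithm follow the Terraform Cloud run task API
# (assumption: not stated on this page). Header names are matched case-insensitively.
SIGNATURE_HEADER = "x-tfc-task-signature"


def sign_body(body: bytes, key: bytes = SHARED_KEY) -> str:
    """Hex HMAC-SHA512 over the raw body, as the sender attaches it."""
    return hmac.new(key, body, hashlib.sha512).hexdigest()


def verify_run_task_request(headers: dict, body: bytes, key: bytes = SHARED_KEY) -> tuple:
    """Return (accepted, reason) for an inbound webhook request.

    The check runs over the raw bytes before any JSON parsing, rejects requests that
    carry no signature at all, and uses a constant-time comparison so response timing
    does not leak how much of the expected digest matched.
    """
    presented = next((v for k, v in headers.items() if k.lower() == SIGNATURE_HEADER), None)
    if presented is None:
        return False, "missing signature header"
    expected = sign_body(body, key).encode()
    if not hmac.compare_digest(expected, presented.strip().lower().encode()):
        return False, "signature mismatch"
    return True, "ok"


# Constructed sample body shaped like a run task callback; field values are illustrative.
SAMPLE_BODY = json.dumps({
    "payload_version": 1,
    "stage": "post_plan",
    "run_id": "run-EXAMPLE0000000000",
    "workspace_name": "demo-workspace",
}).encode()


def demo() -> dict:
    """Exercise the accept path and the three rejection paths a receiver must handle."""
    good_headers = {"X-TFC-Task-Signature": sign_body(SAMPLE_BODY)}
    tampered_body = SAMPLE_BODY.replace(b"post_plan", b"pre_plan")
    return {
        "valid": verify_run_task_request(good_headers, SAMPLE_BODY),
        "unsigned": verify_run_task_request({}, SAMPLE_BODY),
        "tampered": verify_run_task_request(good_headers, tampered_body),
        "wrong_key": verify_run_task_request(good_headers, SAMPLE_BODY, key=b"other-key"),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name:10s} -> {result}")
```

The important design point is that verification happens on the exact bytes received, not on a re-serialized JSON object, since any whitespace or key-ordering difference would change the digest; and that a missing header is a rejection, not a fall-through to unauthenticated processing.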


## Verifying the Installation

```bash
# Check pods are running
kubectl get pods -n ntc -l app.kubernetes.io/name=nirmata-terraform-controller

# View logs
kubectl logs -f deployment/ntc-nirmata-terraform-controller -n ntc

# Test health endpoint
curl http://<ntc-endpoint>/healthcheck
```

## Uninstalling

```bash
helm uninstall ntc --namespace ntc
kubectl delete namespace ntc
```

## Licensing

The Nirmata Terraform Controller is **commercial software** available under a paid Nirmata subscription. Use is governed by the [Nirmata Terms of Use](https://nirmata.com/terms-of-use/). See the [Licensing]({{< relref "/docs/reference/licensing/" >}}) page for details.


---

## Nirmata Control Hub


## Introduction
Cloud Controller is an innovative admission controller designed for cloud environments, introduced by Nirmata to bring robust governance and security capabilities to any cloud or cloud service. Inspired by Kubernetes admission controllers like Kyverno, Cloud Controller fills a critical gap in cloud-native operations by enforcing policy-as-code standards directly in cloud resource configurations. This capability enables organizations to prevent misconfigurations from reaching production environments, ensuring that resources adhere to defined policies for security and compliance.

As a core component of the Nirmata Control Hub, Cloud Controller provides a unified solution for managing security and governance across pipelines, clusters, and cloud environments. With admission control, continuous background scanning, and event-driven reporting, Cloud Controller helps teams maintain a consistent and secure posture across their entire cloud infrastructure.

## Key Features

* **Cloud Admission Control:** Cloud Controller introduces admission control for cloud environments, allowing you to prevent misconfigurations before they impact production. It enforces policies at the moment resources are created or modified, ensuring compliance from the start.
* **Comprehensive Multi-Cloud Compatibility:** Designed to work with any cloud provider and service, Cloud Controller offers flexibility for diverse environments. Its policies can be applied universally, giving organizations consistent security and governance across all cloud platforms.
* **Continuous Background Scanning:** Beyond initial admission control, Cloud Controller performs ongoing scans of cloud resources, identifying and alerting teams to misconfigurations and potential vulnerabilities as environments evolve. This continuous monitoring enhances long-term compliance and security.
* **Event-Driven Reporting:** Cloud Controller generates detailed reports based on events, similar to Kyverno's report formats, and integrates with the working group policy API. These reports provide insights into policy compliance, security posture, and operational effectiveness.
* **Integration with Nirmata Control Hub:** As part of the Nirmata Control Hub, Cloud Controller enables centralized visibility into pipeline, cluster, and cloud security. By consolidating governance data in one platform, it empowers teams to proactively manage their security and compliance postures across all stages of the deployment lifecycle.

## AWS Asset Discovery

### AWS Organisation and Account Discovery

The AWS Organisation and Account Discovery feature introduces a new custom resource called `AWSOrgConfig`. This feature allows users to create an `AWSOrgConfig` for an Organisation Unit or root Org. The cloud controller will then discover all the child OUs for the configured org, create an `AWSOrgConfig` for them, and discover the AWS accounts within those OUs, creating `AWSAccountConfig` for them. The discovery process is recursive, ensuring that all child orgs and child accounts at all levels are discovered.

#### Example `AWSOrgConfig`

```yaml
apiVersion: nirmata.io/v1alpha1
kind: AWSOrgConfig
metadata:
  name: root
spec:
  customAssumeRoleName: DevTestAccountAccessRole
  orgID: r-zyre
  orgName: Root
  regions:
  - us-west-1
  roleARN: arn:aws:iam::<account-id>:role/<role-name>
  scanInterval: 1h
  services:
  - EKS
  - ECS
  - EC2
  - Lambda
  - RDS
```

#### Field Descriptions
- **orgID**: The ID of the organisation unit or root to be configured, assigned by AWS.
- **orgName**: The name of the organisation as desired by the user. It is recommended to keep it the same as the AWS assigned name.
- **regions**: The regions from which resources need to be scanned in the discovered child AWS accounts.
- **scanInterval**: The frequency of the scan.
- **services**: The services in which resources need to be scanned.
- **roleARN**: The critical role that must be created in the management account. It must have permissions to list accounts, list OUs, and describe them, and it must be assumable by the IAM role bound to the cloud scanner's service account through the pod identity agent.
- **customAssumeRoleName**: The name of the IAM role that must be present in the discovered accounts, with permissions to fetch resources in the specified services. It is similar to the role for the scanner.
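The recursive fan-out described above, as an added illustrative model written for this page. It is not the cloud controller's own code: `list_children` is a hypothetical stand-in for the AWS Organizations list calls over a constructed org tree, child configs are assumed to inherit the parent's `regions`, `services`, `scanInterval`, and `customAssumeRoleName` (the page does not say which fields propagate), and the `AWSAccountConfig` spec field names are assumptions, since the page only names the resource kind.

```python
# Constructed org tree standing in for the AWS Organizations API. Keys are parent ids;
# values are (child_id, child_name, kind) where kind is "ou" or "account".
CONSTRUCTED_ORG = {
    "r-zyre": [("ou-zyre-dev00001", "Dev", "ou"),
               ("ou-zyre-prod0001", "Prod", "ou"),
               ("111111111111", "shared-services", "account")],
    "ou-zyre-dev00001": [("222222222222", "dev-sandbox", "account"),
                         ("ou-zyre-devtest1", "DevTest", "ou")],
    "ou-zyre-devtest1": [("333333333333", "dev-test", "account")],
    "ou-zyre-prod0001": [("444444444444", "prod-main", "account")],
}

# The root AWSOrgConfig from the page, as a dict.
ROOT_CONFIG = {
    "apiVersion": "nirmata.io/v1alpha1", "kind": "AWSOrgConfig",
    "metadata": {"name": "root"},
    "spec": {"customAssumeRoleName": "DevTestAccountAccessRole", "orgID": "r-zyre",
             "orgName": "Root", "regions": ["us-west-1"],
             "roleARN": "arn:aws:iam::<account-id>:role/<role-name>",
             "scanInterval": "1h", "services": ["EKS", "ECS", "EC2", "Lambda", "RDS"]},
}


def list_children(parent_id):
    """Hypothetical stand-in for ListOrganizationalUnitsForParent / ListAccountsForParent."""
    return CONSTRUCTED_ORG.get(parent_id, [])


def make_org_config(org_id, org_name, parent_spec):
    """AWSOrgConfig for a child OU; scan settings are inherited from the parent (assumption)."""
    spec = dict(parent_spec, orgID=org_id, orgName=org_name)
    return {"apiVersion": "nirmata.io/v1alpha1", "kind": "AWSOrgConfig",
            "metadata": {"name": org_name.lower()}, "spec": spec}


def make_account_config(account_id, account_name, parent_spec):
    """AWSAccountConfig for a discovered account.

    Spec field names here are assumptions for illustration; the page states only that
    the role named in customAssumeRoleName must exist in each discovered account.
    """
    return {"apiVersion": "nirmata.io/v1alpha1", "kind": "AWSAccountConfig",
            "metadata": {"name": account_name},
            "spec": {"accountID": account_id, "accountName": account_name,
                     "assumeRoleName": parent_spec["customAssumeRoleName"],
                     "regions": parent_spec["regions"],
                     "services": parent_spec["services"],
                     "scanInterval": parent_spec["scanInterval"]}}


def discover(org_config, depth=0, max_depth=10):
    """Expand one AWSOrgConfig into configs for every child OU and account, recursively."""
    if depth > max_depth:  # guard against a cyclic or runaway tree
        raise RecursionError(f"org tree deeper than {max_depth} levels")
    generated = []
    spec = org_config["spec"]
    for child_id, child_name, kind in list_children(spec["orgID"]):
        if kind == "ou":
            child_cfg = make_org_config(child_id, child_name, spec)
            generated.append(child_cfg)
            generated.extend(discover(child_cfg, depth + 1, max_depth))
        else:
            generated.append(make_account_config(child_id, child_name, spec))
    return generated


def summarize(configs):
    """Count generated resources by kind."""
    counts = {}
    for cfg in configs:
        counts[cfg["kind"]] = counts.get(cfg["kind"], 0) + 1
    return counts


if __name__ == "__main__":
    generated = discover(ROOT_CONFIG)
    print(summarize(generated))
    for cfg in generated:
        print(cfg["kind"], cfg["metadata"]["name"])
```

With the constructed tree, one root config expands into three `AWSOrgConfig` objects (Dev, DevTest, Prod) and four `AWSAccountConfig` objects, and the nested DevTest OU is reached through the Dev OU, which is the recursion the text describes.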

## Licensing

Nirmata Control Hub is **commercial software** available under a paid Nirmata subscription. Use is governed by the [Nirmata Terms of Use](https://nirmata.com/terms-of-use/). See the [Licensing]({{< relref "/docs/reference/licensing/" >}}) page for details.

## Pricing Information
Contact [Nirmata Customer Support](https://nirmata.com/contact-us) for pricing details.


---

## AI Control Point


> **In Private Preview** — AI Control Point is available to select customers. [Contact us to learn more](https://nirmata.com/request-a-demo/).

## Overview

**Nirmata AIControl** is the enforcement layer for AI — governing how developers and agents access large language models across your organization. It sits between your developers and LLM providers, evaluating Kyverno CEL policies on every request before a token is consumed.

Where billing dashboards tell you what happened yesterday, AIControl governs what is allowed right now — who can call which model, how much they can spend, and who approved any exception.

## What It Does

| Capability | Description |
|---|---|
| **Identity-aware model access** | Enforce which models each developer, team, or AD group can call — before the request reaches the provider |
| **Session budget enforcement** | Set spending limits per developer or team; degrade to a cheaper model or escalate to a manager when a budget is exhausted |
| **Cost attribution** | Tag every LLM call to a developer, team, and work item in real time |
| **Audit trail** | Full log of every request, policy decision, exception, and approval |
| **Human-in-the-loop (HITL) workflows** | Route budget exceptions to a manager for approval via Slack or other integrations |
| **Multi-provider coverage** | Govern Claude, Gemini, and OpenAI through a single policy layer via LiteLLM |

## How It Fits In

AIControl uses the same Kyverno CEL policy language as the rest of the Nirmata platform — the policies your team already uses for Kubernetes admission control now govern your AI layer. Policies are version-controlled in Git and reviewed like any other infrastructure change.

It deploys alongside LiteLLM with zero code changes to developer workflows — one configuration change routes requests through the governance layer.

## Part of the Nirmata Control Family

AIControl is one of several Policy Control Points in the Nirmata platform, all powered by the same Kyverno policy engine:

**Kubernetes Control Point → Pipeline Control Point → Terraform Control Point → Cloud Control Point → AI Control Point**

## Get Access

AI Control Point is currently available in private preview for select customers.

[Contact Us to Learn More →](https://nirmata.com/request-a-demo/)


---

## Authz Control Point


> **In Private Preview** — This feature is available to select customers. [Contact us to learn more](https://nirmata.com/request-a-demo/).

## Overview

The Nirmata Authorization Service provides runtime, identity-aware authorization for Kubernetes and cloud services, built on Kyverno AuthZ. It enables policy-driven access control decisions with full audit trails — going beyond admission control to govern every API call in real time.

## What's Included

- **Identity-aware authorization** — decisions based on user identity, group membership, and contextual attributes
- **Kyverno AuthZ integration** — leverage your existing Kyverno policies for runtime authorization
- **Kubernetes SubjectAccessReview webhook** — drop-in replacement for standard RBAC with policy-enriched decisions
- **Full audit trail** — every authorization decision logged with policy context
- **Exception handling** — manage authorization exceptions through Nirmata Control Hub
- **Integration with external identity providers** — OIDC, SAML, and cloud IAM support
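The list above mentions a Kubernetes `SubjectAccessReview` webhook. The following is an added example, written for this page and not the Nirmata Authorization Service's code, of the request and response shape such a webhook authorizer handles and of the decision semantics a defender should get right: an explicit match returns `allowed: true`, anything else returns no opinion (`allowed: false`, `denied: false`) so later authorizers such as RBAC still run, and every decision is recorded with its identity context. The group-to-rule table is constructed and stands in for the Kyverno AuthZ policy the page refers to.

```python
from datetime import datetime, timezone

# Constructed allow-rules keyed by group: (namespace, resource, verbs). "*" is a wildcard.
# This rule format is an assumption for illustration; it is not Kyverno AuthZ syntax.
CONSTRUCTED_RULES = {
    "platform-admins": [("*", "*", {"*"})],
    "team-payments": [("payments", "deployments", {"get", "list", "watch", "create", "update"}),
                      ("payments", "pods", {"get", "list", "watch"})],
}

# In-memory audit trail; a real service would ship this to durable, tamper-evident storage.
AUDIT_LOG = []


def _rule_matches(rule, ns, resource, verb):
    rule_ns, rule_res, verbs = rule
    return (rule_ns in ("*", ns) and rule_res in ("*", resource)
            and ("*" in verbs or verb in verbs))


def _respond(sar, allowed, reason, user, groups):
    """Fill status and append an audit record carrying the identity and request context."""
    AUDIT_LOG.append({
        "ts": datetime.now(timezone.utc).isoformat(),
        "user": user, "groups": list(groups),
        "attributes": sar.get("spec", {}).get("resourceAttributes"),
        "allowed": allowed, "reason": reason,
    })
    # denied stays False: a webhook authorizer returns "no opinion" rather than a hard
    # deny, unless policy explicitly wants to short-circuit every later authorizer.
    return {**sar, "status": {"allowed": allowed, "denied": False, "reason": reason}}


def decide(sar: dict) -> dict:
    """Evaluate an authorization.k8s.io/v1 SubjectAccessReview and return it with status set."""
    spec = sar.get("spec", {})
    user, groups = spec.get("user", ""), spec.get("groups", [])
    attrs = spec.get("resourceAttributes")
    if attrs is None:
        # nonResourceAttributes (e.g. /healthz) are out of scope here: no opinion.
        return _respond(sar, False, "no opinion: non-resource request", user, groups)
    ns = attrs.get("namespace", "")
    resource, verb = attrs.get("resource", ""), attrs.get("verb", "")
    for group in groups:
        for rule in CONSTRUCTED_RULES.get(group, []):
            if _rule_matches(rule, ns, resource, verb):
                return _respond(sar, True, f"allowed by rule for group {group}", user, groups)
    return _respond(sar, False, "no matching rule", user, groups)


def make_sar(user, groups, namespace, resource, verb):
    """Build a SubjectAccessReview like the API server POSTs to a webhook authorizer."""
    return {"apiVersion": "authorization.k8s.io/v1", "kind": "SubjectAccessReview",
            "spec": {"user": user, "groups": groups,
                     "resourceAttributes": {"namespace": namespace,
                                            "resource": resource, "verb": verb}}}


if __name__ == "__main__":
    for req in (make_sar("alice", ["team-payments"], "payments", "deployments", "create"),
                make_sar("alice", ["team-payments"], "billing", "deployments", "create"),
                make_sar("root", ["platform-admins"], "kube-system", "secrets", "delete")):
        print(decide(req)["status"])
    print(AUDIT_LOG[-1])
```

Because the response is only ever "allow" or "no opinion", mis-scoped rules fail closed: a request outside the listed namespaces falls through to whatever RBAC says, and the audit record shows exactly which group and rule produced each allow.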

## Get Access

The Authorization Service is currently available in private preview for select customers.

[Contact Us to Learn More →](https://nirmata.com/request-a-demo/)


