---
title: "Policy Library"
diataxis: reference
applies_to:
  product: "kyverno"
audience: ["platform-engineer","devsecops"]
last_updated: 2026-04-16
url: https://docs.nirmata.io/docs/policy-sets/
---

Nirmata provides curated Policy Sets of Kyverno policies that map to industry standards and best practices for running Kubernetes clusters.

All policies are available at [https://github.com/nirmata/kyverno-policies](https://github.com/nirmata/kyverno-policies) and are licensed under the **GNU Affero General Public License v3.0 (AGPL-3.0)**. See the [Licensing]({{< relref "/docs/reference/licensing/" >}}) page for details.


## Writing Custom Policies
Refer to the official documentation to learn the policy constructs and syntax.
* [Kyverno Policies](https://kyverno.io/docs/policy-types/)
* [Kyverno JSON Policies](https://kyverno.github.io/kyverno-json/latest/intro/)

## Policy Conventions
The [Nirmata Control Hub](/docs/control-hub/) relies on policy annotations to display information about policies and findings and to drive workflows such as Remediation Suggestions and diffs. For custom policies to integrate with Nirmata Control Hub, follow the conventions below.

### Display Policy Category
`policies.kyverno.io/category`

Use this annotation to display the Category on the Policy Reports page. Example:

`policies.kyverno.io/category: Pod Security Standards (Baseline)`

Sample policy: [disallow-host-namespaces.yaml](https://github.com/nirmata/kyverno-policies/blob/main/pod-security/baseline/disallow-host-namespaces/disallow-host-namespaces.yaml)

### Display Findings Description
`policies.kyverno.io/description`

Use this annotation to show a longer explanation of the policy on the finding details page. Example:
```yaml
policies.kyverno.io/description: >-
  Host namespaces (Process ID namespace, Inter-Process Communication namespace, and
  network namespace) allow access to shared information and can be used to elevate
  privileges. Pods should not be allowed access to host namespaces. This policy ensures
  fields which make use of these host namespaces are unset or set to `false`.
```

Sample policy: [disallow-host-namespaces.yaml](https://github.com/nirmata/kyverno-policies/blob/main/pod-security/baseline/disallow-host-namespaces/disallow-host-namespaces.yaml)

### Display Findings Severity
`policies.kyverno.io/severity`

Use this annotation to display the severity of a finding. Note the space after the colon: without it YAML reads `severity:medium` as a single key with no value. Example:

`policies.kyverno.io/severity: medium`

Sample policy: [disallow-host-namespaces.yaml](https://github.com/nirmata/kyverno-policies/blob/main/pod-security/baseline/disallow-host-namespaces/disallow-host-namespaces.yaml)

### Display Fix Recommendations
`policies.nirmata.io/remediation-docs`

Use this annotation to link to an internal or external page that explains the policy, its impact, and how to fix a violation. Example:

`policies.nirmata.io/remediation-docs: "https://docs.nirmata.io/policysets/podsecurity/baseline/disallow-host-namespaces/"`

Sample policy: [disallow-host-namespaces.yaml](https://github.com/nirmata/kyverno-policies/blob/main/pod-security/baseline/disallow-host-namespaces/disallow-host-namespaces.yaml)

### Provide Remediation Suggestion (Diff)
`policies.nirmata.io/remediation`

Use this annotation to link to a Kyverno `mutate` policy that Nirmata Control Hub uses to compute the remediation diff for a violation. Example:

`policies.nirmata.io/remediation: "https://github.com/nirmata/kyverno-policies/tree/main/pod-security/baseline/disallow-host-namespaces/remediate-disallow-host-namespaces.yaml"`

Sample policy: [disallow-host-namespaces.yaml](https://github.com/nirmata/kyverno-policies/blob/main/pod-security/baseline/disallow-host-namespaces/disallow-host-namespaces.yaml)

### Adding Analyzer Binding to Kyverno JSON Policy
Add a binding on `$analyzer.resource.type` to the policy's `match` block.

The analyzer binding tells `nctl` which kind of artifact the policy applies to, so the rule is evaluated only against that artifact type. Example, for a Terraform configuration:

`($analyzer.resource.type): terraform-config`

For a Terraform plan, Terraform state, or Dockerfile, the analyzer type is `terraform-plan`, `terraform-state`, or `dockerfile` respectively.

Sample policy: [enable-kms-encryption.yaml](https://github.com/nirmata/kyverno-policies/blob/main/terraform/plan/s3-best-practices/enable-kms-encryption/enable-kms-encryption.yaml)
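An added example (not the `enable-kms-encryption.yaml` policy itself) of a Kyverno JSON policy with the analyzer binding, written for Terraform plan JSON as produced by `terraform show -json`. The resource type and field paths follow the Terraform plan format; the policy name, annotation values, and the `aws:kms` requirement are assumptions made for illustration:

```yaml
apiVersion: json.kyverno.io/v1alpha1
kind: ValidatingPolicy
metadata:
  name: require-s3-sse-kms
  annotations:
    policies.kyverno.io/category: S3 Best Practices
    policies.kyverno.io/severity: high
    policies.kyverno.io/description: >-
      Server-side encryption on S3 buckets must use SSE-KMS rather than the
      default SSE-S3 so that key usage is auditable and access can be revoked.
spec:
  rules:
    - name: sse-kms-on-every-bucket
      # The analyzer binding scopes this rule to Terraform plan JSON; the rule is
      # skipped, not failed, when nctl scans HCL config, state, or a Dockerfile.
      match:
        any:
        - ($analyzer.resource.type): terraform-plan
      assert:
        all:
        - message: >-
            Every aws_s3_bucket_server_side_encryption_configuration must set
            sse_algorithm to aws:kms.
          check:
            # ~.(expr) iterates over each planned resource of the relevant type
            # and requires the nested assertion to hold for every element.
            ~.(planned_values.root_module.resources[?type=='aws_s3_bucket_server_side_encryption_configuration']):
              values:
                ~.rule:
                  ~.apply_server_side_encryption_by_default:
                    sse_algorithm: aws:kms
```

Two caveats a reviewer would raise: the check walks only `planned_values.root_module.resources`, so buckets created inside modules (which appear under `child_modules`) need a second iteration; and it asserts on encryption-configuration resources that exist, so a bucket with no such resource at all passes this rule and needs a separate check.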


---

## Pod Security Standards

The Pod Security Standards define three profiles that broadly cover the security spectrum:
- Privileged
- Baseline
- Restricted

Nirmata provides Kyverno policies mapped to each control in the Baseline and Restricted profiles; the Privileged profile is unrestricted by definition and needs no policies. Refer to the official [Kubernetes documentation](https://kubernetes.io/docs/concepts/security/pod-security-standards/) to learn more about the profiles themselves.

To install all the policies for Pod Security Standards, refer to the instructions provided in the [README](https://github.com/nirmata/kyverno-policies/tree/main/pod-security) guide.

Each profile page lists its controls, the Kyverno policy that enforces each one, and a reference example of a resource that conforms to the policy.

---

## RBAC Best Practices


Kubernetes Role-Based Access Control (RBAC) is the authorization mechanism that limits cluster users and workloads to the permissions their roles require. Nirmata provides a collection of Kyverno policies aimed at implementing RBAC best practices. Refer to the official [Kubernetes documentation](https://kubernetes.io/docs/concepts/security/rbac-good-practices/) to learn about the practices in detail.

To install all the policies for RBAC best practices, refer to the instructions provided in the [README](https://github.com/nirmata/kyverno-policies/tree/main/rbac-best-practices) guide.

Each control page describes the practice, the Kyverno policy that enforces it, and a reference example of a resource that conforms to the policy.


---

## Dockerfile Best Practices


Dockerfile best practices are guidelines for building Docker images that are harder to attack and less likely to ship vulnerabilities. Nirmata provides a collection of Kyverno policies aimed at implementing Dockerfile best practices. Refer to the official [Docker documentation](https://docs.docker.com/develop/develop-images/dockerfile_best-practices/) to learn about the practices in detail.

Each control page describes the practice, the Kyverno policy that enforces it, and a reference example of a Dockerfile that conforms to the policy.

---

## Compliance


Compliance policy packs mapped to industry standards and regulatory frameworks for Kubernetes.

### Standards Covered

- **CIS Kubernetes Benchmark** — Center for Internet Security controls
- **NIST 800-53** — National Institute of Standards and Technology controls
- **ISO 27001** — Information security management controls
- **NSA/CISA Kubernetes Hardening Guidance** — Government hardening recommendations
- **SOC 2** — Service Organization Control 2 requirements
- **PCI-DSS** — Payment Card Industry Data Security Standard

All compliance policies are available in the [Nirmata policy library on GitHub](https://github.com/nirmata/kyverno-policies/tree/main/compliance).


---

## Terraform


Kyverno JSON policies for scanning Terraform IaC artifacts with `nctl scan terraform`.

### What's Covered

- S3 bucket encryption and access control
- IAM role and policy validation
- Security group rules
- Resource tagging enforcement
- Cost control guardrails

All Terraform policies are available in the [Nirmata policy library on GitHub](https://github.com/nirmata/kyverno-policies/tree/main/terraform).


---

## GitHub Actions


Kyverno JSON policies for scanning GitHub Actions workflow files with `nctl scan github-actions`.

### What's Covered

- Pin action versions to full commit SHAs (not mutable tags)
- Restrict workflow permissions to least-privilege
- Detect secret exposure in environment variables
- Enforce branch protection for workflow triggers
- Validate workflow file structure and syntax

All GitHub Actions policies are available in the [Nirmata policy library on GitHub](https://github.com/nirmata/kyverno-policies/tree/main/github-actions).
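To make the first three controls concrete, here is a constructed workflow with the weak settings beside its hardened form. This is an added example, not a policy or workflow from the Nirmata repository; `example-org`, the `make` targets, and the secret name are placeholders, and `<40-hex-commit-sha>` stands for the full commit SHA of the action release you have reviewed:

```yaml
# Before (constructed): mutable action tag, default token permissions,
# secret exported to every step in the job.
name: build
on: [push, pull_request]
jobs:
  build:
    runs-on: ubuntu-latest
    env:
      # Job-wide: every step, including third-party actions, can read it.
      AWS_SECRET_ACCESS_KEY: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
    steps:
      # A tag can be moved to point at different code after you reviewed it.
      - uses: actions/checkout@v4
      - run: make build
      - run: make publish
---
# After: SHA-pinned actions, least-privilege token, secret scoped to one step.
name: build
on:
  push:
    branches: [main]
  pull_request:
# Workflow-wide default; a job that needs more must ask for it explicitly.
permissions:
  contents: read
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      # Full commit SHA is immutable; keep the tag in a comment so humans and
      # update bots can still tell which release it is.
      - uses: actions/checkout@<40-hex-commit-sha> # v4
      - run: make build
      - name: Publish
        # Only the step that needs the credential sees it.
        env:
          AWS_SECRET_ACCESS_KEY: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
        run: make publish
```

Pinning removes the tag-retargeting risk but also removes automatic updates, so pair it with a dependency-update bot that bumps the SHA and comment together; a policy that only checks for a 40-hex suffix will happily accept a years-old pinned commit.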


---

## AI Policies


Kyverno policies for governing AI agents, MCP servers, and LLM-integrated workloads.

### What's Covered

- **Prompt guardrails** — Enforce safe prompt patterns and block prohibited inputs
- **Skill authorization** — Control which nctl AI skills can be invoked
- **AI Policy Pack** — Bundled policies for LLM workload governance
- **MCP server policies** — Access control and audit rules for MCP-compatible gateways

All AI policies are available in the [Nirmata policy library on GitHub](https://github.com/nirmata/kyverno-policies/tree/main/ai).


---

## Image Verification


Kyverno policies for enforcing container image supply chain security.

### What's Covered

- **Cosign verification** — Require images to be signed with Cosign
- **Notary verification** — Enforce Notary v2 signatures
- **Attestation checks** — Validate SBOM and vulnerability scan attestations
- **Registry restrictions** — Allow images only from trusted registries

All image verification policies are available in the [Nirmata policy library on GitHub](https://github.com/nirmata/kyverno-policies/tree/main/VerifyImage).
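An added example of a Cosign verification rule, written against Kyverno's `verifyImages` rule type rather than taken from the Nirmata library; the registry, GitHub organization, and keyless identity are assumptions for illustration:

```yaml
apiVersion: kyverno.io/v1
kind: ClusterPolicy
metadata:
  name: verify-image-signatures
spec:
  validationFailureAction: Enforce
  # Signatures are checked at admission time; background scans of existing
  # Pods cannot verify images, so keep this off.
  background: false
  webhookTimeoutSeconds: 30
  # Fail closed: if the registry or the transparency log is unreachable,
  # reject the Pod rather than admit an unverified image.
  failurePolicy: Fail
  rules:
    - name: require-cosign-keyless-signature
      match:
        any:
        - resources:
            kinds:
              - Pod
      verifyImages:
      # Only images matching these references are checked; anything else is
      # admitted untouched, so pair this rule with a registry allowlist.
      - imageReferences:
        - "ghcr.io/example-org/*"   # assumed registry and organization
        required: true
        # Rewrite the tag to the verified digest in the admitted Pod so the
        # image that actually runs is the one whose signature was checked.
        mutateDigest: true
        attestors:
        - count: 1
          entries:
          - keyless:
              # Sigstore keyless: trust signatures made by this org's GitHub
              # Actions workflows, as attested by the GitHub OIDC issuer.
              subject: "https://github.com/example-org/*"
              issuer: "https://token.actions.githubusercontent.com"
              rekor:
                url: https://rekor.sigstore.dev
```

The `subject` glob is the part to scrutinize: `https://github.com/example-org/*` trusts every workflow in every repository of the organization, including forks that were transferred in, so narrow it to the repository or workflow path that is allowed to publish production images.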


---

## Cost Management


Kyverno policies for controlling cloud and Kubernetes infrastructure costs.

### What's Covered

- **Resource quotas** — Require CPU and memory requests/limits on all workloads
- **Instance type restrictions** — Block expensive GPU or high-memory node selectors
- **HPA guardrails** — Cap maximum replica counts to prevent runaway scaling
- **Service restrictions** — Disallow LoadBalancer services without approval
- **Namespace budgets** — Enforce LimitRange and ResourceQuota on namespaces

All cost management policies are available in the [Nirmata policy library on GitHub](https://github.com/nirmata/kyverno-policies/tree/main/cost-management).


---

## Multitenancy


Kyverno policies for enforcing multi-tenant cluster security and isolation standards.

### What's Covered

- **Namespace resource quotas** — Require ResourceQuota on every namespace
- **LimitRange enforcement** — Ensure default limits are set per namespace
- **Network isolation** — Require a default-deny NetworkPolicy in each namespace
- **Tenant labeling** — Enforce required labels for tenant identification

All multitenancy policies are available in the [Nirmata policy library on GitHub](https://github.com/nirmata/kyverno-policies/tree/main/multitenancy-benchmarks).


---

## Workload Security


Kyverno policies for hardening Kubernetes workload runtime security beyond the Pod Security Standards.

### What's Covered

- **Security context enforcement** — Require non-root users, read-only root filesystems
- **Capability restrictions** — Drop all capabilities, allowlist only what's needed
- **Volume security** — Restrict sensitive host path mounts
- **Network security** — Enforce endpoint protection and egress controls
- **RBAC restrictions** — Prevent over-privileged service account bindings

All workload security policies are available in the [Nirmata policy library on GitHub](https://github.com/nirmata/kyverno-policies/tree/main/workload-security).


---

## Cloud / EKS


Kyverno policies for cloud-managed Kubernetes clusters, focused on AWS EKS and cloud controller security.

### What's Covered

- **EKS best practices** — Node group security, IAM roles for service accounts (IRSA)
- **AWS cloud controller** — Policies for cloud controller manager configuration
- **Managed node group hardening** — Enforce secure launch templates
- **IRSA enforcement** — Require workloads to use IAM Roles for Service Accounts
- **EKS add-on validation** — Ensure required add-ons are present and configured

All cloud and EKS policies are available in the [Nirmata policy library on GitHub](https://github.com/nirmata/kyverno-policies/tree/main/eks-best-practices).


---

## Best Practices


Kyverno policies enforcing general Kubernetes operational best practices.

### What's Covered

- **Required labels** — Enforce standard labels (app, version, owner) on workloads
- **Liveness and readiness probes** — Require health probes on all containers
- **Image tag policy** — Disallow the `latest` tag, require explicit versioning
- **Anti-affinity rules** — Encourage pod anti-affinity for high-availability workloads
- **Resource naming** — Enforce naming conventions across namespaces

All best practices policies are available in the [Nirmata policy library on GitHub](https://github.com/nirmata/kyverno-policies/tree/main/best-practices-k8s).


