🗂️ Navigation
📁 Infrastructure as Code
📋 Pulumi Crossguard
🔧 Pulumi Kubernetes Guard

Pulumi Kubernetes Guard

A policy pack of rules to enforce Kubernetes best practices.

Visit Website →

Overview

Pulumi Kubernetes Guard is a configurable library that you can use to enforce Kubernetes best practices for your own Pulumi stacks or organization. It is part of Pulumi's Policy as Code offering, CrossGuard, and can be used to check for common issues like running containers as root, not setting resource limits, or exposing services insecurely. Policies can be set to 'advisory' to warn developers or 'mandatory' to block deployments.

✨ Key Features

  • Enforce Kubernetes security best practices
  • Check for cost optimization and reliability configurations
  • Align with Pod Security Standards (PSS)
  • Configurable enforcement levels (advisory, mandatory, disabled)
  • Integrates directly into `pulumi up` and `pulumi preview`

🎯 Key Differentiators

  • Policy written in general-purpose languages (TypeScript)
  • Validates resources before they are sent to the Kubernetes API server
  • Unified policy approach for both Kubernetes and the underlying cloud infrastructure

Unique Value: Enforce Kubernetes best practices using familiar programming languages, catching and preventing misconfigurations before they are deployed to the cluster.

🎯 Use Cases (4)

Disallowing containers from running as the root user Requiring CPU and memory limits for all pods Preventing the use of hostPath volumes Ensuring all services are of type ClusterIP unless explicitly allowed

✅ Best For

  • Enforcing Pod Security Standards in a CI/CD pipeline before deploying applications to a Kubernetes cluster.

💡 Check With Vendor

Verify these considerations match your specific requirements:

  • Runtime security monitoring in Kubernetes (use Falco or similar)
  • Policy enforcement for non-Kubernetes resources

🏆 Alternatives

Kyverno OPA Gatekeeper Datree

Unlike admission controllers like Gatekeeper or Kyverno which run inside the cluster, Kubernetes Guard runs client-side, providing earlier feedback to developers and working with any Kubernetes cluster without requiring cluster-side setup.

💻 Platforms

API

✅ Offline Mode Available

🔌 Integrations

Pulumi CLI Pulumi Cloud Kubernetes

💰 Pricing

Contact for pricing
Free Tier Available

Free tier: The policy pack itself is open-source and free.

Visit Pulumi Kubernetes Guard Website →

🔄 Similar Tools in Pulumi Crossguard

Pulumi AWS Guard

Codifies best practices for AWS, allowing enforcement across Pulumi stacks....

Contact

Pulumi Azure Compliance Policies

Enforces common security and compliance policies (PCI DSS, ISO 27001, CIS) for Azure....

Contact

Pulumi Open Policy Agent (OPA) Integration

Enforce security, compliance, and best practices using the Rego language....

Contact

Pulumi Snyk Integration

Integrates Snyk's container scanning capabilities directly into the Pulumi workflow....

Contact

Pulumi Vault Provider

Manage Vault resources like policies, secrets, and auth methods using Pulumi....

Contact

Pulumi Best Practices Pack

A pre-built policy pack from Pulumi that enforces foundational security and governance....

Contact