Using Kyverno policies with ArgoCD
TechOps Examples
Hey — It's Govardhana MK 👋
Along with a use case deep dive, we identify the remote job opportunities, top news, tools, and articles in the TechOps industry.
IN TODAY'S EDITION
🧠 Use Case
Using Kyverno policies with ArgoCD
🚀 Top News
👀 Remote Jobs
Canonical is hiring a Cloud Solutions Architect
Remote Location: Worldwide
KloudMate is hiring a DevOps and Cloud Engineer
Remote Location: India
📚️ Resources
📢 Reddit Threads
🛠️ TOOL OF THE DAY
soci-snapshotter - A containerd snapshotter plugin which enables standard OCI images to be lazily loaded without requiring a build-time conversion step.
🧠 USE CASE
Using Kyverno policies with ArgoCD
In an ideal Kubernetes world, we would all have guardrails in place (named here after Kyverno's sample policies) that:
✔️ add-network-policy
✔️ add-networkpolicy-dns
✔️ add-ns-quota
✔️ add-rolebinding
✔️ add-safe-to-evict
❌ disallow-cri-sock-mount
❌ disallow-default-namespace
❌ disallow-empty-ingress-host
❌ disallow-helm-tiller
❌ disallow-latest-tag
and so on…
As Kubernetes deployments grow more complex, keeping things governed and compliant starts to feel like a real challenge.
Kyverno, a Kubernetes-native policy engine, complements ArgoCD, the popular GitOps tool, to enforce policies across your deployment pipelines.
Rather than talking at 10,000 feet, let’s pick a real-world use case of ‘disallowing the latest tag in container images.’
Setting up Kyverno is already well documented; refer to Kyverno's installation documentation for that part.
Stage 1: Organize Files and Folders for Policy-as-Code
Organizing files and folders is critical to managing policies effectively in a GitOps workflow.
Use the following structure (one Git repository, two top-level directories, each backed by its own ArgoCD Application):

repo/
  manifests/   application resources such as Deployments, Services, and ConfigMaps, managed by ArgoCD
  policies/    Kyverno policies for version-controlled governance, enforced when resources are created or updated

Keeping policies in their own directory lets them be reviewed, synced, and rolled back independently of the workloads they govern.
Stage 2: Create a Kyverno Policy to Disallow the Latest Tag
Save the following policy as disallow-latest-tag.yaml:

Apply the policy directly for a first test (in the GitOps flow of Stage 3, commit it under policies/ instead and let ArgoCD sync it):
kubectl apply -f disallow-latest-tag.yaml
Stage 3: Configure ArgoCD for Policy Management
To integrate Kyverno policies into your GitOps workflow, create an ArgoCD application for policies:

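The Application manifest from the original post is not reproduced in this copy; the one below is an added example. The repository URL is a placeholder, and the sync-wave annotation only has an effect when this Application and the manifests Application are children of one app-of-apps.

```yaml
apiVersion: argoproj.io/v1alpha1
kind: Application
metadata:
  name: kyverno-policies
  namespace: argocd
  annotations:
    # Lower waves sync first, so policies land before the application
    # manifests when both are managed from one app-of-apps.
    argocd.argoproj.io/sync-wave: "-1"
spec:
  project: default
  source:
    repoURL: https://github.com/example-org/gitops.git   # placeholder repository
    targetRevision: main
    path: policies                                      # the policies/ directory from Stage 1
  destination:
    server: https://kubernetes.default.svc
    # ClusterPolicy is cluster-scoped; the namespace only applies to any
    # namespaced resources you add to policies/ later.
    namespace: kyverno
  syncPolicy:
    automated:
      prune: true      # delete policies that are removed from Git
      selfHeal: true   # revert manual kubectl edits back to what Git declares
```

Kyverno itself (and its CRDs) must be installed before this Application syncs, otherwise the ClusterPolicy kind is unknown to the cluster. If ArgoCD reports the ClusterPolicy as perpetually OutOfSync on an older Kyverno release, the cause is the auto-generated controller rules being written back into the policy spec; ArgoCD's ignoreDifferences setting is the usual remedy there.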
With automated sync enabled, this ensures policies are deployed automatically and stay in sync with the repository: a policy merged to Git is enforced on the cluster, and a policy deleted from Git is pruned.
Stage 4: Test the Integration
Deploy a non-compliant application (e.g., one using nginx:latest) and observe the policy violation. If you apply it with kubectl, the admission webhook denial is returned directly; if you commit it under manifests/, the same denial shows up as a failed sync on the ArgoCD Application. Sample error message:
Error: Using a mutable image tag e.g. 'latest' is not allowed.
If no error appears, check that validationFailureAction is Enforce: in Audit mode the violation is only recorded in a PolicyReport and the resource is admitted.
Fix the deployment to use a specific tag (e.g., nginx:1.21.0) and verify successful deployment.
You can replicate the same for other policies.