Kyverno

Kyverno is a new CNCF incubating project designed to be a Kubernetes-native counterpart to OPA: more convenient to use, but also less powerful and with fewer integrations with other systems.

Policies are expressed as custom resources that the Kyverno admission controller loads, as in this example, which disallows the use of bind mounts (hostPath volumes):

apiVersion: kyverno.io/v1
kind: ClusterPolicy
metadata:
  name: disallow-bind-mounts
spec:
  # audit: report violations without blocking; enforce: reject the admission request
  validationFailureAction: audit
  rules:
  - name: validate-hostPath
    match:
      resources:
        kinds:
        - Pod
    validate:
      message: "Host path volumes are not allowed"
      pattern:
        spec:
          # =(volumes): conditional anchor, only evaluated when the Pod declares volumes
          =(volumes):
          # X(hostPath): "null": negation anchor, hostPath must be absent from every volume
          - X(hostPath): "null"
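To make the two anchors concrete, here is an added example (not Kyverno's own code) that implements a deliberately simplified version of the pattern semantics above and runs the policy's pattern against constructed Pod manifests, including how `audit` and `enforce` change the admission outcome. It assumes only the subset of pattern matching this policy needs; real Kyverno supports many more pattern features.

```python
# Added example, not Kyverno's own code: a simplified evaluator for the two anchors
# used in the disallow-bind-mounts policy, run against constructed Pod manifests.
#   =(key)          conditional anchor: validate the child only if `key` is present
#   X(key): "null"  negation anchor: `key` must be absent (the "null" value is ignored here)
import re

ANCHOR = re.compile(r"^([=X])\((.+)\)$")

def matches(pattern, resource):
    """True if `resource` satisfies `pattern` under the simplified semantics above."""
    if isinstance(pattern, dict):
        if not isinstance(resource, dict):
            return False
        for key, sub in pattern.items():
            m = ANCHOR.match(key)
            if m:
                kind, key = m.groups()
                if kind == "X":              # field must not exist at all
                    if key in resource:
                        return False
                    continue
                if key not in resource:      # "=": nothing to validate when absent
                    continue
            elif key not in resource:        # plain key: required
                return False
            if not matches(sub, resource[key]):
                return False
        return True
    if isinstance(pattern, list):
        # a one-element list pattern must hold for every element of the resource list
        return isinstance(resource, list) and all(matches(pattern[0], e) for e in resource)
    return pattern == resource

# The `pattern:` section of the disallow-bind-mounts policy, as Python data.
POLICY_PATTERN = {"spec": {"=(volumes)": [{"X(hostPath)": "null"}]}}
MESSAGE = "Host path volumes are not allowed"

def admit(pod, action="audit"):
    """Decide like the admission controller: audit reports but admits, enforce rejects."""
    if matches(POLICY_PATTERN, pod):
        return True, ""
    return action != "enforce", MESSAGE

def pod(volumes=None):
    """Constructed minimal Pod manifest; volumes=None omits the field entirely."""
    spec = {"containers": [{"name": "app", "image": "nginx"}]}
    if volumes is not None:
        spec["volumes"] = volumes
    return {"apiVersion": "v1", "kind": "Pod", "spec": spec}
```

A Pod with no `volumes` field passes because of the conditional anchor, while a single hostPath volume among otherwise harmless volumes is enough to fail the rule.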