Policy as Code in Practice: Crafting Real Cluster Guardrails with Kyverno & Gatekeeper
Kubernetes has matured into the control plane of the modern cloud - but for most organizations, the real operational danger isn’t cluster downtime but silent misconfigurations making their way into production. With PodSecurityPolicy now retired, teams are left balancing autonomy and safety across fast-moving engineering groups, distributed clusters, and increasingly strict compliance models.
This workshop dives into the heart of that challenge through two major open-source policy engines: Kyverno and OPA Gatekeeper. Across 90 minutes of guided, hands-on work, attendees learn how to design, test, and operationalize policy as code that actually scales - technically and culturally.
Instead of a feature comparison, we explore how both engines behave under real-world pressure: multi-team GitOps workflows, high-velocity CI/CD pipelines, developer onboarding, incident debugging, and those “why did this pass validation?” moments every platform engineer knows too well.
Participants will build and break policies, investigate misconfigurations, and apply production-tested patterns to create policies that are secure, maintainable, and developer-friendly. All exercises are based on practical lessons learned from complex cloud-native environments, without products, vendors, or commercial stacks.
What attendees will take away:
- A practical mental model of how Kyverno and Gatekeeper differ in policy design, evaluation models, mutating capabilities, and operational complexity
- Hands-on experience writing and testing policies that protect clusters from common failure modes: privilege escalation, unsafe defaults, weak security posture, and inconsistent configuration
- Strategies to make policy engines work with developers - enabling fast delivery without overwhelming them with friction or opaque rejections
- Opinionated but field-tested guidance for integrating policy engines into platform engineering, GitOps, and multi-cluster governance
- A curated starter suite of open-source policy patterns that attendees can bring directly into their Kubernetes environments
By the end, participants will understand not just how Kyverno and Gatekeeper work - but how to build a sustainable policy culture where safety is automated, invisible, and trusted.
Claudiu Șonel
Senior DevOps Consultant @ ENDAVA
Bucharest, Romania