
Policy Working Group: Shaping the Future of Tech Standards and Best Practices

2025-10-18 00:00

(Note: The Policy Working Group has completed its mission and is no longer active. This article reflects its work, accomplishments, and insights into how a working group operates.)

Kubernetes policies are fundamental to managing and securing clusters, yet their development and standardization across the ecosystem often happens behind the scenes. The Policy Working Group tackled this challenge head-on, working to create a cohesive architecture for both existing policy implementations and future proposals.

The group's mission was ambitious: develop a universal policy framework that serves developers and end-users equally. Through collaboration, they brought much-needed clarity and consistency to Kubernetes policy management, ensuring the landscape remains coherent as the technology evolves.

We spoke with three former co-chairs of the Policy Working Group to understand their work:

Interviewed by Arujjwal Negi.

Meet the Co-Chairs

Tell us about yourself and how you got involved in Kubernetes.

Jim Bugwadia: I'm co-founder and CEO at Nirmata, which provides automation solutions for cloud-native security and compliance. We've worked with Kubernetes since 2014. After building a policy engine for our commercial platform, we donated it to CNCF as the Kyverno project. I joined the Policy Working Group to help standardize policy management for Kubernetes and eventually became co-chair.

Andy Suderman: I'm CTO of Fairwinds, a managed Kubernetes-as-a-Service provider. I started with Kubernetes in 2016 while building a web conferencing platform. I've authored and maintained several open-source projects including Goldilocks, Pluto, and Polaris—a JSON-schema-based policy engine that launched Fairwinds into the policy space and my involvement with the working group.

Poonam Lamba: I'm a Product Manager for Google Kubernetes Engine at Google. My Kubernetes journey began in 2017 building an SRE platform for a large enterprise on a private Kubernetes cloud. I was captivated by its potential to transform application deployment and management. Since then, I've built policy and compliance products for GKE, led GKE CIS benchmarks, contributed to the Gatekeeper project, and served as Policy Working Group co-chair for over two years.

The following responses represent collective insights from the former co-chairs.

Working Groups vs. SIGs

What distinguishes a working group from a SIG?

Working groups are temporary and laser-focused on specific cross-cutting issues or projects that span multiple SIGs. They have defined lifespans and disband once their objectives are met. Unlike SIGs, working groups don't own code or maintain long-term responsibility for particular areas of the Kubernetes project.

(For more on SIGs, see the list of Special Interest Groups.)

Which SIGs did the Policy Working Group collaborate with?

We worked closely with SIG Auth throughout our existence, and more recently with SIG Security after its formation. Collaboration took several forms: periodic updates during SIG meetings, participation in community forums, and continuous communication to align our work with the broader Kubernetes ecosystem. This approach kept us coordinated with related efforts across the community.

The Policy Working Group's Mission

Why was the group created?

Kubernetes relies on a highly declarative, fine-grained, and extensible configuration management system to support diverse use cases. A single configuration manifest contains portions relevant to different stakeholders—developers care about certain aspects, security teams focus on others, and operations teams have their own concerns. Policies governing these complex configurations are essential for Kubernetes success.

The Policy Working Group was created to research and standardize policy definitions and related artifacts, bringing consistency to how policies are defined and implemented across the ecosystem given the diverse requirements of Kubernetes deployments.

What projects did the group work on?

Our initiatives included:

  • A Kubernetes Enhancement Proposal (KEP) for the Policy Reports API to standardize policy report generation and consumption
  • A CNCF survey to understand policy usage patterns and community needs
  • A paper guiding users toward PCI-DSS compliance for containers
  • A paper on the benefits of shifting security left in the development and deployment process

What were the main objectives and key accomplishments?

Our charter was to standardize policy management for Kubernetes and educate the community on best practices.

We updated the Kubernetes documentation, produced whitepapers on Kubernetes Policy Management and Kubernetes GRC, and created the Policy Reports API to standardize reporting across tools. Popular tools like Falco, Trivy, Kyverno, and kube-bench now support the Policy Reports API. A major milestone was promoting this API to SIG-level status.

As ValidatingAdmissionPolicy and MutatingAdmissionPolicy approached GA, we focused on guiding the community through tradeoffs and appropriate usage patterns for these built-in API objects versus CNCF policy management solutions like OPA/Gatekeeper and Kyverno.

Navigating Challenges

What major challenges did the group face?

  • Finding consistent time to contribute was difficult given professional commitments outside the working group.
  • Our consensus-driven model ensured all voices were heard but sometimes slowed decision-making.
  • Occasional differences of opinion required careful navigation to maintain a collaborative environment.
  • Newcomers struggled to contribute effectively without consistent meeting attendance, as our complex work required ongoing context.

How did you address these challenges?

There are no easy answers, but more contributors and maintainers help tremendously. The CNCF community is welcoming to beginners, so if you're hesitating to get involved, attend a working group or SIG meeting and listen in.

Understanding discussions often takes several meetings—don't be discouraged. We emphasized this and encouraged new members to review documentation as an entry point.

We valued and encouraged differences of opinion within the Policy Working Group. We adhered to CNCF core values and resolved disagreements respectfully. We also timeboxed decisions and assigned clear responsibilities to maintain momentum.

The Policy Working Group and the co-chairs who participated in this discussion hope these insights illuminate the group's aims and operations. Learn more about working groups here.