What AI and cloud consulting services does Luca Berton offer?

Luca Berton provides expert consulting in AI/ML platform strategy, multi-tenant GPU orchestration on OpenShift AI, MLOps enablement, cloud infrastructure design, Kubernetes workshops, and Ansible & Python training.

What is Ansible Pilot?

Ansible Pilot is the leading resource for Ansible automation learning, featuring a YouTube channel with 6.1K subscribers and 1M+ views, plus AnsiblePilot.com with 648K total users.

How can I book a consultation with Luca Berton?

Schedule a free consultation through Calendly at calendly.com/lucaberton or visit lucaberton.com/contact.

Integrating Policy-as-Code in CI/CD Pipelines

Catch It Before Production

Shift-left security means finding misconfigurations in CI/CD — not in production incident reports. Policy-as-code tools make this automated, consistent, and fast.

The Policy-as-Code Stack

Kyverno: Kubernetes-Native Policies

apiVersion: kyverno.io/v1
kind: ClusterPolicy
metadata:
  name: require-resource-limits
spec:
  validationFailureAction: Enforce
  rules:
  - name: check-limits
    match:
      any:
      - resources:
          kinds:
          - Pod
    validate:
      message: "CPU and memory limits are required"
      pattern:
        spec:
          containers:
          - resources:
              limits:
                memory: "?*"
                cpu: "?*"

OPA/Gatekeeper: Flexible Policy Engine

apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sDisallowedTags
metadata:
  name: no-latest-tag
spec:
  match:
    kinds:
    - apiGroups: [""]
      kinds: ["Pod"]
    namespaces: ["production"]
  parameters:
    tags: ["latest"]
    exemptImages:
    - "registry.internal/infra/*"

Checkov: IaC Scanning

# Scan Terraform
checkov -d ./terraform/ --framework terraform --output json

# Scan Kubernetes manifests
checkov -d ./k8s/ --framework kubernetes --compact

# Scan Dockerfiles
checkov -d . --framework dockerfile

CI/CD Integration

# GitLab CI example
stages:
  - validate
  - build
  - deploy

security-scan:
  stage: validate
  image: bridgecrew/checkov:latest
  script:
    - checkov -d . --framework terraform,kubernetes,dockerfile
      --output cli --output junitxml
      --output-file-path console,checkov-results.xml
      --soft-fail-on LOW
      --hard-fail-on HIGH,CRITICAL
  artifacts:
    reports:
      junit: checkov-results.xml

kyverno-test:
  stage: validate
  image: ghcr.io/kyverno/kyverno-cli:latest
  script:
    - kyverno apply ./policies/ --resource ./k8s/
  allow_failure: false

Essential Policies

Every Kubernetes deployment should enforce:

No latest tags — pin image versions
Resource limits required — prevent noisy neighbors
No privileged containers — security baseline
Read-only root filesystem — prevent runtime modification
Non-root user — drop unnecessary privileges
Network policies exist — default deny
No host networking — container isolation
Liveness/readiness probes — health checking

Key Practices

Start with Audit mode — see what would fail before enforcing
Exempt system namespaces — kube-system needs special permissions
Version your policies — treat them like code
Document exceptions — when a policy is bypassed, record why
Report on compliance trends — track improvement over time

Implementing shift-left security? I help teams build secure CI/CD pipelines with policy-as-code. Get in touch.

Shift-Left Security: Integrating Policy-as-Code in CI/CD...

Catch It Before Production

The Policy-as-Code Stack

Kyverno: Kubernetes-Native Policies

OPA/Gatekeeper: Flexible Policy Engine

Checkov: IaC Scanning

CI/CD Integration

Essential Policies

Key Practices

Related Articles

Git Worktrees: Work on Multiple Branches at Once

Podman vs Docker in 2026: Which One Should You Use

Quay Robot Accounts for CI/CD Container Pulls

OpenClaw Docker: Connection Refused Fix