Policy & Enforcement

Codify what "compliant" means for your fleet, then enforce it at the cluster edge.

PodArmor lets you define a security policy once and apply it two ways:

  • Grade — every image you're licensed for is scored against your policy in real time, in the portal.
  • Gate — a Kubernetes admission controller blocks non-compliant images at deploy time, using the exact same policy engine.

| Feature | Where | What it does |
|---|---|---|
| Security Policy | Portal → Policy | Define rules (CVE ceilings, no-KEV, EPSS caps, required hardening, license bans) and see every image pass/fail |
| Exemptions | Portal → Policy → Exemptions | Accept a documented residual for a specific CVE, with approver + reason + expiry |
| Admission Controller | Your cluster | Reject pods running images that fail your policy |

Because grading and gating share one engine, what you see in the portal is exactly what the cluster enforces — they can never drift.