Policy & Enforcement
Codify what "compliant" means for your fleet, then enforce it at the cluster edge.
PodArmor lets you define a security policy once and apply it two ways:
- Grade — every image you're licensed for is scored against your policy in real time, in the portal.
- Gate — a Kubernetes admission controller blocks non-compliant images at deploy time, using the exact same policy engine.
| Feature | Where | What it does |
|---|---|---|
| Security Policy | Portal → Policy | Define rules (CVE ceilings, no-KEV, EPSS caps, required hardening, license bans) and see every image pass/fail |
| Exemptions | Portal → Policy → Exemptions | Accept a documented residual for a specific CVE, with approver + reason + expiry |
| Admission Controller | Your cluster | Reject pods running images that fail your policy |
Because grading and gating share one engine, what you see in the portal is exactly what the cluster enforces — they can never drift.
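As an added illustration of the shared-engine idea above (this is not PodArmor's own code; the policy schema and field names are assumptions), a minimal evaluator that applies the rule types listed in the table to one image's findings, honours an unexpired exemption, and returns the same verdict whether it is called for a portal grade or for an admission decision:

```python
from dataclasses import dataclass, field
from datetime import date
# Constructed after the rule types this page names; PodArmor's real schema is assumed, not shown.

@dataclass
class Finding:
    cve: str
    severity: str  # CRITICAL / HIGH / MEDIUM / LOW
    epss: float    # EPSS probability, 0.0 to 1.0
    kev: bool      # in CISA's Known Exploited Vulnerabilities catalog
@dataclass
class Exemption:
    cve: str
    approver: str
    reason: str
    expires: date  # residual is accepted only up to this date
@dataclass
class Policy:
    cve_ceiling: dict = field(default_factory=dict)  # max open CVEs per severity
    no_kev: bool = True
    epss_cap: float = 1.0
    banned_licenses: set = field(default_factory=set)

def evaluate(policy, findings, licenses, exemptions, today):
    """The single engine: returns (passed, reasons) for grading and gating alike."""
    active = {e.cve for e in exemptions if e.expires >= today}
    reasons, counts = [], {}
    for f in findings:
        if f.cve in active:
            continue  # documented, unexpired residual: no rule applies to it
        counts[f.severity] = counts.get(f.severity, 0) + 1
        if policy.no_kev and f.kev:
            reasons.append(f"{f.cve} is in KEV")
        if f.epss > policy.epss_cap:
            reasons.append(f"{f.cve} EPSS {f.epss:.2f} > cap {policy.epss_cap:.2f}")
    for sev, ceiling in policy.cve_ceiling.items():
        if counts.get(sev, 0) > ceiling:
            reasons.append(f"{counts[sev]} {sev} CVEs > ceiling {ceiling}")
    for lic in sorted(licenses & policy.banned_licenses):
        reasons.append(f"license {lic} is banned")
    return not reasons, reasons

def admission_review(policy, findings, licenses, exemptions, today):
    """Gate side: same verdict as the portal grade, shaped as an allow/deny response."""
    passed, reasons = evaluate(policy, findings, licenses, exemptions, today)
    return {"allowed": passed, "message": "; ".join(reasons)}

# Constructed sample with placeholder CVE ids (not real findings).
POLICY = Policy(cve_ceiling={"CRITICAL": 0, "HIGH": 3}, epss_cap=0.5, banned_licenses={"AGPL-3.0"})
FINDINGS = [Finding("CVE-0000-0001", "CRITICAL", 0.9, True), Finding("CVE-0000-0002", "HIGH", 0.1, False)]
EXEMPTIONS = [Exemption("CVE-0000-0001", "secops-lead", "code path unreachable", date(2030, 1, 1))]
```

With the exemption in force the image passes; once it expires, the same call reports the KEV hit, the EPSS breach and the CRITICAL ceiling, and the admission side denies with those reasons.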