Policy Engines
This section is under construction - stay tuned for additional guidance and best practices for integrating policy engines with Crossplane.

An effective way to manage Crossplane is to enforce governance through policies. Any Kubernetes-compatible policy engine–such as Open Policy Agent Gatekeeper or Kyverno–is installable alongside Crossplane. This allows users to write custom policies to enforce against Crossplane resources.


Kyverno’s Kubernetes-native policy engine is compatible with Crossplane. It works by running an admission controller on the cluster, after which you can author policies as Kubernetes resources.

Open Policy Agent Gatekeeper

Open Policy Agent (OPA) Gatekeeper is another policy engine you can use with Crossplane. You author policies using Rego.

Applying policies to a control plane

Don’t apply custom policies directly to the control plane. Policies are part of the total control plane configuration and their definition should live in the Git repository source of truth for your control plane. You can deploy them to your control plane using a CD engine.