Kubernetes policy enforcement tools like OPA, Kyverno, and Conftest typically operate at CI/CD pipelines and admission controllers — but by then, developers have lost context and remediation is costly. The post introduces the concept of an 'enforcement locus' and argues for adding a review-time enforcement layer: surfacing policy violations as inline annotations directly within pull requests, client-side, without CI or cluster access. This complements rather than replaces existing tooling, forming a defense-in-depth governance model. The post also explores how AI agents could extend this further — explaining violations in context, generating fix suggestions, and enabling natural language policy authoring — making governance faster, more collaborative, and more developer-friendly.
Table of contents

The timing problem in policy-as-code
Rethinking the enforcement locus
The missing layer: Review-time enforcement
An experiment in review-time enforcement
What changes when feedback moves earlier?
Limitations and where this fits
Practical guidance for platform teams
Why this matters for the CNCF ecosystem
The road ahead: AI agents as policy reasoning partners