https://www.youngju.dev/blog 천천히 올바르게. AI Researcher & DevOps Engineer Youngju's tech blog. GPU/CUDA, LLM, MLOps, Kubernetes AI workloads, distributed training, and data engineering. ko fjvbn2003@gmail.com (Youngju Kim) fjvbn2003@gmail.com (Youngju Kim) Sat, 16 May 2026 00:00:00 GMT https://www.youngju.dev/blog/culture/2026-05-16-kubernetes-admission-policies-security-2026-kyverno-opa-gatekeeper-vap-falco-kubearmor-deep-dive.en https://www.youngju.dev/blog/culture/2026-05-16-kubernetes-admission-policies-security-2026-kyverno-opa-gatekeeper-vap-falco-kubearmor-deep-dive.en The full topology of Kubernetes security in 2026. Kyverno that became CNCF Graduated in November 2024, Rego-based OPA Gatekeeper, the built-in Validating Admission Policy that went GA in k8s 1.30 (CEL), the alpha Mutating Admission Policy in 1.32, Pod Security Admission replacing PSP, CNCF Graduated Falco, eBPF-based KubeArmor and Cilium Tetragon, Sigstore Policy Controller, Connaisseur, Trivy Operator, Polaris, Goldilocks, Kubescape (ARMO), kube-bench, kube-hunter, kube-score, Checkov — who blocks admission, who watches runtime, who verifies images, plus how Toss, Kakao, and Mercari actually run these stacks. Sat, 16 May 2026 00:00:00 GMT fjvbn2003@gmail.com (Youngju Kim) kubernetessecurityadmission-controllerkyvernoopa-gatekeeperregocedarvalidating-admission-policycelpod-security-admissionfalcokubearmorcilium-tetragonebpfsigstorecosignconnaisseurtrivy-operatorpolarisgoldilockskubescapearmokube-benchkube-huntercheckov2026deep-diveenglish https://www.youngju.dev/blog/culture/2026-05-16-kubernetes-admission-policies-security-2026-kyverno-opa-gatekeeper-vap-falco-kubearmor-deep-dive.ja https://www.youngju.dev/blog/culture/2026-05-16-kubernetes-admission-policies-security-2026-kyverno-opa-gatekeeper-vap-falco-kubearmor-deep-dive.ja 2026 年の Kubernetes セキュリティ全体地図。2024 年 11 月に CNCF Graduated になった Kyverno、Rego ベースの OPA Gatekeeper、k8s 1.30 で GA したビルトイン Validating Admission Policy (CEL)、1.32 alpha の Mutating Admission Policy、PSP を置き換えた Pod Security Admission、CNCF Graduated の Falco、eBPF ベースの KubeArmor と Cilium Tetragon、Sigstore Policy Controller、Connaisseur、Trivy Operator、Polaris、Goldilocks、Kubescape (ARMO)、kube-bench、kube-hunter、kube-score、Checkov まで — 誰が admit を止め、誰がランタイムを見て、誰がイメージを検証するのか、Toss・Kakao・メルカリの実例まで一気に整理する。 Sat, 16 May 2026 00:00:00 GMT fjvbn2003@gmail.com (Youngju Kim) kubernetessecurityadmission-controllerkyvernoopa-gatekeeperregocedarvalidating-admission-policycelpod-security-admissionfalcokubearmorcilium-tetragonebpfsigstorecosignconnaisseurtrivy-operatorpolarisgoldilockskubescapearmokube-benchkube-huntercheckov2026deep-dive日本語 https://www.youngju.dev/blog/culture/2026-05-16-kubernetes-admission-policies-security-2026-kyverno-opa-gatekeeper-vap-falco-kubearmor-deep-dive https://www.youngju.dev/blog/culture/2026-05-16-kubernetes-admission-policies-security-2026-kyverno-opa-gatekeeper-vap-falco-kubearmor-deep-dive 2026년 쿠버네티스 보안의 전체 지형도. 2024년 11월 CNCF Graduated 가 된 Kyverno, Rego 기반 OPA Gatekeeper, k8s 1.30에서 GA 된 빌트인 Validating Admission Policy (CEL), 1.32 alpha 의 Mutating Admission Policy, PSP 를 대체한 Pod Security Admission, CNCF Graduated 가 된 Falco, eBPF 기반 KubeArmor 와 Cilium Tetragon, Sigstore Policy Controller, Connaisseur, Trivy Operator, Polaris, Goldilocks, Kubescape (ARMO), kube-bench, kube-hunter, kube-score, Checkov 까지 — 누가 admit 을 막고 누가 런타임을 보고 누가 이미지를 검증하는가, 토스·카카오·메르카리 사례까지 한 번에 정리한다. Sat, 16 May 2026 00:00:00 GMT fjvbn2003@gmail.com (Youngju Kim) kubernetessecurityadmission-controllerkyvernoopa-gatekeeperregocedarvalidating-admission-policycelpod-security-admissionfalcokubearmorcilium-tetragonebpfsigstorecosignconnaisseurtrivy-operatorpolarisgoldilockskubescapearmokube-benchkube-huntercheckov2026deep-dive