Policy-as-Data for Self-Healing SaaS: A Kubernetes-Native Approach
Amar Gurajapu
Principal Member of Technical Staff, Network Systems, AT&T, Middletown, New Jersey, United States
Anurag Agarwal
Senior Software Engineer, Network Systems, AT&T, Middletown, New Jersey, United States
http://doi.org/10.37648/ijiest.v12i01.004
Abstract
We propose a scalable, Kubernetes-native approach to enforce security, configuration, and regulatory policies in multi-tenant SaaS. Each policy is stored as a versioned Custom Resource (Policy CR) in a Git repo (“Policy-as-Data”), synchronized via a GitOps agent, validated on create/update through a mutating admission webhook, and reconciled continuously by a self-healing controller. This closed-loop design minimizes manual intervention, provides drift detection, and enables automated remediation across hundreds of namespaces with minimal overhead.
Keywords: Policy-as-Data; GitOps; Kubernetes; Self-Healing; Admission Webhook; Custom Resource Definition (CRD); JSONPatch; SaaS
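An added illustration of the closed loop the abstract describes (not code from the paper): one function computes the RFC 6902 patch that a mutating admission webhook would return on create/update and that a reconciling controller would apply when it finds drift. The Label and Policy types, the labels-only policy shape, the Remediate name and the sample Pod are assumptions constructed for this example.

```go
package main

import (
	"encoding/json"
	"fmt"
	"strings"
)

// Label and Policy are a hypothetical, simplified Policy CR spec: labels every object must carry.
type Label struct{ Key, Value string }
type Policy struct{ Required []Label }

// PatchOp is one RFC 6902 JSON Patch operation.
type PatchOp struct {
	Op    string `json:"op"`
	Path  string `json:"path"`
	Value any    `json:"value"`
}

// escape encodes a label key as a JSON Pointer token ("~" -> "~0", "/" -> "~1").
var escape = strings.NewReplacer("~", "~0", "/", "~1").Replace

// Remediate returns the patch that brings obj into compliance; empty means no drift.
// A webhook would return it on create/update; a controller would apply it to live
// objects. Assumes obj already has a metadata object, as Kubernetes objects do.
func Remediate(p Policy, obj map[string]any) []PatchOp {
	meta, _ := obj["metadata"].(map[string]any)
	labels, ok := meta["labels"].(map[string]any)
	var ops []PatchOp
	if !ok && len(p.Required) > 0 { // "add" needs an existing parent: create the map first
		ops = append(ops, PatchOp{"add", "/metadata/labels", map[string]string{}})
	}
	for _, l := range p.Required {
		path := "/metadata/labels/" + escape(l.Key)
		if got, present := labels[l.Key]; !present {
			ops = append(ops, PatchOp{"add", path, l.Value})
		} else if got != l.Value {
			ops = append(ops, PatchOp{"replace", path, l.Value})
		}
	}
	return ops
}

func main() { // constructed sample: a Pod whose labels have drifted from the policy
	policy := Policy{[]Label{{"app.kubernetes.io/managed-by", "gitops"}, {"tenant", "acme"}}}
	pod := map[string]any{"metadata": map[string]any{"labels": map[string]any{"tenant": "other"}}}
	patch, _ := json.Marshal(Remediate(policy, pod))
	fmt.Println(string(patch))
}
```

Label keys that contain "/" must be escaped as "~1" in the patch path, otherwise the API server reads the key as two path segments and the patch targets the wrong location.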