jsPolicy is a Kubernetes admission-control engine from Loft Labs that lets you write validating, mutating, and controller policies in JavaScript or TypeScript instead of Rego. Policies are delivered as JsPolicy CRDs; the controller compiles the code (TypeScript is transpiled), bundles it, and executes it in a sandboxed V8 runtime embedded in the jsPolicy webhook server.
There are three policy types. Validating policies reject API requests that don’t match the rules. Mutating policies can patch objects before they are persisted. Controller policies watch existing resources and react on changes, which lets you use the same mental model for admission and for background reconciliation. Because the runtime is V8, policies can import a curated subset of helpers and even use parts of the npm ecosystem, and they are cached as compiled bundles so hot-path evaluation is fast.
It sits in the same category as Kyverno (YAML-native) and OPA/Gatekeeper (Rego). The pitch is simply: your platform team already knows JavaScript, and expressing policy as imperative code with normal control flow and unit tests is easier than Rego for most people. The latest tagged upstream release is v0.2.2 (2023-02-21), so evaluate its maintenance status before committing to it for production policy.