diff --git a/kyverno-integration/README.md b/kyverno-integration/README.md
new file mode 100644
index 0000000..11528a0
--- /dev/null
+++ b/kyverno-integration/README.md
@@ -0,0 +1,19 @@
+# Kyverno Stack
+
+Implementation of Kyverno for CNOE
+
+## Components
+
+The Stack installs `Kyverno` and `Kyverno Pod Security Policies - Restricted` implementation. By default users should use:
+  - `kyverno-pss-policies-audit.yaml` - for testing and understanding of the impact
+  - `kyverno-pss-policies-enforce.yaml` - once the proper state of platform is understood and all necessary workload exceptions or violations have been accounted for.
+    - If you chose to enable `Enforce` mode. Exceptions for the following `ref-implementation` components are included, to ensure proper operability:
+      - [ArgoCD](exceptions/argocd.yaml)
+      - [Crossplane](exceptions/crossplane.yaml)
+      - [Backstage](exceptions/backstage.yaml)
+      - [Ingress-Nginx](exceptions/ingress-nginx.yaml)
+      - [Kind cluster](exceptions/kind.yaml), this should mainly be needed when testing `ref-implementation` on a `kind` installation
+
+*NOTE* - enabling `Enforce` mode without prior testing will most likely cause issues, always start with `Audit` unless you are completely sure of the impact enabling blocking policies will have on your platform.
+
+## Installation
diff --git a/kyverno-integration/exceptions/argocd.yaml b/kyverno-integration/exceptions/argocd.yaml
new file mode 100644
index 0000000..b10e933
--- /dev/null
+++ b/kyverno-integration/exceptions/argocd.yaml
@@ -0,0 +1,35 @@
+apiVersion: kyverno.io/v2beta1
+kind: PolicyException
+metadata:
+  name: argocd-cnoe-operation
+  namespace: kyverno
+spec:
+  exceptions:
+  - policyName: disallow-privilege-escalation
+    ruleNames:
+    - privilege-escalation
+    - autogen-privilege-escalation
+  - policyName: disallow-capabilities-strict
+    ruleNames:
+    - require-drop-all
+    - autogen-require-drop-all
+  - policyName: require-run-as-nonroot
+    ruleNames:
+    - run-as-non-root
+    - autogen-run-as-non-root
+  - policyName: restrict-seccomp-strict
+    ruleNames:
+    - check-seccomp-strict
+    - autogen-check-seccomp-strict
+  match:
+    any:
+    - resources:
+        kinds:
+        - Pod
+        - Deployment
+        - ReplicaSet
+        namespaces:
+        - argocd
+        names:
+        # TODO: this should be more targeted than blanket *
+        - argocd-*
diff --git a/kyverno-integration/exceptions/backstage.yaml b/kyverno-integration/exceptions/backstage.yaml
new file mode 100644
index 0000000..5620a0e
--- /dev/null
+++ b/kyverno-integration/exceptions/backstage.yaml
@@ -0,0 +1,35 @@
+apiVersion: kyverno.io/v2beta1
+kind: PolicyException
+metadata:
+  name: backstage-cnoe-operation
+  namespace: kyverno
+spec:
+  exceptions:
+  - policyName: disallow-privilege-escalation
+    ruleNames:
+    - privilege-escalation
+    - autogen-privilege-escalation
+  - policyName: disallow-capabilities-strict
+    ruleNames:
+    - require-drop-all
+    - autogen-require-drop-all
+  - policyName: require-run-as-nonroot
+    ruleNames:
+    - run-as-non-root
+    - autogen-run-as-non-root
+  - policyName: restrict-seccomp-strict
+    ruleNames:
+    - check-seccomp-strict
+    - autogen-check-seccomp-strict
+  match:
+    any:
+    - resources:
+        kinds:
+        - Pod
+        - Deployment
+        - ReplicaSet
+        namespaces:
+        - backstage
+        names:
+        # TODO: this should be more targeted than blanket *
+        - backstage*
diff --git a/kyverno-integration/exceptions/crossplane.yaml b/kyverno-integration/exceptions/crossplane.yaml
new file mode 100644
index 0000000..ca9ca3c
--- /dev/null
+++ b/kyverno-integration/exceptions/crossplane.yaml
@@ -0,0 +1,37 @@
+apiVersion: kyverno.io/v2beta1
+kind: PolicyException
+metadata:
+  name: crossplane-system-cnoe-operation
+  namespace: kyverno
+spec:
+  exceptions:
+  - policyName: disallow-capabilities-strict
+    ruleNames:
+    - require-drop-all
+    - autogen-require-drop-all
+  - policyName: disallow-privilege-escalation
+    ruleNames:
+    - privilege-escalation
+    - autogen-privilege-escalation
+  - policyName: require-run-as-nonroot
+    ruleNames:
+    - run-as-non-root
+    - autogen-run-as-non-root
+  - policyName: restrict-seccomp-strict
+    ruleNames:
+    - check-seccomp-strict
+    - autogen-check-seccomp-strict
+  match:
+    any:
+    - resources:
+        kinds:
+        - Pod
+        - Deployment
+        - ReplicaSet
+        namespaces:
+        - crossplane-system
+        names:
+        # TODO: this should be more targeted than blanket *
+        - crossplane*
+        - ess-plugin-*
+        - upbound-provider-*
diff --git a/kyverno-integration/exceptions/ingress-nginx.yaml b/kyverno-integration/exceptions/ingress-nginx.yaml
new file mode 100644
index 0000000..24ccaa7
--- /dev/null
+++ b/kyverno-integration/exceptions/ingress-nginx.yaml
@@ -0,0 +1,22 @@
+apiVersion: kyverno.io/v2beta1
+kind: PolicyException
+metadata:
+  name: ingress-nginx-cnoe-operation
+  namespace: kyverno
+spec:
+  exceptions:
+  - policyName: disallow-host-ports
+    ruleNames:
+    - host-ports-none
+    - autogen-host-ports-none
+  match:
+    any:
+    - resources:
+        kinds:
+        - Pod
+        - Deployment
+        - ReplicaSet
+        namespaces:
+        - ingress-nginx
+        names:
+        - ingress-nginx*
diff --git a/kyverno-integration/exceptions/kind.yaml b/kyverno-integration/exceptions/kind.yaml
new file mode 100644
index 0000000..6bb33ce
--- /dev/null
+++ b/kyverno-integration/exceptions/kind.yaml
@@ -0,0 +1,66 @@
+apiVersion: kyverno.io/v2beta1
+kind: PolicyException
+metadata:
+  name: system-cnoe-operation
+  namespace: kyverno
+spec:
+  exceptions:
+  - policyName: disallow-host-path
+    ruleNames:
+    - host-path
+    - autogen-host-path
+  - policyName: disallow-privilege-escalation
+    ruleNames:
+    - privilege-escalation
+    - autogen-privilege-escalation
+  - policyName: disallow-privileged-containers
+    ruleNames:
+    - privileged-containers
+    - autogen-privileged-containers
+  - policyName: disallow-capabilities-strict
+    ruleNames:
+    - require-drop-all
+    - autogen-require-drop-all
+    - adding-capabilities-strict
+    - autogen-adding-capabilities-strict
+    - adding-capabilities
+    - autogen-adding-capabilities
+  - policyName: disallow-capabilities
+    ruleNames:
+    - adding-capabilities
+    - autogen-adding-capabilities
+  - policyName: require-run-as-nonroot
+    ruleNames:
+    - run-as-non-root
+    - autogen-run-as-non-root
+  - policyName: restrict-seccomp-strict
+    ruleNames:
+    - check-seccomp-strict
+    - autogen-check-seccomp-strict
+  - policyName: restrict-volume-types
+    ruleNames:
+    - restricted-volumes
+    - autogen-restricted-volumes
+  - policyName: disallow-host-namespaces
+    ruleNames:
+    - host-namespaces
+    - autogen-host-namespaces
+  match:
+    any:
+    - resources:
+        kinds:
+        - Pod
+        - Deployment
+        - ReplicaSet
+        - StatefulSet
+        - DaemonSet
+        namespaces:
+        - kube-system
+        - local-path-storage
+        names:
+        # TODO: this should be more targeted than blanket *
+        - kube-*
+        - kindnet*
+        - local-path*
+        - coredns*
+        - etcd-*
diff --git a/kyverno-integration/kyverno-pss-policies-audit.yaml b/kyverno-integration/kyverno-pss-policies-audit.yaml
new file mode 100644
index 0000000..4881d8f
--- /dev/null
+++ b/kyverno-integration/kyverno-pss-policies-audit.yaml
@@ -0,0 +1,24 @@
+kind: Application
+apiVersion: argoproj.io/v1alpha1
+metadata:
+  name: kyverno-pss-policies-audit
+  namespace: argocd
+spec:
+  project: default
+  source:
+    repoURL: https://github.com/nirmata/kyverno-policies
+    targetRevision: HEAD
+    path: pod-security/restricted
+  destination:
+    server: "https://kubernetes.default.svc"
+  syncPolicy:
+    syncOptions:
+    - Replace=true
+    automated:
+      selfHeal: true
+    retry:
+      limit: 30
+      backoff:
+        duration: 5s
+        factor: 2
+        maxDuration: 3m0s
diff --git a/kyverno-integration/kyverno-pss-policies-enforce.yaml b/kyverno-integration/kyverno-pss-policies-enforce.yaml
new file mode 100644
index 0000000..e0fe7bb
--- /dev/null
+++ b/kyverno-integration/kyverno-pss-policies-enforce.yaml
@@ -0,0 +1,24 @@
+kind: Application
+apiVersion: argoproj.io/v1alpha1
+metadata:
+  name: kyverno-pss-policies-enforce
+  namespace: argocd
+spec:
+  project: default
+  source:
+    repoURL: https://github.com/nirmata/kyverno-policies
+    targetRevision: HEAD
+    path: pod-security/enforce
+  destination:
+    server: "https://kubernetes.default.svc"
+  syncPolicy:
+    syncOptions:
+    - Replace=true
+    automated:
+      selfHeal: true
+    retry:
+      limit: 30
+      backoff:
+        duration: 5s
+        factor: 2
+        maxDuration: 3m0s
diff --git a/kyverno-integration/kyverno.yaml b/kyverno-integration/kyverno.yaml
new file mode 100644
index 0000000..3fed2ae
--- /dev/null
+++ b/kyverno-integration/kyverno.yaml
@@ -0,0 +1,33 @@
+kind: Application
+apiVersion: argoproj.io/v1alpha1
+metadata:
+  name: kyverno
+  namespace: argocd
+  finalizers:
+    - resources-finalizer.argocd.argoproj.io
+spec:
+  project: default
+  source:
+    chart: kyverno
+    repoURL: https://kyverno.github.io/kyverno/
+    targetRevision: 3.2.6
+    helm:
+      releaseName: kyverno
+      valuesObject:
+          kyverno.fullname: kyverno
+  destination:
+    server: "https://kubernetes.default.svc"
+    namespace: kyverno
+  syncPolicy:
+    syncOptions:
+    - Replace=true
+    - CreateNamespace=true
+    automated:
+      selfHeal: true
+      prune: true
+    retry:
+      limit: 30
+      backoff:
+        duration: 5s
+        factor: 2
+        maxDuration: 3m0s