Automating RBI Compliance with Policy as Code in a High-Velocity Fintech Platform
Executive summary
Razorpay was founded in 2014 and over the past decade, the company has grown exponentially, setting new benchmarks in the fintech industry. Today, it supports millions of businesses and has reached more than 300 million end consumers across India. With an annualized Total Payment Volume (TPV) of $180 billion, Razorpay has firmly established itself as the market leader in digital payment processing and launched more than 40 products every year, driving innovation and scaling new heights. Today, the fintech major powers payments for 80 of India’s 100 unicorns.
Operating at this immense magnitude within India’s highly regulated financial ecosystem requires compliance standards of the highest caliber. To satisfy the Reserve Bank of India’s (RBI) strict Payment Aggregator (PA) Master Directions while maintaining developer velocity and 99.99% system availability, Razorpay partnered with Nirmata to adopt an enterprise version of Kyverno—a CNCF graduated policy engine. By implementing a unified “Policy as Code” framework, Razorpay automated complex regulatory guardrails across its vast infrastructure, moving from reactive, point-in-time auditing to real-time, continuous compliance enforcement.
By the numbers
7,000+
Kubernetes Nodes Secured
100%
Real-Time Compliance Enforcement
40+
Products Launched Annually
Challenge
As an authorized Payment Aggregator, Razorpay operates under the strict oversight of the Reserve Bank of India (RBI). The RBI PA Master Directions mandate absolute operating resilience, which introduces several highly specific, non-negotiable security requirements:
- Data Localization: Strict localization and isolated boundary enforcement ensuring all transactional processing systems and logs reside strictly within geographic borders.
- Zero-Trust Access & Microsegmentation: Absolute isolation of core transaction-processing clusters, demanding continuous enforcement of least-privilege access and secure segregation of duties.
- Continuous Auditability: The regulator no longer accepts static, historical “point-in-time” screenshots or spreadsheet approvals. Systems must prove continuous compliance at any given second.
+--------------------------------------------------------------------------+
| THE MANUAL IMPOSSIBILITY PARADOX |
| |
| Traditional Audit: |
| [Manual Code Review] -> [Spreadsheets] -> [Slow Ticket Approvals] |
| (Result: Human errors, deployment bottlenecks, drift risk) |
| |
| Razorpay Reality: |
| [7,000+ Nodes] * [Dozens of Commits/Day] * [Elastic Scaling Events] |
| (Result: Mathematically impossible to audit manually without outages) |
+--------------------------------------------------------------------------+
Historically, validating these requirements fell on manual architectural reviews, complex deployment checklists, and manual engineering approvals. However, as Razorpay scaled to support an average of 7,000+ Kubernetes nodes processing millions of transactions, this manual approach ran into the Manual Impossibility Paradox:
- The Velocity Bottleneck: With developers launching dozens of products and configurations every day, manually verifying YAML files and infrastructure parameters grinded engineering velocity to a halt.
- The Elasticity Challenge: During peak shopping festivals or flash sales, Razorpay’s traffic experiences extreme, volatile surges. The infrastructure dynamically provisions hundreds of node resources and pods in minutes. Static reviews cannot scale to secure ephemeral containers that spin up and down on-demand.
- The AI-Era Threat Landscape: Modern security threats evolve at breakneck speed. Malicious actors leverage automated scanners to identify infrastructure drift or unpatched CVEs within minutes. Relying on quarterly manual patching windows was a major risk; Razorpay needed automated, secure supply chain validation (image verification) to block vulnerabilities before they ever reached runtime.
Solution
To overcome these obstacles, Razorpay partnered with Nirmata to integrate Kyverno natively into its Kubernetes architecture. Selecting Kyverno was a strategic decision driven by its design: as a Kubernetes-native policy engine, it manages policies as declarative custom resources (YAML) exactly like application manifests, avoiding the steep learning curve of non-native policy languages.
The core of Razorpay’s solution is a Dual-Front Defense architecture, securing the infrastructure from code commit to container runtime:
1. Proactive Controls
Proactive controls are executed in the IaC and GitOps pipelines. Infrastructure as Code (IaC) templates, and Kubernetes manifests, are vetted pre-deployment with Kyverno policies. Dynamic cloud policies ensure that AWS/cloud boundaries, S3 buckets, and ledger access mechanisms are strictly locked down and compliant with data residency rules before clusters are provisioned.
2. Preventive Controls
Preventive controls block deployment and prevent misconfigurations by securing the internal workloads where transaction computations occur. Kyverno serves as the ultimate gatekeeper at the Kubernetes API Server layer, implementing three key pillars:
- Validation (The Gatekeeper): Kyverno intercepts all resource admission requests. If a pod deployment attempts to run as root, requests wildcard (*) cluster RBAC bindings, or misses strict compliance metadata, Kyverno blocks the deployment instantly, providing clear, actionable error logs directly to the developer’s console.
- Mutation & Generation (Beyond Blocking): True automation means making compliance the default path. When a developer creates a new namespace, Kyverno automatically mutates deployment parameters to inject secure default settings. It auto-generates dynamic, namespace-isolated NetworkPolicies and Istio authorization contexts, achieving automated microsegmentation without requiring developers to write complex networking configurations manually.
- Cryptographic Supply Chain Security (Sigstore Cosign Integration): To secure the software supply chain, Kyverno is configured to verify container image signatures at admission. Only images built within secure CI/CD pipelines and cryptographically signed using tools like Cosign are allowed to execute, successfully stopping untrusted, unpatched, or compromised dependencies from running in production.
Developer Git Push
│
▼
[Proactive IaC Scanning]
│
▼ (K8s API Server)
┌─────────────────────────────────────────────────────────┐
│ KYVERNO ADMISSION CONTROLLER │
│ │
│ Validate: Block root access / wildcard RBAC │
│ Mutate: Inject security defaults and compliance labels │
│ Verify: Cryptographically validate image signatures │
│ Generate: Auto-provision isolated NetworkPolicies │
└─────────────────────────────────────────────────────────┘
│
▼ (Passed Security Checks)
[Secured Live Workload] (Active on 7,000+ Elastic Nodes)
3. Detective Controls
Detective controls periodically scan Kubernetes clusters and cloud configurations to detect drift or policy bypass. These continuous checks also ensure that if IaC policies are updated, for example to comply with the latest standards, prior configurations are audited and flagged for updates.
Impact
Transitioning to Policy as Code using Kyverno revolutionized how Razorpay maintains secure, resilient systems without hindering innovation:
- Autonomous Scaling in Extreme Conditions: During volatile spike traffic, Razorpay’s autoscalers dynamically expand and contract clusters. Because Kyverno processes policy checks at the Kubernetes admission level in milliseconds, thousands of new containers are secured at birth, inheriting strict RBI zero-trust policies instantly without introducing latency to payment pipelines.
- Continuous Regulatory Evidence & Audit-Readiness: Razorpay replaced manual audit evidence gathering with automated pipelines. By capturing Kyverno compliance events, the platform provides real-time, continuous compliance dashboards. When auditors request evidence of microsegmentation or data isolation, Razorpay provides automated, unalterable system logs showing active enforcement instead of outdated spreadsheet checklists.
- Frictionless Developer Experience: Because policies are defined in clean, native YAML, developers understand policy violations immediately. They no longer wait on security committees for approvals. Instead, compliance guardrails are embedded seamlessly into their daily inner-loop workflows, allowing Razorpay to continue launching 40+ products annually with robust security by design.
- Zero-Trust Supply Chain Verification: By blocking unsigned container runtimes, the security team is assured that only actively patched, approved images run within the production cluster, mitigating risks posed by zero-day exploits and rapid AI-driven attacks.
Future plans
Looking forward, Razorpay plans to deepen its partnership with Nirmata and expand usage of CNCF projects to scale Policy as Code across next-generation cloud-native architectures:
- Open Source Contribution: Actively working with the cloud-native community to share patterns, reusable Kyverno policy templates tailored for strict financial regulatory compliance, and best-practices for massive-scale container platforms.
- Automated Agentic Audit Loop: Using AI agents to periodically evaluate runtime posture, test policies, and automatically audit Kubernetes and cloud configurations and gather evidence.
- Multi-Cluster Unified Compliance Dashboard: Expanding Kyverno policy management and OpenReports.io to cover a multi-cloud control plane, offering a centralized pane of glass for audit compliance health across all production environments.