diff --git a/tetrate/check-compliance-policy/check-compliance-policy.yaml b/tetrate/check-compliance-policy/check-compliance-policy.yaml
new file mode 100644
index 00000000..63f5bd2c
--- /dev/null
+++ b/tetrate/check-compliance-policy/check-compliance-policy.yaml
@@ -0,0 +1,33 @@
+apiVersion: kyverno.io/v1
+kind: ClusterPolicy
+metadata:
+ name: enforce-istiod-fips-compliance
+ annotations:
+ policies.kyverno.io/title: "Ensure Istiod Compliance Policy"
+ policies.kyverno.io/category: "Security"
+ policies.kyverno.io/severity: "high"
+ policies.kyverno.io/subject: "Deployment"
+ policies.kyverno.io/description: "Ensures that Istiod deployments have COMPLIANCE_POLICY=fips-140-2 set in the environment variables."
+spec:
+ validationFailureAction: Enforce
+ background: true
+ rules:
+ - name: check-compliance-policy
+ match:
+ any:
+ - resources:
+ kinds:
+ - Deployment
+ namespaces:
+ - istio-system
+ validate:
+ message: "Istiod containers must have COMPLIANCE_POLICY=fips-140-2 set in their environment variables."
+ pattern:
+ spec:
+ template:
+ spec:
+ containers:
+ - name: discovery
+ env:
+ - name: COMPLIANCE_POLICY
+ value: fips-140-2
diff --git a/tetrate/check-compliance-policy/e2e/bad-resouces.yaml b/tetrate/check-compliance-policy/e2e/bad-resouces.yaml
new file mode 100644
index 00000000..4e098df6
--- /dev/null
+++ b/tetrate/check-compliance-policy/e2e/bad-resouces.yaml
@@ -0,0 +1,19 @@
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+ name: istiod
+ namespace: istio-system
+spec:
+ selector:
+ matchLabels:
+ app: istiod
+ template:
+ metadata:
+ labels:
+ app: istiod
+ spec:
+ containers:
+ - name: discovery
+ env:
+ - name: COMPLIANCE_POLICY
+ value: some-other-value
\ No newline at end of file
diff --git a/tetrate/check-compliance-policy/e2e/good-resouce.yaml b/tetrate/check-compliance-policy/e2e/good-resouce.yaml
new file mode 100644
index 00000000..dfe594d3
--- /dev/null
+++ b/tetrate/check-compliance-policy/e2e/good-resouce.yaml
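Review bot: The rule matches every Deployment in `istio-system` (the `kinds`/`namespaces` block under `match`), but the pattern requires a container literally named `discovery`, so any other Deployment admitted to that namespace is evaluated against the istiod-specific pattern and, depending on Kyverno's list-matching semantics for unanchored list elements, may be rejected for reasons unrelated to FIPS. Scope the match to the control-plane Deployment, e.g. `names: - istiod` next to the `namespaces` entry, and make the container name a conditional anchor so the env requirement applies only to that container: `- (name): discovery`. The pattern also recognises only a literal `value: fips-140-2`; a value supplied through `valueFrom` (ConfigMap or Secret) fails this rule even when it resolves to the right string, which may be intended but should be stated in `policies.kyverno.io/description` so operators are not surprised by the denial.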
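Review bot: The negative fixture only exercises a wrong `value` for `COMPLIANCE_POLICY`; the likelier misconfiguration, a `discovery` container with no `COMPLIANCE_POLICY` entry at all, is not covered, so a second bad Deployment (a second `---` document in this file would do) without the `env` block would make the e2e meaningfully stronger. The file name `bad-resouces.yaml` drops an `r` from "resources", as do `good-resouce.yaml` in the next hunk and the two fixtures under `check-image-FIPS-compliant copy/e2e/`; if the e2e harness discovers fixtures by a fixed name these may be silently skipped, so rename them before merge.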
@@ -0,0 +1,19 @@
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+ name: istiod
+ namespace: istio-system
+spec:
+ selector:
+ matchLabels:
+ app: istiod
+ template:
+ metadata:
+ labels:
+ app: istiod
+ spec:
+ containers:
+ - name: discovery
+ env:
+ - name: COMPLIANCE_POLICY
+ value: fips-140-2
\ No newline at end of file
diff --git a/tetrate/check-image-FIPS-compliant copy/check-image-FIPS-compliant.yaml b/tetrate/check-image-FIPS-compliant copy/check-image-FIPS-compliant.yaml
new file mode 100644
index 00000000..d6904b82
--- /dev/null
+++ b/tetrate/check-image-FIPS-compliant copy/check-image-FIPS-compliant.yaml
@@ -0,0 +1,31 @@
+apiVersion: kyverno.io/v1
+kind: ClusterPolicy
+metadata:
+ name: enforce-fips-compliant-images
+ annotations:
+ policies.kyverno.io/title: "Enforce FIPS Compliant Images"
+ policies.kyverno.io/category: "Security"
+ policies.kyverno.io/severity: "high"
+ policies.kyverno.io/subject: "Pod, Deployment, StatefulSet, DaemonSet"
+ policies.kyverno.io/description: "Ensures that container images are pulled from the FIPS-compliant registry fips-containers.istio.tetratelabs.com."
+spec:
+ validationFailureAction: Enforce
+ background: true
+ rules:
+ - name: check-fips-registry
+ match:
+ any:
+ - resources:
+ kinds:
+ - Pod
+ - Deployment
+ - StatefulSet
+ - DaemonSet
+ validate:
+ message: "Container images must be pulled from fips-containers.istio.tetratelabs.com"
+ pattern:
+ spec:
+ template:
+ spec:
+ containers:
+ - image: "fips-containers.istio.tetratelabs.com/*"
\ No newline at end of file
diff --git a/tetrate/check-image-FIPS-compliant copy/e2e/bad-resouces.yaml b/tetrate/check-image-FIPS-compliant copy/e2e/bad-resouces.yaml
new file mode 100644
index 00000000..2ff8a9b7
--- /dev/null
+++ b/tetrate/check-image-FIPS-compliant copy/e2e/bad-resouces.yaml
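Review bot: The match block lists `Pod` among the kinds, but the pattern is rooted at `spec.template.spec.containers`, which a Pod does not have (a Pod's containers sit at `spec.containers`); with `validationFailureAction: Enforce` every directly admitted Pod in the cluster would then fail this pattern regardless of its image, which is a cluster-wide outage rather than a FIPS control. Match `Pod` only, root the pattern at `spec.containers`, and rely on Kyverno's rule auto-generation to derive the Deployment/StatefulSet/DaemonSet variants (it is enabled by default for Pod rules; if autogen is disabled in this cluster, keep a separate rule with the `spec.template.spec` pattern for the controller kinds). The pattern also ignores `initContainers` and `ephemeralContainers`, so a non-FIPS image in an init container passes today; an `=(initContainers)` equality anchor enforces the registry only when that list is present. Separately, the directory name `check-image-FIPS-compliant copy` looks like an accidental duplicate of a `check-image-FIPS-compliant` folder and should be renamed before merge.
```yaml
# … unchanged: apiVersion, kind, metadata and annotations …
spec:
  validationFailureAction: Enforce
  background: true
  rules:
    - name: check-fips-registry
      match:
        any:
          - resources:
              kinds:
                - Pod
      validate:
        message: "Container images must be pulled from fips-containers.istio.tetratelabs.com"
        pattern:
          spec:
            containers:
              - image: "fips-containers.istio.tetratelabs.com/*"
            =(initContainers):
              - image: "fips-containers.istio.tetratelabs.com/*"
            =(ephemeralContainers):
              - image: "fips-containers.istio.tetratelabs.com/*"
```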
@@ -0,0 +1,17 @@
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+ name: non-fips-deployment
+ namespace: default
+spec:
+ selector:
+ matchLabels:
+ app: non-fips
+ template:
+ metadata:
+ labels:
+ app: non-fips
+ spec:
+ containers:
+ - name: app-container
+ image: docker.io/istio/proxyv2:1.20.0
\ No newline at end of file
diff --git a/tetrate/check-image-FIPS-compliant copy/e2e/good-resouce.yaml b/tetrate/check-image-FIPS-compliant copy/e2e/good-resouce.yaml
new file mode 100644
index 00000000..f52fc722
--- /dev/null
+++ b/tetrate/check-image-FIPS-compliant copy/e2e/good-resouce.yaml
@@ -0,0 +1,17 @@
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+ name: non-fips-deployment
+ namespace: default
+spec:
+ selector:
+ matchLabels:
+ app: non-fips
+ template:
+ metadata:
+ labels:
+ app: non-fips
+ spec:
+ containers:
+ - name: app-container
+ image: fips-containers.istio.tetratelabs.com/istio/proxyv2:1.20.0
\ No newline at end of file
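Review bot: The positive fixture keeps `name: non-fips-deployment` and the `app: non-fips` labels from the negative fixture even though its image is the compliant `fips-containers.istio.tetratelabs.com/istio/proxyv2:1.20.0`, which makes a failing e2e run hard to read and, if both fixtures are applied to the same `default` namespace, has the second apply overwrite the first. Rename it, e.g. `name: fips-deployment` with matching `app: fips` labels. Neither this fixture nor the bad one in the previous hunk includes a bare `Pod` or an `initContainers` entry, so the policy's behaviour on those admission paths is untested.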