First OPA Gatekeeper
Policy as code.
Overview
OPA Gatekeeper turns Kubernetes admission control into policy-as-code. The first install establishes a workflow where Rego rules in Git enforce cluster policy at admission time, and the same rules run in CI before code merges.
- Policy as code. Rego policies version-controlled in the same repo as the manifests they govern. The audit trail is one Git history.
- Constraint Templates and Constraints. Templates are reusable primitives; Constraints instantiate them per resource type. The split avoids per-cluster reinvention.
- Audit and enforce modes. Audit mode logs violations without blocking; enforce mode rejects them at admission. Move from one to the other deliberately.
- OPA Conftest for CI. The same Rego runs against manifests in CI. Violations fail the pull request before they reach the cluster.
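As an added example (not code from the page or from the Gatekeeper project), here is the Rego body of a required-labels ConstraintTemplate, written in the v0 syntax Gatekeeper templates use. It assumes a ConstraintTemplate whose CRD kind is K8sRequiredLabels with this module in spec.targets[0].rego, and a Constraint of that kind that supplies the label names in spec.parameters.labels and sets spec.enforcementAction to dryrun (audit mode) or deny (enforce mode); the package name and the test inputs are constructed for the example.

```rego
package k8srequiredlabels

# Labels the Constraint requires, supplied through spec.parameters.labels
# on the Constraint. The Template itself carries no cluster-specific values,
# which is what lets one Template serve many Constraints.
required_labels := {label | label := input.parameters.labels[_]}

# Labels actually present on the object under admission review. If the
# object has no labels at all, this is the empty set.
present_labels := {label | input.review.object.metadata.labels[label]}

# Gatekeeper evaluates every `violation` result; whether it is rejected or
# only logged is decided by the Constraint's enforcementAction, not here.
violation[{"msg": msg, "details": {"missing_labels": missing}}] {
  missing := required_labels - present_labels
  count(missing) > 0
  msg := sprintf("%v/%v is missing required labels: %v",
    [input.review.object.kind, input.review.object.metadata.name, missing])
}

# Unit tests (normally a sibling _test.rego file in the same repo). Run
# `opa test .` before the Template is applied; OPA 1.x needs --v0-compatible.
# All inputs below are constructed for the example.
test_missing_owner_label_is_violation {
  results := violation with input as {
    "parameters": {"labels": ["owner", "team"]},
    "review": {"object": {
      "kind": "Deployment",
      "metadata": {"name": "api", "labels": {"team": "payments"}}
    }}
  }
  count(results) == 1
  results[_].details.missing_labels == {"owner"}
}

test_all_labels_present_is_clean {
  count(violation) == 0 with input as {
    "parameters": {"labels": ["owner"]},
    "review": {"object": {
      "kind": "Pod",
      "metadata": {"name": "web", "labels": {"owner": "sre"}}
    }}
  }
}

test_object_without_labels_reports_all {
  results := violation with input as {
    "parameters": {"labels": ["owner", "team"]},
    "review": {"object": {"kind": "Service", "metadata": {"name": "db"}}}
  }
  results[_].details.missing_labels == {"owner", "team"}
}
```

The tests are the cheap part of the audit-mode habit: a Template that passes them can still produce false positives on real objects, so the Constraint goes in with enforcementAction dryrun and the audit results are read before it is switched to deny.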
The approach
The rollout is gradual on purpose. Three habits keep policy-as-code from becoming the team that breaks every Friday: install in audit mode, ship Conftest first, and document why each policy exists.
- helm install gatekeeper. Standard install via the official chart. Configuration as code; do not hand-edit cluster state.
- Constraint Templates as a library. Reusable primitives for common policies (no privileged containers, image registries allowlist, required labels).
- Audit mode first. Test new policies in audit mode for at least a week. Catches false positives that would otherwise block legitimate deploys.
- Conftest in CI plus documentation. Shift-left so violations fail at PR time, not at deploy time. Each policy carries a one-paragraph rationale.
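The CI side of the rollout above, as an added example that is not the page's or the project's own code: a Conftest policy that checks raw manifests in a pull request for the three library policies the rollout names (required labels, no privileged containers, image registry allowlist). Conftest hands each YAML document to the policy as input directly, with no admission-review wrapper, and looks in the main package by default. The label names, the allowed registry prefix and the test inputs are constructed for the example.

```rego
package main

# Conftest evaluates every `deny` result against each document in the
# manifest files it is given, so the object is `input` itself rather than
# input.review.object as it would be under Gatekeeper.

# Values a Gatekeeper Constraint would pass as parameters are constants
# here; keep them in sync with the Constraints they mirror.
required_labels := {"owner", "team"}
allowed_registries := {"registry.example/"}

# A pod spec sits at the top level for a Pod and under spec.template for
# Deployment, StatefulSet, DaemonSet and Job. Anything else has no pod spec.
pod_spec := input.spec {
  input.kind == "Pod"
}
pod_spec := input.spec.template.spec {
  input.kind != "Pod"
  input.spec.template.spec
}

# Init containers get the same checks as regular containers.
containers[c] {
  c := pod_spec.containers[_]
}
containers[c] {
  c := pod_spec.initContainers[_]
}

image_allowed(image) {
  startswith(image, allowed_registries[_])
}

deny[msg] {
  present := {label | input.metadata.labels[label]}
  missing := required_labels - present
  count(missing) > 0
  msg := sprintf("%s/%s is missing required labels: %v",
    [input.kind, input.metadata.name, missing])
}

deny[msg] {
  c := containers[_]
  c.securityContext.privileged == true
  msg := sprintf("%s/%s: container %q must not run privileged",
    [input.kind, input.metadata.name, c.name])
}

deny[msg] {
  c := containers[_]
  not image_allowed(c.image)
  msg := sprintf("%s/%s: container %q uses image %q outside the allowed registries",
    [input.kind, input.metadata.name, c.name, c.image])
}

# Unit tests, run with `opa test .` (OPA 1.x: add --v0-compatible) in the
# same CI job that runs `conftest test`. Inputs are constructed.
test_deployment_missing_label_and_privileged {
  results := deny with input as {
    "kind": "Deployment",
    "metadata": {"name": "api", "labels": {"team": "payments"}},
    "spec": {"template": {"spec": {"containers": [
      {"name": "app", "image": "registry.example/api:1.2",
       "securityContext": {"privileged": true}}
    ]}}}
  }
  count(results) == 2
}

test_clean_pod {
  count(deny) == 0 with input as {
    "kind": "Pod",
    "metadata": {"name": "web", "labels": {"owner": "sre", "team": "platform"}},
    "spec": {"containers": [{"name": "web", "image": "registry.example/web:1.0"}]}
  }
}

test_privileged_init_container_and_foreign_image {
  results := deny with input as {
    "kind": "Pod",
    "metadata": {"name": "job", "labels": {"owner": "sre", "team": "platform"}},
    "spec": {
      "initContainers": [{"name": "setup", "image": "docker.io/library/busybox",
        "securityContext": {"privileged": true}}],
      "containers": [{"name": "job", "image": "registry.example/job:3"}]
    }
  }
  count(results) == 2
}
```

In the pipeline this runs as `conftest test -p policy/ manifests/`, which exits non-zero on any deny result and fails the pull request. Each rule's rationale belongs in a comment above the rule or in the policy's README, so the reviewer who hits a failure can see why the rule exists rather than only what it blocks.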
Why this compounds
Each enforced policy raises the cluster’s baseline posture and removes one more thing for review to catch. The compounding works because policies are reused across clusters, not rewritten per environment.
- Stronger security. Enforced policies prevent misconfigured workloads from reaching the cluster, full stop.
- Compliance alignment. Policy-as-code matches frameworks like NIST 800-53 and SOC 2 controls. Auditors read the Rego, not screenshots.
- Reusable Template library. Standard Constraint Templates port between clusters and teams. The library is institutional knowledge.
- Year-one investment, year-two habit. The first policy takes effort. By the tenth, new policies are mostly modifications of an existing template.