The auditor asks: “How do you ensure no container runs as root?” Before: “We have internal documentation.” Now: “We have an OPA Gatekeeper policy that enforces it at the API server level.”
The Problem: Manual Compliance
Security policies in a wiki. Review during code review (if someone remembers). An audit once a year that finds dozens of violations. Reactive, slow, unreliable.
OPA Gatekeeper
Open Policy Agent (OPA) is a general-purpose policy engine. Gatekeeper is a Kubernetes-native integration — an admission controller that validates every request against defined policies.
Our Policies

An example constraint, as applied to our clusters (it blocks privileged containers in every namespace except kube-system):

apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sContainerNoPrivilege
metadata:
  name: no-privileged-containers
spec:
  match:
    kinds:
      - apiGroups: [""]
        kinds: ["Pod"]
    excludedNamespaces: ["kube-system"]

The full set of policies we enforce:

- No privileged containers
- No containers running as root
- Mandatory resource limits
- Mandatory labels (team, environment)
- Allowed container registries
- No hostPath volumes
Enforcement Modes

Warn: logs violations but lets the request through. Ideal for the migration period.

Deny: blocks the request. For production enforcement.

We recommend: deploy in warn mode, analyze violations, fix them, then switch to deny.
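The following is an added example, not a policy from the original post: a ConstraintTemplate (with its Rego) for the "no containers running as root" policy from the list above, paired with a constraint that starts in warn mode as the Enforcement Modes section recommends. The names `k8srequirenonroot`, `K8sRequireNonRoot` and `require-non-root` are assumptions chosen for this example. The Rego checks both regular and init containers and handles the edge case where a container-level `runAsNonRoot: false` overrides a pod-level `runAsNonRoot: true`.

```yaml
# Added example (not from the original post). Names are illustrative.
apiVersion: templates.gatekeeper.sh/v1
kind: ConstraintTemplate
metadata:
  name: k8srequirenonroot
spec:
  crd:
    spec:
      names:
        kind: K8sRequireNonRoot
  targets:
    - target: admission.k8s.gatekeeper.sh
      rego: |
        package k8srequirenonroot

        # One violation per container (regular or init) that is not
        # guaranteed to run as a non-root user.
        violation[{"msg": msg}] {
          container := input_containers[_]
          not non_root(container)
          msg := sprintf("container %q must run with runAsNonRoot: true", [container.name])
        }

        input_containers[c] {
          c := input.review.object.spec.containers[_]
        }
        input_containers[c] {
          c := input.review.object.spec.initContainers[_]
        }

        # Compliant if the container itself sets runAsNonRoot: true ...
        non_root(container) {
          container.securityContext.runAsNonRoot == true
        }
        # ... or if the pod sets it and the container does not override it.
        # A container-level runAsNonRoot: false wins over the pod level,
        # so the pod-level rule only applies when the container is silent.
        non_root(container) {
          not container_sets_flag(container)
          input.review.object.spec.securityContext.runAsNonRoot == true
        }

        container_sets_flag(container) {
          container.securityContext.runAsNonRoot == true
        }
        container_sets_flag(container) {
          container.securityContext.runAsNonRoot == false
        }
---
# Constraint: start in warn mode, switch enforcementAction to "deny"
# once the reported violations have been fixed.
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sRequireNonRoot
metadata:
  name: require-non-root
spec:
  enforcementAction: warn
  match:
    kinds:
      - apiGroups: [""]
        kinds: ["Pod"]
    excludedNamespaces: ["kube-system"]
```

While the constraint is in warn mode, Gatekeeper's audit controller records the workloads that would be rejected in the constraint's status (`kubectl get k8srequirenonroot require-non-root -o yaml` shows them under `status.violations`); that list is what you work through before flipping `enforcementAction` to `deny`. Note that `enforcementAction` defaults to `deny` when omitted, so a constraint without the field enforces immediately.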
Compliance Must Be Automated
OPA Gatekeeper transforms compliance from a document into executable code. You show the auditor policies, audit logs, and dashboards — not a wiki page.