Compliance as Code — OPA Gatekeeper in Kubernetes

20. 11. 2019 · 1 min read · CORE SYSTEMS

The auditor asks: “How do you ensure no container runs as root?” Before: “We have internal documentation.” Now: “We have an OPA Gatekeeper policy that enforces it at the API server level.”

The Problem: Manual Compliance

Security policies in a wiki. Review during code review (if someone remembers). An audit once a year that finds dozens of violations. Reactive, slow, unreliable.

OPA Gatekeeper

Open Policy Agent (OPA) is a general-purpose policy engine. Gatekeeper is a Kubernetes-native integration — an admission controller that validates every request against defined policies.

Our Policies

  • No privileged containers
  • No containers running as root
  • Mandatory resource limits
  • Mandatory labels (team, environment)
  • Allowed container registries
  • No hostPath volumes

Example constraint for the first policy:

```yaml
# Constraint: an instance of the K8sContainerNoPrivilege template,
# applied to Pods in every namespace except kube-system
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sContainerNoPrivilege
metadata:
  name: no-privileged-containers
spec:
  match:
    kinds:
    - apiGroups: [""]
      kinds: ["Pod"]
    excludedNamespaces: ["kube-system"]
```

Enforcement Modes

Warn: logs violations but lets the request through. Ideal for the migration period.
Deny: blocks the request. For production enforcement.
We recommend: deploy in warn mode, analyze violations, fix them, then switch to deny.
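The following is an added example, not the post's own manifests: the ConstraintTemplate that defines the K8sContainerNoPrivilege kind used above (with the Rego that flags privileged containers and init containers) and a constraint that starts in warn mode via spec.enforcementAction, which is the field that selects the mode (deny is the default). The template name and Rego package are assumptions chosen to match the kind name on this page.

```yaml
# ConstraintTemplate: defines the K8sContainerNoPrivilege kind and its Rego logic
apiVersion: templates.gatekeeper.sh/v1beta1
kind: ConstraintTemplate
metadata:
  name: k8scontainernoprivilege   # must be the lowercase form of spec.crd.spec.names.kind
spec:
  crd:
    spec:
      names:
        kind: K8sContainerNoPrivilege
  targets:
    - target: admission.k8s.gatekeeper.sh
      rego: |
        package k8scontainernoprivilege

        # One violation per container that sets securityContext.privileged: true.
        # A missing securityContext or privileged field leaves the rule undefined,
        # so such containers produce no violation.
        violation[{"msg": msg}] {
          c := input_containers[_]
          c.securityContext.privileged
          msg := sprintf("privileged container is not allowed: %v", [c.name])
        }

        # Check regular containers and init containers alike
        input_containers[c] {
          c := input.review.object.spec.containers[_]
        }
        input_containers[c] {
          c := input.review.object.spec.initContainers[_]
        }
---
# Constraint: the same policy as on the page, but rolled out in warn mode first.
# Switch enforcementAction to "deny" once the audit violations are cleaned up.
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sContainerNoPrivilege
metadata:
  name: no-privileged-containers
spec:
  enforcementAction: warn        # warn | deny (default) | dryrun
  match:
    kinds:
    - apiGroups: [""]
      kinds: ["Pod"]
    excludedNamespaces: ["kube-system"]
```

While the constraint is in warn mode, Gatekeeper's periodic audit still records existing offenders under the constraint's status.violations, so `kubectl get k8scontainernoprivilege no-privileged-containers -o yaml` gives the list to work through before switching to deny.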

Compliance Must Be Automated

OPA Gatekeeper transforms compliance from a document into executable code. You show the auditor policies, audit logs, and dashboards — not a wiki page.
