Compliance as Code — OPA Gatekeeper in Kubernetes

20. 11. 2019 · Updated: 24. 03. 2026 · 1 min read · CORE SYSTEMS
This article was published in 2019. Some information may be outdated.

The auditor asks: “How do you ensure no container runs as root?” Before: “We have internal documentation.” Now: “We have an OPA Gatekeeper policy that enforces it at the API server level.”

The Problem: Manual Compliance

Security policies live in a wiki. They are checked during code review (if someone remembers). An audit once a year finds dozens of violations. Reactive, slow, unreliable.

OPA Gatekeeper

Open Policy Agent (OPA) is a general-purpose policy engine. Gatekeeper is a Kubernetes-native integration — an admission controller that validates every request against defined policies.

Our Policies

  • No privileged containers
  • No containers running as root
  • Mandatory resource limits
  • Mandatory labels (team, environment)
  • Allowed container registries
  • No hostPath volumes

Example constraint for the first policy (kube-system is excluded because its system pods legitimately need privileges):

apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sContainerNoPrivilege
metadata:
  name: no-privileged-containers
spec:
  match:
    kinds:
    - apiGroups: [""]
      kinds: ["Pod"]
    excludedNamespaces: ["kube-system"]

Enforcement Modes

Warn: logs the violation but lets the request through; ideal for the migration period. Deny: blocks the request; for production enforcement. We recommend deploying in warn mode, analyzing the violations, fixing them, then switching to deny.
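As an added example (not the article's own policy) covering the "no containers running as root" item and the warn-then-deny rollout above, here is a ConstraintTemplate whose Rego flags every container or initContainer that can still run as root, plus the matching Constraint starting in warn mode. The template name K8sRequireNonRoot and its Rego are assumptions of this example, not taken from the article or from the gatekeeper-library.

```yaml
apiVersion: templates.gatekeeper.sh/v1beta1
kind: ConstraintTemplate
metadata:
  name: k8srequirenonroot        # hypothetical name, not from gatekeeper-library
spec:
  crd:
    spec:
      names:
        kind: K8sRequireNonRoot
  targets:
    - target: admission.k8s.gatekeeper.sh
      rego: |
        package k8srequirenonroot
        # One violation per container (regular or init) that can still run as root.
        violation[{"msg": msg}] {
          c := input.review.object.spec.containers[_]
          not non_root(c)
          msg := sprintf("container %q may run as root: set runAsNonRoot: true or runAsUser > 0", [c.name])
        }
        violation[{"msg": msg}] {
          c := input.review.object.spec.initContainers[_]
          not non_root(c)
          msg := sprintf("initContainer %q may run as root: set runAsNonRoot: true or runAsUser > 0", [c.name])
        }
        # Container-level securityContext takes precedence over the pod-level one.
        non_root(c) { c.securityContext.runAsNonRoot == true }
        non_root(c) { c.securityContext.runAsUser > 0 }
        non_root(c) {
          input.review.object.spec.securityContext.runAsNonRoot == true
          not c.securityContext.runAsNonRoot == false   # container may not override to false
          not c.securityContext.runAsUser == 0          # ...or pin itself to uid 0
        }
        non_root(c) {
          input.review.object.spec.securityContext.runAsUser > 0
          not c.securityContext.runAsUser == 0
          not c.securityContext.runAsNonRoot == false
        }
---
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sRequireNonRoot
metadata:
  name: require-non-root
spec:
  enforcementAction: warn   # migration period; change to "deny" once violations are fixed
  match:
    kinds:
      - apiGroups: [""]
        kinds: ["Pod"]
```

While the constraint is in warn mode, the Gatekeeper audit results (the constraint's status.violations and the audit logs) show which workloads would be rejected, which is the list to work through before flipping enforcementAction to deny.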

Compliance Must Be Automated

OPA Gatekeeper transforms compliance from a document into executable code. You show the auditor policies, audit logs, and dashboards — not a wiki page.
