Policy Control with Open Policy Agent (OPA)
Open Policy Agent (OPA) is a general-purpose policy engine that decouples policy decisions from application logic: the caller hands OPA a JSON document, OPA evaluates rules written in Rego against it, and returns a decision. In Kubernetes the caller is the API server, which consults OPA through a validating admission webhook before an object is persisted. The most common packaging is Gatekeeper, which runs OPA as that admission controller and exposes policies as Kubernetes custom resources (ConstraintTemplates carrying the Rego, and Constraints that select which resources it applies to).
OPA Use Cases:
- Enforcing label requirements on namespaces or deployments
- Restricting access to certain container images
- Ensuring resource requests/limits are set
Sample Rego Policy (require CPU limits):
The policy below uses the layout of OPA's standalone admission webhook (package kubernetes.admission, with the AdmissionReview under input.request). Gatekeeper loads Rego through a ConstraintTemplate instead, where the rule is called violation and the request is under input.review, so the same logic has to be repackaged before Gatekeeper will accept it. A common mistake in this rule is writing `not input.request.object.spec.containers[_].resources.limits.cpu`: because `not` negates the whole expression, that only denies when no container at all has a CPU limit, and a multi-container pod with one limited container slips through. Iterating over the containers explicitly fixes it:
package kubernetes.admission

# Deny the Pod if at least one container has no CPU limit.
deny[msg] {
    input.request.kind.kind == "Pod"
    container := input.request.object.spec.containers[_]
    not container.resources.limits.cpu
    msg := sprintf("container %q must set resources.limits.cpu", [container.name])
}
Init containers live under spec.initContainers and are not touched by this rule; they need an identical rule of their own if the requirement is meant to be complete.
Deploying OPA with Gatekeeper:
kubectl apply -f https://raw.githubusercontent.com/open-policy-agent/gatekeeper/master/deploy/gatekeeper.yaml
This installs whatever is currently on the master branch. For anything beyond a lab cluster, pin the manifest URL to a release tag (or install the Helm chart at a fixed version) so upgrades happen deliberately. Two things to check after the install: a freshly installed Gatekeeper enforces nothing until you create at least one ConstraintTemplate and a matching Constraint, and its validating webhook is configured fail-open by default (failurePolicy: Ignore), meaning requests are admitted unchecked whenever the Gatekeeper pods are unavailable. Inspect the ValidatingWebhookConfiguration it creates and decide whether fail-closed is acceptable for your cluster.
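The manifests below are an added example, not part of the original page or of the Gatekeeper project's own library: they package the CPU-limit rule as a Gatekeeper ConstraintTemplate, create a Constraint that applies it to Pods, and include a deliberately non-compliant Pod to prove the policy fires. The names k8srequirecpulimits, K8sRequireCPULimits, require-cpu-limits and the test pod are chosen here and are not from the page. The example goes slightly beyond the page's rule by also checking initContainers.

```yaml
# ConstraintTemplate: carries the Rego and defines the Constraint kind.
# Gatekeeper evaluates the `violation` rule with the admission request
# under input.review (not input.request as in standalone OPA).
apiVersion: templates.gatekeeper.sh/v1
kind: ConstraintTemplate
metadata:
  name: k8srequirecpulimits            # assumed name for this example
spec:
  crd:
    spec:
      names:
        kind: K8sRequireCPULimits       # Constraint kind generated from this template
  targets:
    - target: admission.k8s.gatekeeper.sh
      rego: |
        package k8srequirecpulimits

        # One violation per container that lacks resources.limits.cpu.
        # Binding the container first avoids the `not ...[_]...` trap,
        # which would only fire when no container has a limit.
        violation[{"msg": msg}] {
          container := input.review.object.spec.containers[_]
          not container.resources.limits.cpu
          msg := sprintf("container %q must set resources.limits.cpu", [container.name])
        }

        # Same check for init containers, which the page's rule does not cover.
        violation[{"msg": msg}] {
          container := input.review.object.spec.initContainers[_]
          not container.resources.limits.cpu
          msg := sprintf("init container %q must set resources.limits.cpu", [container.name])
        }
---
# Constraint: selects which admission requests the template is applied to.
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sRequireCPULimits
metadata:
  name: require-cpu-limits              # assumed name for this example
spec:
  match:
    kinds:
      - apiGroups: [""]
        kinds: ["Pod"]
    # System namespaces are excluded so the policy cannot block the
    # cluster's own components (or Gatekeeper itself) from restarting.
    excludedNamespaces: ["kube-system", "gatekeeper-system"]
---
# Constructed test input: a Pod with no resources block at all.
# Expected outcome: the API server rejects it with the msg above.
apiVersion: v1
kind: Pod
metadata:
  name: no-limits-test                  # assumed name for this example
  namespace: default
spec:
  containers:
    - name: app
      image: nginx
```

Apply the template and constraint first (Gatekeeper needs a moment to generate the K8sRequireCPULimits CRD before the Constraint can be created), then submit the test Pod with `kubectl apply --dry-run=server -f` so nothing is actually scheduled: a server-side dry run still goes through the validating webhook, and the response should be an admission denial quoting the msg string for container "app". Adding resources.limits.cpu to that container and re-running the dry run should make it pass.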