https://backend-engineering-strategy-tools.github.io/site/tags/gatekeeper/Recent content in Gatekeeper on Backend Engineering Strategy ToolsHugo -- gohugo.ioen-usMon, 08 Jun 2026 00:00:00 +0000https://backend-engineering-strategy-tools.github.io/site/public-notes/policy-as-code/kubernetes-policy/Mon, 08 Jun 2026 00:00:00 +0000https://backend-engineering-strategy-tools.github.io/site/public-notes/policy-as-code/kubernetes-policy/<p>Kubernetes has three distinct policy enforcement mechanisms. They sit at the same point in the request lifecycle — the admission controller — but differ in language, capability, and operational complexity.</p> <table> <thead> <tr> <th></th> <th>Kyverno</th> <th>Gatekeeper (OPA)</th> <th>ValidatingAdmissionPolicy</th> </tr> </thead> <tbody> <tr> <td>Language</td> <td>YAML/JMESPath</td> <td>Rego</td> <td>CEL</td> </tr> <tr> <td>Native to K8s</td> <td>No (CRD)</td> <td>No (CRD)</td> <td>Yes (built-in)</td> </tr> <tr> <td>Validate</td> <td>Yes</td> <td>Yes</td> <td>Yes</td> </tr> <tr> <td>Mutate</td> <td>Yes</td> <td>Limited</td> <td>Yes (1.32+)</td> </tr> <tr> <td>Generate</td> <td>Yes</td> <td>No</td> <td>No</td> </tr> <tr> <td>Image verify</td> <td>Yes</td> <td>No</td> <td>No</td> </tr> <tr> <td>GA since</td> <td>—</td> <td>—</td> <td>K8s 1.30</td> </tr> <tr> <td>Good for</td> <td>Full-featured, K8s-native feel</td> <td>Rego-first teams, policy-as-data</td> <td>Simple rules, no extra install</td> </tr> </tbody> </table> <h2 id="validatingadmissionpolicy-vap">ValidatingAdmissionPolicy (VAP) </h2><p>Added in Kubernetes 1.26, <strong>GA in 1.30</strong>. Policies are built into the API server — no admission controller to deploy or maintain. Policy is written in <strong>CEL</strong> (Common Expression Language), a simple expression language also used in Kubernetes&rsquo; <code>x-kubernetes-validations</code> CRD validation.</p> <div class="highlight"><pre tabindex="0" style="color:#f8f8f2;background-color:#272822;-moz-tab-size:4;-o-tab-size:4;tab-size:4;-webkit-text-size-adjust:none;"><code class="language-yaml" data-lang="yaml"><span style="display:flex;"><span><span style="color:#f92672">apiVersion</span>: <span style="color:#ae81ff">admissionregistration.k8s.io/v1</span> </span></span><span style="display:flex;"><span><span style="color:#f92672">kind</span>: <span style="color:#ae81ff">ValidatingAdmissionPolicy</span> </span></span><span style="display:flex;"><span><span style="color:#f92672">metadata</span>: </span></span><span style="display:flex;"><span> <span style="color:#f92672">name</span>: <span style="color:#e6db74">&#34;require-run-as-non-root&#34;</span> </span></span><span style="display:flex;"><span><span style="color:#f92672">spec</span>: </span></span><span style="display:flex;"><span> <span style="color:#f92672">failurePolicy</span>: <span style="color:#ae81ff">Fail</span> </span></span><span style="display:flex;"><span> <span style="color:#f92672">matchConstraints</span>: </span></span><span style="display:flex;"><span> <span style="color:#f92672">resourceRules</span>: </span></span><span style="display:flex;"><span> - <span style="color:#f92672">apiGroups</span>: [<span style="color:#e6db74">&#34;apps&#34;</span>] </span></span><span style="display:flex;"><span> <span style="color:#f92672">apiVersions</span>: [<span style="color:#e6db74">&#34;v1&#34;</span>] </span></span><span style="display:flex;"><span> <span style="color:#f92672">operations</span>: [<span style="color:#e6db74">&#34;CREATE&#34;</span>, <span style="color:#e6db74">&#34;UPDATE&#34;</span>] </span></span><span style="display:flex;"><span> <span style="color:#f92672">resources</span>: [<span style="color:#e6db74">&#34;deployments&#34;</span>] </span></span><span style="display:flex;"><span> <span style="color:#f92672">validations</span>: </span></span><span style="display:flex;"><span> - <span style="color:#f92672">expression</span>: &gt;<span style="color:#e6db74"> </span></span></span><span style="display:flex;"><span><span style="color:#e6db74"> object.spec.template.spec.securityContext.runAsNonRoot == true</span> </span></span><span style="display:flex;"><span> <span style="color:#f92672">message</span>: <span style="color:#e6db74">&#34;Pods must run as non-root&#34;</span> </span></span><span style="display:flex;"><span>--- </span></span><span style="display:flex;"><span><span style="color:#f92672">apiVersion</span>: <span style="color:#ae81ff">admissionregistration.k8s.io/v1</span> </span></span><span style="display:flex;"><span><span style="color:#f92672">kind</span>: <span style="color:#ae81ff">ValidatingAdmissionPolicyBinding</span> </span></span><span style="display:flex;"><span><span style="color:#f92672">metadata</span>: </span></span><span style="display:flex;"><span> <span style="color:#f92672">name</span>: <span style="color:#e6db74">&#34;require-run-as-non-root-binding&#34;</span> </span></span><span style="display:flex;"><span><span style="color:#f92672">spec</span>: </span></span><span style="display:flex;"><span> <span style="color:#f92672">policyName</span>: <span style="color:#e6db74">&#34;require-run-as-non-root&#34;</span> </span></span><span style="display:flex;"><span> <span style="color:#f92672">validationActions</span>: [<span style="color:#ae81ff">Deny]</span> </span></span><span style="display:flex;"><span> <span style="color:#f92672">matchResources</span>: </span></span><span style="display:flex;"><span> <span style="color:#f92672">namespaceSelector</span>: </span></span><span style="display:flex;"><span> <span style="color:#f92672">matchLabels</span>: </span></span><span style="display:flex;"><span> <span style="color:#f92672">enforce-policy</span>: <span style="color:#e6db74">&#34;true&#34;</span> </span></span></code></pre></div><p>The <code>ValidatingAdmissionPolicyBinding</code> scopes where a policy applies — cluster-wide, specific namespaces, or by label selector.</p> <h3 id="cel-basics">CEL basics </h3><p>CEL expressions have access to <code>object</code> (the incoming resource), <code>oldObject</code> (for updates), <code>request</code> (metadata, user, etc.), and <code>params</code> (a referenced ConfigMap or CRD for parameterisation).</p> <pre tabindex="0"><code># Simple field check object.spec.replicas &lt;= 10 # Nested optional field (use ?. for optional traversal) object.spec.template.spec.?securityContext.?runAsNonRoot == optional.of(true) # List comprehension — all containers must have limits object.spec.template.spec.containers.all(c, has(c.resources) &amp;&amp; has(c.resources.limits) ) # String operations object.metadata.name.startsWith(&#34;prod-&#34;) </code></pre><h3 id="mutatingadmissionpolicy">MutatingAdmissionPolicy </h3><p>Added in Kubernetes 1.32 (alpha). Brings CEL-based mutation — set defaults, inject labels, patch fields — without Kyverno or a webhook. Still early; not production-ready yet.</p> <h2 id="gatekeeper">Gatekeeper </h2><p>OPA running as a Kubernetes admission controller. Policies are written in Rego and stored as <code>ConstraintTemplate</code> CRDs. The separation between template (the Rego logic) and constraint (the enforcement configuration + parameters) is the key design pattern.</p> <div class="highlight"><pre tabindex="0" style="color:#f8f8f2;background-color:#272822;-moz-tab-size:4;-o-tab-size:4;tab-size:4;-webkit-text-size-adjust:none;"><code class="language-yaml" data-lang="yaml"><span style="display:flex;"><span><span style="color:#f92672">apiVersion</span>: <span style="color:#ae81ff">templates.gatekeeper.sh/v1</span> </span></span><span style="display:flex;"><span><span style="color:#f92672">kind</span>: <span style="color:#ae81ff">ConstraintTemplate</span> </span></span><span style="display:flex;"><span><span style="color:#f92672">metadata</span>: </span></span><span style="display:flex;"><span> <span style="color:#f92672">name</span>: <span style="color:#ae81ff">k8srequiredlabels</span> </span></span><span style="display:flex;"><span><span style="color:#f92672">spec</span>: </span></span><span style="display:flex;"><span> <span style="color:#f92672">crd</span>: </span></span><span style="display:flex;"><span> <span style="color:#f92672">spec</span>: </span></span><span style="display:flex;"><span> <span style="color:#f92672">names</span>: </span></span><span style="display:flex;"><span> <span style="color:#f92672">kind</span>: <span style="color:#ae81ff">K8sRequiredLabels</span> </span></span><span style="display:flex;"><span> <span style="color:#f92672">validation</span>: </span></span><span style="display:flex;"><span> <span style="color:#f92672">openAPIV3Schema</span>: </span></span><span style="display:flex;"><span> <span style="color:#f92672">properties</span>: </span></span><span style="display:flex;"><span> <span style="color:#f92672">labels</span>: </span></span><span style="display:flex;"><span> <span style="color:#f92672">type</span>: <span style="color:#ae81ff">array</span> </span></span><span style="display:flex;"><span> <span style="color:#f92672">items</span>: {<span style="color:#f92672">type</span>: <span style="color:#ae81ff">string}</span> </span></span><span style="display:flex;"><span> <span style="color:#f92672">targets</span>: </span></span><span style="display:flex;"><span> - <span style="color:#f92672">target</span>: <span style="color:#ae81ff">admission.k8s.gatekeeper.sh</span> </span></span><span style="display:flex;"><span> <span style="color:#f92672">rego</span>: |<span style="color:#e6db74"> </span></span></span><span style="display:flex;"><span><span style="color:#e6db74"> package k8srequiredlabels </span></span></span><span style="display:flex;"><span><span style="color:#e6db74"> </span></span></span><span style="display:flex;"><span><span style="color:#e6db74"> violation[{&#34;msg&#34;: msg}] { </span></span></span><span style="display:flex;"><span><span style="color:#e6db74"> provided := {label | input.review.object.metadata.labels[label]} </span></span></span><span style="display:flex;"><span><span style="color:#e6db74"> required := {label | label := input.parameters.labels[_]} </span></span></span><span style="display:flex;"><span><span style="color:#e6db74"> missing := required - provided </span></span></span><span style="display:flex;"><span><span style="color:#e6db74"> count(missing) &gt; 0 </span></span></span><span style="display:flex;"><span><span style="color:#e6db74"> msg := sprintf(&#34;missing required labels: %v&#34;, [missing]) </span></span></span><span style="display:flex;"><span><span style="color:#e6db74"> }</span> </span></span><span style="display:flex;"><span>--- </span></span><span style="display:flex;"><span><span style="color:#f92672">apiVersion</span>: <span style="color:#ae81ff">constraints.gatekeeper.sh/v1beta1</span> </span></span><span style="display:flex;"><span><span style="color:#f92672">kind</span>: <span style="color:#ae81ff">K8sRequiredLabels</span> </span></span><span style="display:flex;"><span><span style="color:#f92672">metadata</span>: </span></span><span style="display:flex;"><span> <span style="color:#f92672">name</span>: <span style="color:#ae81ff">require-team-label</span> </span></span><span style="display:flex;"><span><span style="color:#f92672">spec</span>: </span></span><span style="display:flex;"><span> <span style="color:#f92672">match</span>: </span></span><span style="display:flex;"><span> <span style="color:#f92672">kinds</span>: </span></span><span style="display:flex;"><span> - <span style="color:#f92672">apiGroups</span>: [<span style="color:#e6db74">&#34;&#34;</span>] </span></span><span style="display:flex;"><span> <span style="color:#f92672">kinds</span>: [<span style="color:#e6db74">&#34;Namespace&#34;</span>] </span></span><span style="display:flex;"><span> <span style="color:#f92672">parameters</span>: </span></span><span style="display:flex;"><span> <span style="color:#f92672">labels</span>: [<span style="color:#e6db74">&#34;team&#34;</span>, <span style="color:#e6db74">&#34;environment&#34;</span>] </span></span></code></pre></div><p>Gatekeeper also supports <strong>audit mode</strong> — it continuously evaluates existing resources against policies and surfaces violations without blocking. Useful for measuring compliance against policies you&rsquo;re not yet ready to enforce.</p> <h3 id="gatekeeper-vs-kyverno">Gatekeeper vs Kyverno </h3><p>Kyverno is better if your team does not know Rego and wants policies that look like Kubernetes manifests. Gatekeeper is better if you are already invested in OPA/Rego and want a single policy language across K8s and non-K8s surfaces (via Conftest).</p> <p>The K8s-native VAP is the right default for simple validation rules on new clusters — no extra install, but it does not cover mutation (until 1.32+), generation, or image verification.</p> <h2 id="resources">Resources </h2><ul> <li><a class="link" href="https://open-policy-agent.github.io/gatekeeper/" target="_blank" rel="noopener" >Gatekeeper documentation</a></li> <li><a class="link" href="https://github.com/open-policy-agent/gatekeeper-library" target="_blank" rel="noopener" >Gatekeeper library</a> — ready-made ConstraintTemplates</li> <li><a class="link" href="https://kubernetes.io/docs/reference/access-authn-authz/validating-admission-policy/" target="_blank" rel="noopener" >ValidatingAdmissionPolicy docs</a></li> <li><a class="link" href="https://kubernetes.io/docs/reference/using-api/cel/" target="_blank" rel="noopener" >CEL in Kubernetes</a></li> <li><a class="link" href="https://backend-engineering-strategy-tools.github.io/site/public-notes/kubernetes/kyverno/" >Kyverno</a> — separate note</li> </ul>