Policy at admission

Gatekeeper/Kyverno as the runtime backstop.

Advanced30 min · lesson 6 of 15

CI gates catch non-compliant configuration before it merges, but the cluster still needs a backstop for anything that arrives another way. Admission-time policy — Gatekeeper (OPA) and Kyverno — enforces compliance controls at runtime, rejecting non-compliant resources as they are created.

Enforce controls at the cluster door

An admission policy engine evaluates every resource on its way into the cluster and can reject the ones that violate a control: no privileged pods, images only from signed sources, required owner and data-classification labels, resource limits set, no host mounts. Gatekeeper uses the same Rego you write for CI, so one policy library enforces in both places; Kyverno uses declarative YAML policies for teams who prefer not to write Rego. Either way, the control is now enforced at the cluster door — a resource that would break compliance never starts, whether it came through the pipeline or a direct kubectl apply.

the same control, enforced at admission
# Gatekeeper constraint: every workload must carry a data-classification label
# (a common SOC 2 / ISO requirement) — reject those that do not.
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sRequiredLabels
metadata: { name: require-data-classification }
spec:
match: { kinds: [{ apiGroups: ["apps"], kinds: ["Deployment"] }] }
parameters:
labels: ["data-classification"]
# A Deployment without the label is rejected at admission — the control holds
# even for changes that never passed through CI.

Defense in depth and safe rollout

CI gates and admission policy are complementary: CI gives fast developer feedback and blocks the obvious cases early, while admission is the enforcing backstop that catches what bypasses the pipeline. Run the same controls at both points for defense in depth. As with every policy in the curriculum, roll admission enforcement out safely — start in audit/dryrun mode to measure what would be rejected, fix the legitimate cases, then flip to enforce, namespace by namespace. Each admission decision is also logged, so enforcement doubles as continuous evidence that the control operated on every resource the cluster admitted.

Compliance enforced at two points
1CI (Conftest)
fast feedback, block early
2admission (Gatekeeper/Kyverno)
runtime backstop
3audit/dryrun → enforce
measure, then reject
4decisions logged
enforcement = evidence
CI catches it early; admission catches what bypasses CI. Same controls, two points, rolled out audit-then-enforce.
A broad namespace exclusion is a compliance bypass
Admission policies that exclude namespaces (often kube-system) create a gap: anything an attacker or a careless team can place in an excluded namespace escapes the control. Keep exclusions minimal and deliberate, and remember that an over-scoped waiver quietly undermines the compliance guarantee the policy was meant to provide.