Delivering policy securely

Version, test, and enforce guardrails.

Advanced12 min · lesson 12 of 12

Delivering policy safely means treating the policy repo like any critical codebase and wiring it into the systems it governs. The pipeline for the policies themselves: opa fmt --check and regal lint for style, opa check for compilation, opa test --coverage for correctness, then publish a signed bundle (or push to the Conftest/Gatekeeper distribution path). Policy that gates production must itself be reviewed, tested, and versioned.

.gitlab-ci.yml
policy-ci:
script:
- opa fmt --list policy/ && test -z "$(opa fmt --list policy/)" # formatted
- regal lint policy/
- opa check --strict policy/
- opa test policy/ --coverage --threshold 90
- opa build -b policy/ -o bundle.tar.gz --signing-key key.pem # signed bundle
# publish bundle.tar.gz to the bundle server / OCI registry on merge

Enforce in the right place

The same policies then run at the enforcement points: Conftest in application CI (block bad config/IaC pre-merge), Gatekeeper at admission (block bad resources in-cluster), and the decision API for services. Defense in depth means the same rule can gate both the pipeline and the cluster — a public bucket is caught in the Terraform plan and, if it slips through, at the cloud. Version policies, roll out with dryrun/warn, and monitor decisions.

Policy from repo to enforcement
1policy repo
fmt, lint, test, cover
2signed bundle
versioned artifact
3distribute
Conftest / Gatekeeper / API
4enforce
CI + admission + runtime
Test and sign policy like code, distribute it as a versioned bundle, and enforce it at every layer that can catch a violation.
Untested or unenforced policy is theatre
Two failure modes make policy-as-code decorative: policy that is not tested (so a broken rule silently allows everything) and policy that is evaluated but not enforced (warn instead of deny, or a decision the caller ignores). Gate the policy repo on tests and coverage, confirm each enforcement point actually blocks on a violation, and roll out with audit first. A guardrail you have not verified stops nothing.