Gatekeeper: Kubernetes admission
Constraints and templates in-cluster.
OPA Gatekeeper integrates OPA into Kubernetes as a validating (and mutating) admission controller. Instead of running policy in CI, Gatekeeper evaluates every resource as it is created or updated in the cluster and rejects violations at admission — so a non-compliant pod never gets scheduled, no matter how it was submitted. It packages policy as Kubernetes CRDs: a ConstraintTemplate holds the Rego, and Constraints instantiate it with parameters and a scope.
apiVersion: templates.gatekeeper.sh/v1kind: ConstraintTemplatemetadata: { name: k8srequiredlabels }spec:crd:spec: { names: { kind: K8sRequiredLabels }, validation: { openAPIV3Schema: { properties: { labels: { type: array } } } } }targets:- target: admission.k8s.gatekeeper.shrego: |package k8srequiredlabelsviolation[{"msg": msg}] {required := input.parameters.labels[_]not input.review.object.metadata.labels[required]msg := sprintf("missing required label: %v", [required])}
apiVersion: constraints.gatekeeper.sh/v1beta1kind: K8sRequiredLabels # the kind the template definedmetadata: { name: must-have-owner }spec:match: { kinds: [{ apiGroups: [""], kinds: ["Namespace"] }] }parameters: { labels: ["owner"] }enforcementAction: deny # or dryrun / warn
Audit, dryrun, and rollout
Gatekeeper also audits existing resources against constraints (not just new ones), reporting violations already in the cluster — invaluable when adopting a policy on a running cluster. Roll out with enforcementAction: dryrun or warn first to see who fails without blocking, fix the workloads, then switch to deny. This is the same audit-before-enforce discipline as Pod Security; flipping straight to deny on a busy cluster breaks the next deploy.