OPA Gatekeeper for Kubernetes
OPA Gatekeeper acts as a policy enforcement point at the Kubernetes API server level. Every resource creation, modification, and deletion is evaluated against your policies before it takes effect. We deploy and configure Gatekeeper with a policy library tailored to your security and compliance requirements.
Gatekeeper Deployment
We deploy Gatekeeper via Helm with a high-availability configuration: multiple webhook replicas, pod disruption budgets, and resource requests and limits. The validating webhook uses failurePolicy: Fail for critical policies (if no Gatekeeper pod answers, matching API requests are rejected rather than admitted unchecked) and failurePolicy: Ignore for advisory policies. Namespace exemptions exclude system namespaces from enforcement. The audit controller periodically scans resources that already exist, so violations that predate a policy are surfaced as well.
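The values file below is an added illustration of that deployment shape; it is not the provider's own configuration. The key names follow the upstream gatekeeper/gatekeeper Helm chart as I recall them, so check them against `helm show values gatekeeper/gatekeeper` for the chart version you install; the replica count, resource figures and timeout are constructed choices.

```yaml
# values-gatekeeper.yaml (added example; confirm key names against the chart)
replicas: 3                         # webhook pods; the API server calls these on every admission
auditInterval: 60                   # seconds between audit scans of existing resources
pdb:
  controllerManager:
    minAvailable: 1                 # keep a webhook pod serving through node drains
controllerManager:
  resources:
    limits: {cpu: "1", memory: 512Mi}
    requests: {cpu: 100m, memory: 256Mi}
# Fail closed: when no webhook pod responds, the API server rejects the
# matching request instead of admitting it unchecked. Pair this with the
# replica count and PDB above, otherwise an upgrade turns into an outage.
validatingWebhookFailurePolicy: Fail
validatingWebhookTimeoutSeconds: 3
# Namespaces the webhook never evaluates. Keep this list explicit and short;
# every entry here is a place where no constraint applies.
exemptNamespaces:
  - kube-system
  - gatekeeper-system
```

Two checks worth making after install: an exempted namespace must also carry the `admission.gatekeeper.sh/ignore` label for the webhook's namespaceSelector to skip it, so confirm the label is present on each entry; and the chart renders a single ValidatingWebhookConfiguration, so one failurePolicy covers every constraint it matches. Giving critical and advisory policies different failure policies needs a second webhook configuration whose rules match a narrower set of resources.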
Constraint Template Library
We implement constraint templates from the Gatekeeper library and custom templates for your requirements: containers must not run as root, containers must have resource limits and requests, images must come from approved registries, pods must have liveness and readiness probes, no hostPath volumes, no privileged containers, required labels and annotations, and network policies must exist for every namespace. Each template is parameterized, so the same template enforces different thresholds in different namespaces through separate constraints.
Enforcement Modes
New policies roll out in three phases. Audit mode: Gatekeeper evaluates existing resources and reports violations without blocking anything. Warn mode: new deployments receive a warning but are allowed to proceed. Deny mode: non-compliant deployments are rejected by the API server. This phased rollout prevents policy deployment from breaking existing workloads. We track violation counts at each phase and only enable deny mode when violations reach zero or have documented exceptions.
Monitoring and Reporting
Gatekeeper metrics are exported to Prometheus: total violations by constraint, enforcement actions (allowed/denied/warned), and webhook latency. Grafana dashboards show policy compliance across the cluster. Audit results are written to the status of each constraint resource and can be queried with kubectl get constraints. Violation trends over time demonstrate an improving compliance posture. Weekly reports summarize new violations, remediated violations, and policy exceptions with expiration dates.
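As an added example of turning those metrics into alerts (not part of the provider's monitoring setup), the PrometheusRule below watches the three things that matter with a fail-closed webhook: audit violations against deny-mode constraints, webhook latency and availability, and a stale audit. The metric and label names follow the Gatekeeper metrics documentation as I remember it, so confirm them against a pod's /metrics endpoint for your version; the job label, thresholds and durations are constructed.

```yaml
# Added example: alert rules on Gatekeeper's exported metrics.
# Verify metric/label names against /metrics; job label and thresholds are placeholders.
apiVersion: monitoring.coreos.com/v1
kind: PrometheusRule
metadata:
  name: gatekeeper-policy-alerts
  namespace: gatekeeper-system
spec:
  groups:
    - name: gatekeeper
      rules:
        # Audit found resources violating a deny-mode constraint: either they
        # predate the policy or a change reached the cluster without the webhook.
        - alert: GatekeeperDenyViolations
          expr: sum(gatekeeper_violations{enforcement_action="deny"}) > 0
          for: 15m
          labels: {severity: warning}
          annotations:
            summary: "{{ $value }} resources violate deny-mode constraints"
        # With failurePolicy: Fail, a slow webhook becomes rejected API requests,
        # so p99 latency is treated as an availability signal.
        - alert: GatekeeperWebhookSlow
          expr: histogram_quantile(0.99, sum by (le) (rate(gatekeeper_request_duration_seconds_bucket[5m]))) > 1
          for: 10m
          labels: {severity: critical}
          annotations:
            summary: "Gatekeeper webhook p99 latency above 1s"
        - alert: GatekeeperWebhookDown
          expr: sum(up{job="gatekeeper-webhook-server"}) < 1
          for: 2m
          labels: {severity: critical}
          annotations:
            summary: "No Gatekeeper webhook target is up; matching requests are being rejected"
        # A sudden rise in denials usually means a rollout is shipping
        # non-compliant manifests, which is worth seeing before the pager does.
        - alert: GatekeeperDenialSpike
          expr: sum(rate(gatekeeper_request_count{admission_status="deny"}[5m])) > 1
          for: 5m
          labels: {severity: warning}
          annotations:
            summary: "Gatekeeper denying more than 1 request/s"
        # The violation counts above are only as fresh as the last audit run.
        - alert: GatekeeperAuditStale
          expr: time() - max(gatekeeper_audit_last_run_time) > 3600
          for: 5m
          labels: {severity: warning}
          annotations:
            summary: "Gatekeeper audit has not completed in the last hour"
```

The weekly report described above can be derived from the same data: the per-constraint violation gauge gives the new-versus-remediated counts, and the excluded namespaces and annotations on each constraint are where exceptions and their expiry dates should live so the report can list them from the cluster rather than from a spreadsheet.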
Ready to get started?
Skip the research. Tell us what you need, and we'll scope it, implement it, and hand it back — fully documented and production-ready.