Skip to content


In this multi-part exercise, you will install prepackaged turnkey OPA policies with the corresponding OPA templates and constraints. These policies are based on best practices for many fundamental areas of Kubernetes. You will use a GitOps pipeline with System Sync in order to apply the OPA resources to the project.



Open Policy Agent is a general-purpose policy engine that unifies policy enforcement across the stack. OPA provides a high-level declarative language that let’s you specify policy as code and simple APIs to offload policy decision-making from your software. You can use OPA to enforce policies in Kubernetes.


Gatekeeper provides a Kubernetes admission controller built around the OPA engine to integrate OPA and the Kubernetes API service. Although there are other methods to integrate OPA with kubernetes, Gatekeeper has the following capabilities making it more kubernetes native.

  • An extensible, parameterized policy library
  • Native Kubernetes CRDs for instantiating the policy library (aka "constraints")
  • Native Kubernetes CRDs for extending the policy library (aka "constraint templates")
  • Audit functionality

System Sync

System Sync enables two-way or bidirectional synchronization to maintain the configuration in the system (system database) and Git repository. Any configuration changes performed in the Git repository get reflected in the system, and vice-versa is supported. To achieve this bidirectional sync, external and internal triggers are required. External triggers (Pipeline Triggers) notify whenever resources are modified in a Git repository, and internal triggers notify whenever resources are modified in an internal artifact store.

Turnkey Policies

The following outline lists the available prepackaged turnkey policies along with their corresponding constraints. These packages can be edited as needed to meet your specific requirements.

PSP Restricted

  • allow-privilege-escalation-container-custom
  • allowed-users-custom
  • app-armor-custom
  • flex-volumes-custom
  • forbidden-sysctls-custom
  • host-filesystem-custom
  • host-namespace-custom
  • host-network-ports-custom
  • linux-capabilities-custom
  • privileged-container-custom
  • proc-mount-custom
  • read-only-root-filesystem-custom
  • se-linux-custom
  • seccomp-custom
  • volume-types-custom


  • disallowed-tags-custom
  • replica-limits-custom
  • required-annotations-custom
  • required-labels-custom
  • required-probes-custom


  • allowed-repos-custom
  • block-nodeport-services-custom
  • https-only-custom
  • image-digests-custom

Operational Efficiency

  • container-limits-custom
  • container-resource-ratios-custom

What Will You Do

Part What will you do?
1 In this part, you will Configure and Setup an Environment in order to apply OPA policies
2 In this part, you will Apply OPA using a blueprint
3 In this part, you will Test OPA using a workload


This exercise assumes that you have access to the following:

  • An Org with Org Admin privileges
  • A provisioned or imported cluster
  • An account on GitHub for GitOps operations