Policy Enforcement and Admission Control

GitOps deployments benefit from policy enforcement at multiple stages. Repository-level policies validate configurations before merge. Admission controllers enforce policies when GitOps agents apply configurations. This multi-layered approach ensures comprehensive security validation.

Open Policy Agent (OPA) Gatekeeper provides powerful policy enforcement for Kubernetes-based GitOps. Policies written in the Rego language can enforce security requirements ranging from resource limits to network isolation. When a GitOps agent attempts to apply a non-compliant resource, the admission webhook rejects it immediately with a clear error message.

# OPA Gatekeeper policies for GitOps security
apiVersion: templates.gatekeeper.sh/v1beta1
kind: ConstraintTemplate
metadata:
  name: k8srequiredsecuritycontrols
spec:
  crd:
    spec:
      names:
        kind: K8sRequiredSecurityControls
      validation:
        openAPIV3Schema:
          type: object
          properties:
            allowedCapabilities:
              type: array
              items:
                type: string
  targets:
    - target: admission.k8s.gatekeeper.sh
      rego: |
        package k8srequiredsecuritycontrols

        # The constraint below matches Deployments, StatefulSets and DaemonSets.
        # Their containers live in the pod template (spec.template.spec), not
        # directly under spec as they would for a bare Pod.
        workload_containers[c] {
          c := input.review.object.spec.template.spec.containers[_]
        }

        violation[{"msg": msg}] {
          # Require non-root containers
          container := workload_containers[_]
          not container.securityContext.runAsNonRoot
          msg := sprintf("Container %v must run as non-root", [container.name])
        }

        violation[{"msg": msg}] {
          # Require read-only root filesystem
          container := workload_containers[_]
          not container.securityContext.readOnlyRootFilesystem
          msg := sprintf("Container %v must have read-only root filesystem", [container.name])
        }

        violation[{"msg": msg}] {
          # Prohibit privileged containers
          container := workload_containers[_]
          container.securityContext.privileged
          msg := sprintf("Container %v cannot run in privileged mode", [container.name])
        }

        violation[{"msg": msg}] {
          # Require resource limits
          container := workload_containers[_]
          not container.resources.limits.memory
          msg := sprintf("Container %v must specify memory limits", [container.name])
        }

        violation[{"msg": msg}] {
          # Enforce allowed registries
          container := workload_containers[_]
          not allowed_registry(container.image)
          msg := sprintf("Container %v uses disallowed registry", [container.name])
        }

        violation[{"msg": msg}] {
          # Restrict added Linux capabilities to the constraint's allowedCapabilities parameter
          container := workload_containers[_]
          cap := container.securityContext.capabilities.add[_]
          not allowed_capability(cap)
          msg := sprintf("Container %v adds disallowed capability %v", [container.name, cap])
        }

        allowed_registry(image) {
          startswith(image, "registry.internal.com/")
        }

        allowed_registry(image) {
          startswith(image, "public.ecr.aws/")
        }

        allowed_capability(cap) {
          input.parameters.allowedCapabilities[_] == cap
        }

---
# Constraint enforcing the security controls
# (constraints use the constraints.gatekeeper.sh API group, not templates.gatekeeper.sh)
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sRequiredSecurityControls
metadata:
  name: must-have-security-controls
spec:
  match:
    kinds:
    - apiGroups: ["apps"]
      kinds: ["Deployment", "StatefulSet", "DaemonSet"]
    namespaces: ["production", "staging"]
  parameters:
    allowedCapabilities: ["NET_BIND_SERVICE"]
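The first layer mentioned at the top of this section, repository-level validation before merge, can run the same controls the Gatekeeper template enforces at admission, so a pull request fails in CI rather than at deploy time. The following Python script is an added example, not code from the original text or from the Gatekeeper project: it applies the non-root, read-only root filesystem, no-privileged, memory-limit and allowed-registry checks to workload manifests, using the same two registry prefixes as the Rego above. It goes slightly further than the template by also scanning initContainers. The sample Deployment embedded in it is constructed for the example; the optional PyYAML dependency is only needed for the command-line path that reads manifest files.

```python
"""Pre-merge manifest checks mirroring the Gatekeeper security controls (added example)."""
import sys

# Same prefixes as the Rego allowed_registry rules (constructed values for the example)
ALLOWED_REGISTRIES = ("registry.internal.com/", "public.ecr.aws/")
# Same kinds as the constraint's match.kinds
WORKLOAD_KINDS = {"Deployment", "StatefulSet", "DaemonSet"}


def allowed_registry(image: str) -> bool:
    """True when the image reference starts with a permitted registry prefix."""
    return image.startswith(ALLOWED_REGISTRIES)


def check_container(name: str, c: dict) -> list[str]:
    """Return the violation messages for one container spec (same wording as the Rego)."""
    sc = c.get("securityContext") or {}
    limits = (c.get("resources") or {}).get("limits") or {}
    msgs = []
    if not sc.get("runAsNonRoot"):
        msgs.append(f"Container {name} must run as non-root")
    if not sc.get("readOnlyRootFilesystem"):
        msgs.append(f"Container {name} must have read-only root filesystem")
    if sc.get("privileged"):
        msgs.append(f"Container {name} cannot run in privileged mode")
    if not limits.get("memory"):
        msgs.append(f"Container {name} must specify memory limits")
    if not allowed_registry(c.get("image", "")):
        msgs.append(f"Container {name} uses disallowed registry")
    return msgs


def check_workload(obj: dict) -> list[str]:
    """Return all violations for one Deployment/StatefulSet/DaemonSet object.

    Other kinds (Service, ConfigMap, ...) yield no findings, mirroring the
    constraint's match.kinds. Containers are read from the pod template,
    and initContainers are included as well (beyond what the Rego checks).
    """
    if obj.get("kind") not in WORKLOAD_KINDS:
        return []
    pod_spec = ((obj.get("spec") or {}).get("template") or {}).get("spec") or {}
    violations = []
    for c in (pod_spec.get("containers") or []) + (pod_spec.get("initContainers") or []):
        violations.extend(check_container(c.get("name", "<unnamed>"), c))
    return violations


# Constructed sample: one compliant container and one that breaks every rule
SAMPLE_DEPLOYMENT = {
    "apiVersion": "apps/v1",
    "kind": "Deployment",
    "metadata": {"name": "web", "namespace": "production"},
    "spec": {"template": {"spec": {"containers": [
        {"name": "app", "image": "registry.internal.com/team/app:1.4.2",
         "securityContext": {"runAsNonRoot": True, "readOnlyRootFilesystem": True},
         "resources": {"limits": {"memory": "256Mi"}}},
        {"name": "sidecar", "image": "docker.io/library/busybox:latest",
         "securityContext": {"privileged": True}},
    ]}}},
}


def check_files(paths: list[str]) -> int:
    """CLI path: check every document in the given YAML files; non-zero exit on findings."""
    try:
        import yaml  # PyYAML, only required for reading manifest files
    except ImportError:
        print("PyYAML is required to read manifest files", file=sys.stderr)
        return 2
    failed = False
    for path in paths:
        with open(path) as fh:
            for doc in yaml.safe_load_all(fh):
                for msg in check_workload(doc or {}):
                    failed = True
                    print(f"{path}: {msg}")
    return 1 if failed else 0


if __name__ == "__main__":
    if len(sys.argv) > 1:
        sys.exit(check_files(sys.argv[1:]))
    for msg in check_workload(SAMPLE_DEPLOYMENT):
        print(msg)
```

Run it as `python check_manifests.py k8s/*.yaml` in the pull-request pipeline; with no arguments it checks the embedded sample and prints the five sidecar findings. Keeping the message wording identical to the Rego rules means a developer sees the same text in CI that the admission webhook would later return, which makes the pre-merge failure easy to map to the cluster policy.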

Policy violations should trigger clear alerts and, where appropriate, automated remediation. GitOps agents should report policy failures back to monitoring systems. Persistent violations might trigger rollbacks to known-good configurations. This automated enforcement keeps security policies effective even during rapid deployments.
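Gatekeeper's audit controller also records findings for resources already in the cluster, writing them to each Constraint's `status.violations` list (entries carry `kind`, `namespace`, `name`, `message` and `enforcementAction`). The following Python script is an added example, not part of the original text or of Gatekeeper itself, of the escalation path just described: it walks a series of those status snapshots, counts how many consecutive audits each violating object has appeared in, proposes "alert" for anything currently failing and "rollback" once a violation has persisted past a threshold. The three snapshots, the threshold value and the audit timestamps are constructed for the example; the `kubectl` command in the usage note is an assumption about how you would fetch real snapshots.

```python
"""Triage Gatekeeper audit results: alert on violations, escalate persistent ones (added example)."""

# Constructed: number of consecutive audits a violation may persist before rollback is proposed
PERSISTENCE_THRESHOLD = 3


def violation_key(v: dict) -> tuple:
    """Identity of a violating object across audit cycles."""
    return (v.get("kind"), v.get("namespace"), v.get("name"))


def triage(snapshots: list[dict], threshold: int = PERSISTENCE_THRESHOLD) -> dict:
    """Return {key: (consecutive_audits, action, message)} for objects still violating.

    `snapshots` are Constraint .status objects ordered oldest to newest. A
    violation that disappears from an audit has its streak reset, so a fix
    that was merged between audits is not escalated.
    """
    streak: dict = {}
    latest_message: dict = {}
    for status in snapshots:
        present = {violation_key(v): v.get("message", "") for v in status.get("violations") or []}
        for k in list(streak):
            if k not in present:
                del streak[k]  # resolved since the previous audit
        for k, msg in present.items():
            streak[k] = streak.get(k, 0) + 1
            latest_message[k] = msg
    result = {}
    for k, n in streak.items():
        action = "rollback" if n >= threshold else "alert"
        result[k] = (n, action, latest_message[k])
    return result


def format_report(result: dict) -> list[str]:
    """One line per still-violating object, most persistent first."""
    lines = []
    for (kind, ns, name), (n, action, msg) in sorted(result.items(), key=lambda kv: -kv[1][0]):
        lines.append(f"{action.upper():8} {kind}/{ns}/{name} ({n} audits): {msg}")
    return lines


# Constructed sample: three successive audits of the must-have-security-controls constraint.
# legacy-api fails every audit, cache is fixed after the first, log-agent appears in the last two.
_LEGACY = {"enforcementAction": "deny", "kind": "Deployment", "namespace": "production",
           "name": "legacy-api", "message": "Container api must run as non-root"}
_CACHE = {"enforcementAction": "deny", "kind": "Deployment", "namespace": "staging",
          "name": "cache", "message": "Container redis must specify memory limits"}
_LOG_AGENT = {"enforcementAction": "deny", "kind": "DaemonSet", "namespace": "staging",
              "name": "log-agent", "message": "Container agent cannot run in privileged mode"}
SAMPLE_AUDITS = [
    {"auditTimestamp": "2024-01-01T00:00:00Z", "totalViolations": 2, "violations": [_LEGACY, _CACHE]},
    {"auditTimestamp": "2024-01-01T01:00:00Z", "totalViolations": 2, "violations": [_LEGACY, _LOG_AGENT]},
    {"auditTimestamp": "2024-01-01T02:00:00Z", "totalViolations": 2, "violations": [_LEGACY, _LOG_AGENT]},
]

if __name__ == "__main__":
    for line in format_report(triage(SAMPLE_AUDITS)):
        print(line)
```

A real snapshot is the `.status` field of `kubectl get k8srequiredsecuritycontrols must-have-security-controls -o json`, captured once per audit interval (an assumed fetch method). Note that Gatekeeper caps the number of violations stored on a constraint (the `--constraint-violations-limit` flag, default 20), so a cluster with many findings needs the audit log or metrics endpoint rather than the status list for a complete count; the streak logic above is the same either way.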