Policy Enforcement and Admission Control
GitOps deployments benefit from policy enforcement at multiple stages. Repository-level policies validate configurations before merge. Admission controllers enforce policies when GitOps agents apply configurations. This multi-layered approach ensures comprehensive security validation.
Open Policy Agent (OPA) Gatekeeper provides policy enforcement for Kubernetes-based GitOps. Policies written in the Rego language can enforce security requirements ranging from resource limits to network isolation. GitOps agents attempting to apply non-compliant resources receive an immediate rejection with a clear error message, so the failed sync is visible in the agent's status rather than silently producing a weaker deployment.
# OPA Gatekeeper policies for GitOps security
apiVersion: templates.gatekeeper.sh/v1beta1
kind: ConstraintTemplate
metadata:
  name: k8srequiredsecuritycontrols
spec:
  crd:
    spec:
      names:
        kind: K8sRequiredSecurityControls
      validation:
        openAPIV3Schema:
          type: object
          properties:
            allowedCapabilities:
              type: array
              items:
                type: string
  targets:
    - target: admission.k8s.gatekeeper.sh
      rego: |
        package k8srequiredsecuritycontrols

        # The constraint below matches Deployments, StatefulSets and DaemonSets.
        # Their containers live under spec.template.spec, not spec.containers;
        # reading the wrong path makes every rule pass silently.
        violation[{"msg": msg}] {
          # Require non-root containers
          container := input.review.object.spec.template.spec.containers[_]
          not container.securityContext.runAsNonRoot
          msg := sprintf("Container %v must run as non-root", [container.name])
        }
        violation[{"msg": msg}] {
          # Require read-only root filesystem
          container := input.review.object.spec.template.spec.containers[_]
          not container.securityContext.readOnlyRootFilesystem
          msg := sprintf("Container %v must have read-only root filesystem", [container.name])
        }
        violation[{"msg": msg}] {
          # Prohibit privileged containers
          container := input.review.object.spec.template.spec.containers[_]
          container.securityContext.privileged
          msg := sprintf("Container %v cannot run in privileged mode", [container.name])
        }
        violation[{"msg": msg}] {
          # Require resource limits
          container := input.review.object.spec.template.spec.containers[_]
          not container.resources.limits.memory
          msg := sprintf("Container %v must specify memory limits", [container.name])
        }
        violation[{"msg": msg}] {
          # Enforce allowed registries
          container := input.review.object.spec.template.spec.containers[_]
          not allowed_registry(container.image)
          msg := sprintf("Container %v uses disallowed registry", [container.name])
        }
        violation[{"msg": msg}] {
          # Restrict added Linux capabilities to the allowedCapabilities parameter
          container := input.review.object.spec.template.spec.containers[_]
          cap := container.securityContext.capabilities.add[_]
          not allowed_capability(cap)
          msg := sprintf("Container %v adds disallowed capability %v", [container.name, cap])
        }
        allowed_capability(cap) {
          cap == input.parameters.allowedCapabilities[_]
        }
        allowed_registry(image) {
          startswith(image, "registry.internal.com/")
        }
        allowed_registry(image) {
          startswith(image, "public.ecr.aws/")
        }
---
# Constraint enforcing the security controls. Constraints use the
# constraints.gatekeeper.sh API group, not templates.gatekeeper.sh.
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sRequiredSecurityControls
metadata:
  name: must-have-security-controls
spec:
  match:
    kinds:
      - apiGroups: ["apps"]
        kinds: ["Deployment", "StatefulSet", "DaemonSet"]
    namespaces: ["production", "staging"]
  parameters:
    allowedCapabilities: ["NET_BIND_SERVICE"]
Policy violations should trigger clear alerts and, where appropriate, automated remediation. GitOps agents should report policy failures back to monitoring systems so that a rejected sync is treated as a security event, not just a deployment error. Persistent violations might trigger rollbacks to known-good configurations. This automated enforcement keeps security policies effective even during rapid deployments.
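The repository-level stage mentioned at the start of this section can apply the same rules as the admission controller, so that a non-compliant manifest is caught in a pull request before the GitOps agent ever tries to sync it. The following Python script is an added example, not code from the original article and not part of Gatekeeper or OPA: it re-implements the checks from the ConstraintTemplate above as a CI gate that exits non-zero on any violation. It goes slightly beyond the Rego shown on the page by also covering initContainers and plain Pods. The two manifests are constructed sample input embedded as Python dicts; in a real pipeline they would be loaded from the repository's YAML files.

```python
"""Pre-merge policy gate mirroring the Gatekeeper rules (added example)."""

# Assumed values, matching the Rego and the constraint's parameters above.
ALLOWED_REGISTRIES = ("registry.internal.com/", "public.ecr.aws/")
ALLOWED_CAPABILITIES = {"NET_BIND_SERVICE"}
WORKLOAD_KINDS = {"Deployment", "StatefulSet", "DaemonSet", "Job", "CronJob"}


def containers_of(obj):
    """Return the containers of a Pod or of a workload wrapping a pod template.

    Workload kinds keep their pod spec under spec.template.spec; a check that
    only reads spec.containers would see nothing and pass every Deployment.
    """
    kind = obj.get("kind")
    spec = obj.get("spec", {})
    if kind == "CronJob":  # one more level of nesting than Deployment & co.
        spec = spec.get("jobTemplate", {}).get("spec", {})
    if kind in WORKLOAD_KINDS:
        spec = spec.get("template", {}).get("spec", {})
    elif kind != "Pod":
        return []
    return spec.get("containers", []) + spec.get("initContainers", [])


def allowed_registry(image):
    return any(image.startswith(prefix) for prefix in ALLOWED_REGISTRIES)


def violations(obj):
    """Return the policy messages for one manifest; an empty list means compliant."""
    msgs = []
    for c in containers_of(obj):
        name = c.get("name", "<unnamed>")
        sc = c.get("securityContext") or {}
        if not sc.get("runAsNonRoot"):
            msgs.append(f"Container {name} must run as non-root")
        if not sc.get("readOnlyRootFilesystem"):
            msgs.append(f"Container {name} must have read-only root filesystem")
        if sc.get("privileged"):
            msgs.append(f"Container {name} cannot run in privileged mode")
        if not (c.get("resources") or {}).get("limits", {}).get("memory"):
            msgs.append(f"Container {name} must specify memory limits")
        if not allowed_registry(c.get("image", "")):
            msgs.append(f"Container {name} uses disallowed registry")
        extra = set((sc.get("capabilities") or {}).get("add", [])) - ALLOWED_CAPABILITIES
        if extra:
            msgs.append(f"Container {name} adds disallowed capabilities: {sorted(extra)}")
    return msgs


def check_repository(manifests):
    """Evaluate every manifest; return {kind/name: [messages]} for the failing ones."""
    report = {}
    for m in manifests:
        msgs = violations(m)
        if msgs:
            report[f'{m["kind"]}/{m["metadata"]["name"]}'] = msgs
    return report


# Constructed sample manifests: one compliant, one that breaks every rule.
GOOD_DEPLOYMENT = {
    "apiVersion": "apps/v1", "kind": "Deployment",
    "metadata": {"name": "api", "namespace": "production"},
    "spec": {"template": {"spec": {"containers": [{
        "name": "api",
        "image": "registry.internal.com/team/api:1.4.2",
        "securityContext": {"runAsNonRoot": True, "readOnlyRootFilesystem": True,
                            "capabilities": {"drop": ["ALL"], "add": ["NET_BIND_SERVICE"]}},
        "resources": {"limits": {"memory": "256Mi", "cpu": "500m"}},
    }]}}},
}
BAD_DEPLOYMENT = {
    "apiVersion": "apps/v1", "kind": "Deployment",
    "metadata": {"name": "debug", "namespace": "production"},
    "spec": {"template": {"spec": {"containers": [{
        "name": "shell",
        "image": "docker.io/library/busybox:latest",
        "securityContext": {"privileged": True, "capabilities": {"add": ["SYS_ADMIN"]}},
    }]}}},
}

if __name__ == "__main__":
    report = check_repository([GOOD_DEPLOYMENT, BAD_DEPLOYMENT])
    for target, msgs in report.items():
        print(target)
        for msg in msgs:
            print("  -", msg)
    raise SystemExit(1 if report else 0)  # non-zero exit blocks the merge
```

Run it as a CI step over the rendered manifests (after Helm or Kustomize has produced the final objects, so the check sees what the cluster will see). The messages are deliberately identical to the Rego `msg` strings, which lets a reviewer correlate a pull-request failure with a later admission rejection should a manifest bypass the repository check.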