Kubernetes admission control via OPA Gatekeeper. ValidatingWebhookConfiguration that enforces ConstraintTemplate + Constraint policies on resource creation/updates, with periodic audit scanning for existing violations.
| Attribute | Example | Description |
|---|---|---|
| namespace (REQ) | opa | Kubernetes namespace - used in all generated manifests: namespace.yaml, kustomization.yaml, monitoring.yaml |
| cpu_request | 100m | CPU request for controller manager → patch/resource.yaml |
| mem_request | 256Mi | Memory request for controller manager → patch/resource.yaml |
| cpu_limit | 1000m | CPU limit for controller manager → patch/resource.yaml |
| mem_limit | 512Mi | Memory limit for controller manager → patch/resource.yaml |
| opa_failure_policy | Ignore | Webhook failure mode: Ignore (fail open) or Fail (fail closed) → patch/webhook-tuning.yaml |
| opa_timeout | 3 | Webhook timeout in seconds → patch/webhook-tuning.yaml |
| opa_excluded_namespaces | monitoring | Newline-separated list of namespaces excluded from admission validation. The OPA namespace and kube-system are always excluded automatically → patch/webhook-tuning.yaml |
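The three webhook-tuning attributes above land in Gatekeeper's ValidatingWebhookConfiguration. The following is an added example of what such a kustomize strategic-merge patch looks like; it is not the component's generated patch/webhook-tuning.yaml. The object and webhook names are Gatekeeper's upstream defaults; expressing the excluded-namespace list as a `NotIn` expression on the namespace name label is an assumption made for this example.

```yaml
# Added example (not the component's generated file): strategic-merge patch for
# Gatekeeper's ValidatingWebhookConfiguration with the webhook-tuning settings.
apiVersion: admissionregistration.k8s.io/v1
kind: ValidatingWebhookConfiguration
metadata:
  name: gatekeeper-validating-webhook-configuration   # upstream default name
webhooks:
  - name: validation.gatekeeper.sh                     # upstream default name
    # opa_failure_policy. Ignore = fail open: if Gatekeeper is down or slow,
    # the API server admits the request without validation, so every policy
    # below silently stops applying during an outage. Fail = fail closed: the
    # request is rejected instead. Fail is the safer setting; pair it with a
    # short timeout and the namespace exclusions so that a Gatekeeper outage
    # cannot block the namespaces needed to repair Gatekeeper itself.
    failurePolicy: Fail
    # opa_timeout: how long the API server waits for a verdict before applying
    # failurePolicy. Keep it well under the client's own request timeout.
    timeoutSeconds: 3
    # opa_excluded_namespaces, plus the two namespaces that are always
    # excluded. A strategic-merge patch replaces the whole matchExpressions
    # list, so Gatekeeper's own opt-out label expression is repeated here.
    namespaceSelector:
      matchExpressions:
        - key: kubernetes.io/metadata.name
          operator: NotIn
          values:
            - kube-system      # always excluded
            - opa              # the OPA namespace (always excluded)
            - monitoring       # from opa_excluded_namespaces
        - key: admission.gatekeeper.sh/ignore
          operator: DoesNotExist
```

Fail closed with a 3-second timeout means a request is rejected, not admitted, when Gatekeeper does not answer in time; watch the webhook latency on the metrics endpoint before lowering the timeout further. Every namespace listed under `NotIn` is entirely unvalidated, so the excluded list should be kept to namespaces that are locked down by other means (RBAC, network policy), and the audit scan still reports violations there because audit does not go through the webhook.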
Each sub-component generates a ConstraintTemplate + Constraint pair in the k8s/deploy/base/policies/ directory. If a sub-component is not added, the corresponding policy file is removed from the output.
Enforces: allowPrivilegeEscalation=false, privileged=false, readOnlyRootFilesystem=true, runAsNonRoot=true. Generates: policies/security-context.yaml
| Attribute | Example | Impact |
|---|---|---|
| labels (REQ) | stacktic.io/group: backend | Key:value label pairs that select which pods this policy targets |
| opa_action | deny | Enforcement action: deny, warn, or dryrun |
Enforces: CPU/memory requests and limits must be set, ephemeral-storage requests required. Generates: policies/resource-policy.yaml
| Attribute | Example | Impact |
|---|---|---|
| labels (REQ) | stacktic.io/group: backend | Key:value label pairs that select which pods this policy targets |
| opa_action | deny | Enforcement action: deny, warn, or dryrun |
Enforces: No hostNetwork, no hostPID, no hostIPC, no hostPath volumes. Generates: policies/pod-level-security.yaml
| Attribute | Example | Impact |
|---|---|---|
| labels (REQ) | stacktic.io/group: backend | Key:value label pairs that select which pods this policy targets |
| opa_action | deny | Enforcement action: deny, warn, or dryrun |
Enforces: All containers must define livenessProbe and readinessProbe. Generates: policies/probes.yaml
| Attribute | Example | Impact |
|---|---|---|
| labels (REQ) | stacktic.io/group: backend | Key:value label pairs that select which pods this policy targets |
| opa_action | deny | Enforcement action: deny, warn, or dryrun |
User-defined Rego logic injected as a ConstraintTemplate. Generates: policies/custom-policy.yaml
| Attribute | Example | Impact |
|---|---|---|
| labels (REQ) | stacktic.io/group: backend | Key:value label pairs that select which pods this policy targets |
| policy (REQ) | `violation[{"msg": msg}] { ... }` | Raw Rego code inserted into the ConstraintTemplate |
| opa_action | deny | Enforcement action: deny, warn, or dryrun |
Enforces: no privileged=true, allowPrivilegeEscalation must be false, no :latest image tags. Generates: policies/disallow.yaml
| Attribute | Example | Impact |
|---|---|---|
| labels (REQ) | stacktic.io/group: backend | Key:value label pairs that select which pods this policy targets |
| opa_action | deny | Enforcement action: deny, warn, or dryrun |
Enforces: Only images from approved registries allowed, optional :latest tag ban. Generates: policies/image-policies.yaml
| Attribute | Example | Impact |
|---|---|---|
| images (REQ) | gcr.io/my-project | Newline-separated list of allowed container image registries |
| disallow_latest | true | Boolean - when true, blocks containers using the :latest tag |
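To show what a generated ConstraintTemplate + Constraint pair contains, and where the raw `violation[{"msg": msg}] { ... }` block of the custom sub-component ends up, here is an added example that implements the image-policy rules above (approved registries plus an optional :latest ban). It is hand-written for this page, not the component's own policies/image-policies.yaml; the kind name StackticAllowedRegistries, the Rego package name and the parameter names `registries` and `disallowLatest` are assumptions chosen for the example.

```yaml
# Added example (not the component's generated policy file): a Gatekeeper
# ConstraintTemplate carrying the Rego, and a Constraint that binds it to a
# set of pods with an enforcement action and parameters.
apiVersion: templates.gatekeeper.sh/v1
kind: ConstraintTemplate
metadata:
  name: stackticallowedregistries          # must be the lower-cased kind name
spec:
  crd:
    spec:
      names:
        kind: StackticAllowedRegistries    # assumed kind name
      validation:
        # Schema for spec.parameters of the Constraint below.
        openAPIV3Schema:
          type: object
          properties:
            registries:
              type: array
              items:
                type: string
            disallowLatest:
              type: boolean
  targets:
    - target: admission.k8s.gatekeeper.sh
      # This is the slot the custom sub-component's raw Rego is inserted into.
      rego: |
        package stackticallowedregistries

        # Check regular containers and initContainers alike.
        all_containers[c] { c := input.review.object.spec.containers[_] }
        all_containers[c] { c := input.review.object.spec.initContainers[_] }

        # Rule 1: the image must begin with one of the approved prefixes.
        violation[{"msg": msg}] {
          c := all_containers[_]
          not approved(c.image)
          msg := sprintf("container %v uses image %v from an unapproved registry", [c.name, c.image])
        }

        # Rule 2: only active when disallowLatest is true.
        violation[{"msg": msg}] {
          input.parameters.disallowLatest
          c := all_containers[_]
          endswith(c.image, ":latest")
          msg := sprintf("container %v uses the :latest tag", [c.name])
        }

        approved(image) {
          prefix := input.parameters.registries[_]
          startswith(image, prefix)
        }
---
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: StackticAllowedRegistries
metadata:
  name: approved-registries-backend
spec:
  # Maps to opa_action: deny rejects the request, warn admits it and returns
  # a warning to the client, dryrun admits it and only records the violation.
  enforcementAction: deny
  match:
    kinds:
      - apiGroups: [""]
        kinds: ["Pod"]
    # Maps to the labels attribute of the other sub-components.
    labelSelector:
      matchLabels:
        stacktic.io/group: backend
  parameters:
    registries:
      - gcr.io/my-project/     # trailing slash: see note below
    disallowLatest: true
```

Two details worth checking in any registry allowlist written this way: `startswith` is a plain string prefix test, so an entry of `gcr.io/my-project` would also accept `gcr.io/my-project-evil/...`; the trailing slash closes that gap. And an image reference with no tag at all resolves to `:latest` at pull time without ever containing the string `:latest`, so a :latest ban that only matches the suffix should be paired with a rule requiring an explicit tag or digest. Rolling a new Constraint out as `dryrun` first and reading the audit results before switching to `deny` avoids blocking workloads the policy was never meant to cover.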
Enforces: Requires label stacktic.io/imageSigned=true on resources. Generates: policies/image_signing.yaml
| Attribute | Example | Impact |
|---|---|---|
| labels (REQ) | stacktic.io/group: backend | Key:value label pairs that select which pods this policy targets |
| opa_action | deny | Enforcement action: deny, warn, or dryrun |
Enforces: Resources must have specified labels. Targets: Pod, Deployment, StatefulSet, DaemonSet, ReplicaSet. Generates: policies/prod_label_deny.yaml
| Attribute | Example | Impact |
|---|---|---|
| labels (REQ) | app.kubernetes.io/name: required | Key:value pairs defining the required labels on targeted resources |
| namespaces | production | Optional namespace filter - only enforce in these namespaces |
| opa_action | deny | Enforcement action: deny, warn, or dryrun |
| Link | Direction | Generated Output |
|---|---|---|
| Prometheus → OPA | Inbound | Generates monitoring.yaml - 2 Services (webhook-metrics + audit-metrics on :8888) and 2 ServiceMonitor CRs for Prometheus scraping |
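The Prometheus link produces one Service and one ServiceMonitor per Gatekeeper component. The following is an added example of one such pair for the webhook side; it is not the component's generated monitoring.yaml. The pod selector label `gatekeeper.sh/operation: webhook` is the label Gatekeeper's upstream controller-manager deployment carries, and the Service label `stacktic.io/metrics` used to tie the ServiceMonitor to the Service is an assumption made for this example. The audit pair is identical apart from the names and the `gatekeeper.sh/operation: audit` selector.

```yaml
# Added example (not the component's generated monitoring.yaml): metrics
# Service + ServiceMonitor for the Gatekeeper webhook pods on port 8888.
apiVersion: v1
kind: Service
metadata:
  name: webhook-metrics
  namespace: opa                       # the component's namespace attribute
  labels:
    stacktic.io/metrics: webhook       # assumed label, matched by the ServiceMonitor
spec:
  selector:
    gatekeeper.sh/operation: webhook   # upstream label on the webhook pods
  ports:
    - name: metrics
      port: 8888
      targetPort: 8888
      protocol: TCP
---
apiVersion: monitoring.coreos.com/v1
kind: ServiceMonitor
metadata:
  name: webhook-metrics
  namespace: opa
spec:
  selector:
    matchLabels:
      stacktic.io/metrics: webhook
  namespaceSelector:
    matchNames:
      - opa
  endpoints:
    - port: metrics                    # the named Service port above
      interval: 30s
      scheme: http                     # metrics are plain HTTP (see ports table)
```

Because the metrics endpoint is unauthenticated HTTP, it is worth confining port 8888 to the Prometheus namespace with a NetworkPolicy. The scraped series are what make `warn` and `dryrun` constraints useful: the violation counts reported by the audit controller show what a policy would have blocked before it is promoted to `deny`, and a stale audit-run timestamp is the signal that the audit scan itself has stopped.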
| File | Condition | Content |
|---|---|---|
| k8s/deploy/base/namespace.yaml | Always | Namespace definition |
| k8s/deploy/base/kustomization.yaml | Always | Kustomize resources, patches, policy file references |
| k8s/deploy/base/patch/resource.yaml | Always | CPU/memory requests and limits for controller manager |
| k8s/deploy/base/patch/webhook-tuning.yaml | Always | Failure policy, timeout seconds, excluded namespaces |
| k8s/deploy/base/monitoring.yaml | Prometheus linked | 2 Services + 2 ServiceMonitor CRs (webhook-metrics, audit-metrics on :8888) |
| k8s/deploy/base/policies/security-context.yaml | securitycontext sub-components exist | ConstraintTemplate + Constraint for container security context enforcement |
| k8s/deploy/base/policies/resource-policy.yaml | resource_policy sub-components exist | ConstraintTemplate + Constraint for CPU/memory/ephemeral-storage limits |
| k8s/deploy/base/policies/pod-level-security.yaml | pod_level_security sub-components exist | ConstraintTemplate + Constraint blocking hostNetwork/hostPID/hostIPC/hostPath |
| k8s/deploy/base/policies/probes.yaml | probes sub-components exist | ConstraintTemplate + Constraint requiring liveness and readiness probes |
| k8s/deploy/base/policies/custom-policy.yaml | custom sub-components exist | ConstraintTemplate + Constraint with user-defined Rego logic |
| k8s/deploy/base/policies/disallow.yaml | disallow sub-components exist | ConstraintTemplate + Constraint blocking privileged, escalation, :latest tags |
| k8s/deploy/base/policies/image-policies.yaml | image_policy sub-components exist | ConstraintTemplate + Constraint for approved registry allowlist |
| k8s/deploy/base/policies/image_signing.yaml | image_signing sub-components exist | ConstraintTemplate + Constraint requiring stacktic.io/imageSigned=true label |
| k8s/deploy/base/policies/prod_label_deny.yaml | label_deny sub-components exist | ConstraintTemplate + Constraint enforcing required labels on Pod/Deployment/StatefulSet/DaemonSet/ReplicaSet |
| k8s/deploy/base/secret/registry.json | Always | Docker registry credentials (SOPS encrypted) |
| day2/test.sh | Always | Policy validation test script |
| doc/README.md | Always | Component documentation |
| Port | Service | Protocol |
|---|---|---|
| 8443 | Admission webhook (ValidatingWebhookConfiguration) | HTTPS |
| 8888 | Metrics (webhook-metrics + audit-metrics) | HTTP |
| 9090 | Health check (readiness/liveness) | HTTP |
opa_action values: deny = block non-compliant resources; warn = warn but allow; dryrun = log violations only.