A community-driven library of reusable policies for OPA Gatekeeper enabling Kubernetes resource validation and mutation to enforce compliance and security standards.
📚 The OPA Gatekeeper policy library
This library is used by Kubernetes administrators and security teams to enforce governance, risk, and compliance policies within their clusters by validating and mutating resources automatically. It helps ensure that cluster configurations adhere to organizational security standards and automates policy enforcement to reduce manual auditing effort.
Policies, and mutation policies in particular, should be customized to fit organizational needs before they are applied. Contribution guidelines emphasize versioning and testing to keep policies stable. Testing with the gator CLI is recommended to confirm policy correctness before deployment.
Create a kustomization.yaml file referencing the gatekeeper-library repository
Optionally specify subfolders or commit SHA for selective policy installation
Define your constraints in a constraints.yaml file in the same directory
Run `kustomize build . | kubectl apply -f -` to install policies and constraints
Alternatively, navigate to a policy directory and apply template.yaml and constraint.yaml using kubectl
Optionally apply sync.yaml when running Gatekeeper with OPA cache
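The two files the kustomize-based install above expects, written out as an added example (not files from the gatekeeper-library repository itself). It assumes the `httpsonly` policy under `library/general` and its `K8sHttpsOnly` constraint kind; the commit SHA is a placeholder to be replaced with the pinned revision you have reviewed. The constraint starts in `dryrun` so violations show up in the audit results before anything is denied:

```yaml
# kustomization.yaml
# Pull only the httpsonly template, pinned to a reviewed commit (placeholder SHA).
resources:
  - github.com/open-policy-agent/gatekeeper-library/library/general/httpsonly?ref=<commit-sha>
  - constraints.yaml
---
# constraints.yaml
# Constraint instantiating the K8sHttpsOnly template for all Ingress objects.
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sHttpsOnly
metadata:
  name: ingress-https-only
spec:
  # Audit-only first; switch to "deny" once audit shows no unexpected hits.
  enforcementAction: dryrun
  match:
    kinds:
      - apiGroups: ["extensions", "networking.k8s.io"]
        kinds: ["Ingress"]
```

Run `kustomize build . | kubectl apply -f -` in the directory holding both files, then inspect `kubectl get k8shttpsonly ingress-https-only -o yaml` for `status.violations` before changing `enforcementAction` to `deny`.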
`kustomize build . | kubectl apply -f -`
Installs all specified policies and constraints defined in kustomization.yaml and constraints.yaml
`kubectl apply -f template.yaml`
Applies a specific Gatekeeper ConstraintTemplate to the Kubernetes cluster
`kubectl apply -f samples/ingress-https-only/constraint.yaml`
Applies a sample constraint that enforces HTTPS-only ingress
`kubectl apply -f library/general/httpsonly/sync.yaml`
Applies sync configuration when Gatekeeper is running with OPA cache (optional)
`gator verify ./...`
Runs test cases defined in suite.yaml files to verify ConstraintTemplates in the library
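A minimal suite.yaml of the kind `gator verify` picks up, added here as an illustration rather than copied from the library. It assumes it sits next to the httpsonly template.yaml and that the allowed and disallowed sample Ingress manifests exist at the relative paths shown; one case checks that a compliant object produces no violation and one that a non-compliant object produces exactly one:

```yaml
# suite.yaml (assumed location: library/general/httpsonly/suite.yaml)
kind: Suite
apiVersion: test.gatekeeper.sh/v1alpha1
tests:
  - name: https-only
    template: template.yaml
    constraint: samples/ingress-https-only/constraint.yaml
    cases:
      # A compliant Ingress (TLS configured) must not be flagged.
      - name: example-allowed
        object: samples/ingress-https-only/example_allowed.yaml
        assertions:
          - violations: no
      # A plain-HTTP Ingress must be flagged exactly once.
      - name: example-disallowed
        object: samples/ingress-https-only/example_disallowed.yaml
        assertions:
          - violations: 1
```

Running `gator verify ./...` from the repository root evaluates every suite it finds offline, so a template change that silently stops flagging the disallowed sample fails the suite before the policy reaches a cluster.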