OPA Gatekeeper
What is OPA Gatekeeper?
OPA Gatekeeper is a CNCF policy controller that uses Open Policy Agent and the Rego language to enforce admission and audit policies on Kubernetes resources.
Gatekeeper is the Kubernetes-native packaging of Open Policy Agent. Operators install ConstraintTemplates, each carrying a Rego policy plus the schema of the parameters it accepts; Gatekeeper generates a CustomResourceDefinition from each template, and instances of that CRD are the actual Constraints (for example, a K8sRequiredLabels object that states which labels are mandatory and which resource kinds it applies to). Gatekeeper runs as a validating (and optionally mutating) admission webhook, and its audit controller periodically re-evaluates the existing cluster state against the Constraints, so objects created before a policy existed, or while the webhook was unavailable, are still reported. Policies are written against the admission request rather than against a particular object schema, so the same engine governs Pods, Ingresses and Custom Resources alike, including cloud resources managed through an operator's CRDs. Because the policy language is Rego, related checks can be run earlier in CI with Conftest (against Kubernetes manifests or Terraform plans, with the caveat that the input document shape differs from Gatekeeper's admission review) or with Gatekeeper's own gator CLI, and managed centrally with Styra, giving shift-left checks alongside cluster enforcement.
● Examples
- 01: A Constraint requiring every Deployment to declare an owner label.
- 02: Gatekeeper audit reporting all pre-existing Pods that violate a newly applied Constraint enforcing the Restricted Pod Security Standard.
● Frequently asked questions
What is OPA Gatekeeper?
OPA Gatekeeper is a CNCF policy controller that uses Open Policy Agent and the Rego language to enforce admission and audit policies on Kubernetes resources. It belongs to the Cloud Security category of cybersecurity.
What does OPA Gatekeeper mean?
OPA Gatekeeper is a CNCF policy controller that uses Open Policy Agent and the Rego language to enforce admission and audit policies on Kubernetes resources.
How does OPA Gatekeeper work?
Gatekeeper is the Kubernetes-native packaging of Open Policy Agent. Operators install ConstraintTemplates, each carrying a Rego policy plus the schema of the parameters it accepts; Gatekeeper generates a CustomResourceDefinition from each template, and instances of that CRD are the actual Constraints (for example, a K8sRequiredLabels object that states which labels are mandatory and which resource kinds it applies to). Gatekeeper runs as a validating (and optionally mutating) admission webhook, and its audit controller periodically re-evaluates the existing cluster state against the Constraints, so objects created before a policy existed, or while the webhook was unavailable, are still reported. Policies are written against the admission request rather than against a particular object schema, so the same engine governs Pods, Ingresses and Custom Resources alike, including cloud resources managed through an operator's CRDs. Because the policy language is Rego, related checks can be run earlier in CI with Conftest (against Kubernetes manifests or Terraform plans, with the caveat that the input document shape differs from Gatekeeper's admission review) or with Gatekeeper's own gator CLI, and managed centrally with Styra, giving shift-left checks alongside cluster enforcement.
How do you harden an OPA Gatekeeper deployment?
Gatekeeper is itself a control, so the practical question is how to keep it from being bypassed, weakened or turned into an outage. Treat ConstraintTemplates and Constraints as privileged objects: anyone who can create or edit them can rewrite the cluster's admission policy, so restrict that RBAC and review changes like code. Roll out new Constraints with enforcementAction set to dryrun or warn, read the audit findings, and only then switch to deny. Choose the webhook's failurePolicy deliberately: Gatekeeper's validating webhook ships with failurePolicy Ignore (fail open), which avoids wedging the API server when the webhook is down but means nothing is enforced during that window, so pair it with audit to catch what slipped through. Keep the set of namespaces exempted from the webhook small and reviewed, since objects there never reach the policy. Finally, remember what an admission controller cannot see: it only evaluates requests that pass through the API server, so it does not cover direct access to nodes or the etcd datastore, nor behaviour inside an already running container.
What are other names for OPA Gatekeeper?
Common alternative names include: Gatekeeper. It is also often referred to loosely as "OPA", but OPA is the general-purpose policy engine that Gatekeeper embeds, not a synonym for the Kubernetes controller itself.
● Related terms
- Kyverno (cloud-security): Kyverno is a CNCF Kubernetes policy engine that validates, mutates, and generates resources using policies written as native Kubernetes YAML rather than a new DSL.
- Kubernetes Admission Controller (cloud-security): An admission controller is a Kubernetes API server plugin that intercepts authenticated requests before persistence to validate, mutate, or reject objects against policy.
- Pod Security Standards (cloud-security): Pod Security Standards (PSS) are Kubernetes-defined security profiles, Privileged, Baseline, and Restricted, that codify safe pod configuration and replace the deprecated PodSecurityPolicy.
- Kubernetes Network Policy (cloud-security): Kubernetes NetworkPolicy is a namespaced resource that controls which pods can connect to which pods or external endpoints over IP, port, and protocol.
- Kata Containers (cloud-security): Kata Containers is an open-source runtime that wraps each container or Kubernetes pod in a lightweight virtual machine to provide hardware-level isolation between workloads.
- gVisor (cloud-security): gVisor is an open-source application kernel from Google that intercepts container system calls in user space, shrinking the host kernel attack surface exposed to untrusted workloads.