Skip to content


In this self-paced exercise, you will learn how to configure, deploy and test the "Managed OPA Gatekeeper Add-on" using cluster blueprints.

You will first create a "Policy" to ensure that

  • Container resource limits to requests does not surpass a specified ratio
  • Only container images from "authorized" repositories are allowed on clusters

You will then deploy this policy across all clusters in your organization. Finally, you will deploy a test workload to see how OPA Gatekeeper based policies can be used to detect and enforce compliance. Specifically, you will see what is the "experience" for the application developers and how a security team can centrally view/handle "policy violations" across all clusters in their organization.


Watch a video showcasing the administrative and developer experience from this exercise.



Open Policy Agent is a general-purpose policy engine that unifies policy enforcement across the stack. OPA provides a high-level declarative language that let’s you specify policy as code and simple APIs to offload policy decision-making from your software. You can use OPA to enforce policies in Kubernetes.


Gatekeeper provides a Kubernetes admission controller built around the OPA engine to integrate OPA and the Kubernetes API service. Although there are other methods to integrate OPA with kubernetes, Gatekeeper has the following capabilities making it more kubernetes native.

  • An extensible, parameterized policy library
  • Native Kubernetes CRDs for instantiating the policy library (aka "constraints")
  • Native Kubernetes CRDs for extending the policy library (aka "constraint templates")
  • Audit functionality


OPA policies are expressed in a high-level declarative language called Rego. Rego is purpose-built for expressing policies over complex hierarchical data structures.

What Will You Do by Part

Part What will you do?
1 Setup and Configuration
2 Create a custom OPA Gatekeeper policy
3 Apply a custom Blueprint with the OPA Gatekeeper Managed Add-on enabled
4 Deploy a Workload to test OPA Gatekeeper functionality


You have already provisioned or imported a Kubernetes cluster using the Rafay controller