Skip to content

Part 3: Test

This is Part 3 of a multi-part, self-paced quick start exercise.

What Will You Do

In part 3, you will create and attempt to publish a workload on the cluster that will violate the OPA contraints that are currently enforced by OPA Gatekeeper on the cluster.

Step 1: Create Namespace

In this step, we will create a namespace for our workload.

  • Navigate to Infrastructure -> Namespaces
  • Click "New Namespace"
  • Enter a name for the namespace
  • Select "Wizard" for the type
  • Click "Save"

New Namespace

  • Click "Save & Go To Placement"
  • Select the cluster with the OPA Gatekeeper blueprint
  • Click "Save & Go to Publish"
  • Click "Publish"

Published Namespace

  • Click "Exit"

Step 2: Create Workload

In this step, we will create a test workload in order to test the OPA constraints in the OPA policy running on the cluster.

  • Navigate to Applications -> Workloads
  • Click on your NGINX workload
  • Click "New Workload" -> "Create New Workload"
  • Enter a name for the workload
  • Select "K8s YAML" for the package type
  • Click "Continue"

New Workload

  • Save the below workload YAML file to your machine
apiVersion: v1
kind: Pod
  name: opa-disallowed
    owner: me.agilebank.demo
    - name: opa
      image: openpolicyagent/opa:0.9.2
        - "run"
        - "--server"
        - "--addr=localhost:8080"
          cpu: "100m"
          memory: "2Gi"
  • In the console, Click "Choose File"
  • Select the workload YAML file that was previously saved
  • Click "Save and Go to Placement"

New Workload

  • Select the cluster with the OPA Gatekeeper blueprint
  • Click "Save & Go to Publish"
  • Click "Publish"

Publish Workload

The workload is now attempting to be published on the cluster. OPA Gatekeeper is acting as the admission controller, validating the workload specification against the applied OPA constraints. The workload should be denied by the admission controller as it violates the applied OPA contraints.


Our workload has defined "resource limits" over the allowed limit and therefore should be blocked on the cluster.

Failed Workload


In this part, you created a workload and attempted to publish it to the cluster. You saw that the workload could not be published as it violated a constraint.

You are now ready to use any of the turnkey OPA policies provided in this guide within your environment.