finds.dev← search

// the find

open-policy-agent/gatekeeper

★ 4,236 · Go · Apache-2.0 · updated Jul 2026

🐊 Policy Controller for Kubernetes

Gatekeeper is OPA's Kubernetes-native admission controller — you define policy as Rego wrapped in CRDs (ConstraintTemplates), and Kubernetes enforces them as a validating/mutating webhook. It's the standard answer for teams that need policy-as-code on Kubernetes and don't want to manage a raw OPA sidecar.

The CRD-driven model is genuinely well-designed: policy authors write ConstraintTemplates once, operators instantiate Constraints with parameters, and RBAC controls who can do which. Audit mode lets you scan existing resources without blocking deployments — useful for introducing policies incrementally. The `gator` CLI brings policy evaluation local so you can test constraints in CI without a live cluster. External data support (providers) lets you validate against state outside the cluster, which the raw OPA sidecar model never handled cleanly.

Rego has a steep learning curve and the error messages when a policy fails to compile are genuinely cryptic — expect to spend time debugging indirection between ConstraintTemplate, Constraint, and the Rego source. Mutation support arrived late and is still more complex to reason about than validation; ordering and conflict resolution between mutators is not obvious from the docs. The per-pod status CRDs mean a busy cluster generates a lot of noise in etcd — there's no good built-in aggregation and you'll likely need Prometheus + dashboards before you understand what's actually being denied. Upgrades between minor versions have historically required CRD migrations, and the upgrade path through a running cluster is not as smooth as the install path.

View on GitHub → Homepage ↗

// want more like this?

We dig through GitHub every week and send a few repos picked for what you actually care about — each with an honest take like this one.

Get finds in your inbox → Search again →