// the find
open-policy-agent/gatekeeper
🐊 Policy Controller for Kubernetes
Gatekeeper is OPA's Kubernetes-native admission controller — you define policy as Rego wrapped in CRDs (ConstraintTemplates), and Kubernetes enforces them as a validating/mutating webhook. It's the standard answer for teams that need policy-as-code on Kubernetes and don't want to manage a raw OPA sidecar.
The CRD-driven model is genuinely well-designed: policy authors write ConstraintTemplates once, operators instantiate Constraints with parameters, and RBAC controls who can do which. Audit mode lets you scan existing resources without blocking deployments — useful for introducing policies incrementally. The `gator` CLI brings policy evaluation local so you can test constraints in CI without a live cluster. External data support (providers) lets you validate against state outside the cluster, which the raw OPA sidecar model never handled cleanly.
Rego has a steep learning curve and the error messages when a policy fails to compile are genuinely cryptic — expect to spend time debugging indirection between ConstraintTemplate, Constraint, and the Rego source. Mutation support arrived late and is still more complex to reason about than validation; ordering and conflict resolution between mutators is not obvious from the docs. The per-pod status CRDs mean a busy cluster generates a lot of noise in etcd — there's no good built-in aggregation and you'll likely need Prometheus + dashboards before you understand what's actually being denied. Upgrades between minor versions have historically required CRD migrations, and the upgrade path through a running cluster is not as smooth as the install path.