MCP HubMCP Hub
Retour aux compétences

enforce-policy-as-code

pjt222
Mis à jour Yesterday
3 vues
17
2
17
Voir sur GitHub
Métaai

À propos

Cette compétence met en œuvre l'application de politiques sous forme de code dans Kubernetes en utilisant OPA Gatekeeper ou Kyverno pour valider et modifier les ressources selon les politiques organisationnelles. Elle couvre le contrôle d'admission, le mode audit et l'intégration CI/CD pour une validation en amont (shift-left). Utilisez-la pour faire respecter les standards de configuration, prévenir les erreurs de configuration de sécurité et garantir la conformité avant le déploiement.

Installation rapide

Claude Code

Recommandé
Principal
npx skills add pjt222/agent-almanac -a claude-code
Commande PluginAlternatif
/plugin add https://github.com/pjt222/agent-almanac
Git CloneAlternatif
git clone https://github.com/pjt222/agent-almanac.git ~/.claude/skills/enforce-policy-as-code

Copiez et collez cette commande dans Claude Code pour installer cette compétence

Documentation

Enforce Policy as Code

Set declarative policy enforcement with OPA Gatekeeper or Kyverno for Kubernetes resource check and mutate.

When Use

  • Enforce org rules for resource config (labels, annotations, limits)
  • Block security mis-configs (privileged containers, host namespaces, bad images)
  • Ensure compliance rules met before resource deploy
  • Standard resource name and meta
  • Auto-fix through mutation policy
  • Audit existing cluster resources vs policy with no block
  • Wire policy check into CI/CD for shift-left

Inputs

  • Required: Kubernetes cluster with admin access
  • Required: Pick policy engine (OPA Gatekeeper or Kyverno)
  • Required: List of policies to enforce (security, compliance, ops)
  • Optional: Existing resources to audit
  • Optional: Exempt patterns for specific namespaces or resources
  • Optional: CI/CD config for pre-deploy check

Steps

See Extended Examples for full config files and templates.

Step 1: Install Policy Engine

Deploy OPA Gatekeeper or Kyverno as admission controller.

For OPA Gatekeeper:

# Install Gatekeeper using Helm
helm repo add gatekeeper https://open-policy-agent.github.io/gatekeeper/charts
helm repo update

# Install with audit enabled
helm install gatekeeper gatekeeper/gatekeeper \
  --namespace gatekeeper-system \
  --create-namespace \
  --set audit.replicas=2 \
  --set replicas=3 \
  --set validatingWebhookFailurePolicy=Fail \
  --set auditInterval=60

# Verify installation
kubectl get pods -n gatekeeper-system
kubectl get crd | grep gatekeeper

# Check webhook configuration
kubectl get validatingwebhookconfigurations gatekeeper-validating-webhook-configuration -o yaml

For Kyverno:

# Install Kyverno using Helm
helm repo add kyverno https://kyverno.github.io/kyverno/
helm repo update

# Install with HA setup
helm install kyverno kyverno/kyverno \
  --namespace kyverno \
  --create-namespace \
  --set replicaCount=3 \
  --set admissionController.replicas=3 \
  --set backgroundController.replicas=2 \
  --set cleanupController.replicas=2

# Verify installation
kubectl get pods -n kyverno
kubectl get crd | grep kyverno

# Check webhook configurations
kubectl get validatingwebhookconfigurations kyverno-resource-validating-webhook-cfg
kubectl get mutatingwebhookconfigurations kyverno-resource-mutating-webhook-cfg

Make namespace excludes:

# gatekeeper-config.yaml
apiVersion: config.gatekeeper.sh/v1alpha1
kind: Config
metadata:
  name: config
  namespace: gatekeeper-system
spec:
  match:
    - excludedNamespaces:
      - kube-system
      - kube-public
      - kube-node-lease
      - gatekeeper-system
      processes:
      - audit
      - webhook
  validation:
    traces:
      - user: system:serviceaccount:gatekeeper-system:gatekeeper-admin
        kind:
          group: ""
          version: v1
          kind: Namespace

Got: Policy engine pods running with many replicas. CRDs in (ConstraintTemplate, Constraint for Gatekeeper; ClusterPolicy, Policy for Kyverno). Validating/mutating webhooks on. Audit controller running.

If fail:

  • Check pod logs: kubectl logs -n gatekeeper-system -l app=gatekeeper --tail=50
  • Check webhook endpoints reach: kubectl get endpoints -n gatekeeper-system
  • Look for port clash or cert issue in webhook logs
  • Cluster needs enough resources (policy engines need ~500MB per replica)
  • Review RBAC: kubectl auth can-i create constrainttemplates --as=system:serviceaccount:gatekeeper-system:gatekeeper-admin

Step 2: Define Constraint Templates and Policies

Make reusable policy templates and specific constraints.

OPA Gatekeeper Constraint Template:

# required-labels-template.yaml
apiVersion: templates.gatekeeper.sh/v1
kind: ConstraintTemplate
metadata:
  name: k8srequiredlabels
  annotations:
# ... (see EXAMPLES.md for complete configuration)

Kyverno ClusterPolicy:

# kyverno-policies.yaml
apiVersion: kyverno.io/v1
kind: ClusterPolicy
metadata:
  name: require-labels
  annotations:
# ... (see EXAMPLES.md for complete configuration)

Apply policies:

# Apply Gatekeeper templates and constraints
kubectl apply -f required-labels-template.yaml

# Apply Kyverno policies
kubectl apply -f kyverno-policies.yaml

# Verify constraint/policy status
kubectl get constraints
kubectl get clusterpolicies

# Check for any policy errors
kubectl describe k8srequiredlabels require-app-labels
kubectl describe clusterpolicy require-labels

Got: ConstraintTemplates/ClusterPolicies made OK. Constraints show status "True" for enforce. No errors in policy definitions. Webhook start checking new resources vs policies.

If fail:

  • Check Rego syntax (Gatekeeper): use opa test local or check constraint status
  • Check policy YAML: kubectl apply --dry-run=client -f policy.yaml
  • Review constraint status: kubectl get constraint -o yaml | grep -A 10 status
  • Test with simple policy first, add more later
  • Check match rules (kinds, namespaces) right

Step 3: Test Policy Enforcement

Check policies block bad resources and allow good ones.

Make test manifests:

# test-non-compliant.yaml
apiVersion: apps/v1
kind: Deployment
metadata:
  name: test-no-labels
  namespace: production
# ... (see EXAMPLES.md for complete configuration)

Test policies:

# Attempt to create non-compliant resource (should fail)
kubectl apply -f test-non-compliant.yaml
# Expected: Error with policy violation message

# Create compliant resource (should succeed)
kubectl apply -f test-compliant.yaml
# Expected: deployment.apps/test-compliant created

# Test with dry-run for validation
kubectl apply -f test-non-compliant.yaml --dry-run=server
# Shows policy violations without actually creating resource

# Clean up
kubectl delete -f test-compliant.yaml

Test with policy reporting (Kyverno):

# Check policy reports
kubectl get policyreports -A
kubectl get clusterpolicyreports

# View detailed report
kubectl get policyreport -n production -o yaml

# Check policy rule results
kubectl get policyreport -n production -o jsonpath='{.items[0].results}' | jq .

Got: Bad resources blocked with clear violation msg. Good resources made OK. Policy reports show pass/fail. Dry-run check works no resource made.

If fail:

  • Check if policy in audit mode vs enforce: validationFailureAction: audit
  • Check webhook handling req: kubectl logs -n gatekeeper-system -l app=gatekeeper
  • Look for namespace excludes that exempt test namespace
  • Test webhook reach: kubectl run test --rm -it --image=busybox --restart=Never
  • Review webhook failure policy (Ignore vs Fail)

Step 4: Implement Mutation Policies

Set auto-fix through mutation.

Gatekeeper mutation:

# gatekeeper-mutations.yaml
apiVersion: mutations.gatekeeper.sh/v1beta1
kind: Assign
metadata:
  name: add-default-labels
spec:
# ... (see EXAMPLES.md for complete configuration)

Kyverno mutation policies:

# kyverno-mutations.yaml
apiVersion: kyverno.io/v1
kind: ClusterPolicy
metadata:
  name: add-default-labels
spec:
# ... (see EXAMPLES.md for complete configuration)

Apply and test mutations:

# Apply mutation policies
kubectl apply -f gatekeeper-mutations.yaml
# OR
kubectl apply -f kyverno-mutations.yaml

# Test mutation with a deployment
# ... (see EXAMPLES.md for complete configuration)

Got: Mutations auto add labels, resources, or change images. Deployed resources show mutated values. Mutations logged in policy engine logs. No errors during mutation.

If fail:

  • Check mutation webhook on: kubectl get mutatingwebhookconfiguration
  • Check mutation policy syntax: JSON paths and conditions
  • Review logs: kubectl logs -n kyverno deploy/kyverno-admission-controller
  • Test mutations not clash (many mutations on same field)
  • Make mutation happen before validation (order matters)

Step 5: Enable Audit Mode and Reporting

Set audit to spot violations in existing resources with no block.

Gatekeeper audit:

# Audit runs automatically based on auditInterval setting
# Check audit results
kubectl get constraints -o json | \
  jq '.items[] | {name: .metadata.name, violations: .status.totalViolations}'

# Get detailed violation information
# ... (see EXAMPLES.md for complete configuration)

Kyverno audit and reporting:

# Generate policy reports for existing resources
kubectl create job --from=cronjob/kyverno-cleanup-controller -n kyverno manual-report-gen

# View policy reports
kubectl get policyreport -A
kubectl get clusterpolicyreport
# ... (see EXAMPLES.md for complete configuration)

Make dashboard for policy compliance:

# prometheus-rules.yaml
apiVersion: monitoring.coreos.com/v1
kind: PrometheusRule
metadata:
  name: policy-alerts
  namespace: monitoring
# ... (see EXAMPLES.md for complete configuration)

Got: Audit spot violations in existing resources with no block on deploy. Policy reports made with pass/fail counts. Violations export for review. Metrics out for watch. Alerts fire on rising violations.

If fail:

  • Check audit controller running: kubectl get pods -n gatekeeper-system -l gatekeeper.sh/operation=audit
  • Check audit interval in install
  • Review audit logs for errors: kubectl logs -n gatekeeper-system -l gatekeeper.sh/operation=audit
  • RBAC perms must let read all resource types for audit
  • Check CRD status field filling: kubectl get constraint -o yaml | grep -A 20 status

Step 6: Integrate with CI/CD Pipeline

Add pre-deploy policy check for shift-left enforce.

CI/CD integration script:

#!/bin/bash
# validate-policies.sh

set -e

echo "=== Policy Validation for CI/CD ==="
# ... (see EXAMPLES.md for complete configuration)

GitHub Actions workflow:

# .github/workflows/policy-validation.yaml
name: Policy Validation

on:
  pull_request:
    paths:
# ... (see EXAMPLES.md for complete configuration)

Pre-commit hook:

#!/bin/bash
# .git/hooks/pre-commit

# Validate Kubernetes manifests against policies
if git diff --cached --name-only | grep -E 'manifests/.*\.yaml$'; then
  echo "Validating Kubernetes manifests against policies..."
# ... (see EXAMPLES.md for complete configuration)

Got: CI/CD pipeline check manifests before deploy. Policy violations fail pipeline with clear msg. Policy reports pinned to PR. Pre-commit hooks catch violations early. Devs know policy issues before cluster.

If fail:

  • Check CLI tools in PATH
  • Check kubeconfig creds good for fetching policies
  • Test policy check local first: kyverno apply policy.yaml --resource manifest.yaml
  • Policies synced from cluster must be full
  • Review policy CLI logs for specific check errors

Validation

  • Policy engine pods running with HA config
  • Validating and mutating webhooks on and reachable
  • Constraint templates and policies made with no errors
  • Bad resources blocked with clear violation msg
  • Good resources deploy OK
  • Mutation policies auto fix resources
  • Audit mode spots violations in existing resources
  • Policy reports made and open
  • Metrics out for policy compliance watch
  • CI/CD pipeline checks manifests pre-deploy
  • Pre-commit hooks stop policy violations
  • Namespace excludes set right

Pitfalls

  • Webhook Failure Policy: failurePolicy: Fail blocks all resources if webhook down. Use Ignore for low-risk policies, but know security impact. Test webhook up before enforce.

  • Too Strict Initial Policies: Start with enforce mode on strict policies break existing workloads. Begin with audit mode, review violations, talk with teams, then enforce step by step.

  • Missing Resource Specs: Policies must set API groups, versions, kinds right. Use kubectl api-resources to find exact values. Wildcards (*) easy but can cause speed issues.

  • Mutation Order: Mutations run before validations. Make mutations not clash and validations know mutated values. Test mutation+validation together.

  • Namespace Excludes: Exempt system namespaces needed, but watch not over-exempt. Review excludes often as policies grow.

  • Rego Complex (Gatekeeper): Complex Rego policies hard to debug. Start simple, test with opa test local, add logging with trace(), use gator for offline tests.

  • Speed Hit: Policy check adds lag to admission. Keep policies tight, use right match rules, watch webhook lag metrics.

  • Policy Clash: Many policies changing same field cause issues. Team up policies across teams, use policy libs for common patterns, test mixes.

  • Background Scan: Background audit scans full cluster. Can be heavy on big clusters. Tune audit interval by cluster size and policy count.

  • Version Compat: Policy CRD versions change. Gatekeeper v3 uses v1beta1 constraints, Kyverno v1.11 uses kyverno.io/v1. Check docs for your version.

See Also

  • manage-kubernetes-secrets - Secret check policies
  • security-audit-codebase - Complement security scan
  • deploy-to-kubernetes - App deploy with policy check
  • setup-service-mesh - Service mesh authz policies complement admission policies
  • configure-api-gateway - Gateway policies work with admission policies
  • implement-gitops-workflow - GitOps with policy check in pipeline

Dépôt GitHub

pjt222/agent-almanac
Chemin: i18n/caveman/skills/enforce-policy-as-code
0
agentsagentskillsai-assisted-developmentclaude-codeskillsteams

Compétences associées

content-collections

Méta

Cette compétence propose une configuration éprouvée en production pour Content Collections, un outil axé sur TypeScript qui transforme des fichiers Markdown/MDX en collections de données typées de manière sûre avec une validation Zod. Utilisez-la lors de la création de blogs, de sites de documentation ou d'applications Vite + React riches en contenu pour garantir la sécurité de typage et la validation automatique du contenu. Elle couvre tout, de la configuration du plugin Vite et de la compilation MDX à l'optimisation des déploiements et la validation des schémas.

Voir la compétence

polymarket

Méta

Cette compétence permet aux développeurs de créer des applications avec la plateforme de marchés prédictifs Polymarket, incluant l'intégration d'API pour le trading et les données de marché. Elle fournit également une diffusion de données en temps réel via WebSocket pour surveiller les transactions en direct et l'activité du marché. Utilisez-la pour mettre en œuvre des stratégies de trading ou pour créer des outils traitant les mises à jour de marché en direct.

Voir la compétence

creating-opencode-plugins

Méta

Cette compétence aide les développeurs à créer des plugins OpenCode qui s'interconnectent avec plus de 25 types d'événements tels que les commandes, les fichiers et les opérations LSP. Elle fournit la structure du plugin, les spécifications de l'API événementielle et les modèles d'implémentation pour les modules JavaScript/TypeScript. Utilisez-la lorsque vous avez besoin d'intercepter, de surveiller ou d'étendre le cycle de vie de l'assistant IA OpenCode avec une logique personnalisée pilotée par les événements.

Voir la compétence

sglang

Méta

SGLang est un framework de service LLM haute performance spécialisé dans la génération rapide et structurée pour les workflows JSON, regex et agentiques grâce à son cache de préfixe RadixAttention. Il offre une inférence nettement plus rapide, particulièrement pour les tâches avec des préfixes répétés, ce qui le rend idéal pour les sorties complexes et structurées ainsi que les conversations multi-tours. Choisissez SGLang plutôt que des alternatives comme vLLM lorsque vous avez besoin d'un décodage contraint ou que vous construisez des applications avec un partage étendu de préfixes.

Voir la compétence