
Module 8: Policy-as-Code Security Slides

Slide walkthrough for Module 8 of Cloud Native Security Engineering: Securing Kubernetes, Workloads, APIs & Zero Trust Systems: OPA, Kyverno, Gatekeeper,...

This slide page is the visual review companion for the full course module. Use it to recap the architecture, examples, exercises, production warnings, and takeaways after reading the lesson.

Slide Outline

  1. Policy-as-Code Security - OPA, Kyverno, Gatekeeper, and admission controllers for automated security enforcement
  2. Learning Objectives - 4 outcomes for this module
  3. Why This Module Matters - Manual security reviews do not scale. With hundreds of deployments per day, you need automated policy enforcement that blocks misconfigurations at the admission layer
  4. OPA and Rego - Lesson section from the full module
  5. Kyverno - Lesson section from the full module
  6. Gatekeeper vs Kyverno - Lesson section from the full module
  7. Real-World Use Cases - Blocking privileged containers via admission control, Requiring resource limits on all deployments
  8. Common Mistakes to Avoid - 4 mistakes covered
  9. Hands-On Labs - 2 hands-on labs
  10. Key Takeaways - 5 points to remember

Learning Objectives

  • Write OPA Rego policies for Kubernetes security
  • Deploy Kyverno for declarative policy enforcement
  • Configure Gatekeeper admission controller
  • Automate compliance checks in CI/CD

Why This Module Matters

Manual security reviews do not scale. With hundreds of deployments per day, you need automated policy enforcement that blocks misconfigurations at the admission layer. Policy-as-code is the automation layer of cloud-native security.

Common Mistakes

  • Deploying policies in enforce mode (Kyverno Enforce, Gatekeeper deny) without first running them in audit mode (Kyverno Audit, Gatekeeper dryrun or warn) to see what they would have blocked
  • Writing overly broad policies that block legitimate workloads
  • Not versioning policies in Git alongside application code
  • Forgetting to exclude system namespaces (kube-system, plus the policy engine's own namespace) from restrictive policies, which can lock you out of the cluster's control plane and the policy engine itself

Key Takeaways

  • Policy-as-code automates security enforcement, so manual review is reserved for exceptions rather than every change
  • Admission controllers reject insecure configs at the API server, before they are persisted to the cluster
  • OPA Gatekeeper uses Rego (powerful, steep learning curve)
  • Kyverno uses YAML (Kubernetes-native, easier adoption)
  • Policies should be tested in CI/CD before deploying to production

Hands-On Labs

  1. Block Insecure Deployments with OPA Gatekeeper

    Deploy Gatekeeper and enforce container security policies.

    30 min - Intermediate

    • Install OPA Gatekeeper
    • Create ConstraintTemplate for privileged containers
    • Deploy a privileged pod — observe rejection
    • Deploy a compliant pod — observe success

    View lab files on GitHub

  2. Enforce Security with Kyverno

    Use Kyverno to require resource limits and block dangerous configurations.

    30 min - Beginner

    • Install Kyverno
    • Create policies: require limits, block latest tag, require labels
    • Test with compliant and non-compliant deployments
    • View policy reports

    View lab files on GitHub
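The following is an added example for Lab 2, written for this page rather than taken from the course's lab files: a single Kyverno ClusterPolicy with validate rules for the three checks the lab names (resource limits, no `latest` tag, required labels). The policy name, the required label keys, and the excluded namespaces are illustrative assumptions.

```yaml
# Added example (not the course lab files): Kyverno ClusterPolicy covering
# resource limits, image tags and required labels. Names are assumptions.
apiVersion: kyverno.io/v1
kind: ClusterPolicy
metadata:
  name: baseline-workload-checks
spec:
  # Audit first: violations land in PolicyReports without blocking anything.
  # Flip to Enforce once the reports show no legitimate workloads affected.
  validationFailureAction: Audit
  # Also scan resources that already exist, so the reports cover the
  # current state of the cluster, not only new admission requests.
  background: true
  rules:
    - name: require-resource-limits
      match:
        any:
          - resources:
              kinds: ["Pod"]
      exclude:
        any:
          - resources:
              namespaces: ["kube-system", "kyverno"]
      validate:
        message: "Every container must set CPU and memory limits."
        # A one-element list pattern is applied to every container.
        # "?*" means the key must exist with a non-empty value.
        pattern:
          spec:
            containers:
              - resources:
                  limits:
                    memory: "?*"
                    cpu: "?*"
    - name: require-image-tag
      match:
        any:
          - resources:
              kinds: ["Pod"]
      validate:
        message: "Images must carry an explicit tag (an untagged image means latest)."
        pattern:
          spec:
            containers:
              - image: "*:*"
    - name: disallow-latest-tag
      match:
        any:
          - resources:
              kinds: ["Pod"]
      validate:
        message: "The 'latest' tag is not allowed; pin a version."
        pattern:
          spec:
            containers:
              - image: "!*:latest"
    - name: require-owner-labels
      match:
        any:
          - resources:
              kinds: ["Deployment", "StatefulSet", "DaemonSet"]
      validate:
        message: "Workloads must carry 'app.kubernetes.io/name' and 'team' labels."
        pattern:
          metadata:
            labels:
              app.kubernetes.io/name: "?*"
              team: "?*"
```

Two points worth knowing before running the lab. First, the `latest` check needs both rules: `"!*:latest"` alone passes an untagged image such as `nginx`, because that string never contains `:latest`, so `require-image-tag` closes that gap. Second, rules that match `Pod` are automatically expanded by Kyverno to the Pod-controller kinds (Deployment, StatefulSet, and so on), so a Deployment with a `latest` image is rejected on `kubectl apply` rather than failing later at the ReplicaSet. After creating compliant and non-compliant Deployments, `kubectl get policyreport -A` shows the per-namespace results; the same policy can be checked in CI without a cluster using `kyverno apply <policy.yaml> --resource <manifest.yaml>` from the Kyverno CLI.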
