opa-policies

# Skill: OPA Policies & Kyverno > **Expertise:** Gatekeeper ConstraintTemplates, Kyverno ClusterPolicies, validation + mutation + generation. ## When to load When writing admission policies, testing policy changes, or debugging policy-blocked deployments. ## Gatekeeper: ConstraintTemplate + Constraint ```yaml # 1. ConstraintTemplate — defines the policy logic in Rego apiVersion: templates.gatekeeper.sh/v1 kind: ConstraintTemplate metadata: name: k8srequirenonroot spec: crd: spec: names: { kind: K8sRequireNonRoot } targets: - target: admission.k8s.gatekeeper.sh rego: | package k8srequirenonroot violation[{"msg": msg}] { container := input.review.object.spec.containers[_] not container.securityContext.runAsNonRoot msg := sprintf("Container '%v' must set runAsNonRoot: true", [container.name]) } violation[{"msg": msg}] { container := input.review.object.spec.containers[_] container.securityContext.runAsUser == 0 msg := sprintf("Container '%v' must not run as UID 0", [container.name]) } --- # 2. Constraint — applies the template to specific resources/namespaces apiVersion: constraints.gatekeeper.sh/v1beta1 kind: K8sRequireNonRoot metadata: name: require-non-root-production spec: enforcementAction: deny # deny | warn | dryrun match: kinds: - apiGroups: [apps] kinds: [Deployment, StatefulSet, DaemonSet] namespaceS...