enforce-policy-as-code

Implement declarative policy enforcement using OPA Gatekeeper or Kyverno for Kubernetes resource validation and mutation.

Expected: Policy engine pods running with multiple replicas. CRDs installed (ConstraintTemplate, Constraint for Gatekeeper; ClusterPolicy, Policy for Kyverno). Validating/mutating webhooks active. Audit controller running.

Expected: ConstraintTemplates/ClusterPolicies created successfully. Constraints show status "True" for enforcement. No errors in policy definitions. Webhook begins evaluating new resources against policies.

使用 OPA Gatekeeper 或 Kyverno 实施策略即代码实施，以根据组织策略验证和改变 Kubernetes 资源。涵盖约束模板、准入控制、审计模式、报告违规以及与 CI/CD 管道集成以进行左移策略验证。在执行资源配置标准、防止安全错误配置（例如特权容器）、确保部署前合规性、标准化命名约定或根据策略审核现有集群资源时使用。 来源：pjt222/development-guides。