The CNCF policy engine that puts guardrails on Kubernetes and beyond. Learn the OPA engine and the Rego language, Gatekeeper’s ConstraintTemplates and Constraints, how it plugs into admission control and audit, and OPA for API authorization and Terraform — remembered with spaced repetition.
Open Policy Agent (OPA) is a CNCF-graduated, general-purpose policy engine: it lets you decouple decisions — authorization, admission, configuration rules — from application code and express them as policy as code. Policies are written in Rego, a declarative language that evaluates an input document against loaded data and returns a decision — not just allow/deny, but any JSON result.
Gatekeeper adapts OPA for Kubernetes. Instead of wiring OPA and a webhook by hand, you define policy as native CRDs: a ConstraintTemplate carries the Rego and creates a new constraint kind, and a Constraint instantiates it with parameters and a scope. Gatekeeper enforces at admission (validating and mutating) and adds an audit mode that flags resources that already violate policy.
This track covers OPA and Rego basics, Gatekeeper’s constraint model, how it complements Kubernetes admission control, and OPA beyond the cluster — API authorization, Envoy, Terraform and Conftest. It uses spaced repetition so the concepts stick.
Each module is a set of flashcards — 48 in total. Answer, review, and watch your knowledge grow from seed to full bloom.
The policy engine, the Rego language, input and data, decisions, rules and how OPA is deployed
12 cardsOPA in Kubernetes — ConstraintTemplates, Constraints, audit, enforcement actions, sync and mutation
12 cardsHow Gatekeeper hooks admission — validating vs mutating, audit, match scope, failure policy and VAP
12 cardsOPA outside K8s — API/service authorization, Envoy, Terraform/Conftest, bundles, decision logs and policy-as-code
12 cardsA taste of the real flashcards. Pick an answer, then reveal the explanation.
What is the Open Policy Agent (OPA)?
What is a ConstraintTemplate in Gatekeeper?
How does Gatekeeper complement Kubernetes' built-in admission controllers?
What is Conftest?
Each card is one practical concept with multiple options. Pick what you think is right.
See the correct option plus a clear explanation, and a link to deeper docs when one is available.
A spaced-repetition engine (SM-2 or FSRS) resurfaces each card just before you would forget it.
OPA externalizes decisions, so you change policy by updating rules — not by redeploying every service.
Gatekeeper is the widely adopted way to enforce org-specific rules on a cluster — core skill for platform and security teams.
The same Rego skills apply to microservice authz, CI/CD, and Terraform — learn it once, use it everywhere.
Rego is version-controlled and unit-tested like code, so policy changes get the same rigor as any other change.
OPA is the general-purpose policy engine and Rego is its language. Gatekeeper packages OPA for Kubernetes as native CRDs (ConstraintTemplates and Constraints) with an admission webhook and audit, so you manage cluster policy the Kubernetes way.
Helpful but not required. The OPA and Rego basics stand on their own, and much of the value — API authorization, Terraform, Conftest — applies well outside Kubernetes.
About 10 minutes a day. Spaced repetition means short, frequent sessions beat long cramming, so the concepts stick.
Yes, completely free. No registration or credit card is required, and all your progress is stored locally in your browser.
Plant your first seed today. Ten minutes a day is all it takes to put real guardrails on your clusters.