DevOps · 4 modules

OPA / Gatekeeper — Policy as Code

The CNCF policy engine that puts guardrails on Kubernetes and beyond. Learn the OPA engine and the Rego language, Gatekeeper’s ConstraintTemplates and Constraints, how it plugs into admission control and audit, and OPA for API authorization and Terraform — remembered with spaced repetition.

flashcards
48
flashcards
per day
~10 min
per day
level
Intermediate
level
modules
4
modules
About this topic

What is OPA / Gatekeeper?

Open Policy Agent (OPA) is a CNCF-graduated, general-purpose policy engine: it lets you decouple decisions — authorization, admission, configuration rules — from application code and express them as policy as code. Policies are written in Rego, a declarative language that evaluates an input document against loaded data and returns a decision — not just allow/deny, but any JSON result.

Gatekeeper adapts OPA for Kubernetes. Instead of wiring OPA and a webhook by hand, you define policy as native CRDs: a ConstraintTemplate carries the Rego and creates a new constraint kind, and a Constraint instantiates it with parameters and a scope. Gatekeeper enforces at admission (validating and mutating) and adds an audit mode that flags resources that already violate policy.

This track covers OPA and Rego basics, Gatekeeper’s constraint model, how it complements Kubernetes admission control, and OPA beyond the cluster — API authorization, Envoy, Terraform and Conftest. It uses spaced repetition so the concepts stick.

What you'll learn

4 modules, seed to bloom

Each module is a set of flashcards — 48 in total. Answer, review, and watch your knowledge grow from seed to full bloom.

OPA & Rego Basics

The policy engine, the Rego language, input and data, decisions, rules and how OPA is deployed

12 cards

Gatekeeper

OPA in Kubernetes — ConstraintTemplates, Constraints, audit, enforcement actions, sync and mutation

12 cards

Admission Control

How Gatekeeper hooks admission — validating vs mutating, audit, match scope, failure policy and VAP

12 cards

Beyond Kubernetes

OPA outside K8s — API/service authorization, Envoy, Terraform/Conftest, bundles, decision logs and policy-as-code

12 cards
Try before you plant

Sample questions

A taste of the real flashcards. Pick an answer, then reveal the explanation.

Sample · OPA / Gatekeeper — Policy as Code

What is the Open Policy Agent (OPA)?

  • AA general-purpose policy engine — evaluating rules to make decisions decoupled from application code
  • BA Kubernetes admission controller — compiled into the API server to validate every request
  • CA container runtime scanner — inspecting images for policy violations before they are deployed
  • DA secrets manager — storing and distributing credentials to applications that request them
Permalink & share
Sample · OPA / Gatekeeper — Policy as Code

What is a ConstraintTemplate in Gatekeeper?

  • AA reusable policy definition — the Rego plus a schema that creates a new Constraint CRD kind
  • BA configured policy instance — the object that says which namespaces a rule applies to
  • CA record of past violations — the audit report Gatekeeper writes after scanning the cluster
  • DA webhook configuration — the object that registers Gatekeeper with the Kubernetes API server
Permalink & share
Sample · OPA / Gatekeeper — Policy as Code

How does Gatekeeper complement Kubernetes' built-in admission controllers?

  • AIt enforces custom, org-specific policy as code — beyond the fixed behavior compiled into the API server
  • BIt replaces them entirely — once Gatekeeper is installed the built-in controllers are switched off
  • CIt duplicates them — Gatekeeper re-implements each built-in controller with identical behavior
  • DIt configures them — Gatekeeper tunes the parameters of the compiled-in controllers at runtime
Permalink & share
Sample · OPA / Gatekeeper — Policy as Code

What is Conftest?

  • AA tool to test configuration files against Rego policies — commonly run in CI pipelines
  • BA load-testing harness — measuring how many decisions per second an OPA server can serve
  • CA Kubernetes operator — deploying and reconciling OPA instances across a fleet of clusters
  • DA migration tool — converting legacy YAML policies into equivalent Rego automatically
Permalink & share
How Gnoseed works

Learn it once, keep it for good

1

Answer a question

Each card is one practical concept with multiple options. Pick what you think is right.

2

Get the full answer

See the correct option plus a clear explanation, and a link to deeper docs when one is available.

3

Review at the right time

A spaced-repetition engine (SM-2 or FSRS) resurfaces each card just before you would forget it.

Why learn this

Why policy as code is worth your time

Guardrails without touching app code

OPA externalizes decisions, so you change policy by updating rules — not by redeploying every service.

The standard for Kubernetes policy

Gatekeeper is the widely adopted way to enforce org-specific rules on a cluster — core skill for platform and security teams.

One engine, many layers

The same Rego skills apply to microservice authz, CI/CD, and Terraform — learn it once, use it everywhere.

Policy you can test and review

Rego is version-controlled and unit-tested like code, so policy changes get the same rigor as any other change.

FAQ

Common questions

What is the difference between OPA and Gatekeeper? +

OPA is the general-purpose policy engine and Rego is its language. Gatekeeper packages OPA for Kubernetes as native CRDs (ConstraintTemplates and Constraints) with an admission webhook and audit, so you manage cluster policy the Kubernetes way.

Do I need to know Kubernetes? +

Helpful but not required. The OPA and Rego basics stand on their own, and much of the value — API authorization, Terraform, Conftest — applies well outside Kubernetes.

How long does it take? +

About 10 minutes a day. Spaced repetition means short, frequent sessions beat long cramming, so the concepts stick.

Is it free? +

Yes, completely free. No registration or credit card is required, and all your progress is stored locally in your browser.

Ready to master policy as code?

Plant your first seed today. Ten minutes a day is all it takes to put real guardrails on your clusters.

Start learning free