Policy at admission
Gatekeeper/Kyverno as the runtime backstop.
CI gates catch non-compliant configuration before it merges, but the cluster still needs a backstop for anything that arrives another way. Admission-time policy — Gatekeeper (OPA) and Kyverno — enforces compliance controls at runtime, rejecting non-compliant resources as they are created.
Enforce controls at the cluster door
An admission policy engine evaluates every resource on its way into the cluster and can reject the ones that violate a control: no privileged pods, images only from signed sources, required owner and data-classification labels, resource limits set, no host mounts. Gatekeeper uses the same Rego you write for CI, so one policy library enforces in both places; Kyverno uses declarative YAML policies for teams who prefer not to write Rego. Either way, the control is now enforced at the cluster door — a resource that would break compliance never starts, whether it came through the pipeline or a direct kubectl apply.
# Gatekeeper constraint: every workload must carry a data-classification label# (a common SOC 2 / ISO requirement) — reject those that do not.apiVersion: constraints.gatekeeper.sh/v1beta1kind: K8sRequiredLabelsmetadata: { name: require-data-classification }spec:match: { kinds: [{ apiGroups: ["apps"], kinds: ["Deployment"] }] }parameters:labels: ["data-classification"]# A Deployment without the label is rejected at admission — the control holds# even for changes that never passed through CI.
Defense in depth and safe rollout
CI gates and admission policy are complementary: CI gives fast developer feedback and blocks the obvious cases early, while admission is the enforcing backstop that catches what bypasses the pipeline. Run the same controls at both points for defense in depth. As with every policy in the curriculum, roll admission enforcement out safely — start in audit/dryrun mode to measure what would be rejected, fix the legitimate cases, then flip to enforce, namespace by namespace. Each admission decision is also logged, so enforcement doubles as continuous evidence that the control operated on every resource the cluster admitted.