Delivering policy securely
Version, test, and enforce guardrails.
Delivering policy safely means treating the policy repo like any critical codebase and wiring it into the systems it governs. The pipeline for the policies themselves: opa fmt --check and regal lint for style, opa check for compilation, opa test --coverage for correctness, then publish a signed bundle (or push to the Conftest/Gatekeeper distribution path). Policy that gates production must itself be reviewed, tested, and versioned.
policy-ci:script:- opa fmt --list policy/ && test -z "$(opa fmt --list policy/)" # formatted- regal lint policy/- opa check --strict policy/- opa test policy/ --coverage --threshold 90- opa build -b policy/ -o bundle.tar.gz --signing-key key.pem # signed bundle# publish bundle.tar.gz to the bundle server / OCI registry on merge
Enforce in the right place
The same policies then run at the enforcement points: Conftest in application CI (block bad config/IaC pre-merge), Gatekeeper at admission (block bad resources in-cluster), and the decision API for services. Defense in depth means the same rule can gate both the pipeline and the cluster — a public bucket is caught in the Terraform plan and, if it slips through, at the cloud. Version policies, roll out with dryrun/warn, and monitor decisions.