Policy Platforms | Skills Pool
Policy Platforms This skill should be used when the user asks about "kubernetes policy", "gatekeeper", "constraint template", "terraform policy", "conftest", "terraform compliance", "docker policy", "dockerfile policy", "envoy authz", "envoy authorization", "service mesh policy", "cloud policy", "aws policy rego", "azure policy rego", "gcp policy rego", or mentions writing OPA policies for a specific platform. Provides platform-specific Rego patterns and input schemas.
fyrsmithlabs 0 星標 2026年4月8日
Platform-specific OPA/Rego patterns covering Kubernetes, Terraform, Docker, cloud providers, and service mesh. Each platform has unique input schemas and conventions.
Platform Input Source Policy Tool Key Package Kubernetes AdmissionReview Gatekeeper / OPA kubernetes.admissionTerraform Plan JSON Conftest / OPA terraform.analysisDocker Dockerfile AST Conftest main (Conftest convention)Envoy CheckRequest OPA-Envoy plugin envoy.authzAWS/Azure/GCP Terraform plan / CloudFormation Conftest / Regula / Terrascan Varies
Kubernetes (Gatekeeper)
npx skills add fyrsmithlabs/marketplace
作者 fyrsmithlabs
星標 0
更新時間 2026年4月8日
職業
Gatekeeper provides an AdmissionReview object:
{
"review": {
"object": { /* resource being created/updated */ },
"oldObject": { /* previous version on UPDATE */ },
"operation": "CREATE",
"userInfo": { "username": "admin", "groups": ["system:masters"] },
"namespace": "default"
},
"parameters": { /* constraint parameters */ }
}
ConstraintTemplate Pattern package k8srequiredlabels
import rego.v1
violation contains {"msg": msg, "details": {"missing_labels": missing}} if {
provided := {label | some label, _ in input.review.object.metadata.labels}
required := {label | some label in input.parameters.labels}
missing := required - provided
count(missing) > 0
msg := sprintf("missing required labels: %v", [missing])
}
Common K8s Policy Categories Category Examples Pod Security No privileged, runAsNonRoot, drop capabilities, read-only rootfs Resource Limits CPU/memory limits required, ratio constraints Image Policy Allowed registries, no latest tag, signed images Network NetworkPolicy required, no hostNetwork, port restrictions Labels/Annotations Required labels, label format validation RBAC No wildcard permissions, namespace isolation
Testing Gatekeeper Policies Locally # Install gator CLI
go install github.com/open-policy-agent/gatekeeper/v3/cmd/gator@latest
# Test constraint template
gator verify suite.yaml
# Verify against test resources
gator test -f constraint-template.yaml -f constraint.yaml -f test-resource.yaml
Terraform plan JSON (via terraform show -json tfplan):
{
"resource_changes": [
{
"address": "aws_s3_bucket.example",
"type": "aws_s3_bucket",
"provider_name": "registry.terraform.io/hashicorp/aws",
"change": {
"actions": ["create"],
"before": null,
"after": { /* planned state */ },
"after_unknown": { /* computed values */ }
}
}
],
"configuration": { /* HCL configuration tree */ },
"planned_values": { /* root_module with resources */ }
}
Conftest Policy Pattern package terraform.aws.s3
import rego.v1
deny contains msg if {
some rc in input.resource_changes
rc.type == "aws_s3_bucket"
"create" in rc.change.actions
not rc.change.after.server_side_encryption_configuration
msg := sprintf("S3 bucket '%s' must have encryption enabled", [rc.address])
}
deny contains msg if {
some rc in input.resource_changes
rc.type == "aws_s3_bucket"
rc.change.after.acl == "public-read"
msg := sprintf("S3 bucket '%s' must not be public", [rc.address])
}
Workflow # Generate plan JSON
terraform plan -out=tfplan
terraform show -json tfplan > tfplan.json
# Evaluate with Conftest
conftest test tfplan.json -p policy/terraform/
# Evaluate with OPA directly
opa eval -d policy/terraform/ -i tfplan.json "data.terraform.aws.s3.deny"
Category Examples Encryption S3 SSE, RDS encryption, EBS encryption Networking No public IPs, security group restrictions, VPC required IAM No wildcard actions, MFA required, role boundaries Tagging Required tags (env, team, cost-center) Compliance Logging enabled, backup configured, deletion protection
Docker
Conftest parses Dockerfiles into structured commands:
{
"Stages": [
{
"Name": "builder",
"From": {"Image": "golang", "Tag": "1.22"},
"Commands": [
{"Cmd": "run", "Value": ["apt-get install -y curl"]},
{"Cmd": "copy", "Value": [".", "/app"]},
{"Cmd": "user", "Value": ["nonroot"]}
]
}
]
}
Dockerfile Policy Pattern package docker.security
import rego.v1
deny contains msg if {
some stage in input.Stages
stage.From.Tag == "latest"
msg := sprintf("stage '%s' uses 'latest' tag - pin to specific version", [stage.Name])
}
deny contains msg if {
some stage in input.Stages
not _has_user(stage)
msg := sprintf("stage '%s' missing USER instruction - must not run as root", [stage.Name])
}
warn contains msg if {
some stage in input.Stages
some cmd in stage.Commands
cmd.Cmd == "add"
msg := "prefer COPY over ADD unless extracting archives"
}
_has_user(stage) if {
some cmd in stage.Commands
cmd.Cmd == "user"
}
Workflow conftest test Dockerfile -p policy/docker/
Envoy / Service Mesh
OPA-Envoy external authorization request:
{
"attributes": {
"request": {
"http": {
"method": "GET",
"path": "/api/v1/users",
"headers": {
"authorization": "Bearer eyJ..."
}
}
},
"source": {
"principal": "spiffe://cluster.local/ns/default/sa/frontend"
},
"destination": {
"principal": "spiffe://cluster.local/ns/default/sa/backend"
}
}
}
Envoy Authorization Pattern package envoy.authz
import rego.v1
default allow := false
allow if {
input.attributes.request.http.method == "GET"
glob.match("/api/v1/public/*", ["/"], input.attributes.request.http.path)
}
allow if {
input.attributes.request.http.method in {"GET", "POST"}
token := io.jwt.decode(bearer_token)
"admin" in token[1].roles
}
bearer_token := t if {
auth_header := input.attributes.request.http.headers.authorization
startswith(auth_header, "Bearer ")
t := substring(auth_header, 7, -1)
}
Cloud Provider Patterns
Common AWS resource types and their security properties:
Resource Security Properties aws_s3_bucketserver_side_encryption_configuration, acl, versioning, loggingaws_security_groupingress[].cidr_blocks (no 0.0.0.0/0 on sensitive ports)aws_rds_instancestorage_encrypted, backup_retention_period, deletion_protectionaws_iam_policyNo * in Action or Resource aws_cloudtrailenable_logging, is_multi_region_trail
Resource Security Properties azurerm_storage_accountenable_https_traffic_only, min_tls_version, network_rulesazurerm_key_vaultpurge_protection_enabled, soft_delete_retention_daysazurerm_sql_serveradministrator_login, minimum_tls_version
Resource Security Properties google_storage_bucketuniform_bucket_level_access, encryptiongoogle_compute_firewallsource_ranges (no 0.0.0.0/0)google_sql_database_instancesettings.ip_configuration.require_ssl
Common Mistakes -- DO NOT MAKE THESE These are the most frequent platform-specific errors. Check every policy against this table before finalizing.
Kubernetes / Gatekeeper WRONG CORRECT Why input.spec.containersinput.review.object.spec.containersGatekeeper wraps the resource under input.review.object deny contains msg ifviolation contains {"msg": msg} ifGatekeeper uses violation returning objects, not deny returning strings input.labelsinput.review.object.metadata.labelsLabels are nested under the full K8s object path Checking only containers Also check initContainers Init containers can also have security issues input.spec.template.spec.containers (for Deployments)Check input.review.object.spec.template.spec.containers Workload controllers nest pod spec under .spec.template.spec
WRONG CORRECT Why input.resourcesinput.resource_changesresources does not exist in plan JSON; use resource_changesinput.planned_values.resourcesinput.planned_values.root_module.resourcesMissing root_module intermediate key rc.after.bucketrc.change.after.bucketPlanned values are under rc.change.after, not rc.after Not checking rc.change.actions Filter by "create" in rc.change.actions Policies should only enforce on relevant actions (create/update)
Docker / Conftest WRONG CORRECT Why input.commandsinput.Stages[].Commands[]Docker AST nests commands under Stages; fields are PascalCase cmd == "ADD"cmd.Cmd == "add"Commands are objects with .Cmd field; command type values are lowercase input.frominput.Stages[].From.ImageBase image is nested under PascalCase From.Image per stage Lowercase field names PascalCase: Stages, Commands, Name, From, Cmd, Value Conftest Dockerfile parser uses PascalCase for all struct fields
Envoy WRONG CORRECT Why input.request.methodinput.attributes.request.http.methodEnvoy nests HTTP details under attributes.request.http input.headersinput.attributes.request.http.headersHeaders are deeply nested
Additional Resources
Reference Files
references/kubernetes-input.mdreferences/terraform-input.mdreferences/cloud-resources.md Kubernetes (Gatekeeper)