Install Gatekeeper from the official Helm chart or the release manifest, then confirm the install is complete: the gatekeeper-controller-manager (webhook) and gatekeeper-audit pods in gatekeeper-system are Ready, and the ValidatingWebhookConfiguration exists, otherwise nothing you write in the next steps is enforced
Write a ConstraintTemplate whose spec.crd declares the constraint kind (e.g., K8sNoPrivilegedContainers; the template's metadata.name must be the lowercased kind) and whose target entry for admission.k8s.gatekeeper.sh carries Rego with a violation rule checking 'input.review.object.spec.containers[_].securityContext.privileged' (and initContainers, which are Pod containers too)
Apply the ConstraintTemplate and wait for the CRD it generates (named <lowercased kind>.constraints.gatekeeper.sh) to report the Established condition before applying the Constraint; applying the Constraint first fails with an unknown-kind error
Create a Constraint of the generated kind with spec.match restricting it by kinds (Pod here) and namespaces, and spec.enforcementAction set to 'deny' to reject at admission, 'warn' to admit with a warning, or 'dryrun' to admit silently and report only through audit
Apply a test Pod with privileged: true and verify the result: in deny mode the apply fails with the violation message; in dryrun mode the Pod is created and, after the next audit pass (every 60s by default), the violation appears in 'kubectl get k8snoprivilegedcontainers <name> -o yaml' under status.violations, with status.totalViolations giving the full count (the violations list is capped, 20 by default)
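The whole procedure as one script, added here as an example and not part of the original page or the Gatekeeper project: it renders the ConstraintTemplate, the Constraint and the test Pod, and only when invoked as 'apply' does it push them with kubectl, wait for the generated CRD and check the outcome. The Constraint name (no-privileged-containers), the 'default' namespace, the busybox image and the script name are assumptions for the demo; the Rego goes slightly beyond the page's rule by checking initContainers as well. In deny mode the check uses a server-side dry run, which passes through admission webhooks without persisting the Pod.

```shell
#!/bin/sh
# Added example (not from the page): ConstraintTemplate -> CRD -> Constraint -> test.
# Usage: ./gatekeeper-demo.sh apply [deny|dryrun|warn]   (names are assumptions)
set -eu

# The Rego MUST define 'violation'; this version also covers initContainers.
render_template() {
  cat <<'EOF'
apiVersion: templates.gatekeeper.sh/v1
kind: ConstraintTemplate
metadata:
  name: k8snoprivilegedcontainers
spec:
  crd:
    spec:
      names:
        kind: K8sNoPrivilegedContainers
  targets:
    - target: admission.k8s.gatekeeper.sh
      rego: |
        package k8snoprivilegedcontainers

        violation[{"msg": msg}] {
          c := input_containers[_]
          c.securityContext.privileged
          msg := sprintf("privileged container not allowed: %v", [c.name])
        }

        input_containers[c] { c := input.review.object.spec.containers[_] }
        input_containers[c] { c := input.review.object.spec.initContainers[_] }
EOF
}

# Constraint of the generated kind; $1 is the enforcementAction.
render_constraint() {
  action="${1:-deny}"
  case "$action" in
    deny|dryrun|warn) ;;
    *) echo "unknown enforcementAction: $action" >&2; return 1 ;;
  esac
  cat <<EOF
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sNoPrivilegedContainers
metadata:
  name: no-privileged-containers
spec:
  enforcementAction: $action
  match:
    kinds:
      - apiGroups: [""]
        kinds: ["Pod"]
    namespaces: ["default"]
EOF
}

# Constructed test Pod that must violate the policy.
render_test_pod() {
  cat <<'EOF'
apiVersion: v1
kind: Pod
metadata:
  name: privileged-test
  namespace: default
spec:
  containers:
    - name: shell
      image: busybox:1.36
      command: ["sleep", "3600"]
      securityContext:
        privileged: true
EOF
}

# Apply in order; the CRD must be Established before the Constraint exists.
apply_policy() {
  render_template | kubectl apply -f -
  kubectl wait --for=condition=established --timeout=60s \
    crd/k8snoprivilegedcontainers.constraints.gatekeeper.sh
  render_constraint "$1" | kubectl apply -f -
}

# Server-side dry run hits the webhook but never stores the Pod.
check_admission() {
  if render_test_pod | kubectl apply --dry-run=server -f - >/dev/null 2>&1; then
    echo "NOT BLOCKED: Pod admitted (dryrun/warn mode, or policy inactive)"; return 1
  fi
  echo "BLOCKED: privileged Pod rejected at admission"
}

# dryrun/warn admit the Pod; the audit controller (60s default) fills status.
check_audit() {
  render_test_pod | kubectl apply -f - >/dev/null
  sleep 70
  kubectl get k8snoprivilegedcontainers no-privileged-containers \
    -o jsonpath='totalViolations={.status.totalViolations}{"\n"}'
  kubectl delete pod privileged-test -n default --ignore-not-found >/dev/null
}

if [ "${1:-}" = "apply" ]; then
  mode="${2:-deny}"
  apply_policy "$mode"
  if [ "$mode" = "deny" ]; then check_admission; else check_audit; fi
fi
```

Run it once with 'apply deny' and once with 'apply dryrun' to see both verification paths; the exit status of the deny path is non-zero if the Pod was admitted, which is what you want from a CI smoke test of the policy.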
Known gotchas
ConstraintTemplates must define a 'violation' rule, not 'deny'; a template whose Rego only has a 'deny' rule never produces violations, and the mistake is easy to miss, so after applying a template check its status in 'kubectl get constrainttemplate <name> -o yaml' for ingestion errors and confirm the Constraint actually fires against a test resource before trusting it
Gatekeeper does not retroactively enforce on resources that already existed when the Constraint was created (or that were admitted in dryrun or warn mode); the admission webhook only sees new create and update requests, so those violations surface solely through the audit controller in the Constraint's status
The webhook's failurePolicy decides what an outage does: with 'Fail', every create and update the webhook matches (by default everything outside namespaces labelled admission.gatekeeper.sh/ignore) is rejected while Gatekeeper is down, including workloads your policies never target; with 'Ignore' (the default) the same outage admits everything unchecked, so policy is simply not enforced; either way run several webhook replicas with a PodDisruptionBudget and roll Gatekeeper upgrades so at least one replica stays Ready
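A check for the failure-policy gotcha, added here as an example rather than taken from the page or from Gatekeeper: it reads the failurePolicy of each Gatekeeper webhook and the number of Ready webhook replicas, and classifies the combination. The webhook configuration name, namespace and deployment name are Gatekeeper's defaults; the classification thresholds and the 'run' argument are this script's own assumptions.

```shell
#!/bin/sh
# Added example (not from the page): flag a fail-closed Gatekeeper webhook
# that has too few replicas to survive a rolling update or node loss.
set -eu

# Pure-shell classification so it can be exercised without a cluster.
# $1 = failurePolicy (Fail|Ignore), $2 = ready webhook replicas.
classify() {
  case "$1" in
    Fail)
      if [ "$2" -lt 2 ]; then echo "fail-closed-single-replica"
      else echo "fail-closed"; fi ;;
    Ignore) echo "fail-open" ;;
    *) echo "unknown"; return 1 ;;
  esac
}

# Query the live cluster; default object names from the Gatekeeper install.
audit_webhooks() {
  ready="$(kubectl -n gatekeeper-system get deploy gatekeeper-controller-manager \
    -o jsonpath='{.status.readyReplicas}')"
  ready="${ready:-0}"
  kubectl get validatingwebhookconfiguration \
    gatekeeper-validating-webhook-configuration \
    -o jsonpath='{range .webhooks[*]}{.name}{" "}{.failurePolicy}{"\n"}{end}' |
  while read -r name policy; do
    printf '%-42s %-7s ready=%s -> %s\n' \
      "$name" "$policy" "$ready" "$(classify "$policy" "$ready")"
  done
}

if [ "${1:-}" = "run" ]; then audit_webhooks; fi
```

A 'fail-closed-single-replica' line is the combination the gotcha warns about: the next Gatekeeper upgrade or node drain will reject admission cluster-wide until the replacement pod is Ready.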