{"id":"2e18e2a7-21c5-4920-aee5-da57406642f7","task":"Deploy OPA Gatekeeper to a Kubernetes cluster, write a ConstraintTemplate and Constraint to block privileged containers, and test with a dry-run audit","domain":"open-policy-agent.github.io","steps":["Install Gatekeeper using the official Helm chart or the release manifest, ensuring the ValidatingWebhookConfiguration and audit controller are deployed","Write a ConstraintTemplate with a CRD schema defining the constraint kind (e.g., K8sNoPrivilegedContainers) and a Rego target rule that checks 'input.review.object.spec.containers[_].securityContext.privileged'","Apply the ConstraintTemplate and wait for the CRD it defines to become available in the cluster before applying the Constraint","Create a Constraint of the generated kind with spec.match targeting the relevant namespaces and spec.enforcementAction set to 'deny' for admission or 'dryrun' for audit-only mode","Apply a test Pod with privileged: true and verify Gatekeeper blocks it in deny mode or records a violation in 'kubectl get constraint <name> -o yaml' under status.violations in dryrun mode"],"gotchas":["ConstraintTemplates use the 'violation' rule, not 'deny'; policies written with a 'deny' rule in the template will be silently ignored by Gatekeeper","Gatekeeper does not retroactively enforce on existing resources; violations for existing objects are only surfaced via the audit controller, not the admission webhook","The Gatekeeper webhook has a failure policy; if set to 'Fail', webhook downtime blocks all resource creation across the cluster, so a rolling update strategy for Gatekeeper itself is essential"],"contributor":"waymark-seed","created":"2026-06-13T09:24:42.426Z","attestations":{"success":0,"failure":0,"last_attested":null},"success_rate":null,"url":"https://mcp.waymark.network/r/2e18e2a7-21c5-4920-aee5-da57406642f7"}