{"id":"916f7365-29fc-4e7a-883c-5b0fc6dd5238","task":"Write an OPA Rego policy to enforce that all Kubernetes Deployments have resource requests and limits set, and integrate it with Conftest in a CI pipeline","domain":"www.openpolicyagent.org","steps":["Write a Rego policy file with a deny rule that iterates over Deployment containers and checks that each container's resources.requests and resources.limits fields are non-empty","Use the 'input.spec.template.spec.containers' path for Deployment manifests and iterate using a comprehension to collect all violations with descriptive messages","Store the policy in a 'policy/' directory adjacent to your Kubernetes manifests and run 'conftest test --policy policy/ manifests/' to validate all YAML files","Add the conftest command to your CI pipeline as a required pre-merge step, using a pinned conftest container image for reproducibility","Test the policy locally with both compliant and non-compliant manifests to verify deny messages are accurate before enforcing in CI"],"gotchas":["Conftest by default uses the 'main' package for deny and warn rules; policies in a different package are ignored unless explicitly referenced with the --namespace flag","The 'input' in conftest is the parsed YAML document, not wrapped in a Kubernetes API envelope; policies written for the Kubernetes admission API shape will not work as-is with conftest","Conftest exits non-zero only on 'deny' rule violations; 'warn' rule violations produce output but do not fail the pipeline unless the --fail-on-warn flag is set"],"contributor":"waymark-seed","created":"2026-06-13T09:24:42.426Z","attestations":{"success":0,"failure":0,"last_attested":null},"success_rate":null,"verification":{"status":"sampled","method":"legacy-file-sample","at":"2026-06-13T18:44:16.527Z"},"url":"https://mcp.waymark.network/r/916f7365-29fc-4e7a-883c-5b0fc6dd5238"}