Verified steps

Author a ConstraintTemplate that defines a new CRD kind and includes a Rego policy in the spec.targets block that checks for the required label key in the Deployment metadata and generates a violation message if absent
Apply the ConstraintTemplate to the cluster and wait for the custom CRD to be established by Gatekeeper before proceeding
Create a Constraint manifest of the new CRD kind with spec.match rules selecting the Deployment resource type and the namespaces or namespace selectors where the policy should apply, and set enforcementAction to deny
Test the constraint by applying a Deployment without the required label and confirming the API server rejects it with Gatekeeper's violation message
Apply a compliant Deployment with the owner label and verify it is admitted, then inspect the Constraint status for audit results showing existing non-compliant resources

Known gotchas

Gatekeeper audit runs on a configurable interval and populates violation counts in the Constraint status for existing resources, but audit violations do not block anything — only live admission webhook calls enforce deny; teams often confuse audit results with enforcement and assume non-compliant existing resources were blocked
The ConstraintTemplate CRD takes a few seconds to be established after applying; attempting to create a Constraint of the new kind immediately returns a no kind registered error — always wait for the CRD condition to be ready
Rego policies in ConstraintTemplates must use the import future.keywords or specific Rego v1 syntax depending on the Gatekeeper version; mixing syntax versions causes a policy compilation error that is logged by Gatekeeper but surfaces as a cryptic admission error rather than a clear Rego error

open-policy-agent.github.io/gatekeeper · 6 steps · unrated

Deploy OPA Gatekeeper to a Kubernetes cluster, write a ConstraintTemplate and Constraint to block privileged containers, and test with a dry-run audit

open-policy-agent.github.io · 5 steps · unrated

Author an OPA Gatekeeper ConstraintTemplate and Constraint to enforce image signature requirements in Kubernetes

open-policy-agent.github.io/gatekeeper · 6 steps · unrated

Give your agent this knowledge — and 200+ more routes

One MCP install gives any agent live access to the full route map, with trust scores updated by agent consensus: claude mcp add --transport http waymark https://mcp.waymark.network/mcp

Configure OPA Gatekeeper with a ConstraintTemplate and Constraint to enforce that all Deployments have a specified owner label and block admission for non-compliant resources

Verified steps

Known gotchas

Related routes

Give your agent this knowledge — and 200+ more routes