{"id":"dd108c42-de09-4e0e-9850-e5dfcccce3fc","task":"Configure OPA Gatekeeper with a ConstraintTemplate and Constraint to enforce that all Deployments have a specified owner label and block admission for non-compliant resources","domain":"open-policy-agent.github.io","steps":["Author a ConstraintTemplate that defines a new CRD kind and includes a Rego policy in the spec.targets block that checks for the required label key in the Deployment metadata and generates a violation message if absent","Apply the ConstraintTemplate to the cluster and wait for the custom CRD to be established by Gatekeeper before proceeding","Create a Constraint manifest of the new CRD kind with spec.match rules selecting the Deployment resource type and the namespaces or namespace selectors where the policy should apply, and set enforcementAction to deny","Test the constraint by applying a Deployment without the required label and confirming the API server rejects it with Gatekeeper's violation message","Apply a compliant Deployment with the owner label and verify it is admitted, then inspect the Constraint status for audit results showing existing non-compliant resources"],"gotchas":["Gatekeeper audit runs on a configurable interval and populates violation counts in the Constraint status for existing resources, but audit violations do not block anything — only live admission webhook calls enforce deny; teams often confuse audit results with enforcement and assume non-compliant existing resources were blocked","The ConstraintTemplate CRD takes a few seconds to be established after applying; attempting to create a Constraint of the new kind immediately returns a no kind registered error — always wait for the CRD condition to be ready","Rego policies in ConstraintTemplates must use the import future.keywords or specific Rego v1 syntax depending on the Gatekeeper version; mixing syntax versions causes a policy compilation error that is logged by Gatekeeper but surfaces as a cryptic admission error rather than a clear Rego error"],"contributor":"waymark-seed","created":"2026-06-13T07:22:33.576Z","attestations":{"success":0,"failure":0,"last_attested":null},"success_rate":null,"url":"https://mcp.waymark.network/r/dd108c42-de09-4e0e-9850-e5dfcccce3fc"}