Install OPA Gatekeeper into the cluster with the official Helm chart or the release manifest; confirm that the gatekeeper-system namespace, the controller-manager and audit pods, and the ValidatingWebhookConfiguration were created.
Write a ConstraintTemplate that defines a new constraint kind (e.g., RequiredAnnotation) with a Rego rule in spec.targets[].rego; the rule reads the object under review from input.review.object (and the Constraint's spec.parameters from input.parameters) and emits a violation when the annotation is missing.
Apply the ConstraintTemplate with kubectl apply, then wait for the CRD it generates (<lowercased kind>.constraints.gatekeeper.sh) to reach the Established condition before applying any Constraint.
Write a Constraint manifest of the new kind, setting spec.enforcementAction to deny, dryrun or warn and listing the API groups and kinds to match under spec.match.kinds (namespaces, excludedNamespaces and labelSelector are also available for scoping).
Apply the Constraint and test it by creating a non-compliant Deployment; the API server should reject it with the message produced by the violation rule (a warn constraint admits the object and returns the message as an admission warning instead).
Audit runs on its own schedule (default --audit-interval is 60s) rather than on demand: it scans resources that already exist and records offenders in the Constraint's status.violations (capped by --constraint-violations-limit, default 20), with status.totalViolations giving the full count. Audit only reports; it never blocks, mutates or disturbs running workloads.
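The six steps above as one script, added here as an example and not taken from the Gatekeeper project. The template, Constraint and test Deployment are emitted by functions so the manifests can be reviewed (`./gk-required-annotation.sh`) before anything is applied (`./gk-required-annotation.sh apply`). The kind RequiredAnnotation, the constraint name, the required annotation key `owner`, the namespace `gk-demo` and the Deployment names are assumptions chosen for this example.

```shell
#!/bin/sh
# Added example (not Gatekeeper's own code): the six steps above as one script.
#   ./gk-required-annotation.sh        # print the manifests for review
#   ./gk-required-annotation.sh apply  # run steps 2-6 against the current kubeconfig context
# Assumed names: template/kind/constraint names, the "owner" annotation key, the gk-demo namespace.
set -eu

TEMPLATE_NAME=requiredannotation        # must equal the lowercased Constraint kind
CONSTRAINT_KIND=RequiredAnnotation
CONSTRAINT_NAME=deployments-must-declare-owner
REQUIRED_ANNOTATION=owner
TEST_NS=gk-demo

# Step 2: ConstraintTemplate. The Rego (v0 syntax, which the rego: field expects) reads the
# object under review from input.review.object and the Constraint's spec.parameters from
# input.parameters, and emits one violation per required key that is absent.
template_manifest() {
  cat <<EOF
apiVersion: templates.gatekeeper.sh/v1
kind: ConstraintTemplate
metadata:
  name: ${TEMPLATE_NAME}
spec:
  crd:
    spec:
      names:
        kind: ${CONSTRAINT_KIND}
      validation:
        openAPIV3Schema:
          type: object
          properties:
            annotations:
              type: array
              items: {type: string}
  targets:
    - target: admission.k8s.gatekeeper.sh
      rego: |
        package ${TEMPLATE_NAME}

        violation[{"msg": msg}] {
          key := input.parameters.annotations[_]
          not input.review.object.metadata.annotations[key]
          msg := sprintf("%v/%v is missing required annotation %q", [input.review.kind.kind, input.review.object.metadata.name, key])
        }
EOF
}

# Step 4: a Constraint of the new kind. The first argument selects the enforcementAction
# (dryrun records violations without blocking; deny rejects at admission).
constraint_manifest() {
  cat <<EOF
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: ${CONSTRAINT_KIND}
metadata:
  name: ${CONSTRAINT_NAME}
spec:
  enforcementAction: ${1:-dryrun}
  match:
    kinds:
      - apiGroups: ["apps"]
        kinds: ["Deployment"]
  parameters:
    annotations: ["${REQUIRED_ANNOTATION}"]
EOF
}

# Step 5: a Deployment with no annotations at all; its name is the first argument.
noncompliant_deployment() {
  cat <<EOF
apiVersion: apps/v1
kind: Deployment
metadata:
  name: ${1}
  namespace: ${TEST_NS}
spec:
  replicas: 0
  selector: {matchLabels: {app: ${1}}}
  template:
    metadata: {labels: {app: ${1}}}
    spec:
      containers:
        - {name: pause, image: registry.k8s.io/pause:3.9}
EOF
}

apply_and_test() {
  kubectl create namespace "${TEST_NS}" --dry-run=client -o yaml | kubectl apply -f -
  # A non-compliant Deployment that predates the policy: audit, not admission, must find it.
  noncompliant_deployment legacy-no-owner | kubectl apply -f -

  # Step 3: apply the template and wait for the generated CRD before applying the Constraint.
  template_manifest | kubectl apply -f -
  kubectl wait --for=condition=Established --timeout=60s \
    "crd/${TEMPLATE_NAME}.constraints.gatekeeper.sh"

  # Step 6: dryrun first, then read what audit recorded (default --audit-interval is 60s).
  constraint_manifest dryrun | kubectl apply -f -
  sleep 70
  kubectl get "${CONSTRAINT_KIND}" "${CONSTRAINT_NAME}" -o jsonpath='{.status.violations}{"\n"}'

  # Step 5: switch to deny; a new non-compliant Deployment must now be rejected by the webhook,
  # and the denial message from the Rego rule is printed on stderr by kubectl.
  constraint_manifest deny | kubectl apply -f -
  sleep 5   # give the webhook a moment to pick up the changed enforcement action
  if noncompliant_deployment new-no-owner | kubectl apply -f -; then
    printf 'FAIL: Deployment without the %s annotation was admitted\n' "${REQUIRED_ANNOTATION}" >&2
    return 1
  fi
  printf 'OK: admission denied; audit listed the pre-existing violation above\n'
}

case "${1:-}" in
  apply) apply_and_test ;;
  *) template_manifest; printf -- '---\n'; constraint_manifest; printf -- '---\n'; noncompliant_deployment example ;;
esac
```

The apply path deliberately starts in dryrun and reads the audit result before flipping the same Constraint to deny, so the rollout order matches what a production change should look like; the 70-second sleep simply outlasts the default audit interval and can be replaced by polling status.auditTimestamp.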
Known gotchas
The ConstraintTemplate CRD must be fully established before the Constraint referencing it is applied; apply them sequentially and add a readiness check in CI.
The Gatekeeper Helm chart registers its ValidatingWebhookConfiguration with failurePolicy Ignore, which is fail-open: if the webhook pod is down or times out, the API server admits the request without evaluating any policy. Switch to Fail (fail-closed, e.g. the chart value validatingWebhookFailurePolicy=Fail) in production only after the constraints have run in dryrun and audit shows no unexpected violations, and keep Gatekeeper itself highly available, because with Fail a webhook outage blocks every matched create and update.
Gatekeeper disables the OPA builtins it considers unsafe inside ConstraintTemplates, so http.send and similar network or runtime builtins are rejected when the template is loaded; a policy can only reason over the admission review, the Constraint's parameters and cluster data synced into data.inventory via the Gatekeeper Config resource.