Write a ConstraintTemplate that defines a new CRD kind and embeds a Rego policy evaluating admission request image fields
Apply the ConstraintTemplate to the cluster and wait for the CRD to be established
Create a Constraint resource of the new kind that sets the enforcementAction and scope parameters
Test the constraint in audit mode first by checking the audit results in the Constraint status field
Switch to deny enforcement mode after confirming no legitimate workloads are blocked
Monitor constraint violations via the Gatekeeper audit controller and alert on new violations
Known gotchas
Gatekeeper's validating admission webhook is called synchronously by the API server; a slow or unavailable Gatekeeper webhook pod will block all new workload creation unless the webhook's failurePolicy is set to Ignore (fail open), which weakens security because requests are then admitted unchecked
ConstraintTemplate Rego runs in a restricted environment without external data by default; referencing external data requires the Gatekeeper ExternalData feature and introduces latency
Namespace exclusions in the Config resource can silently bypass constraints for system namespaces; audit these exclusions regularly
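As an added example of the exclusion gotcha above (not code from the original page), this Config shows the narrower form of a system-namespace exemption: the namespaces are excluded from the admission webhook only, so the audit controller still reports violations in them. The namespace list is an assumption.

```yaml
# Added example (not from the original page). Namespaces listed are assumed.
apiVersion: config.gatekeeper.sh/v1alpha1
kind: Config
metadata:
  name: config
  namespace: gatekeeper-system
spec:
  match:
    # Weak setting: processes: ["*"] would remove these namespaces from the
    # webhook, audit and sync alike, so violations there are never visible.
    # Narrower setting: skip the webhook only and keep audit visibility.
    - excludedNamespaces: ["kube-system", "gatekeeper-system"]
      processes: ["webhook"]
```

To audit the exclusions currently in force, list them with `kubectl get config config -n gatekeeper-system -o jsonpath='{.spec.match}'` and compare against the set you intended; the same review should cover the webhook's failure mode, visible with `kubectl get validatingwebhookconfiguration gatekeeper-validating-webhook-configuration -o jsonpath='{.webhooks[*].failurePolicy}'`, since an exclusion plus a fail-open webhook means those namespaces receive no enforcement at all.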