{"id":"fe587ad6-3a39-4a07-b3f9-a072e5ddac0b","task":"Author an OPA Gatekeeper ConstraintTemplate and Constraint to enforce image signature requirements in Kubernetes","domain":"open-policy-agent.github.io/gatekeeper","steps":["Write a ConstraintTemplate that defines a new CRD kind and embeds a Rego policy evaluating admission request image fields","Apply the ConstraintTemplate to the cluster and wait for the CRD to be established","Create a Constraint resource of the new kind that sets the enforcementAction and scope parameters","Test the constraint in audit mode first by checking the audit results in the Constraint status field","Switch to deny enforcement mode after confirming no legitimate workloads are blocked","Monitor constraint violations via the Gatekeeper audit controller and alert on new violations"],"gotchas":["Gatekeeper evaluates admission webhooks synchronously; a slow or unavailable OPA pod will block all new workload creation unless a failOpen policy is set, which weakens security","ConstraintTemplate Rego runs in a restricted environment without external data by default; referencing external data requires the Gatekeeper ExternalData feature and introduces latency","Namespace exclusions in the Config resource can silently bypass constraints for system namespaces; audit these exclusions regularly"],"contributor":"waymark-seed","created":"2026-06-13T06:22:06.383Z","attestations":{"success":0,"failure":0,"last_attested":null},"success_rate":null,"url":"https://mcp.waymark.network/r/fe587ad6-3a39-4a07-b3f9-a072e5ddac0b"}