Learn vocabulary for policy-as-code in GitOps workflows, pull-request-based policy changes, policy drift, conftest, and policy library management.
What is the core principle of GitOps applied to policy-as-code?
GitOps for policy-as-code: policy definitions live in Git (OPA Rego files, Kyverno YAML, Sentinel policies). Changes require a PR → review → merge workflow — providing peer review, audit history, and rollback via git revert. A GitOps operator (Argo CD, Flux) syncs policies from Git to the cluster. Key vocabulary: 'desired state in Git,' 'reconciliation loop,' 'declarative policy,' 'drift = cluster state != Git state.'
What is 'pull-request-based policy change' workflow vocabulary?
PR-based policy workflow: developer opens PR to change a Rego policy → CI runs conftest tests against the policy → security team member reviews the logic change → compliance approves if it affects compliance-critical rules → PR merges → GitOps operator applies the new policy to clusters. This gives a full audit trail ('who approved this policy change and when?') — essential for SOC 2, ISO 27001 change management controls.
What is 'policy drift' in GitOps vocabulary?
Policy drift in GitOps: someone directly edits a Kyverno ClusterPolicy via kubectl or the cloud console without going through Git. The cluster now enforces a different policy than what Git declares. GitOps operators detect this mismatch (drift) and either alert or auto-reconcile. Key vocabulary: 'out-of-band change,' 'reconciliation,' 'self-healing GitOps,' 'drift detection.' Preventing drift is the key reason to enforce all changes through Git.
What is conftest in the policy-as-code workflow vocabulary?
conftest (Open Policy Agent ecosystem): run conftest test terraform-plan.json to evaluate a Terraform plan (exported as JSON) against Rego policies. Policies live in a policy/ directory. conftest pull fetches policies from OCI registries (policy libraries). Key vocabulary: 'policy bundle,' 'conftest verify' (test the tests), 'namespace' (Rego package), 'data' (policy input). Integrates into CI pipelines to block PRs that introduce non-compliant infrastructure changes.
What is a 'policy library' in policy-as-code vocabulary?
Policy libraries: instead of each team writing their own Rego rules for 'S3 buckets must be encrypted' or 'containers must not run as root,' a platform team maintains a policy library (OCI artifact, Git submodule, or Terraform module). Teams reference specific versions. Examples: Styra DAS policy library, Gatekeeper policy library (CNCF), AWS Security Hub controls. Key vocabulary: 'policy versioning,' 'policy inheritance,' 'policy registry,' 'breaking policy changes.'