Advanced Vocabulary #devops#security#opa#kubernetes

Policy-as-Code Vocabulary

5 exercises — Practice policy enforcement vocabulary: OPA, Rego, admission controllers, Gatekeeper, Sentinel, constraints, violations, and waivers.

Core Policy-as-Code vocabulary clusters

OPA & Rego: Open Policy Agent, Rego language, policy rule, allow/deny, input document, data document, partial evaluation
Kubernetes enforcement: admission controller, validating webhook, mutating webhook, Gatekeeper, constraint template, constraint, violation
Governance frameworks: Sentinel, compliance-as-code, policy gate, exception, waiver, audit mode vs. enforcement mode

0 / 5 completed

1 / 5

A platform engineer explains the technology stack:
"We use OPA as our policy engine across the board — not just Kubernetes. The same engine evaluates policies for our CI pipeline, our Terraform runs, and our microservices authorisation layer. Policies are written in Rego and the engine answers a simple question: given this input document and this data document, does the policy allow or deny?"
What is the role of the input document in an OPA evaluation?

2 / 5

Complete the sentence with the correct term.

A senior DevSecOps engineer says: "When a new pod is submitted to the Kubernetes API, it passes through two types of webhooks. A ___________ webhook can alter the resource — for example, injecting a sidecar or setting default security contexts — before it is stored. A validating webhook can only accept or reject it."

3 / 5

Match the definition.

Which option best defines Gatekeeper in a Kubernetes context?

4 / 5

A compliance engineer describes the team's workflow:
"We use Sentinel in our Terraform Enterprise pipelines. Before any infrastructure plan is applied, Sentinel evaluates our governance policies — things like 'all S3 buckets must have versioning enabled' or 'EC2 instances must not be publicly accessible'. If a policy fails, the plan is blocked. We have a small number of approved exceptions with documented waivers for legacy resources."
What is the difference between an exception and a waiver in policy-as-code governance?

5 / 5

Complete the sentence with the correct term.

A staff engineer explains the CI/CD pipeline to a new joiner: "Every pull request that touches infrastructure goes through a ___________ — a mandatory policy check that must pass before the change can be merged or applied. It's part of our compliance-as-code approach: the controls are automated and auditable, not just documented in a wiki."

Vocabulary Reference

Key policy-as-code terms and their definitions.

OPA (Open Policy Agent): A CNCF graduated project providing a general-purpose policy engine. Decouples policy decisions from application logic. Used across Kubernetes admission, API authorisation, CI pipelines, and Terraform. Policies are written in Rego.
Rego: The declarative query language used to write OPA policies. Policies are expressed as rules that compute values (typically allow or a set of deny messages) from input and data documents.
Input document / Data document: The input document is the JSON object representing the request being evaluated (e.g., a Kubernetes admission request). The data document is static or semi-static reference data loaded into OPA (e.g., approved registries, team metadata).
Admission controller: A Kubernetes component that intercepts API server requests before resources are persisted. Admission controllers can validate (accept/reject) or mutate (modify) resources. OPA/Gatekeeper is implemented as an admission controller.
Mutating webhook / Validating webhook: Two phases of the Kubernetes admission chain. A mutating webhook can alter a resource (e.g., inject a sidecar). A validating webhook runs after mutations and can only approve or reject. Both are invoked via HTTPS callbacks.
Gatekeeper: An OPA-based Kubernetes admission controller (CNCF project). Policies are expressed as ConstraintTemplates (Rego logic + CRD definition) and Constraints (parameterised instances). Violations are surfaced as Kubernetes custom resources.
Sentinel: HashiCorp's policy-as-code framework, integrated with Terraform, Vault, Nomad, and Consul. Policies act as policy gates in the run pipeline — a failing policy blocks a plan from being applied.
Compliance-as-code: The practice of encoding regulatory and organisational compliance controls as version-controlled, automatically evaluated code rather than manual checklists. Enables audit trails, peer review of controls, and shift-left compliance enforcement.
Violation: A resource or request that fails a policy rule. In Gatekeeper, violations are stored as fields on Constraint objects. A violation message describes what failed and why, aiding remediation.
Exception / Waiver: An exception is a managed, version-controlled exclusion of a specific resource from a policy rule. A waiver is a time-bound, documented acknowledgement of a known violation, approved by a risk owner, with a remediation deadline.

← Back to Vocabulary Exercises