Advanced · 6 topic areas · 88+ exercises

Policy-as-Code Engineer

Policy-as-code engineers translate organisational security and compliance requirements into machine-enforceable rules using tools like Open Policy Agent and Rego. Their work sits at the intersection of legal, security, and engineering, requiring English that is simultaneously precise enough for auditors and clear enough for developers who receive policy violation messages. This path covers the vocabulary and communication patterns for writing policies, documenting decisions, and presenting compliance automation findings.

Topics covered

  • OPA & Rego
  • Kubernetes admission controllers
  • Compliance automation
  • Policy design documentation
  • Violation messaging
  • Audit reporting

Vocabulary spotlight

4 terms every Policy-as-Code Engineer should know in English:

admission controller n.

A Kubernetes component that intercepts API requests and can enforce custom policies before resources are created or modified

"We use an admission controller to reject any deployment that does not specify resource limits."

allow list n.

An explicit set of permitted values or entities; anything not on the list is denied by default

"The policy uses an allow list of approved container registries to prevent the use of untrusted images."

policy bundle n.

A versioned, distributable package of OPA policies and data used to enforce rules consistently across environments

"We publish a policy bundle on every merge to main so all clusters receive the same compliance rules."

dry-run mode n.

An evaluation mode where policy violations are reported but not enforced, used to assess impact before enabling enforcement

"We ran the new network policy in dry-run mode for two weeks before switching to enforce."

📚 Vocabulary Reference

Key terms organised by category for Policy-as-Code Engineers:

OPA & Rego

  • OPA
  • Rego
  • policy bundle
  • rule
  • allow
  • deny
  • partial rule
  • virtual document
  • data document
  • query

Kubernetes Admission

  • admission controller
  • validating webhook
  • mutating webhook
  • Gatekeeper
  • Kyverno
  • constraint
  • constraint template
  • namespace selector
  • dry-run mode
  • enforce mode

Compliance & Governance

  • compliance framework
  • control
  • audit evidence
  • policy exception
  • risk acceptance
  • allow list
  • deny list
  • attestation
  • remediation
  • coverage

Security Policy

  • least privilege
  • zero trust
  • RBAC
  • network policy
  • pod security
  • image provenance
  • supply chain security
  • SBOM
  • signing
  • admission review

Recommended exercises

Real-world scenarios you'll practise

  • Writing a policy design document that explains the business rationale, enforcement scope, and violation remediation steps for a new Rego rule.
  • Presenting compliance automation coverage metrics to a security audit committee — translating policy-enforcement data into audit evidence.
  • Writing developer-facing violation messages that are clear, actionable, and not intimidating — so engineers fix issues without raising a support ticket.
  • Facilitating a policy exception review meeting: assessing risk, recording the decision, and setting an expiry date for the exception.

Recommended reading
