enforce-policy-as-code
Enforces policy-as-code in Kubernetes using OPA Gatekeeper or Kyverno to ensure compliance and prevent security misconfigurations.
Security score
The enforce-policy-as-code skill was audited on Mar 3, 2026 and we found 20 security issues across 2 threat categories. All 18 findings in the first category are references to Kubernetes admission webhooks, the ValidatingWebhookConfiguration and MutatingWebhookConfiguration objects through which Gatekeeper and Kyverno evaluate resources; the 2 findings in the second category are the Helm chart repository URLs for Gatekeeper and Kyverno. Review the findings below before installing.
Categories Tested
- Webhook reference - potential data exfiltration (18 findings)
- External URL reference (2 findings)
Security Issues
Webhook reference - potential data exfiltration (18 findings)

| Line | Snippet |
|---|---|
| 66 | --set validatingWebhookFailurePolicy=Fail \ |
| 73 | # Check webhook configuration |
| 74 | kubectl get validatingwebhookconfigurations gatekeeper-validating-webhook-configuration -o yaml |
| 96 | # Check webhook configurations |
| 97 | kubectl get validatingwebhookconfigurations kyverno-resource-validating-webhook-cfg |
| 98 | kubectl get mutatingwebhookconfigurations kyverno-resource-mutating-webhook-cfg |
| 118 | - webhook |
| 128 | **Expected:** Policy engine pods running with multiple replicas. CRDs installed (ConstraintTemplate, Constraint for Gatekeeper; ClusterPolicy, Policy for Kyverno). Validating/mutating webhooks active. |
| 132 | - Verify webhook endpoints reachable: `kubectl get endpoints -n gatekeeper-system` |
| 133 | - Check for port conflicts or certificate issues in webhook logs |
| 180 | **Expected:** ConstraintTemplates/ClusterPolicies created successfully. Constraints show status "True" for enforcement. No errors in policy definitions. Webhook begins evaluating new resources against |
| 239 | - Verify webhook is processing requests: `kubectl logs -n gatekeeper-system -l app=gatekeeper` |
| 241 | - Test webhook connectivity: `kubectl run test --rm -it --image=busybox --restart=Never` |
| 242 | - Review webhook failure policy (Ignore vs Fail) |
| 284 | - Check mutation webhook is enabled: `kubectl get mutatingwebhookconfiguration` |
| 385 | - [ ] Validating and mutating webhooks active and reachable |
| 399 | - **Webhook Failure Policy**: `failurePolicy: Fail` blocks all resources if webhook unavailable. Use `Ignore` for non-critical policies, but understand security implications. Test webhook availability |
| 411 | - **Performance Impact**: Policy evaluation adds latency to admission. Keep policies efficient, use appropriate matching criteria, monitor webhook latency metrics. |

External URL reference (2 findings)

| Line | Snippet |
|---|---|
| 57 | helm repo add gatekeeper https://open-policy-agent.github.io/gatekeeper/charts |
| 80 | helm repo add kyverno https://kyverno.github.io/kyverno/ |
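The flagged snippets at lines 242 and 399 tell the operator to review the webhook failure policy but leave the check manual. The following is an added example, not part of the skill or of Gatekeeper's or Kyverno's own code: a Python checker that takes the JSON output of the `kubectl get validatingwebhookconfigurations` / `mutatingwebhookconfigurations` commands quoted in the findings and reports the settings that let a policy engine fail open. The embedded sample configurations are constructed, with hypothetical webhook names; they are not the real Gatekeeper or Kyverno objects.

```python
"""Audit admission webhook configurations for settings that weaken enforcement.

Added example (not part of the enforce-policy-as-code skill). Reads the JSON
printed by
  kubectl get validatingwebhookconfigurations,mutatingwebhookconfigurations -o json
and reports webhooks that fail open, can be opted out of by label, or do not
cover UPDATE.
"""
import json
import sys
from dataclasses import dataclass


@dataclass
class Finding:
    config: str   # metadata.name of the webhook configuration
    webhook: str  # webhooks[].name
    code: str     # short machine-readable identifier
    message: str


def _exemption_labels(selector: dict) -> list[str]:
    """Label keys whose absence the selector requires. Any namespace carrying
    such a label is skipped by the webhook, so the label is an opt-out switch."""
    return [
        expr["key"]
        for expr in selector.get("matchExpressions", [])
        if expr.get("operator") == "DoesNotExist"
    ]


def audit_config(cfg: dict) -> list[Finding]:
    """Check one ValidatingWebhookConfiguration or MutatingWebhookConfiguration."""
    name = cfg["metadata"]["name"]
    findings: list[Finding] = []
    for wh in cfg.get("webhooks", []):
        wname = wh["name"]
        # 1. failurePolicy: Ignore admits the request when the webhook is down or
        #    times out, so enforcement silently disappears under load or attack.
        #    admissionregistration.k8s.io/v1 defaults to Fail when the field is absent.
        policy = wh.get("failurePolicy", "Fail")
        if policy != "Fail":
            findings.append(Finding(name, wname, "fail-open",
                f"failurePolicy is {policy}; requests are admitted when the webhook is unavailable"))
        # 2. A namespaceSelector that excludes namespaces by label lets anyone who
        #    can label a namespace exempt it from policy.
        for key in _exemption_labels(wh.get("namespaceSelector", {})):
            findings.append(Finding(name, wname, "label-exemption",
                f"namespaces labelled {key} bypass this webhook"))
        # 3. Rules that match CREATE but not UPDATE leave edits unguarded: an
        #    object admitted earlier can be changed into a non-compliant state.
        for rule in wh.get("rules", []):
            ops = set(rule.get("operations", []))
            if "*" not in ops and not {"CREATE", "UPDATE"} <= ops:
                resources = ",".join(rule.get("resources", []))
                findings.append(Finding(name, wname, "update-not-covered",
                    f"rule for {resources} matches {','.join(sorted(ops))} only"))
    return findings


def audit(doc: dict) -> list[Finding]:
    """Accept a single configuration or the `kind: List` that kubectl emits."""
    items = doc["items"] if doc.get("kind") == "List" else [doc]
    return [f for item in items for f in audit_config(item)]


# Constructed sample input with hypothetical names (not the real Gatekeeper or
# Kyverno configurations). The weak one trips all three checks.
SAMPLE_WEAK = {
    "apiVersion": "admissionregistration.k8s.io/v1",
    "kind": "ValidatingWebhookConfiguration",
    "metadata": {"name": "example-validating-webhook"},
    "webhooks": [{
        "name": "validation.example.local",
        "failurePolicy": "Ignore",
        "namespaceSelector": {"matchExpressions": [
            {"key": "admission.example.local/ignore", "operator": "DoesNotExist"}]},
        "rules": [{"apiGroups": ["apps"], "apiVersions": ["v1"],
                   "operations": ["CREATE"], "resources": ["deployments"]}],
    }],
}

SAMPLE_HARDENED = {
    "apiVersion": "admissionregistration.k8s.io/v1",
    "kind": "ValidatingWebhookConfiguration",
    "metadata": {"name": "example-validating-webhook"},
    "webhooks": [{
        "name": "validation.example.local",
        "failurePolicy": "Fail",
        "namespaceSelector": {},
        "rules": [{"apiGroups": ["apps"], "apiVersions": ["v1"],
                   "operations": ["CREATE", "UPDATE"], "resources": ["deployments"]}],
    }],
}

if __name__ == "__main__":
    # Pipe kubectl output in; with no stdin, audit the constructed weak sample.
    doc = SAMPLE_WEAK if sys.stdin.isatty() else json.load(sys.stdin)
    results = audit(doc)
    for f in results:
        print(f"{f.config}/{f.webhook}: [{f.code}] {f.message}")
    sys.exit(1 if results else 0)
```

Run it as `kubectl get validatingwebhookconfigurations,mutatingwebhookconfigurations -o json | python3 audit_webhooks.py` after installing either engine; a non-zero exit means at least one webhook would fail open, can be bypassed by labelling a namespace, or does not guard UPDATE. A Gatekeeper install that omits the `--set validatingWebhookFailurePolicy=Fail` shown at line 66 is the kind of configuration the first check is meant to catch if its webhook is left at Ignore.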
Install this skill with one command
/learn @pjt222/enforce-policy-as-code