OPA in CI/CD Pipelines

📖 Introduction

Admission control at the Kubernetes API server is a last line of defense, not the only one. By the time a developer runs kubectl apply and gets a policy violation, they've already built the image, written the YAML, opened a PR, merged it, and triggered a deployment. Blocking at admission is correct — but discovering violations at that point is expensive.

Shift-left enforcement means catching policy violations earlier: in the developer's editor, in CI on every pull request, and in CD before a new bundle reaches production. This article shows how to integrate OPA and Conftest into a CI/CD pipeline so policy violations surface where they're cheapest to fix.

🗺️ Where Policy Enforcement Belongs

Each gate:

Pre-commit: instant feedback, opt-in
CI: mandatory, blocks merge
CD: policy bundle is itself versioned and tested before deployment
Admission: runtime safeguard, catches anything that bypassed earlier gates

🔧 Pre-commit Hook with Conftest

The fastest way to enable local policy checking:

# .pre-commit-config.yaml
repos:
  - repo: https://github.com/open-policy-agent/conftest
    rev: v0.50.0
    hooks:
      - id: conftest-not-exist
        name: conftest
        language: golang
        entry: conftest test
        files: \.(yaml|yml)$
        args: ["--policy", "./policy"]

Or a simpler shell script at .git/hooks/pre-commit:

#!/bin/bash
set -e

echo "Running manifest policy checks..."
conftest test --policy ./policy ./manifests/
echo "All policy checks passed."

🏗️ CI Pipeline: GitHub Actions

A complete GitHub Actions workflow covering:

OPA unit tests on the policies themselves
Conftest check on all Kubernetes manifests
Conftest check on Terraform plans

# .github/workflows/policy-check.yml
name: Policy Checks

on:
  pull_request:
    paths:
      - "manifests/**"
      - "terraform/**"
      - "policies/**"

jobs:
  opa-unit-tests:
    name: OPA Policy Unit Tests
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4

      - name: Install OPA
        run: |
          curl -L -o /usr/local/bin/opa \
            https://openpolicyagent.org/downloads/latest/opa_linux_amd64
          chmod 755 /usr/local/bin/opa

      - name: Run OPA Tests
        run: opa test ./policies/ -v

      - name: Check Coverage
        run: |
          opa test ./policies/ --coverage --format=json \
            | jq '.coverage >= 80 or error("Coverage below 80%")'

  manifest-policy-check:
    name: Kubernetes Manifest Policy Check
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4

      - name: Install Conftest
        run: |
          curl -L https://github.com/open-policy-agent/conftest/releases/download/v0.50.0/conftest_0.50.0_Linux_x86_64.tar.gz \
            | tar xz -C /usr/local/bin conftest

      - name: Check Kubernetes Manifests
        run: |
          conftest test \
            --policy ./policy/kubernetes \
            --namespace kubernetes \
            manifests/**/*.yaml

  terraform-policy-check:
    name: Terraform Plan Policy Check
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4

      - name: Setup Terraform
        uses: hashicorp/setup-terraform@v3

      - name: Terraform Init + Plan
        run: |
          cd terraform/
          terraform init
          terraform plan -out=tfplan.binary
          terraform show -json tfplan.binary > tfplan.json

      - name: Install Conftest
        run: |
          curl -L https://github.com/open-policy-agent/conftest/releases/download/v0.50.0/conftest_0.50.0_Linux_x86_64.tar.gz \
            | tar xz -C /usr/local/bin conftest

      - name: Check Terraform Plan
        run: |
          conftest test \
            --policy ./policy/terraform \
            --input terraform \
            terraform/tfplan.json

📋 Conftest Policies for Kubernetes Manifests

Conftest policies differ from Gatekeeper policies because input is the raw manifest, not wrapped in an admission review.

policy/
└── kubernetes/
    ├── no-latest-tag.rego
    ├── required-labels.rego
    ├── resource-limits.rego
    └── approved-registries.rego

policy/kubernetes/approved-registries.rego:

package kubernetes

import rego.v1

approved_registries := [
    "registry.internal/",
    "gcr.io/myproject/"
]

# For Deployments
deny contains msg if {
    input.kind == "Deployment"
    container := input.spec.template.spec.containers[_]
    not approved(container.image)
    msg := sprintf("[Deployment/%s] Unapproved image registry: %s", 
        [input.metadata.name, container.image])
}

# For bare Pods
deny contains msg if {
    input.kind == "Pod"
    container := input.spec.containers[_]
    not approved(container.image)
    msg := sprintf("[Pod/%s] Unapproved image registry: %s",
        [input.metadata.name, container.image])
}

approved(image) if {
    registry := approved_registries[_]
    startswith(image, registry)
}

policy/kubernetes/resource-limits.rego:

package kubernetes

import rego.v1

deny contains msg if {
    input.kind == "Deployment"
    container := input.spec.template.spec.containers[_]
    not container.resources.limits.memory
    msg := sprintf("[Deployment/%s] Container '%s' has no memory limit",
        [input.metadata.name, container.name])
}

warn contains msg if {
    input.kind == "Deployment"
    container := input.spec.template.spec.containers[_]
    not container.resources.requests.memory
    msg := sprintf("[Deployment/%s] Container '%s' has no memory request (recommendation)",
        [input.metadata.name, container.name])
}

Use warn for non-blocking guidance, deny for hard requirements.

🏗️ CI Pipeline: Policy Bundle Deployment

When policy changes are merged, the bundle must be rebuilt and published. A separate workflow handles this:

# .github/workflows/publish-bundle.yml
name: Publish Policy Bundle

on:
  push:
    branches: [main]
    paths:
      - "policies/**"

jobs:
  publish:
    name: Build and Publish Bundle
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4

      - name: Install OPA
        run: |
          curl -L -o /usr/local/bin/opa \
            https://openpolicyagent.org/downloads/latest/opa_linux_amd64
          chmod 755 /usr/local/bin/opa

      - name: Run Tests
        run: opa test ./policies/ -v

      - name: Build Bundle
        run: |
          opa build -b ./policies/ -o bundle.tar.gz \
            --revision ${{ github.sha }}

      - name: Push to OCI Registry
        run: |
          opa push \
            registry.internal/policies/k8s-admission:${{ github.sha }} \
            bundle.tar.gz
          
          # Also tag as latest
          opa push \
            registry.internal/policies/k8s-admission:latest \
            bundle.tar.gz

      - name: Notify
        run: |
          echo "Bundle published: registry.internal/policies/k8s-admission:${{ github.sha }}"

This creates a verifiable, traceable link between a Git commit and a deployed policy bundle.

🔬 Testing Terraform Plans with Conftest

# policy/terraform/security.rego
package terraform

import rego.v1

# Deny S3 buckets with public ACL
deny contains msg if {
    resource := input.planned_values.root_module.resources[_]
    resource.type == "aws_s3_bucket"
    resource.values.acl == "public-read"
    msg := sprintf("S3 bucket '%s' has public-read ACL", [resource.name])
}

# Warn about unencrypted RDS instances
warn contains msg if {
    resource := input.planned_values.root_module.resources[_]
    resource.type == "aws_db_instance"
    not resource.values.storage_encrypted
    msg := sprintf("RDS instance '%s' is not encrypted at rest", [resource.name])
}

# In CI, after terraform plan -out=tfplan.binary && terraform show -json tfplan.binary > tfplan.json
conftest test --policy ./policy/terraform --input terraform tfplan.json

📊 Reporting in Pull Requests

In GitHub Actions, policy failures surface as workflow failures and block merge (if branch protection is configured). For clearer reporting, use the JSON output format:

conftest test \
  --policy ./policy/kubernetes \
  --output json \
  manifests/**/*.yaml | jq '{
    failures: [.[] | select(.failures) | {file: .filename, violations: [.failures[].msg]}],
    warnings: [.[] | select(.warnings) | {file: .filename, warnings: [.warnings[].msg]}]
  }'

🧭 Series Wrap-Up

This article completes the OPA 101 series. Here's what we covered:

Article

Topic

OPA concepts, policy decoupling, when to use it

Rego language — syntax, rules, iteration, functions

OPA architecture — deployment modes, bundle pull, decision logging

Gatekeeper — installation, ConstraintTemplates, Constraints

Kubernetes policies — registries, labels, resource limits, pod security

Bundles — building, serving, versioning, production distribution

Testing — opa test, Conftest, coverage

CI/CD — shift-left enforcement, GitHub Actions, Terraform validation

Recommended next steps:

Browse the Gatekeeper Library for production-ready templates
Explore OPA Envoy integration for API-level authorization
Look at Styra DAS for managed OPA policy management

📎 References

PreviousTesting OPA Policies NextCompliance Automation

Last updated 12 hours ago

hashtag📖 Introduction

hashtag🗺️ Where Policy Enforcement Belongs

hashtag🔧 Pre-commit Hook with Conftest

hashtag🏗️ CI Pipeline: GitHub Actions

hashtag📋 Conftest Policies for Kubernetes Manifests

hashtag🏗️ CI Pipeline: Policy Bundle Deployment

hashtag🔬 Testing Terraform Plans with Conftest

hashtag📊 Reporting in Pull Requests

hashtag🧭 Series Wrap-Up

hashtag📎 References