If you have ever tried to keep a handful of servers compliant with the same security policy, you know the pain. Now multiply that by fifty, or five hundred. The manual checklist approach — SSH into each node, run a script, pray nothing changed overnight — breaks fast. Clusters drift. Patches get missed. Config files get edited by hand during an incident and never reverted. Before long, an auditor asks for evidence and you are scrambling to prove that your fleet actually matches the promised baseline.
This guide is for the engineer or team lead who has felt that scramble. We are going to walk through a different path: treating compliance rules as code that lives alongside your application manifests, gets reviewed in pull requests, and is enforced automatically every time something changes. No more spreadsheets. No more midnight SSH sessions. By the end, you will have a clear workflow to start automating compliance in your own cluster environment.
Why Manual Compliance Fails at Scale
Let us look at what actually happens when a team of three tries to keep twenty Kubernetes clusters compliant with a single security standard. The first week, someone writes a bash script that checks for common misconfigurations — maybe it scans for pods running as root or verifies that network policies exist. They run it weekly and fix issues. By week three, two clusters have been updated with a new version of the application that changes the pod security context. The script still passes because the check is not exhaustive. By month two, the original author has moved teams. The script lives on a jump box with no version history. When the quarterly audit comes, the team cannot prove which checks ran on which date, and the auditor flags several deviations that the script never caught.
This story repeats across organizations. The core problem is not negligence — it is the gap between policy intent and enforcement. A written policy says 'all containers must run as non-root,' but the actual enforcement depends on someone remembering to check, remembering the right command, and having access to every cluster. At scale, that dependency chain fails. Automated compliance as code closes the gap by making the policy itself executable. The same YAML or HCL that defines your network policies can also define the rules that verify them. When the policy changes, the enforcement changes with it, and every cluster gets the same check automatically.
The Cost of Drift
Configuration drift is not just an annoyance. It is the root cause of many real-world breaches. A misconfigured storage bucket, an overly permissive RBAC role, a container running with privileged escalation — each one is a gap that an attacker can exploit. Drift happens because manual processes cannot keep up with the pace of change in modern clusters. Deployments happen multiple times a day. Teams rotate. Incident responses leave temporary holes that become permanent. Automated compliance enforcement acts as a safety net, catching drift within minutes instead of months.
What You Need Before You Start
Before diving into tool selection and pipeline design, there are a few prerequisites that will make or break your compliance-as-code initiative. First, you need a clear inventory of what you are securing. That means knowing how many clusters you manage, their versions, and the network boundaries between them. If you do not have an accurate inventory, start there — a compliance tool can only check what it knows about.
Second, you need a written security policy, even if it is a rough draft. The policy does not have to be perfect. It just needs to capture the rules that matter most to your organization: which ports must be closed, which container runtimes are allowed, whether encryption in transit is required, and so on. This policy becomes the source of truth for your compliance code. Without it, you are automating guesses.
Tooling and Environment Basics
You will need a version control system — Git is the standard — and a CI/CD platform that can run custom scripts or containers. Most teams already have these. The compliance code itself can be written in a policy language like Rego (used by OPA), or in a declarative format like Kubernetes ValidatingAdmissionPolicies, or even in a scripting language like Python with a testing framework. The choice depends on your team's skills and the complexity of your rules. We will compare options in a later section. For now, ensure that your CI runner can connect to your clusters securely, either via API credentials or a service account with read-only access to the resources you need to audit.
Core Workflow: Write, Test, Deploy, Enforce
The compliance-as-code workflow mirrors standard software development. You write rules in a policy file, test them against sample resources, commit them to a repository, and then deploy the policy engine to your clusters. The enforcement mode can be either audit (warn only) or deny (block non-compliant resources). Most teams start with audit mode to surface violations without breaking existing workloads.
Let us walk through a concrete example using Open Policy Agent (OPA) and its Kubernetes admission controller. First, you define a rule that requires all pods to have a resource limit set. In Rego, that rule might look like:
violation[msg] {
pod := input.request.object
not pod.spec.containers[_].resources.limits
msg := sprintf("Container %v has no resource limits", [pod.spec.containers[_].name])
}
You save this rule in a file called require-limits.rego and add it to a Git repository. Next, you write a unit test that passes a sample pod with limits and one without. You run the test locally to confirm the rule works. Then you create a CI pipeline that runs the same tests on every pull request. When the rule passes review, you merge it, and the pipeline automatically deploys the updated policy bundle to your OPA instance running in the cluster. From that moment, any new pod that lacks resource limits is either logged or rejected, depending on your enforcement level.
Testing Policies Before Deployment
Testing is often the skipped step, but it is critical. A buggy policy can block legitimate deployments or, worse, silently pass violations. Use OPA's built-in test framework or a similar tool for your chosen policy engine. Write tests for both positive cases (compliant resources should pass) and negative cases (non-compliant resources should be flagged). Run these tests in CI before the policy is deployed to production clusters. Some teams also run a canary deployment of the policy on a small subset of clusters before rolling out broadly.
Tooling Choices and Setup Realities
No single tool fits every environment. Here is a comparison of three common approaches to compliance as code for clusters:
| Tool | Strengths | Weaknesses | Best For |
|---|---|---|---|
| Open Policy Agent (OPA) | Mature, flexible, large community, works with any Kubernetes resource | Steep learning curve for Rego, requires separate deployment | Teams with complex or custom policies |
| Kyverno | Kubernetes-native, uses YAML policies, easier to learn | Less flexible for non-Kubernetes resources, newer | Teams already deep in Kubernetes ecosystem |
| Custom scripts + CI | Full control, no new tooling, works across cloud and on-prem | Fragile, no built-in policy language, harder to scale | Small fleets or proof-of-concept stages |
Each option requires upfront investment in setup. OPA and Kyverno need to be installed in every cluster you want to monitor. Custom scripts need a runner that can authenticate to each cluster and parse the output. Whichever you choose, start with a single cluster and a small set of policies — five to ten rules — and iterate from there.
Integrating with Existing CI/CD
Your compliance pipeline should fit into your existing deployment workflow, not sit beside it. If you use GitOps with ArgoCD or Flux, you can add a policy check as a pre-sync hook or a validation step in the Git repository. If you use a traditional CI pipeline (Jenkins, GitHub Actions, GitLab CI), add a job that runs policy tests against any manifest that is about to be applied. The key is to make compliance checks automatic and visible — failing a pipeline is much more effective than sending a Slack message.
Adapting to Different Constraints
Not every fleet looks the same. A startup with three clusters on the same cloud provider has different constraints than a regulated enterprise with fifty clusters spread across air-gapped data centers. Here are variations for common scenarios.
Multi-Cloud and Hybrid Environments
When clusters span AWS, Azure, and on-premises, your compliance tool must be cloud-agnostic. OPA and Kyverno work on any Kubernetes distribution, so they are good choices. The challenge is authentication: each cluster may have a different API server endpoint and credential method. Use a service account with a long-lived token (or a short-lived token refreshed by an external secrets manager) and store the endpoints in a configuration file that your CI runner reads. Test connectivity to every cluster regularly.
Air-Gapped or Restricted Networks
If your clusters cannot reach the internet, you need to host the policy engine and any dependencies internally. For OPA, you can build a container image that includes your policy bundle and push it to a private registry. For Kyverno, the container image is available in most private registries, but you will need to mirror it. The CI runner that deploys policies must also be inside the network. Plan for a local Git server or a mirror of your repository.
Highly Regulated Environments (PCI, HIPAA, SOC2)
Regulated industries often require evidence of continuous compliance, not just snapshots. Your compliance-as-code pipeline should log every policy evaluation and store the results in an immutable audit trail. Tools like OPA can output structured logs (JSON) that you can send to a SIEM or a dedicated audit store. You will also need to prove that the policy code itself has not been tampered with — sign your policy bundles with a private key and verify the signature before loading them into the cluster.
Pitfalls and Debugging: What Usually Breaks
Even with a solid workflow, things go wrong. Here are the most common issues teams encounter and how to fix them.
Policy Too Broad or Too Narrow
A policy that blocks all pods without resource limits sounds good until you realize that some system namespaces (like kube-system) run critical components that do not have limits set. Suddenly, your cluster becomes unstable. Solution: always include namespace exclusions or a mechanism to exempt known-good resources. Test policies in audit mode first and review the violations before switching to deny mode.
Credential Rotation Breaks the Pipeline
If your CI runner uses a long-lived service account token to connect to clusters, and that token expires or gets rotated, the pipeline silently fails. Compliance checks stop running, but no one notices until the next audit. Solution: use short-lived tokens with automatic refresh, or integrate with an external secrets manager that rotates credentials and updates the CI configuration. Monitor the pipeline health with a heartbeat check that alerts if compliance jobs have not run in a specified period.
False Positives Erode Trust
When a policy flags a deployment that is actually compliant, engineers start ignoring the warnings. Over time, the whole compliance program loses credibility. To minimize false positives, write narrow, testable rules. Use the policy engine's dry-run or audit mode to compare results against manual inspections. When a false positive is confirmed, fix the rule immediately and add a regression test.
Frequently Asked Questions and Common Mistakes
We have gathered questions that come up repeatedly when teams start with compliance as code.
Q: Should we enforce policies at admission time or via periodic scanning? Both have value. Admission-time enforcement (via a mutating or validating webhook) catches violations before resources are created. Periodic scanning catches drift that happens after admission — for example, when someone edits a resource directly with kubectl edit. Use admission control for your core policies and periodic scanning for detective controls.
Q: How do we handle legacy workloads that do not comply? Do not block them immediately. Create a separate policy set for legacy workloads that logs violations but does not deny. Gradually migrate those workloads to meet the new standards. Set a deadline for full compliance and track progress with a dashboard.
Q: What if our policies change frequently? That is fine — treat policy changes like code changes. Use the same review and testing process. The key is to version your policies and keep a changelog so you can roll back if a new rule causes issues.
Common Mistake #1: Writing policies that are too specific to a single cluster. For example, hardcoding a namespace name that only exists in one environment. Instead, use parameters or data files that vary per cluster.
Common Mistake #2: Not testing the policy engine's performance under load. A complex OPA rule set can slow down the API server if it is evaluated on every resource creation. Benchmark with a realistic number of concurrent requests and optimize rules that take too long.
Common Mistake #3: Forgetting to monitor the policy engine itself. If OPA or Kyverno crashes, admission requests may be allowed through (depending on your failure policy). Set up alerts for engine health and evaluate the failure policy carefully — do you want to fail open or fail closed?
Next Steps: From Pilot to Fleet-Wide Enforcement
By now you have a grasp of the concepts and a workflow to start. Here are specific actions to take this week:
1. Pick one cluster and one policy. Choose a rule that is easy to verify — for example, 'all pods must have a liveness probe.' Write the policy in your chosen tool, test it in audit mode, and observe the results. This gives you a concrete win and surfaces any integration issues early.
2. Set up a compliance dashboard. Use the logs from your policy engine to populate a simple dashboard (Grafana, or even a spreadsheet initially). Track the number of violations over time and the time to remediation. This data will help you justify expanding the program.
3. Schedule a policy review cycle. Compliance is not a one-time project. Set a recurring meeting (monthly or quarterly) to review the policy set, add new rules based on recent incidents or audit findings, and retire rules that are no longer relevant.
4. Document your policy-as-code repository. Write a README that explains how to add a new rule, how to test it, and how to deploy it. This documentation is what saves you when a new team member joins or when you revisit the project six months later.
Automated compliance as code does not eliminate the need for good judgment or periodic manual reviews. But it does eliminate the tedium of checking the same things over and over, and it catches the drift that manual processes miss. Start small, iterate, and let the code do the heavy lifting.
Comments (0)
Please sign in to post a comment.
Don't have an account? Create one
No comments yet. Be the first to comment!