Day 47 of 60 · Data, ML & infrastructure
Policy as code
Compliance enforced by humans is slow, inconsistent, and ungated. Encoded as Rego and evaluated at admission, it's automatic and unforgeable.
Problem
Compliance and platform rules enforced by humans through review are slow, inconsistent, and ungated.
How it works
Encode rules as data (Rego, CUE, JSON). Evaluate them at admission control (Kubernetes), at PR time, and at deploy time. Block whatever violates them.
What it catches
Compliance drift, ungated risky deploys, accidental privilege escalation, environment-specific config violations.
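As an added example (not code from the page or from the OPA project), a Conftest policy in Rego that encodes two of the violations listed above and gates them at PR time: privileged containers (accidental privilege escalation) and production workloads missing an ownership label (environment-specific config). The namespace name `prod`, the `owner` label and the file paths are assumptions.

```rego
# Conftest policy in Rego v1 syntax (`import rego.v1` works on OPA >= 0.59 and 1.x).
# In CI: `conftest test deployment.yaml -p policy/` gates the PR; `conftest verify -p policy/` runs the test rule.
package main

import rego.v1

# Accidental privilege escalation: no container may run privileged.
deny contains msg if {
	some c in input_containers
	c.securityContext.privileged == true
	msg := sprintf("container %q must not run privileged", [c.name])
}

# allowPrivilegeEscalation must be explicitly false; an absent field is a violation, not a pass.
deny contains msg if {
	some c in input_containers
	not c.securityContext.allowPrivilegeEscalation == false
	msg := sprintf("container %q must set allowPrivilegeEscalation: false", [c.name])
}

# Environment-specific config: workloads in the assumed "prod" namespace must carry
# an "owner" label (assumed label name) so every production deploy has an accountable team.
deny contains msg if {
	input.metadata.namespace == "prod"
	not input.metadata.labels.owner
	msg := "workloads in namespace prod must carry an owner label"
}

# Containers of a bare Pod, or of any workload with a pod template (Deployment, Job, ...).
input_containers contains c if {
	some c in input.spec.containers
}

input_containers contains c if {
	some c in input.spec.template.spec.containers
}

# Constructed sample input: a privileged container in prod with no owner label yields
# exactly two denials (privileged, missing label); the escalation rule is satisfied.
test_privileged_prod_pod_denied if {
	violations := deny with input as {
		"kind": "Pod",
		"metadata": {"namespace": "prod", "labels": {"app": "web"}},
		"spec": {"containers": [{"name": "web", "securityContext": {"privileged": true, "allowPrivilegeEscalation": false}}]}
	}
	count(violations) == 2
}
```

The same `deny` rules can be loaded unchanged into OPA behind a Kubernetes admission webhook, so one policy file gates both the PR and the cluster.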
Tools
- Open Policy Agent (OPA): OSS
- Conftest: OSS
- Kyverno: OSS
- Sentinel (HashiCorp): Hybrid
Verdict by project size
| Project size | Verdict |
|---|---|
| Small | Skip |
| Medium | Optional |
| Large | Recommended |
| Extra-large | Must |
Cost
| Project size | Setup | Maint / mo | Tool / mo | CI / run |
|---|---|---|---|---|
| Small <10k LOC | 0h | 0h | $0 | |
| Medium 10–100k LOC | 2d | 3h | $0 | +1m |
| Large 100k–1M LOC | 10d | 20h | $500 | +3m |
| Extra-large >1M LOC | 40d | 80h | $5k | +8m |
Setup = engineer-days to first useful run
Maint = engineer-hours / month at steady state
Tool = out-of-pocket $ / month
CI = minutes added (or saved) per pipeline run
Lifecycle & ownership
When in lifecycle: Build, Operate
Per pull request: runs in CI on every PR; gates merge.
Who owns it: Data Engineer (pipelines, schemas, lineage)
Collaborates with: SRE / DevOps / Platform, Security / AppSec
Reference implementations
- Open Policy Agent examples: policy-as-code examples using Rego for admission and CI decisions.
- Gatekeeper library: reusable Kubernetes policy constraints and templates.
- Kyverno policies: practical policy-as-code library for Kubernetes admission controls.
Quick check
Policy as code (OPA, Kyverno) replaces what?