Kubernetes OPA Ecosystem Projects

These projects from the OPA ecosystem make it easier to use OPA in Kubernetes use cases.

Kubernetes Admission Control

View a selection of projects and talks about integrating OPA with Kubernetes.

OPA Gatekeeper

OPA Gatekeeper integrates with Kubernetes Admission and also uses Custom Resources and the Kubernetes API server to store policy state.

Spacelift

Spacelift supports Rego as a language to describe policies for various resource types, including Kubernetes. View the policy documentation for more information.

KubeStellar Console

KubeStellar Console provides a unified multi-cluster dashboard with native OPA Gatekeeper integration. It discovers constraint templates and constraints across all connected clusters, displays policy violations in real time, and lets operators create new Rego policies using an AI-assisted workflow that generates ConstraintTemplate and Constraint YAML from plain-English descriptions.

The AI Cloud Maturity Model (ACMM) built into the console scores clusters across 8 dimensions — including a policy-as-code dimension that checks for OPA/Gatekeeper, Kyverno, and Conftest artifacts — producing a quantified maturity score with a public leaderboard.

The Fleet Compliance Heatmap card aggregates OPA Gatekeeper status alongside Kyverno, Trivy, Kubescape, Falco, and Compliance Trestle into a single cross-cluster compliance view.

Kubernetes Authorization

View an example project showing how it's possible to integrate OPA with Kubernetes User Authorization.

KubeShield

KubeShield implements runtime policy for containers in a Kubernetes cluster using eBPF. Follow the tutorial here to get up and running.

GKE Policy Automation

The GKE Policy Automation project provides a set of policies for validating Kubernetes clusters running on GKE. Review the policy library here.

Fairwinds Insights Configuration Validation Software

Implements auditing and admission checking of Kubernetes resources with Rego policies, using Polaris.

Kubernetes Admission Control using Vulnerability Scanning

This example project in OPA contrib uses OPA to enforce admission policy in Kubernetes.

ccbr

Implements the CIS benchmark using Rego for Kubernetes workloads.

Kopa

Kopa integrates OPA with Kubernetes validating admission webhooks.
