Skill Guide

Policy-as-code authoring (OPA/Rego, YAML-based guardrail definitions, compliance-as-code)

Policy-as-code authoring is the practice of defining, versioning, and automatically enforcing infrastructure and application compliance, security, and operational policies using machine-readable code (primarily OPA/Rego and YAML) integrated into CI/CD and runtime pipelines.

It converts subjective, manual compliance checks into automated, auditable guardrails, drastically reducing configuration drift, security incidents, and audit overhead. This shift enables rapid, secure deployment cycles and provides provable compliance evidence for regulators and stakeholders.

1 Careers

1 Categories

9.2 Avg Demand

15% Avg AI Risk

How to Learn Policy-as-code authoring (OPA/Rego, YAML-based guardrail definitions, compliance-as-code)

1. Core Policy Engines: Learn the fundamentals of Open Policy Agent (OPA) architecture and its decision model (input → policy → decision). 2. Rego Language Basics: Master Rego's syntax, focusing on rule structure, set comprehensions, and the `data` vs `input` context. 3. Policy Lifecycle: Understand the 3-stage model: Authoring (Rego files), Testing (OPA's built-in test framework), and Distribution (bundle server).

1. Integration Practice: Move from standalone `opa eval` commands to embedding OPA as a sidecar, Go library, or kube-mgmt plugin in a Kubernetes admission control pipeline (e.g., validating `Deployment` resources). 2. Pattern Recognition: Learn common policy patterns like least-privilege IAM, network segmentation, and resource naming conventions. 3. Avoid Anti-Patterns: Do not write monolithic Rego files; avoid mixing policy logic with data retrieval; never skip unit tests (`opa test .`).

1. System Design: Architect a multi-layered policy system where global (organization-wide), regional (cloud-account), and local (team) policies compose and override correctly using `import` and package hierarchies. 2. Performance Tuning: Optimize Rego for large inputs (Kubernetes clusters with 10k+ resources) using partial evaluation and indexing. 3. Strategic Governance: Establish a Policy-as-Code governance board, define policy-as-code contribution guidelines, and mentor teams on writing efficient, maintainable Rego.

Practice Projects

Beginner

Project

Kubernetes Pod Security Policy Enforcement

Scenario

Your development team is deploying containers that sometimes run as root or use host network namespaces, violating security baselines.

How to Execute

1. Install OPA and its Kubernetes admission controller (e.g., Gatekeeper). 2. Write a Rego policy that denies `Pod` objects where `spec.securityContext.runAsNonRoot` is not `true`. 3. Deploy the policy as a `ConstraintTemplate` and `Constraint` resource. 4. Test by applying a violating YAML manifest and confirming the admission webhook rejects it.

Intermediate

Project

Cross-Account AWS S3 Bucket Compliance Guardrail

Scenario

Your organization mandates that all S3 buckets have versioning enabled and server-side encryption with a specific KMS key, but multiple Terraform teams are provisioning them.

How to Execute

1. Write Rego policies that evaluate `input.planned_values` from a Terraform plan JSON. 2. Create a CI pipeline that runs `terraform plan -out=plan.json`, then executes `opa eval` with your policies against the plan. 3. Fail the pipeline if any bucket resource violates the rules. 4. Extend the policy to auto-fix by generating a Terraform `moved` block or configuration snippet.

Advanced

Project

Global Policy Composition & Override Framework

Scenario

A multinational corporation needs a core security policy (e.g., encryption at rest) for all cloud resources, but each subsidiary (EU, US, APAC) has unique data residency rules that can further restrict (but never relax) the core policy.

How to Execute

1. Structure policies into a Rego package hierarchy: `core.security.encryption`, `region.eu.data_residency`. 2. Implement a composition engine (likely a custom OPA plugin or wrapper) that loads core policies first, then overlays regional policies. 3. Use Rego's `import` and `with` keywords to allow regional rules to define stricter constraints (e.g., allowed KMS key ARN patterns). 4. Build a policy testing suite that validates composition logic and prevents relaxation of core rules.

Tools & Frameworks

Core Engines & Languages

Open Policy Agent (OPA)Rego Policy LanguageOPA Playground (play.openpolicyagent.org)

OPA is the CNCF-standard general-purpose policy engine. Rego is its declarative language. The Playground is essential for rapid prototyping and debugging of policy logic.

Kubernetes & Cloud-Native Integration

OPA GatekeeperKube-mgmtKyverno (YAML-native alternative)

Gatekeeper provides admission control and audit via CRDs. Kube-mgmt syncs policies/data into OPA running as a sidecar. Kyverno is a simpler, YAML-focused alternative for teams less comfortable with Rego.

Infrastructure as Code (IaC) Scanners

Checkov (Python-based, uses Rego-like DSL)tfsec (Terraform-focused)Terrascan (OPA/Rego policy library)

These tools scan IaC templates (Terraform, CloudFormation) for misconfigurations. Terrascan ships with a library of OPA policies for common cloud misconfigurations, which can be extended.

Testing & Collaboration

`opa test` (built-in)Conftest (CLI tool for structured data)Policy Repository (Git)

`opa test` runs unit tests on Rego policies. Conftest allows testing any structured config (YAML, JSON, TOML) against Rego policies. A centralized Git repo enables version control, peer review, and CI/CD for policies.

Interview Questions

Answer Strategy

The candidate should demonstrate a systematic debugging approach, not just guess-and-check. A strong answer follows a 4-step method: 1) Isolate the Input (get the exact YAML causing denial), 2) Test Locally (use `opa eval` with the exact input and policy), 3) Check Data (verify external data is loaded correctly), 4) Audit Logs (examine OPA/Gatekeeper decision logs). Sample Answer: "First, I'd grab the exact Deployment YAML from the event log. Then, I'd run it locally against my policy file using `opa eval -i input.yaml -d policy.rego` to see the denial reason. I'd check if the policy references external data (like allowed registries) that might be missing. Finally, I'd review the Gatekeeper audit logs to trace the full decision chain. The most common issue is a mismatch between the input context in testing and what Gatekeeper actually sees."

Answer Strategy

Tests the candidate's ability to design a practical, low-risk adoption strategy. A good answer includes incremental rollout, safe defaults, and education. Sample Answer: "I'd start with a 'detect-only' phase: write Rego policies for required tags (e.g., `CostCenter`, `Env`) but run them only in audit mode via `terraform plan` CI checks, logging violations without failing the build. Next, I'd educate the team using the OPA Playground examples. For existing resources, I'd use `terraform plan` to generate a one-time report of non-compliant resources and create a remediation backlog. Only after the team is comfortable would I switch the CI check to 'enforce', failing the plan on violations. Finally, I'd integrate the policy bundle into our internal developer platform for new resource provisioning."