APAC Kubernetes Policy as Code Guide 2026: Conftest, OPA Gatekeeper, and Polaris

A practitioner guide for APAC platform engineering teams implementing Kubernetes policy as code in 2026. It covers Conftest for pre-deployment policy testing of Kubernetes manifests, Terraform plans, and Dockerfiles in CI/CD, using OPA Rego policies that block non-compliant infrastructure before it reaches a cluster; OPA Gatekeeper for runtime admission control at the Kubernetes API server, with ConstraintTemplate CRDs, audit (and dry-run) of existing cluster violations, and namespace-scoped enforcement; and Polaris for immediate workload governance through built-in best-practice policies covering resource limits, security context, and health probes, available as a CLI, an admission webhook, and a web dashboard.

By AIMenta Editorial Team

The Kubernetes Configuration Risk Gap in APAC Clusters

APAC platform engineering teams operating Kubernetes at scale face a persistent challenge: developers and CI/CD pipelines can deploy workloads that violate security standards, resource governance rules, and operational best practices, and the cluster accepts them without complaint. A Deployment with no CPU limits is scheduled and starves neighbouring workloads. A container running as root turns any compromise of that container into a privilege escalation risk. A missing readiness probe routes traffic to pods that are not yet ready to serve it.

Policy as code addresses this by encoding APAC infrastructure standards as version-controlled policy files that execute automatically — in CI/CD pipelines to catch violations before they reach clusters, and at the Kubernetes API server to block non-compliant resources at runtime.

Three tools cover the APAC Kubernetes policy as code spectrum:

Conftest — open-source CLI for testing Kubernetes manifests, Terraform plans, and Dockerfiles against OPA Rego policies in CI/CD.

OPA Gatekeeper — Kubernetes admission controller that enforces OPA policies at the API server, blocking non-compliant resource creation at runtime.

Polaris — open-source Kubernetes configuration audit tool with built-in best-practice policies, available as CLI, admission webhook, and dashboard.


APAC Policy as Code Fundamentals

Where APAC policy enforcement happens

APAC Policy Enforcement Layers:

Layer 1: APAC Developer Workstation
  → IDE linting, local conftest run
  → Catch APAC violations before git push
  → Cost: free (no APAC compute)

Layer 2: APAC CI/CD Pipeline (pre-merge)
  → Conftest validates APAC manifests/Terraform
  → Polaris CLI audits APAC Helm output
  → Blocks APAC PRs with violations
  → Cost: CI/CD runner time

Layer 3: APAC Kubernetes API Server (runtime)
  → Gatekeeper admission webhook
  → Blocks non-compliant APAC resources at create/update
  → Audit mode reviews APAC existing resources
  → Cost: webhook latency per APAC API call

← APAC defense-in-depth: catch violations early where it is cheap (workstation, CI/CD) and block them late where it is safe (admission)

Core APAC Kubernetes policy categories

APAC Resource governance:
  ✗ No CPU requests/limits → APAC workload starves neighbors
  ✗ No memory limits → APAC OOMKill risks
  ✓ All APAC containers: requests ≤ limits; namespace quota respected

APAC Security posture:
  ✗ runAsNonRoot unset or runAsUser: 0 → container runs as root → APAC privilege escalation risk
  ✗ privileged: true → APAC container breakout risk
  ✓ Non-root; read-only root filesystem; APAC capabilities dropped (ALL)

APAC Operational reliability:
  ✗ No livenessProbe → APAC stuck containers not restarted
  ✗ No readinessProbe → APAC traffic to not-ready pods
  ✓ Both probes defined; APAC image tags pinned (no :latest)

APAC Supply chain:
  ✗ Image from docker.io → APAC uncontrolled third-party
  ✓ Images from approved APAC registries only

Conftest: APAC CI/CD Policy Testing

Conftest Rego policy — APAC Kubernetes resource limits

# policies/apac-resource-limits.rego
package apac.kubernetes.resources

# APAC: All containers must define CPU and memory limits.
# These rules look only at spec.template.spec.containers of Deployments;
# initContainers and other workload kinds (StatefulSet, DaemonSet, CronJob)
# need their own rules or a shared pod-spec helper.
deny[msg] {
    input.kind == "Deployment"
    container := input.spec.template.spec.containers[_]
    not container.resources.limits.cpu
    msg := sprintf(
        "APAC container '%v' in Deployment '%v' missing CPU limit",
        [container.name, input.metadata.name]
    )
}

deny[msg] {
    input.kind == "Deployment"
    container := input.spec.template.spec.containers[_]
    not container.resources.limits.memory
    msg := sprintf(
        "APAC container '%v' in Deployment '%v' missing memory limit",
        [container.name, input.metadata.name]
    )
}

# APAC: No :latest image tags in production.
# An image reference with no tag at all (e.g. "nginx") also resolves to
# :latest at pull time but is not caught by this rule; pin a tag or,
# better, a digest.
warn[msg] {
    input.kind == "Deployment"
    container := input.spec.template.spec.containers[_]
    endswith(container.image, ":latest")
    msg := sprintf(
        "APAC container '%v' uses :latest tag — pin to APAC digest for reproducibility",
        [container.name]
    )
}

Conftest in APAC CI/CD — GitLab pipeline

# .gitlab-ci.yml — APAC Conftest policy gate

stages:
  - apac-lint
  - apac-policy
  - apac-deploy

apac-conftest-k8s:
  stage: apac-policy
  # Pin this to a released conftest version in practice; a floating :latest
  # tag is exactly what the workload policy above warns about.
  image: openpolicyagent/conftest:latest
  script:
    # APAC validate all Kubernetes manifests in k8s/ directory.
    # --namespace must name each policy package exactly (repeat the flag per
    # package, or pass --all-namespaces); "apac.kubernetes" on its own matches
    # neither apac.kubernetes.resources nor apac.kubernetes.images.
    - conftest test k8s/ \
        --policy policies/ \
        --namespace apac.kubernetes.resources \
        --namespace apac.kubernetes.images \
        --output table
    # → Non-zero exit if any deny rule fires → APAC pipeline blocked
    #   (warn rules are reported but do not fail the job unless --fail-on-warn is set)
  rules:
    - changes: ['k8s/**', 'policies/**']

apac-conftest-terraform:
  stage: apac-policy
  # Needs a runner image that contains both terraform and conftest (not shown here).
  script:
    # APAC validate Terraform plan output
    - terraform init -input=false
    - terraform plan -out=apac.tfplan
    - terraform show -json apac.tfplan > apac-plan.json
    - conftest test apac-plan.json \
        --policy policies/terraform/ \
        --namespace apac.terraform
  rules:
    - changes: ['terraform/**']

Conftest — APAC registry allowlist policy

# policies/apac-registry.rego
package apac.kubernetes.images

# APAC approved container registries (registry host plus optional path prefix)
apac_approved_registries := {
    "registry.apac-company.internal",
    "asia.gcr.io/apac-project",
    "apac-region.ocir.io/apac-tenancy",
}

deny[msg] {
    input.kind == "Deployment"
    container := input.spec.template.spec.containers[_]
    image := container.image

    # APAC: image must sit under one of the approved registry prefixes
    not any_approved(image)
    msg := sprintf(
        "APAC container '%v' image '%v' not from approved APAC registry",
        [container.name, image]
    )
}

# The approved prefix must be followed by "/" so that a look-alike host such
# as "registry.apac-company.internal.example.net/app" or a sibling path such
# as "asia.gcr.io/apac-project-other/app" does not pass a bare prefix match.
any_approved(image) {
    registry := apac_approved_registries[_]
    startswith(image, concat("", [registry, "/"]))
}

OPA Gatekeeper: APAC Runtime Admission Control

Gatekeeper ConstraintTemplate — APAC required labels

# APAC ConstraintTemplate: all Deployments must have required APAC labels
apiVersion: templates.gatekeeper.sh/v1
kind: ConstraintTemplate
metadata:
  name: apackubernetesrequiredlabels
spec:
  crd:
    spec:
      names:
        kind: APACKubernetesRequiredLabels
      validation:
        # templates.gatekeeper.sh/v1 requires a structural schema: declare
        # the top-level type, not only the properties.
        openAPIV3Schema:
          type: object
          properties:
            apac_labels:
              type: array
              items:
                type: string
  targets:
    - target: admission.k8s.gatekeeper.sh
      rego: |
        package apac.kubernetes.requiredlabels

        # Gatekeeper passes the admission request as input.review and the
        # Constraint's spec.parameters as input.parameters.
        violation[{"msg": msg}] {
            input.review.kind.kind == "Deployment"
            provided := {label | input.review.object.metadata.labels[label]}
            required := {label | label := input.parameters.apac_labels[_]}
            missing := required - provided
            count(missing) > 0
            msg := sprintf(
                "APAC Deployment '%v' missing required labels: %v",
                [input.review.object.metadata.name, missing]
            )
        }

Gatekeeper Constraint — APAC label enforcement

# APAC Constraint: enforce required labels on all APAC production Deployments
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: APACKubernetesRequiredLabels
metadata:
  name: apac-deployment-labels
spec:
  enforcementAction: deny          # APAC: block non-compliant Deployments
                                   # (use dryrun to audit without blocking)
  match:
    kinds:
      - apiGroups: ["apps"]
        kinds: ["Deployment"]
    namespaceSelector:
      matchLabels:
        apac-environment: production   # Only enforce in APAC production namespaces
  parameters:
    apac_labels:
      - "app.kubernetes.io/name"
      - "app.kubernetes.io/version"
      - "apac-team"
      - "apac-cost-centre"

Gatekeeper audit — APAC existing cluster violations

# APAC: Review existing Deployment violations recorded by Gatekeeper's audit
# controller. Audit runs for every Constraint regardless of enforcementAction;
# to build this list without blocking anything during rollout, start the
# Constraint with enforcementAction: dryrun and switch to deny once it is clean.
kubectl get apackubernetesrequiredlabels.constraints.gatekeeper.sh \
  apac-deployment-labels \
  -o jsonpath='{.status.violations}' | jq .

# Output (the audit controller caps this list per Constraint via
# --constraint-violations-limit, 20 by default):
# [
#   {
#     "kind": "Deployment",
#     "name": "apac-payment-api",
#     "namespace": "apac-production",
#     "message": "APAC Deployment 'apac-payment-api' missing required labels: {\"apac-cost-centre\"}"
#   },
#   {
#     "kind": "Deployment",
#     "name": "apac-notification-svc",
#     "namespace": "apac-production",
#     "message": "APAC Deployment 'apac-notification-svc' missing required labels: {\"apac-team\",\"apac-cost-centre\"}"
#   }
# ]
# → APAC remediation list: 2 Deployments need label updates before enforcement tightens

Polaris: APAC Built-in Best-Practice Auditing

Polaris CLI — APAC cluster audit

# APAC: Run Polaris audit against the live cluster. With no --audit-path,
# polaris audit targets the cluster of the current kubeconfig context
# (pass --context to select another).
polaris audit \
  --format pretty \
  --set-exit-code-on-danger \
  --set-exit-code-below-score 80

# Output:
# Polaris audit for APAC cluster
# ================================
# Namespace: apac-production
#
# apac-payment-api (Deployment)
#   ✓ cpuRequestsMissing: PASS
#   ✓ memoryRequestsMissing: PASS
#   ✗ cpuLimitsMissing: DANGER  ← APAC CPU limits missing
#   ✗ runAsRootAllowed: DANGER  ← APAC container runs as root
#   ✓ readinessProbeMissing: PASS
#   ✗ livenessProbeMissing: WARNING  ← APAC no liveness probe
#
# apac-inventory-svc (Deployment)
#   ✓ All checks: PASS
#
# Cluster Score: 73/100  ← Below APAC threshold of 80 → exit code 1

Polaris custom check — APAC organization policy

# polaris-config.yaml — APAC custom checks extending built-in library

checks:
  # APAC built-in checks (configure severity: ignore | warning | danger)
  cpuLimitsMissing: danger
  memoryLimitsMissing: danger
  runAsRootAllowed: danger
  livenessProbeMissing: warning
  readinessProbeMissing: danger
  tagNotSpecified: danger          # Forbid :latest and untagged images in APAC
  # Custom checks get their severity here as well; without this entry the
  # check defined below is never evaluated.
  apacApprovedRegistry: danger

customChecks:
  # APAC custom: containers must use approved base images
  apacApprovedRegistry:
    successMessage: "APAC container uses approved registry"
    failureMessage: "APAC container image not from approved APAC registry"
    category: Security
    target: Container
    schema:
      '$schema': "http://json-schema.org/draft-07/schema"
      type: object
      required: ["image"]
      properties:
        image:
          type: string
          # Dots are escaped so a look-alike host cannot match, and the
          # trailing "/" stops sibling project paths from matching.
          pattern: '^(registry\.apac-company\.internal|asia\.gcr\.io/apac-project|apac-region\.ocir\.io/apac-tenancy)/'

APAC Policy as Code Tool Selection

APAC Policy Need → Tool → Why

APAC CI/CD policy testing (catch violations before they reach the cluster)
  → Tool: Conftest
  → Why: pre-deployment gate; multi-format input (YAML, JSON, HCL, Terraform plan JSON); full OPA Rego flexibility

APAC runtime enforcement (block non-compliant resources at deploy time)
  → Tool: Gatekeeper
  → Why: API server admission; ConstraintTemplate CRDs; audit of existing APAC cluster resources

APAC quick-start governance (no Rego, immediate coverage)
  → Tool: Polaris
  → Why: built-in APAC best-practice policies; no custom code needed; dashboard and CLI

APAC full defense-in-depth (enterprise multi-layer)
  → Tool: Conftest + Gatekeeper
  → Why: CI/CD pre-deployment gate plus runtime blocking; the Rego logic can be shared, provided the policy accounts for the two input shapes (Conftest evaluates the manifest as input, Gatekeeper wraps it in input.review.object)

APAC compliance dashboard (executive visibility, per-workload)
  → Tool: Polaris
  → Why: visual APAC cluster score; per-namespace breakdown; exportable reports
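
The table above says the same Rego can serve Conftest in CI/CD and Gatekeeper at admission; the catch is that the two tools hand the resource to the policy in different shapes. The policy below is an added example, not part of the original guide, showing one way to write the registry check once for both tools, and it goes beyond the Deployment-only rules above by covering every workload kind that carries a pod template plus init containers. The file name and the Gatekeeper parameter name apac_registries are assumptions of this example.

```rego
# policies/apac-shared-registry.rego  (file name assumed for this example)
package apac.kubernetes.images.shared

# Input adapter: Gatekeeper wraps the admission object in input.review.object,
# Conftest passes the parsed manifest as input itself. The two bodies are
# mutually exclusive, so the complete rule "resource" never conflicts.
resource = input.review.object
resource = input { not input.review }

# Registries come from the Constraint's parameters under Gatekeeper (parameter
# name "apac_registries" assumed); the fallback set is constructed for Conftest.
approved = input.parameters.apac_registries
approved = {"registry.apac-company.internal", "asia.gcr.io/apac-project"} {
    not input.parameters.apac_registries
}

# Pod spec lookup for every kind that carries one; other kinds leave it undefined.
pod_spec = resource.spec { resource.kind == "Pod" }
pod_spec = resource.spec.jobTemplate.spec.template.spec { resource.kind == "CronJob" }
pod_spec = resource.spec.template.spec {
    resource.kind != "Pod"
    resource.kind != "CronJob"
}

# Regular and init containers are checked alike.
containers[c] { c := pod_spec.containers[_] }
containers[c] { c := pod_spec.initContainers[_] }

# Same rule name and result shape for both tools: Gatekeeper requires
# violation[{"msg": ...}], and Conftest reports violation rules as failures.
violation[{"msg": msg}] {
    c := containers[_]
    not approved_image(c.image)
    name := object.get(resource.metadata, "name", "<unnamed>")
    msg := sprintf(
        "APAC %v '%v': container '%v' image '%v' is not from an approved registry",
        [resource.kind, name, c.name, c.image]
    )
}

# The approved prefix must be followed by "/" so a look-alike host or a sibling
# project path under the same registry does not pass a bare prefix match.
approved_image(image) {
    registry := approved[_]
    startswith(image, concat("", [registry, "/"]))
}
```

Under Conftest run it with --namespace apac.kubernetes.images.shared; under Gatekeeper paste it into the rego field of a ConstraintTemplate whose schema declares apac_registries as an array of strings.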

Related APAC Platform Engineering Resources

For the GitOps and IaC tools (Flux, Pulumi, Terraform Cloud) whose output Conftest validates before cluster deployment, see the APAC GitOps and IaC guide.

For the Kubernetes runtime security tools (Falco, OPA, KEDA) that complement Gatekeeper's admission control with behavioral monitoring, see the APAC Kubernetes runtime security guide.

For the IaC security scanning tools (Checkov, Gitleaks, TruffleHog) that scan Terraform and infrastructure code for misconfigurations before Conftest policy testing, see the APAC IaC security guide.
