Weave Policy Agent is a policy-as-code engine built on Open Policy Agent (OPA) that enforces security, compliance and best-practice rules for Kubernetes applications. It is designed for GitOps workflows, especially Flux, and supports fine-grained policies for Flux applications and tenants, ensuring isolation and compliance across Kubernetes deployments.
Weave Policy Agent registers as a Kubernetes admission controller (an admission webhook), so every resource change submitted to the API server is evaluated against the policies and changes that violate them are rejected before they are deployed.
If you use Flux's Terraform controller (tf-controller) to apply and reconcile your Terraform plans, Weave Policy Agent can also evaluate those plans and block violating ones before they are applied to your cluster.
The agent additionally scans the resources already running on the cluster and reports runtime violations at a configurable frequency, so drift that bypasses admission (for example, objects created before a policy existed) is still caught.
While the agent works natively with any Kubernetes resource, it has specific features for fine-grained policy configuration of Flux applications and tenants, as well as alerting integration with Flux's notification-controller.
Policies and violations can be displayed in Weave GitOps dashboards, giving better observability of the cluster's compliance.
Example policies targeting Kubernetes and Flux best practices are available here. Users can also write their own policies in Rego using the agent's Policy CRD.
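The following is an added illustration, not one of the project's shipped policies, of what a custom policy written in Rego and delivered through the agent's Policy CRD looks like. It rejects workloads that run a container with `securityContext.privileged: true`. The `apiVersion`, the `spec` field names, the `input.review.object` input path and the `violation[result]` / `"issue detected"` result convention are assumptions based on the agent's policy library and should be checked against the CRD definition and example policies in this repository before use.

```yaml
# Added example: a custom Weave Policy Agent policy (assumed CRD schema, verify against the repo).
apiVersion: pac.weave.works/v2beta2
kind: Policy
metadata:
  name: example.policies.containers-running-as-privileged
spec:
  id: example.policies.containers-running-as-privileged
  name: Containers Running As Privileged
  enabled: true
  severity: high
  category: example.categories.pod-security
  description: >
    Privileged containers get the host's device and capability set, which
    defeats most of the isolation a pod is supposed to provide.
  how_to_solve: >
    Set securityContext.privileged to false (or omit it) on every container and
    grant only the specific capabilities the workload needs.
  # Restrict evaluation to workload kinds; empty labels/namespaces mean "all".
  targets:
    kinds:
      - Pod
      - Deployment
      - StatefulSet
      - DaemonSet
      - Job
      - CronJob
    labels: []
    namespaces: []
  code: |
    package example.policies.privileged

    import future.keywords.in

    # Assumption: the admission review object is exposed at input.review.object.
    obj := input.review.object

    # The pod spec sits at a different path depending on the kind being reviewed.
    pod_spec := obj.spec { obj.kind == "Pod" }
    pod_spec := obj.spec.jobTemplate.spec.template.spec { obj.kind == "CronJob" }
    pod_spec := obj.spec.template.spec {
      obj.kind != "Pod"
      obj.kind != "CronJob"
    }

    # Check regular and init containers alike; initContainers is optional.
    all_containers := array.concat(pod_spec.containers, object.get(pod_spec, "initContainers", []))

    # One result per offending container (assumed result shape: "issue detected", "msg", "violating_key").
    violation[result] {
      some c in all_containers
      c.securityContext.privileged == true
      result := {
        "issue detected": true,
        "msg": sprintf("container '%s' is running privileged; set securityContext.privileged to false", [c.name]),
        "violating_key": "securityContext.privileged",
      }
    }
```

Applying this manifest with `kubectl apply -f` (or committing it to the cluster's Flux repository) makes the agent evaluate it on admission for the listed kinds and during its periodic audit scans; a Deployment whose pod template sets `privileged: true` on any container or init container is rejected with the message above. Because the Rego only uses `input.review.object`, the same rule can be tested offline with `opa eval` against a sample admission review document before it is committed.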
To get started, check out this guide on how to install the policy agent on your Kubernetes cluster and explore violations.
Policy agent guides for running the agent in Weave GitOps Enterprise and leveraging all its capabilities are available at docs.gitops.weave.works.
Refer to this doc for documentation on the high-level architecture and the different components that make up the agent.
Need help or want to contribute? Please see the links below.
- Have feature proposals or want to contribute?
- Please create a GitHub issue.
- Learn more about contributing here.