100% Free Forever
AI-Powered Learning
Industry Expert Content
Certificates & Badges
Learn At Your Own Pace
DevOps

Policy as Code

IntermediateTechnique8.1K learners

Policy as Code is the practice of expressing organizational, security, and compliance rules as machine-readable code — rather than as prose documents — so that policies can be automatically and consistently enforced, tested, and…

Definition

Policy as Code is the practice of expressing organizational, security, and compliance rules as machine-readable code — rather than as prose documents — so that policies can be automatically and consistently enforced, tested, and version-controlled across infrastructure and software delivery pipelines.

Overview

Traditionally, organizational policies (only approved instance types may be used; storage buckets must never be publicly readable; every deployment must have resource limits defined; only images from an approved registry may be deployed) lived in wiki pages or compliance documents, enforced through manual review, audits, or after-the-fact detection. Policy as Code moves those rules into executable code, evaluated automatically at relevant points in the software and infrastructure lifecycle — during a CI/CD pipeline run, before a Terraform apply, at Kubernetes admission time, or continuously against live infrastructure — so that violations are caught and can be blocked before they cause harm, rather than discovered during a periodic audit weeks or months later. The most prominent tooling in this space is Open Policy Agent (OPA) and its policy language Rego, which provides a general-purpose policy engine usable across many contexts — Kubernetes admission control, API authorization, Terraform plan validation, CI pipeline gates — via a consistent policy-definition and evaluation model. Other tools take a more domain-specific approach: HashiCorp Sentinel is embedded directly into Terraform Cloud/Enterprise for infrastructure-specific policy checks, and Kubernetes-native tools like Kyverno express policies in native Kubernetes YAML rather than a separate policy language. Policy as Code brings the same benefits that Infrastructure as Code brought to infrastructure management: policies become version-controlled, testable, code-reviewable, and consistently applied rather than subject to interpretation or manual enforcement gaps. It also shifts governance left — instead of a security or compliance team discovering violations during a periodic audit, policy violations are caught automatically at the point of change (a pull request, a deployment pipeline, an admission webhook), giving immediate feedback to the engineer making the change and dramatically shrinking the window during which a non-compliant resource could exist. This has made Policy as Code a standard component of mature DevSecOps and platform engineering practices, particularly in regulated industries needing demonstrable, auditable compliance enforcement.

Key Concepts

  • Organizational rules expressed as executable, version-controlled code rather than prose documents
  • Enforced automatically at key points: CI/CD pipelines, IaC plan/apply, Kubernetes admission, runtime
  • Open Policy Agent (OPA) and Rego as the leading general-purpose policy engine/language
  • Domain-specific alternatives like HashiCorp Sentinel (Terraform) and Kyverno (Kubernetes-native YAML)
  • Shifts compliance checks left — caught at change time rather than in periodic audits
  • Policies are testable and code-reviewable, just like application code
  • Supports both preventive (blocking) and detective (alerting/reporting) enforcement modes
  • Central to mature DevSecOps, platform engineering, and regulated-industry compliance workflows

Use Cases

Blocking Terraform applies that would create publicly accessible storage buckets or open security groups
Enforcing Kubernetes admission policies (e.g. requiring resource limits, disallowing privileged containers)
Gating CI/CD pipelines against deploying container images that fail security or compliance checks
Continuously auditing live cloud infrastructure against required compliance baselines
Standardizing approved cloud resource types, regions, or tags across an organization
Providing auditable evidence of policy enforcement for regulatory compliance (SOC 2, HIPAA, PCI-DSS)

Frequently Asked Questions

From the Blog