From Confusion to Clarity: How Policy-as-Code Changed the Way I See DevOps Governance

Aman Choudhary
4 min read

Policy-as-Code CI/CD Governance


"Why is no one talking about policy enforcement in CI/CD pipelines like it's a core part of DevOps?"
This was the question that started it all for me.

I am C.Aman — a cloud and DevOps engineer who recently went deep into something most people ignore until things go wrong: Policy-as-Code. This blog is not a theoretical rant. It's a hands-on breakdown of what I built, how I built it, and why I believe every engineering team should prioritize governance just like they prioritize deployments.


🚧 The Problem I Faced

As someone who builds and automates pipelines, I've always focused on speed, reliability, and automation. But I kept seeing the same problems:

  • Secrets accidentally committed to code.

  • YAML files with image: latest tags going straight to production.

  • Misconfigured GitHub workflows running with too much privilege.

No amount of "code reviews" or "manual checks" was enough. I knew there had to be a better way.

That’s when I stumbled upon OPA (Open Policy Agent) and the idea of Policy-as-Code.


🧠 What Is Policy-as-Code (in Human Terms)?

Policy-as-Code means writing rules (policies) as code that automatically validate or reject your:

  • Infrastructure files (like Terraform)

  • Kubernetes manifests

  • GitHub workflows

  • Anything YAML or JSON

You define the rules once using a language called Rego, and then every pipeline, repo, or deployment can automatically enforce them.

It's like having a robotic security guard at every DevOps checkpoint.


⚙️ What I Built (and You Can Too)

I decided to build an end-to-end Policy-as-Code Governance Platform, specifically targeting CI/CD pipelines on Azure using:

  • GitHub Actions (for CI linting)

  • Conftest (to run OPA Rego checks)

  • OPA (the brains behind policies)

  • ArgoCD (for GitOps-style deployment)

  • AKS (Azure Kubernetes Service)

  • Gatekeeper (for runtime K8s enforcement)

This wasn't just a proof-of-concept. It's a real, working system that:

  • Blocks insecure YAML files in GitHub

  • Prevents bad configurations from being deployed

  • Rejects Kubernetes manifests at runtime if they don’t comply


🔍 Real Policies I Implemented

Here are a few examples of actual Rego policies I wrote:

  1. No secrets in manifests

     # Shared header for all three rules: Conftest loads rules from package "main"
     # by default, and the `in` operator in rule 3 needs this import on OPA
     # versions before 1.0.
     package main

     import future.keywords.in

     # Fires when any env entry carries the literal value "password".
     violation["Hardcoded secret found"] {
       input.env[_].value == "password"
     }
    
  2. Disallow latest image tags

     # Fires when the image reference ends with the mutable ":latest" tag.
     violation["Don't use :latest tag"] {
       endswith(input.image, ":latest")
     }
    
  3. Allow only approved cloud regions

     # Fires when the region is not on the allow-list.
     violation["Region not allowed"] {
       not input.region in ["eastus", "westeurope"]
     }
    
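The same three checks written against a real Kubernetes Deployment manifest, as an added Conftest policy rather than code from the author's repository. It assumes the `rego.v1` syntax (OPA 0.59 or newer) and that the target region is carried in a `region` label on the Deployment.

```rego
package main

import rego.v1

# Constructed example policy: Conftest passes the Deployment manifest as `input`.

# Every container in the pod template, workload and init containers alike.
containers contains c if some c in input.spec.template.spec.containers
containers contains c if some c in input.spec.template.spec.initContainers

# 1. Secrets: an env var with a sensitive-looking name must come from a Secret
#    (valueFrom.secretKeyRef), never from an inline literal value.
sensitive_name(name) if regex.match(`(?i)(password|passwd|secret|token|api[_-]?key)`, name)

deny contains msg if {
	some c in containers
	some e in c.env
	sensitive_name(e.name)
	e.value # an inline literal is present
	msg := sprintf("container %v sets sensitive env %v inline; use valueFrom.secretKeyRef", [c.name, e.name])
}

# 2. Image tags: extract the tag, ignoring digest references and registry ports.
image_tag(image) := tag if {
	not contains(image, "@")            # "repo@sha256:..." is pinned by digest
	parts := split(image, ":")
	count(parts) > 1
	tag := parts[count(parts) - 1]
	not contains(tag, "/")              # "registry:5000/app" has a port, not a tag
}

deny contains msg if {
	some c in containers
	image_tag(c.image) == "latest"
	msg := sprintf("container %v uses the :latest tag", [c.name])
}

deny contains msg if {
	some c in containers
	not image_tag(c.image) # untagged images default to :latest
	msg := sprintf("container %v has no image tag", [c.name])
}

# 3. Regions: only approved Azure regions, read from a label on the Deployment.
approved_regions := {"eastus", "westeurope"}

deny contains msg if {
	region := input.metadata.labels.region
	not region in approved_regions
	msg := sprintf("region %v is not approved", [region])
}
```

Run it with `conftest test deployment.yaml --policy policy/`; Conftest prints each `deny` message and exits non-zero, which is what fails the GitHub Actions job.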

🔁 How the Workflow Looks (In Simple Steps)

  1. I push code to GitHub

  2. GitHub Actions runs Conftest to validate YAML/JSON against my Rego policies

  3. If it passes, the code is synced via ArgoCD to AKS

  4. Gatekeeper also checks live deployments in AKS for compliance

If anything breaks the rules — the build fails, the deployment stops, and I get logs showing why.

No more guessing. No more last-minute surprises.


📸 What It Looks Like in Action

  • ✅ A compliant deployment glides through GitHub Actions, ArgoCD, and AKS.

  • ❌ A non-compliant one is stopped at the gate — instantly.

In fact, the first time I pushed a manifest with image: latest, my pipeline failed — and I was thrilled. It meant the system was working.


💡 Why You Should Care (Especially if You're in DevOps)

Whether you're working in a small startup or an enterprise, you need:

  • Consistency in what gets deployed

  • Security by design, not as an afterthought

  • Compliance without relying on humans to remember everything

Policy-as-Code gives you all of that — in a way that scales.


🛠️ Want to Try It Yourself?

I’ve made the entire project open source, with clear documentation, phase-by-phase breakdowns, and real-world examples:

👉 GitHub Repo: Policy-as-Code Governance Platform (Azure Edition)

Feel free to fork, improve, or message me if you’re building something similar.


🙋‍♂️ Final Thoughts

I’m still learning — but this project taught me that governance doesn’t have to be painful. It can be automated, elegant, and empowering.

If you’ve never explored Policy-as-Code before, I highly recommend giving it a shot. Start small. Add one policy. Watch the impact.

Trust me: your future self (and your security team) will thank you.


Connect with me:

  • 💼 LinkedIn

  • 💬 Let’s chat about DevOps, security, and cloud-native tooling!


Thanks for reading 🙌 — and if you liked this, please consider sharing or leaving a comment. Let’s normalize security as code.


#DevOps #CloudEngineering #PolicyAsCode #OPA #GitHubActions #Kubernetes #Rego #ArgoCD #CI_CD #SecurityAsCode #OpenSource #PlatformEngineering #Argo #IaC #DevSecOps #CICDPipelines #CloudSecurity #InfrastructureAsCode #GitOps #K8sSecurity #Automation #ComplianceAsCode #RegoPolicies #YAMLValidation #GitHubSecurity #CloudNative #AzureKubernetes #SecurityAutomation #GovernanceAsCode #ShiftLeftSecurity #SoftwareSupplyChain #SecureDevOps #ModernDevOps #KubernetesGovernance #ContinuousCompliance #AzureDevOps #PlatformSecurity
