From Confusion to Clarity: How Policy-as-Code Changed the Way I See DevOps Governance

Policy-as-Code CI/CD Governance
"Why is no one talking about policy enforcement in CI/CD pipelines like it's a core part of DevOps?"
This was the question that started it all for me.
I am C.Aman — a cloud and DevOps engineer who recently went deep into something most people ignore until things go wrong: Policy-as-Code. This blog is not a theoretical rant. It's a hands-on breakdown of what I built, how I built it, and why I believe every engineering team should prioritize governance just like they prioritize deployments.
🚧 The Problem I Faced
As someone who builds and automates pipelines, I've always focused on speed, reliability, and automation. But I kept seeing the same problems:
Secrets accidentally committed to code.
YAML files with image: latest tags going straight to production.
Misconfigured GitHub workflows running with too much privilege.
No amount of "code reviews" or "manual checks" was enough. I knew there had to be a better way.
That’s when I stumbled upon OPA (Open Policy Agent) and the idea of Policy-as-Code.
🧠 What Is Policy-as-Code (in Human Terms)?
Policy-as-Code means writing rules (policies) as code that automatically validate or reject your:
Infrastructure files (like Terraform)
Kubernetes manifests
GitHub workflows
Anything YAML or JSON
You define the rules once using a language called Rego, and then every pipeline, repo, or deployment can automatically enforce them.
It's like having a robotic security guard at every DevOps checkpoint.
⚙️ What I Built (and You Can Too)
I decided to build an end-to-end Policy-as-Code Governance Platform, specifically targeting CI/CD pipelines on Azure using:
GitHub Actions (for CI linting)
Conftest (to run OPA Rego checks)
OPA (the brains behind policies)
ArgoCD (for GitOps-style deployment)
AKS (Azure Kubernetes Service)
Gatekeeper (for runtime K8s enforcement)
This wasn't just a proof-of-concept. It's a real, working system that:
Blocks insecure YAML files in GitHub
Prevents bad configurations from being deployed
Rejects Kubernetes manifests at runtime if they don’t comply
🔍 Real Policies I Implemented
Here are a few examples of actual Rego policies I wrote:
No secrets in manifests
violation["Hardcoded secret found"] { input.env[_].value == "password" }
Disallow :latest image tags
violation["Don't use :latest tag"] { endswith(input.image, ":latest") }
Allow only approved cloud regions
violation["Region not allowed"] { not input.region in ["eastus", "westeurope"] }
These rules use the pre-1.0 Rego syntax; there, in is only a keyword after import future.keywords.in, and Conftest looks for violation rules in package main by default.
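The same three rules as one complete Conftest policy package with Rego unit tests, written here as an added example rather than the code in the author's repository. It uses the rego.v1 syntax (OPA 0.59 and later), extends the image check to Kubernetes Deployment containers and to untagged images, denies a missing region instead of silently passing it, and the allow-list and test inputs are constructed values.

```rego
package main

import rego.v1

allowed_regions := {"eastus", "westeurope"}  # constructed allow-list; adjust per tenancy

# Image references from a flat document or from a Kubernetes Deployment.
images contains image if { image := input.image }
images contains c.image if { some c in input.spec.template.spec.containers }

# 1. Hardcoded secrets: any env entry whose value is the literal "password".
violation contains msg if {
    some env in input.env
    env.value == "password"
    msg := sprintf("Hardcoded secret found in env var %s", [object.get(env, "name", "<unnamed>")])
}

# 2. Mutable tags: ":latest" and untagged images (which also resolve to latest).
violation contains msg if {
    some image in images
    endswith(image, ":latest")
    msg := sprintf("Don't use :latest tag (image %s)", [image])
}
violation contains msg if {
    some image in images
    not contains(image, ":")
    not contains(image, "@")
    msg := sprintf("Image %s has no tag, so it resolves to :latest", [image])
}

# 3. Region allow-list. A missing region is denied instead of silently passing.
violation contains msg if {
    region := object.get(input, "region", "<missing>")
    not region in allowed_regions
    msg := sprintf("Region %s not allowed", [region])
}

# Unit tests: `conftest verify -p policy/` (or `opa test policy/`).
test_latest_tag_rejected if {
    violation["Don't use :latest tag (image nginx:latest)"] with input as {"image": "nginx:latest", "region": "eastus"}
}
test_untagged_deployment_rejected if {
    count(violation) == 1 with input as {"region": "eastus", "spec": {"template": {"spec": {"containers": [{"image": "nginx"}]}}}}
}
test_missing_region_denied if {
    violation["Region <missing> not allowed"] with input as {"image": "nginx:1.27.0"}
}
test_compliant_manifest_passes if {
    count(violation) == 0 with input as {"image": "nginx:1.27.0", "region": "westeurope"}
}
```

In the pipeline step, `conftest test -p policy/ manifests/` evaluates these rules against each YAML file and exits non-zero on any violation, which is what fails the GitHub Actions job.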
🔁 How the Workflow Looks (In Simple Steps)
I push code to GitHub
GitHub Actions runs Conftest to validate YAML/JSON against my Rego policies
If it passes, the code is synced via ArgoCD to AKS
Gatekeeper also checks live deployments in AKS for compliance
If anything breaks the rules — the build fails, the deployment stops, and I get logs showing why.
No more guessing. No more last-minute surprises.
📸 What It Looks Like in Action
✅ A compliant deployment glides through GitHub Actions, ArgoCD, and AKS.
❌ A non-compliant one is stopped at the gate — instantly.
In fact, the first time I pushed a manifest with image: latest, my pipeline failed — and I was thrilled. It meant the system was working.
💡 Why You Should Care (Especially if You're in DevOps)
Whether you're working in a small startup or an enterprise, you need:
Consistency in what gets deployed
Security by design, not as an afterthought
Compliance without relying on humans to remember everything
Policy-as-Code gives you all of that — in a way that scales.
🛠️ Want to Try It Yourself?
I’ve made the entire project open source, with clear documentation, phase-by-phase breakdowns, and real-world examples:
👉 GitHub Repo: Policy-as-Code Governance Platform (Azure Edition)
Feel free to fork, improve, or message me if you’re building something similar.
🙋‍♂️ Final Thoughts
I’m still learning — but this project taught me that governance doesn’t have to be painful. It can be automated, elegant, and empowering.
If you’ve never explored Policy-as-Code before, I highly recommend giving it a shot. Start small. Add one policy. Watch the impact.
Trust me: your future self (and your security team) will thank you.
Connect with me:
💼 LinkedIn
💬 Let’s chat about DevOps, security, and cloud-native tooling!
Thanks for reading 🙌 — and if you liked this, please consider sharing or leaving a comment. Let’s normalize security as code.
#DevOps #CloudEngineering #PolicyAsCode #OPA #GitHubActions #Kubernetes #Rego #ArgoCD #CI_CD #SecurityAsCode #OpenSource #PlatformEngineering #Argo #IaC #DevSecOps #CICDPipelines #CloudSecurity #InfrastructureAsCode #GitOps #K8sSecurity #Automation #ComplianceAsCode #RegoPolicies #YAMLValidation #GitHubSecurity #CloudNative #AzureKubernetes #SecurityAutomation #GovernanceAsCode #ShiftLeftSecurity #SoftwareSupplyChain #SecureDevOps #ModernDevOps #KubernetesGovernance #ContinuousCompliance #AzureDevOps #PlatformSecurity
Written by Aman Choudhary
