Policies & Compliance
Define and enforce infrastructure policies across Terraform, Ansible configurations, and Kubernetes clusters. ops0 evaluates policies before deployments, enforces Kyverno rules on clusters, and tracks violations in the compliance dashboard.

Policy Types
The Policies page organizes policies into tabs by infrastructure type:
| Tab | Engine | Use Case |
|---|---|---|
| IaC Policies | OPA / Rego | Evaluate Terraform and OpenTofu plans |
| Configuration Policies | OPA / Rego | Evaluate Ansible configuration projects |
| Kubernetes Policies | Kyverno (YAML) | Enforce rules on Kubernetes clusters |
Severity Levels
| Severity | Behavior |
|---|---|
| Error | Blocks deployment and appears as policy_blocked status |
| Warning | Non-blocking violation counted in compliance metrics |
| Info | Advisory only with no enforcement |
Policy Categories
| Category | Example Rules |
|---|---|
| Security | S3 encryption required, no public IPs on databases, security groups restricted |
| Cost | Instance size limits, no expensive instance types |
| Compliance | Resources in approved regions only, encryption at rest |
| Tagging | Required tags (Owner, Environment, CostCenter), naming conventions |
| Best Practices | Industry standards and conventions |
| Custom | User-defined policies for any scenario |
AI Policy Generation
Generate policies automatically using natural language prompts. ops0 produces valid Rego or Kyverno YAML based on your description.
1. Describe What You Need: Enter a prompt such as "Block any S3 bucket without encryption in production accounts."
2. Select Parameters: Choose the category (security, cost, compliance, etc.) and severity level.
3. Review Generated Code: ops0 produces a complete Rego policy or Kyverno YAML that you can edit before saving.
4. Save and Activate: Save the policy and optionally assign it to projects or policy groups.
AI policy generation requires AI features to be configured at the organization level in Settings → API Configuration.
Policy Groups
Organize policies into named groups and attach groups to projects. This lets you manage policy assignments at scale instead of mapping individual policies.
| Field | Description |
|---|---|
| Name | Human-readable group name |
| Description | Purpose of this group |
| Type | iac, configurations, or kubernetes |
| Enabled | Toggle group enforcement on/off |
| Policies | Policies included in this group |
| Projects | Projects this group applies to |
How Groups Work
- Create a group and add policies to it
- Map the group to one or more projects
- All policies in the group apply to every mapped project
- Toggle the group to enable/disable all policies at once
Effective Policies
A project's effective policies are the union of:
- Policies directly mapped to the project
- Policies inherited from policy groups mapped to the project
View a project's effective policies at Policies → By Project.
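The two rules above (effective policies are a union of direct mappings and enabled groups; Error blocks, Warning counts, Info advises) are small enough to show end to end. The following is an added Python example, not ops0's code: the policies, groups and project are constructed inline, the field names follow the Policy Groups table, and the non-blocked status string "allowed" is an assumption (the page only names `policy_blocked`).

```python
"""Resolve a project's effective policies and apply severity behaviour.

Added example, not ops0 code. Data model follows the Policy Groups table
(Name, Type, Enabled, Policies, Projects) and the Severity Levels table.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Policy:
    name: str
    severity: str  # "Error", "Warning" or "Info"


@dataclass(frozen=True)
class PolicyGroup:
    name: str
    type: str            # "iac", "configurations" or "kubernetes"
    enabled: bool        # the group's enforcement toggle
    policies: frozenset  # Policy members
    projects: frozenset  # names of projects the group is mapped to


@dataclass(frozen=True)
class Project:
    name: str
    direct_policies: frozenset = frozenset()


def effective_policies(project, groups):
    """Union of directly mapped policies and the policies of every *enabled*
    group mapped to the project; a disabled group contributes nothing."""
    effective = set(project.direct_policies)
    for group in groups:
        if group.enabled and project.name in group.projects:
            effective |= group.policies
    return effective


def deployment_status(violations):
    """Apply the severity table to (policy, message) violations: any Error
    blocks the deployment (policy_blocked); Warnings are counted but do not
    block; Info entries are advisory only."""
    counts = {"Error": 0, "Warning": 0, "Info": 0}
    for policy, _message in violations:
        if policy.severity not in counts:
            raise ValueError(f"unknown severity {policy.severity!r}")
        counts[policy.severity] += 1
    return {
        "status": "policy_blocked" if counts["Error"] else "allowed",  # "allowed" is assumed
        "blocking": counts["Error"],
        "warnings": counts["Warning"],
        "advisories": counts["Info"],
    }


# Constructed sample data (not from the ops0 product).
S3_ENCRYPTION = Policy("S3 Encryption Required", "Error")
REQUIRED_TAGS = Policy("Required Tags", "Warning")
APPROVED_REGIONS = Policy("Approved Regions Only", "Info")
INSTANCE_LIMITS = Policy("Instance Size Limits", "Warning")

GROUPS = [
    PolicyGroup("AWS Security Baseline", "iac", True,
                frozenset({S3_ENCRYPTION, APPROVED_REGIONS}),
                frozenset({"payments-infra", "analytics-infra"})),
    PolicyGroup("Cost Controls", "iac", False,  # toggled off: contributes nothing
                frozenset({INSTANCE_LIMITS}), frozenset({"payments-infra"})),
]
PAYMENTS = Project("payments-infra", frozenset({REQUIRED_TAGS}))


def payments_policies():
    """Names of the effective policies for the constructed payments project."""
    return {p.name for p in effective_policies(PAYMENTS, GROUPS)}


def payments_status():
    """Status for a constructed run with one Error and one Warning violation."""
    violations = [
        (S3_ENCRYPTION, "S3 bucket 'company-data-bucket' must have encryption enabled"),
        (REQUIRED_TAGS, "aws_instance.web is missing tag 'Owner'"),
    ]
    return deployment_status(violations)


if __name__ == "__main__":
    print(sorted(payments_policies()))
    print(payments_status())
```

Flipping the `enabled` flag on "Cost Controls" adds "Instance Size Limits" to the result, which is the single-toggle behaviour the How Groups Work list describes.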
Policy Templates
ops0 includes a library of built-in policy templates for common compliance and security scenarios. Import templates instead of writing policies from scratch.
| Category | Templates |
|---|---|
| AWS Security | S3 encryption, no public access, security group rules |
| AWS Cost | Instance limits, GP3 volumes |
| GCP Security | Storage encryption, firewall rules |
| Azure Security | Storage account encryption, NSG rules |
| Kubernetes | Security contexts, resource limits, image policies |
| Tagging | Required tags, naming conventions |
1. Browse Templates: Go to Policies → Templates to view the built-in library.
2. Preview: Review the Rego code and description before importing.
3. Import: Click Import to add the template as a new policy. Customize name, severity, and category as needed.
Compliance Frameworks
Import pre-built compliance frameworks that map industry standards to ops0 policies. Each framework contains controls specific to a cloud provider or platform.
| Framework | Providers |
|---|---|
| CIS Benchmarks | AWS, GCP, Azure, Oracle Cloud, Kubernetes, Ansible |
| SOC 2 | AWS, GCP, Azure, Oracle Cloud |
| HIPAA | AWS, GCP, Azure, Oracle Cloud |
| GDPR | AWS, GCP, Azure, Oracle Cloud |
| ISO 27001 | AWS, GCP, Azure, Oracle Cloud |
| ISO 27002 | AWS, GCP, Azure, Oracle Cloud |
| PCI-DSS | AWS, GCP, Azure, Oracle Cloud |
| NSA Kubernetes Hardening | Kubernetes |
| Pod Security Standards | Kubernetes |
| STIG Ansible | Ansible |
1. View Available Frameworks: Go to Policies → Frameworks and select your cloud provider.
2. Preview Controls: Review the framework's controls and mapped policies before importing.
3. Import Framework: Import creates a policy group with all framework policies pre-configured.
Kyverno Policies (Kubernetes)
For Kubernetes clusters, ops0 supports Kyverno policies written in YAML. Kyverno runs natively in the cluster and enforces policies at admission time.
| Feature | Description |
|---|---|
| Create/Import | Write Kyverno YAML or import from templates |
| Cluster Mapping | Map policies to specific Kubernetes clusters |
| Enforcement Modes | Enforce (block violations) or Audit (log only) |
| Toggle | Enable/disable individual policies |
| Validation | Syntax validation before deployment |
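The difference between the Enforce and Audit modes in the table is easiest to see by running one validate rule through both. The block below is an added Python example, not Kyverno's or ops0's code: it implements a small subset of Kyverno's pattern matching (map keys must be present and match, a one-element list pattern applies to every item, `*` and `?` wildcards in strings) and makes the admission decision for constructed Pods. The ClusterPolicy is written in the shape of the kyverno.io/v1 API; the rule name, message and objects are constructed.

```python
"""Kyverno-style admission decisions for a validate rule in Enforce vs Audit.

Added example, not Kyverno's or ops0's code. Enforce rejects a non-compliant
object; Audit admits it and records the violation for the audit log.
"""
import copy
from fnmatch import fnmatchcase

# Constructed ClusterPolicy in the shape of Kyverno's kyverno.io/v1 API.
REQUIRE_NON_ROOT = {
    "apiVersion": "kyverno.io/v1",
    "kind": "ClusterPolicy",
    "metadata": {"name": "require-run-as-nonroot"},
    "spec": {
        "validationFailureAction": "Enforce",  # "Enforce" blocks, "Audit" logs only
        "rules": [{
            "name": "check-containers",
            "match": {"any": [{"resources": {"kinds": ["Pod"]}}]},
            "validate": {
                "message": "Containers must set securityContext.runAsNonRoot: true",
                "pattern": {"spec": {"containers": [
                    {"securityContext": {"runAsNonRoot": True}}
                ]}},
            },
        }],
    },
}


def matches(pattern, value):
    """Subset of Kyverno pattern semantics: every key in a map pattern must be
    present and match; a one-element list pattern must match every list item;
    strings may use * and ? wildcards; other scalars must be equal."""
    if isinstance(pattern, dict):
        return isinstance(value, dict) and all(
            key in value and matches(sub, value[key]) for key, sub in pattern.items())
    if isinstance(pattern, list):
        if not isinstance(value, list):
            return False
        if len(pattern) == 1:
            return all(matches(pattern[0], item) for item in value)
        return len(pattern) == len(value) and all(map(matches, pattern, value))
    if isinstance(pattern, bool) or isinstance(value, bool):
        return pattern is value  # keep True distinct from 1
    if isinstance(pattern, str) and isinstance(value, str):
        return fnmatchcase(value, pattern)
    return pattern == value


def admit(policy, obj):
    """Admission decision for one object: rules whose match kinds include the
    object's kind are evaluated; a failed rule denies in Enforce mode and is
    only reported in Audit mode."""
    spec = policy["spec"]
    mode = spec["validationFailureAction"]
    violations = []
    for rule in spec["rules"]:
        kinds = {k for m in rule["match"]["any"] for k in m["resources"]["kinds"]}
        if obj["kind"] not in kinds:
            continue
        if not matches(rule["validate"]["pattern"], obj):
            violations.append(f'{rule["name"]}: {rule["validate"]["message"]}')
    allowed = not violations or mode == "Audit"
    return {"name": obj["metadata"]["name"], "mode": mode,
            "allowed": allowed, "violations": violations}


def with_action(policy, action):
    """Copy of the policy with a different validationFailureAction."""
    clone = copy.deepcopy(policy)
    clone["spec"]["validationFailureAction"] = action
    return clone


# Constructed objects submitted to admission.
COMPLIANT_POD = {"kind": "Pod", "metadata": {"name": "api"}, "spec": {"containers": [
    {"name": "api", "image": "registry.example/api:1.4",
     "securityContext": {"runAsNonRoot": True}}]}}
ROOT_POD = {"kind": "Pod", "metadata": {"name": "debug"}, "spec": {"containers": [
    {"name": "shell", "image": "registry.example/tools:latest"}]}}  # no securityContext
CONFIG_MAP = {"kind": "ConfigMap", "metadata": {"name": "settings"}, "data": {}}


def evaluate_all(policy):
    """Decisions for every constructed object, keyed by object name."""
    return {obj["metadata"]["name"]: admit(policy, obj)
            for obj in (COMPLIANT_POD, ROOT_POD, CONFIG_MAP)}


if __name__ == "__main__":
    for mode in ("Enforce", "Audit"):
        for name, decision in evaluate_all(with_action(REQUIRE_NON_ROOT, mode)).items():
            print(mode, name, "allowed" if decision["allowed"] else "DENIED", decision["violations"])
```

The ConfigMap is admitted without evaluation because the rule's match block only lists Pods; the same `debug` Pod is denied under Enforce and admitted with a recorded violation under Audit, which is why switching a cluster from Audit to Enforce should be done only after the audit results are clean.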
Policy Diagnostics
The Policy Diagnostics modal shows the health of Kyverno on a cluster:
- Kyverno installation status
- Deployed policies and their enforcement modes
- Webhook verification status
- Per-rule detail and status
Policy Actions
| Action | Description |
|---|---|
| Create | Write a new policy or use AI generation |
| Edit | Modify policy code, settings, or mappings |
| Test | Run against sample input in the editor |
| Enable/Disable | Toggle enforcement with a single click |
| Map to Projects | Assign directly or via policy groups |
| Delete | Remove the policy permanently |
Policy Check History
View a log of all policy evaluations across projects. The history shows:
- Which policies ran and their results (pass/fail)
- The project and deployment that triggered the check
- Timestamps and duration
- Violation details for failed checks
Access at Policies → Check History.
Example: Blocking an Insecure S3 Bucket
The Policy
```rego
package ops0.terraform.s3

deny[msg] {
    # Walk every planned resource in the root module of the Terraform plan JSON
    resource := input.planned_values.root_module.resources[_]
    # Only S3 buckets are in scope for this rule
    resource.type == "aws_s3_bucket"
    # Flag buckets that carry no server-side encryption block
    not resource.values.server_side_encryption_configuration
    msg := sprintf(
        "S3 bucket '%s' must have encryption enabled",
        [resource.values.bucket]
    )
}
```
Policy Settings
- Name: S3 Encryption Required
- Type: IaC (Terraform)
- Category: Security
- Severity: Error
Deployment Blocked
```text
Terraform Plan: 1 to add, 0 to change, 0 to destroy

Policy Evaluation
─────────────────────────────────────
✗ FAILED - S3 Encryption Required (Error)
Violations:
  • S3 bucket 'company-data-bucket' must have encryption enabled

Deployment blocked. Fix violations and retry.
```
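To see what the policy above actually inspects, here is an added Python example that reads the same `planned_values.root_module.resources` path and emits the same message; it is neither ops0's evaluator nor OPA, and the plan is a constructed excerpt in the `terraform show -json` shape. It goes slightly beyond the Rego in two labelled ways: it also walks `child_modules`, and it treats a bucket as encrypted when a separate `aws_s3_bucket_server_side_encryption_configuration` resource (the AWS provider v4+ layout) names it. It also counts an empty list as "no encryption block", since plan JSON serialises an unset list-nested block as `[]`.

```python
"""Evaluate the S3 encryption rule against a Terraform plan.

Added example, not ops0's evaluator and not OPA. The plan is a constructed
excerpt in the `terraform show -json` shape.
"""
import json

# Constructed plan excerpt (not a real plan). The unset
# server_side_encryption_configuration block is serialised as an empty list.
PLAN_JSON = json.dumps({
    "format_version": "1.2",
    "planned_values": {"root_module": {
        "resources": [
            {"address": "aws_s3_bucket.data", "type": "aws_s3_bucket",
             "values": {"bucket": "company-data-bucket",
                        "server_side_encryption_configuration": []}},
            {"address": "aws_s3_bucket.logs", "type": "aws_s3_bucket",
             "values": {"bucket": "company-logs-bucket",
                        "server_side_encryption_configuration": [{"rule": [
                            {"apply_server_side_encryption_by_default": [
                                {"sse_algorithm": "aws:kms"}]}]}]}},
            {"address": "aws_instance.web", "type": "aws_instance",
             "values": {"instance_type": "t3.small"}},
        ],
        "child_modules": [{"address": "module.archive", "resources": [
            {"address": "module.archive.aws_s3_bucket.this", "type": "aws_s3_bucket",
             "values": {"bucket": "company-archive-bucket"}},
            {"address": "module.archive.aws_s3_bucket_server_side_encryption_configuration.this",
             "type": "aws_s3_bucket_server_side_encryption_configuration",
             "values": {"bucket": "company-archive-bucket", "rule": [
                 {"apply_server_side_encryption_by_default": [
                     {"sse_algorithm": "AES256"}]}]}},
        ]}],
    }},
})


def iter_resources(module):
    """Yield a module's resources and, recursively, those of its child modules
    (the Rego above reads root_module only; descending is an extension)."""
    yield from module.get("resources", [])
    for child in module.get("child_modules", []):
        yield from iter_resources(child)


def has_inline_encryption(resource):
    """The Rego's `not resource.values.server_side_encryption_configuration`,
    with an empty list also counted as 'no encryption block'."""
    return bool(resource.get("values", {}).get("server_side_encryption_configuration"))


def separately_encrypted_buckets(resources):
    """Bucket names covered by a standalone encryption resource. Matching is on
    the literal `bucket` value: a reference that is unknown until apply is
    absent from planned_values and would not be matched here."""
    return {r.get("values", {}).get("bucket") for r in resources
            if r.get("type") == "aws_s3_bucket_server_side_encryption_configuration"}


def evaluate_plan_json(plan_text):
    """Return one violation message per aws_s3_bucket with no encryption."""
    plan = json.loads(plan_text)
    resources = list(iter_resources(plan["planned_values"]["root_module"]))
    covered = separately_encrypted_buckets(resources)
    violations = []
    for res in resources:
        if res.get("type") != "aws_s3_bucket":
            continue
        # Fall back to the address when the bucket name is unknown until apply
        name = res.get("values", {}).get("bucket", res.get("address"))
        if has_inline_encryption(res) or name in covered:
            continue
        violations.append(f"S3 bucket '{name}' must have encryption enabled")
    return violations


def render_report(violations, policy="S3 Encryption Required", severity="Error"):
    """Format the outcome the way the Deployment Blocked output above does."""
    if not violations:
        return f"✓ PASSED - {policy} ({severity})"
    lines = [f"✗ FAILED - {policy} ({severity})", "Violations:"]
    lines += [f"  • {v}" for v in violations]
    if severity == "Error":
        lines.append("Deployment blocked. Fix violations and retry.")
    return "\n".join(lines)


if __name__ == "__main__":
    print(render_report(evaluate_plan_json(PLAN_JSON)))
```

Only `company-data-bucket` is reported: the logs bucket carries an inline encryption block and the archive bucket is covered by the standalone resource in its module. When testing a policy in the editor, a plan with each of these three cases is a useful sample input.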