Skip to main content
Version: 0.21.2

Policy Enterprise

Policy CRD

The Policy CRD is used to define policies which are then consumed and used by the agent to validate entities.

It uses OPA Rego Language to evaluate the entities.

Policy Library

You should have a policy library repo set up which includes your policies resources as CRDs.


Enterprise customers should have access to fork policy library repo into their local repositories.

Tenant Policy

Tenant policies are special policies that are used by the Multi Tenancy feature in Weave GitOps Enterprise

Tenant policies have a special tag tenancy.

Mutating Resources

Starting from version v2.2.0, the policy agent will support mutating resources.

To enable mutating resources, policies must have field mutate set to true and the rego code should return the violating_key and the recommended_value in the violation response. The mutation webhook will use the violating_key and recommended_value to mutate the resource and return the new mutated resource.


result = {
"issue_detected": true,
"msg": sprintf("Replica count must be greater than or equal to '%v'; found '%v'.", [min_replica_count, replicas]),
"violating_key": "spec.replicas",
"recommended_value": min_replica_count

Policy Validation

The policy validation object is the result of validating an entity against a policy. It contains all the necessary information to give the user a clear idea on what caused this violation or compliance.

id: string # identifier for the violation
account_id: string # organization identifier
cluster_id: string # cluster identifier
policy: object # contains related policy data
entity: object # contains related resource data
status: string # Violation or Compliance
message: string # message that summarizes the policy validation
type: string # the mode that produced this object. one of: Admission, Audit, TFAdmission
trigger: string # what triggered the validation, create request or initial audit,..
created_at: string # time that the validation occurred in