* [Blog](https://www.paloaltonetworks.com/blog)
* [Cloud Security](https://www.paloaltonetworks.com/blog/cloud-security/)
* [Cloud Computing](https://www.paloaltonetworks.com/blog/category/cloud-computing-2/)
* Prevent Dangerous Kuberne...

# Prevent Dangerous Kubernetes Operations with Prisma Cloud's Open Policy Agent Integration

[](https://www.facebook.com/sharer/sharer.php?u=https%3A%2F%2Fwww.paloaltonetworks.com%2Fblog%2Fcloud-security%2Fprisma-cloud-compute-open-policy-agent%2F)  
[](https://twitter.com/share?text=Prevent+Dangerous+Kubernetes+Operations+with+Prisma+Cloud%27s+Open+Policy+Agent+Integration&url=https%3A%2F%2Fwww.paloaltonetworks.com%2Fblog%2Fcloud-security%2Fprisma-cloud-compute-open-policy-agent%2F)  
[](https://www.linkedin.com/shareArticle?mini=true&url=https%3A%2F%2Fwww.paloaltonetworks.com%2Fblog%2Fcloud-security%2Fprisma-cloud-compute-open-policy-agent%2F&title=Prevent+Dangerous+Kubernetes+Operations+with+Prisma+Cloud%27s+Open+Policy+Agent+Integration&summary=&source=)  
[](https://www.paloaltonetworks.com//www.reddit.com/submit?url=https://www.paloaltonetworks.com/blog/cloud-security/prisma-cloud-compute-open-policy-agent/&ts=markdown)  
\[\](mailto:?subject=Prevent Dangerous Kubernetes Operations with Prisma Cloud's Open Policy Agent Integration)  
Link copied  
By [Doug Purcell](https://www.paloaltonetworks.com/blog/author/doug-purcell/?ts=markdown "Posts by Doug Purcell")  
Jul 08, 2021  
5 minutes  
[Cloud Computing](https://www.paloaltonetworks.com/blog/category/cloud-computing-2/?ts=markdown)  
[Cloud Workload Protection Platform](https://www.paloaltonetworks.com/blog/cloud-security/category/cloud-workload-protection-platform/?ts=markdown)  
[Kubernetes](https://www.paloaltonetworks.com/blog/tag/kubernetes/?ts=markdown)  
[Open Policy Agent](https://www.paloaltonetworks.com/blog/tag/open-policy-agent/?ts=markdown)

If you're looking for ways to create security guardrails in your Kubernetes environment, then you can consider using [Prisma Cloud's integration with Open Policy Agent](https://www.paloaltonetworks.com/blog/prisma-cloud/open-policy-agent-support/?ts=markdown) (OPA) to enforce runtime policies, such as protecting against spinning up unvetted images or misconfigured pods that are overprivileged. Prisma Cloud Compute simplifies the management of OPA policies across your Kubernetes deployments, and in this tutorial you will learn how to implement OPA-based policies in Prisma Cloud Compute so that you can enforce security guardrails.

## Prerequisites

To follow the steps in this tutorial, complete the following prerequisites:

* Have a Prisma Cloud Console with Defenders deployed. Reach out to Prisma Cloud customer support to get access to Prisma Cloud Compute.
* Have some Defenders deployed on a Kubernetes cluster. Refer to the documentation for instructions on how to [deploy Defenders](https://docs.paloaltonetworks.com/prisma/prisma-cloud/prisma-cloud-admin-compute/install/install_kubernetes.html).
* Have the ability to manage your Kubernetes cluster or kubectl access between get nodes and get pods.

After the prerequisites have been completed, you will have enabled the default policies in Compute.

## Enable Admission Control in Prisma Cloud Compute

Prisma Cloud Compute comes with an admission controller which is a piece of code that intercepts requests to the Kubernetes API server. It's built using the Open Policy Agent which has a built-in declarative language called Rego for creating your own custom policies. To use the admission controller, enable it within Compute by navigating to the **Defend** section of the user interface and select **Access \> Admission** and toggle **Disabled** to **Enabled** which turns admission control on in the UI. Then, you'll also need to deploy a Webhook into the cluster.

![Enable admission control in Prisma Cloud Compute](https://www.paloaltonetworks.com/blog/wp-content/uploads/2021/07/word-image-7.png)
Enable admission control in Prisma Cloud Compute

## Deploy a Webhook

A webhook enables web apps to communicate with each other and for real time data from one app to notify another after an event occurred. After the admission control is enabled you need to deploy a webhook into the cluster to send the AdmissionReview object to the Defender so that the policies are evaluated. If no webhook is deployed the policies won't be enforced. To deploy a Webhook, turn-on the admission controller by navigating to **Manage** in the UI and select **Defenders** \> **Advanced settings** and toggle **Disabled** to **Enabled**.

![Enable admission controller in the Advanced Defender settings](https://www.paloaltonetworks.com/blog/wp-content/uploads/2021/07/word-image-8.png)
Enable admission controller in the Advanced Defender settings

The YAML file represents the configuration details that are used to validate the webhook. You can copy/paste it into an editor like VSCode by clicking the **Copy configuration** button which highlights the entire file.

`apiVersion: admissionregistration.k8s.io/v1`

`kind: ValidatingWebhookConfiguration`

`metadata:`

`name: "tw-validating-webhook"`

`webhooks:`

`- name: "validating-webhook.twistlock.com"`

` admissionReviewVersions: ["v1", "v1beta1"]`

` sideEffects: None`

` failurePolicy: Fail`

` rules:`

`- operations: ["CREATE", "UPDATE", "CONNECT", "DELETE"]`

` apiGroups: ["*"]`

` apiVersions: ["*"]`

` resources: ["*/*"]`

`clientConfig:`

`caBundle: "<snip>"`

`service:`

`name: defender`

`namespace: "twistlock"`

`path: "<snip>"`

If you changed any of the default settings while deploying defenders, such as the default namespace `twistlock`, you'll need to adjust those settings in this file to match. In addition, you can change the operation rules in the handbook. For example, you can add DELETE if you want to ensure that a namespace can be deleted. Next, apply the file to create the Webhook. Assuming that you named the file `ValidatingWebhookConfiguration.yml`, you can use the following Kubernetes command:

`kubectl apply -f ValidatingWebhookConfiguration.yml`

The output will be:

`validatingwebhookconfiguration.admissionregistration.k8s.io/tw-validating-webhook created`

The output indicates that the webhook was successfully created and that you have the hooks setup in the API. After the Webhook has been created in your cluster you should see the default policies in Admission Control by navigating to the **Defend** portion of the UI and selecting **Access \> Admission** and toggling **Disabled** to **Enabled**.
![Default policies in Admission Control in the Defend part of the UI](https://www.paloaltonetworks.com/blog/wp-content/uploads/2021/07/word-image-9.png)
Default policies in Admission Control in the Defend part of the UI

Defenders deployed to Kubernetes clusters can function as Open Policy Agent admission controllers. They can evaluate rules written in the Rego language to allow, alert, or block admission requests. Compute supplies default policies for a myriad of use cases such as detecting pods created with sensitive host file system mounts or minimizing the admission of privileged containers. If any of the default policies don't fit your organization's needs, disable them here. Also, extend the functionality of the default policies by adding new custom rules using Rego.

## Get Started With Creating Your Own Custom Rules

Prisma Cloud Compute has a set of rules that will help you get started with creating your own custom policies. You can find examples on [GitHub](https://github.com/twistlock/sample-code/tree/master/opa-rego-policies) that will help you write your custom Rego policies along with [notes](https://github.com/twistlock/sample-code/tree/master/opa-rego-policies#notes) for assisting you with writing your own policies. For more helpful information and how-tos, [visit our TechDocs](https://docs.paloaltonetworks.com/prisma/prisma-cloud.html).

*** ** * ** ***

## Related Blogs

### [Cloud Detection and Response](https://www.paloaltonetworks.com/blog/cloud-security/category/cloud-detection-and-response/?ts=markdown), [Cloud Security](https://www.paloaltonetworks.com/blog/category/cloud-security/?ts=markdown), [Cloud Workload Protection Platform](https://www.paloaltonetworks.com/blog/cloud-security/category/cloud-workload-protection-platform/?ts=markdown), [KSPM](https://www.paloaltonetworks.com/blog/cloud-security/category/kspm/?ts=markdown)

[#### Kubernetes: A Practitioner's Guide to KSPM](https://www.paloaltonetworks.com/blog/cloud-security/kubernetes-a-practitioners-guide-to-kspm/)

### [Announcement](https://www.paloaltonetworks.com/blog/cloud-security/category/announcement/?ts=markdown), [Cloud Computing](https://www.paloaltonetworks.com/blog/category/cloud-computing-2/?ts=markdown), [Event](https://www.paloaltonetworks.com/blog/category/event/?ts=markdown)

[#### Join Prisma Cloud at KubeCon North America in Chicago](https://www.paloaltonetworks.com/blog/cloud-security/kubecon-na-2023/)

### [Cloud Computing](https://www.paloaltonetworks.com/blog/category/cloud-computing-2/?ts=markdown), [DevSecOps](https://www.paloaltonetworks.com/blog/cloud-security/category/devsecops/?ts=markdown)

[#### AppSec and CloudSec 101: Blurring the Lines Between Cloud-Native App Layers](https://www.paloaltonetworks.com/blog/cloud-security/application-infrastructure-security-101-blurring-cloud-native-app-layers/)

### [Cloud Workload Protection Platform](https://www.paloaltonetworks.com/blog/cloud-security/category/cloud-workload-protection-platform/?ts=markdown), [Partners](https://www.paloaltonetworks.com/blog/category/partners/?ts=markdown)

[#### Prisma Cloud Supports Arm Workloads on Google Cloud and GKE](https://www.paloaltonetworks.com/blog/cloud-security/supports-arm-workloads-on-google-cloud-and-gke/)

### [Cloud Computing](https://www.paloaltonetworks.com/blog/category/cloud-computing-2/?ts=markdown), [Cloud Native Application Protection Platform](https://www.paloaltonetworks.com/blog/category/cloud-native-application-protection-platforms/?ts=markdown), [Cloud Workload Protection Platform](https://www.paloaltonetworks.com/blog/cloud-security/category/cloud-workload-protection-platform/?ts=markdown)

[#### Zero Trust for Applications: Securing Content within Transactions](https://www.paloaltonetworks.com/blog/cloud-security/zero-trust-for-applications-securing-content-within-transactions/)

### [Cloud Infrastructure Entitlement Management](https://www.paloaltonetworks.com/blog/cloud-security/category/cloud-infrastructure-entitlement-management/?ts=markdown), [Cloud Network Security](https://www.paloaltonetworks.com/blog/cloud-security/category/cloud-network-security/?ts=markdown), [Cloud Security Posture Management](https://www.paloaltonetworks.com/blog/category/cloud-security-posture-management/?ts=markdown), [Cloud Workload Protection Platform](https://www.paloaltonetworks.com/blog/cloud-security/category/cloud-workload-protection-platform/?ts=markdown), [DevSecOps](https://www.paloaltonetworks.com/blog/cloud-security/category/devsecops/?ts=markdown)

[#### 6 Common Kubernetes and Container Attack Techniques and How to Prevent Them](https://www.paloaltonetworks.com/blog/cloud-security/6-common-kubernetes-attacks/)

### Subscribe to Cloud Security Blogs!

Sign up to receive must-read articles, Playbooks of the Week, new feature announcements, and more.
![spinner](https://www.paloaltonetworks.com/blog/wp-content/themes/panwblog2023/dist/images/ajax-loader.gif) Sign up  
Please enter a valid email.  
By submitting this form, you agree to our [Terms of Use](https://www.paloaltonetworks.com/legal-notices/terms-of-use?ts=markdown) and acknowledge our [Privacy Statement](https://www.paloaltonetworks.com/legal-notices/privacy?ts=markdown). Please look for a confirmation email from us. If you don't receive it in the next 10 minutes, please check your spam folder.  
This site is protected by reCAPTCHA and the Google [Privacy Policy](https://policies.google.com/privacy) and [Terms of Service](https://policies.google.com/terms) apply.  
{#footer} {#footer}

## Products and Services

* [AI-Powered Network Security Platform](https://www.paloaltonetworks.com/network-security?ts=markdown)

* [Secure AI by Design](https://www.paloaltonetworks.com/precision-ai-security/secure-ai-by-design?ts=markdown)

* [Prisma AIRS](https://www.paloaltonetworks.com/prisma/prisma-ai-runtime-security?ts=markdown)

* [AI Access Security](https://www.paloaltonetworks.com/sase/ai-access-security?ts=markdown)

* [Cloud Delivered Security Services](https://www.paloaltonetworks.com/network-security/security-subscriptions?ts=markdown)

* [Advanced Threat Prevention](https://www.paloaltonetworks.com/network-security/advanced-threat-prevention?ts=markdown)

* [Advanced URL Filtering](https://www.paloaltonetworks.com/network-security/advanced-url-filtering?ts=markdown)

* [Advanced WildFire](https://www.paloaltonetworks.com/network-security/advanced-wildfire?ts=markdown)

* [Advanced DNS Security](https://www.paloaltonetworks.com/network-security/advanced-dns-security?ts=markdown)

* [Enterprise Data Loss Prevention](https://www.paloaltonetworks.com/sase/enterprise-data-loss-prevention?ts=markdown)

* [Enterprise IoT Security](https://www.paloaltonetworks.com/network-security/enterprise-device-security?ts=markdown)

* [Medical IoT Security](https://www.paloaltonetworks.com/network-security/medical-device-security?ts=markdown)

* [Industrial OT Security](https://www.paloaltonetworks.com/network-security/medical-device-security?ts=markdown)

* [SaaS Security](https://www.paloaltonetworks.com/sase/saas-security?ts=markdown)

* [Next-Generation Firewalls](https://www.paloaltonetworks.com/network-security/next-generation-firewall?ts=markdown)

* [Hardware Firewalls](https://www.paloaltonetworks.com/network-security/hardware-firewall-innovations?ts=markdown)

* [Software Firewalls](https://www.paloaltonetworks.com/network-security/software-firewalls?ts=markdown)

* [Strata Cloud Manager](https://www.paloaltonetworks.com/network-security/strata-cloud-manager?ts=markdown)

* [SD-WAN for NGFW](https://www.paloaltonetworks.com/network-security/sd-wan-subscription?ts=markdown)

* [PAN-OS](https://www.paloaltonetworks.com/network-security/pan-os?ts=markdown)

* [Panorama](https://www.paloaltonetworks.com/network-security/panorama?ts=markdown)

* [Secure Access Service Edge](https://www.paloaltonetworks.com/sase?ts=markdown)

* [Prisma SASE](https://www.paloaltonetworks.com/sase?ts=markdown)

* [Application Acceleration](https://www.paloaltonetworks.com/sase/app-acceleration?ts=markdown)

* [Autonomous Digital Experience Management](https://www.paloaltonetworks.com/sase/adem?ts=markdown)

* [Enterprise DLP](https://www.paloaltonetworks.com/sase/enterprise-data-loss-prevention?ts=markdown)

* [Prisma Access](https://www.paloaltonetworks.com/sase/access?ts=markdown)

* [Prisma Browser](https://www.paloaltonetworks.com/sase/prisma-browser?ts=markdown)

* [Prisma SD-WAN](https://www.paloaltonetworks.com/sase/sd-wan?ts=markdown)

* [Remote Browser Isolation](https://www.paloaltonetworks.com/sase/remote-browser-isolation?ts=markdown)

* [SaaS Security](https://www.paloaltonetworks.com/sase/saas-security?ts=markdown)

* [AI-Driven Security Operations Platform](https://www.paloaltonetworks.com/cortex?ts=markdown)

* [Cloud Security](https://www.paloaltonetworks.com/cortex/cloud?ts=markdown)

* [Cortex Cloud](https://www.paloaltonetworks.com/cortex/cloud?ts=markdown)

* [Application Security](https://www.paloaltonetworks.com/cortex/cloud/application-security?ts=markdown)

* [Cloud Posture Security](https://www.paloaltonetworks.com/cortex/cloud/cloud-posture-security?ts=markdown)

* [Cloud Runtime Security](https://www.paloaltonetworks.com/cortex/cloud/runtime-security?ts=markdown)

* [Prisma Cloud](https://www.paloaltonetworks.com/prisma/cloud?ts=markdown)

* [AI-Driven SOC](https://www.paloaltonetworks.com/cortex?ts=markdown)

* [Cortex XSIAM](https://www.paloaltonetworks.com/cortex/cortex-xsiam?ts=markdown)

* [Cortex XDR](https://www.paloaltonetworks.com/cortex/cortex-xdr?ts=markdown)

* [Cortex XSOAR](https://www.paloaltonetworks.com/cortex/cortex-xsoar?ts=markdown)

* [Cortex Xpanse](https://www.paloaltonetworks.com/cortex/cortex-xpanse?ts=markdown)

* [Unit 42 Managed Detection \& Response](https://www.paloaltonetworks.com/cortex/managed-detection-and-response?ts=markdown)

* [Managed XSIAM](https://www.paloaltonetworks.com/cortex/managed-xsiam?ts=markdown)

* [Threat Intel and Incident Response Services](https://www.paloaltonetworks.com/unit42?ts=markdown)

* [Proactive Assessments](https://www.paloaltonetworks.com/unit42/assess?ts=markdown)

* [Incident Response](https://www.paloaltonetworks.com/unit42/respond?ts=markdown)

* [Transform Your Security Strategy](https://www.paloaltonetworks.com/unit42/transform?ts=markdown)

* [Discover Threat Intelligence](https://www.paloaltonetworks.com/unit42/threat-intelligence-partners?ts=markdown)

## Company

* [About Us](https://www.paloaltonetworks.com/about-us?ts=markdown)
* [Careers](https://jobs.paloaltonetworks.com/en/)
* [Contact Us](https://www.paloaltonetworks.com/company/contact-sales?ts=markdown)
* [Corporate Responsibility](https://www.paloaltonetworks.com/about-us/corporate-responsibility?ts=markdown)
* [Customers](https://www.paloaltonetworks.com/customers?ts=markdown)
* [Investor Relations](https://investors.paloaltonetworks.com/)
* [Location](https://www.paloaltonetworks.com/about-us/locations?ts=markdown)
* [Newsroom](https://www.paloaltonetworks.com/company/newsroom?ts=markdown)

## Popular Links

* [Blog](https://www.paloaltonetworks.com/blog/?ts=markdown)
* [Communities](https://www.paloaltonetworks.com/communities?ts=markdown)
* [Content Library](https://www.paloaltonetworks.com/resources?ts=markdown)
* [Cyberpedia](https://www.paloaltonetworks.com/cyberpedia?ts=markdown)
* [Event Center](https://events.paloaltonetworks.com/)
* [Manage Email Preferences](https://start.paloaltonetworks.com/preference-center)
* [Products A-Z](https://www.paloaltonetworks.com/products/products-a-z?ts=markdown)
* [Product Certifications](https://www.paloaltonetworks.com/legal-notices/trust-center/compliance?ts=markdown)
* [Report a Vulnerability](https://www.paloaltonetworks.com/security-disclosure?ts=markdown)
* [Sitemap](https://www.paloaltonetworks.com/sitemap?ts=markdown)
* [Tech Docs](https://docs.paloaltonetworks.com/)
* [Unit 42](https://unit42.paloaltonetworks.com/)
* [Do Not Sell or Share My Personal Information](https://panwedd.exterro.net/portal/dsar.htm?target=panwedd)
  ![PAN logo](https://www.paloaltonetworks.com/etc/clientlibs/clean/imgs/pan-logo-dark.svg)
* [Privacy](https://www.paloaltonetworks.com/legal-notices/privacy?ts=markdown)
* [Trust Center](https://www.paloaltonetworks.com/legal-notices/trust-center?ts=markdown)
* [Terms of Use](https://www.paloaltonetworks.com/legal-notices/terms-of-use?ts=markdown)
* [Documents](https://www.paloaltonetworks.com/legal?ts=markdown)

Copyright © 2026 Palo Alto Networks. All Rights Reserved

* [![Youtube](https://www.paloaltonetworks.com/etc/clientlibs/clean/imgs/social/youtube-black.svg)](https://www.youtube.com/user/paloaltonetworks)
* [![Podcast](https://www.paloaltonetworks.com/content/dam/pan/en_US/images/icons/podcast.svg)](https://www.paloaltonetworks.com/podcasts/threat-vector?ts=markdown)
* [![Facebook](https://www.paloaltonetworks.com/etc/clientlibs/clean/imgs/social/facebook-black.svg)](https://www.facebook.com/PaloAltoNetworks/)
* [![LinkedIn](https://www.paloaltonetworks.com/etc/clientlibs/clean/imgs/social/linkedin-black.svg)](https://www.linkedin.com/company/palo-alto-networks)
* [![Twitter](https://www.paloaltonetworks.com/etc/clientlibs/clean/imgs/social/twitter-x-black.svg)](https://twitter.com/PaloAltoNtwks)
* EN  
  Select your language