Abstract
Cloud-native software-delivery pipelines increasingly rely on Policy-as-Code (PaC) to automate security, compliance, and governance enforcement. Although Policy-as-Code is widely adopted within Continuous Integration (CI) pipelines and Kubernetes admission-control frameworks, governance requirements are often implemented independently, potentially increasing maintenance effort and creating opportunities for policy drift. Despite the growing adoption of Policy-as-Code, comparatively little empirical evidence exists regarding the reuse of a shared policy-definition layer across complementary enforcement stages within the software-delivery lifecycle. This paper presents and empirically evaluates a reusable multi-stage Policy-as-Code enforcement model based on a shared policy-definition layer implemented using the Open Policy Agent (OPA) framework and its Rego policy language. Rather than proposing a new Policy-as-Code technology, the study investigates whether a shared policy-definition layer can support consistent policy enforcement across Continuous Integration validation and Kubernetes admission control. The model was evaluated using Conftest and OPA Gatekeeper through a structured experimental study comprising 29 Kubernetes manifests, 37 experimental scenarios, eight Kubernetes resource types, and 261 policy assertions covering representative cloud-native workload-governance requirements. Within the evaluated dataset, all intentionally introduced insecure configurations were correctly identified without observed false positives or false negatives. The shared policy-definition layer was successfully reused across both validation stages, while Kubernetes admission control mitigated all evaluated CI bypass scenarios by providing an independent deployment-time enforcement boundary. The results demonstrate that a shared policy-definition layer can support consistent policy enforcement across complementary enforcement stages while enabling policy reuse without requiring duplicate policy implementations within the evaluated environment. More broadly, the study contributes empirical evidence supporting policy reuse as a governance strategy for cloud-native software delivery and provides a reproducible foundation for future investigations involving larger datasets, broader governance-policy portfolios, alternative Policy-as-Code ecosystems, and production-scale deployments.
IPC Classification
Keywords
€ 4.00