Enforce Governance Policies
A ValidatingResourcePolicy is a declarative, reusable way to enforce governance rules across any
resource using Google CEL expressions. Use it to block destructive operations,
enforce limits (partitions, replication factor), or require naming and metadata conventions.
For the full specification, see the ValidatingResourcePolicy reference. For the broader picture, see Validations.
Before you begin
- A Jikkou context configured for your platform — see Getting Started.
1. Write a policy
A policy selects the resources it applies to and defines rules. Each rule’s expression fails when it
evaluates to true. The failurePolicy decides what happens on failure:
- FAIL: abort the operation with an error.
- FILTER: silently drop the invalid resource(s) and continue.
file: policy-topics.yaml
```yaml
---
apiVersion: core.jikkou.io/v1
kind: ValidatingResourcePolicy
metadata:
  name: KafkaTopicPolicy
spec:
  failurePolicy: FAIL
  selector:
    matchResources:
      - kind: KafkaTopic
  rules:
    - name: MaxTopicPartitions
      expression: "resource.spec.partitions > 50"
      messageExpression: "'Topic partitions MUST be <= 50, but was: ' + string(resource.spec.partitions)"
    - name: MinTopicPartitions
      expression: "resource.spec.partitions < 3"
      message: "Topic must have at least 3 partitions"
```
2. Apply resources with the policy
Policies are transient resources: pass the policy file alongside the resources being validated. Jikkou evaluates the policy during reconciliation.
```shell
jikkou apply --files ./kafka-topics.yaml --files ./policy-topics.yaml --dry-run
```
If a topic violates a rule, a FAIL policy stops the run and prints the rule’s message.
Block destructive operations
Policies can match change resources (e.g. KafkaTopicChange) to control operations. This example
filters out delete operations on topics so they are never executed:
```yaml
---
apiVersion: core.jikkou.io/v1
kind: ValidatingResourcePolicy
metadata:
  name: BlockTopicDeletes
spec:
  failurePolicy: FILTER
  selector:
    matchResources:
      - kind: KafkaTopicChange
  rules:
    - name: FilterDeleteOperation
      expression: "resource.spec.op == 'DELETE'"
      messageExpression: "'Operation ' + resource.spec.op + ' on topics is not authorized'"
```
Target a subset of resources
Combine matchResources, matchLabels, and matchExpressions (with matchingStrategy: ALL or ANY)
to scope a policy. For example, apply it only to topics in the prod environment:
```yaml
selector:
  matchingStrategy: ALL
  matchResources:
    - kind: KafkaTopic
  matchLabels:
    - key: environment
      operator: In
      values: ["prod"]
```
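To make the FAIL/FILTER semantics and the selector scoping concrete, here is an added simulation that is not part of the Jikkou project or this page. It is a hypothetical Python model, not Jikkou's engine: plain Python predicates stand in for the CEL expressions, the `Selector`, `Rule` and `ValidatingResourcePolicy` classes are assumptions of the example, and the three KafkaTopic resources are constructed sample input. It runs the two rules of KafkaTopicPolicy above, scoped to prod topics with the matchLabels selector, and shows how FAIL aborts on the first violation while FILTER drops the offending resource (the same FILTER mechanism BlockTopicDeletes relies on), and how switching matchingStrategy from ALL to ANY widens which resources the rules apply to.

```python
"""Hypothetical simulation of ValidatingResourcePolicy behaviour (not Jikkou's engine).

Python predicates stand in for the CEL `expression` / `messageExpression` fields."""
from dataclasses import dataclass, field
from typing import Callable, Dict, List


class PolicyViolation(Exception):
    """Raised when a policy with failurePolicy FAIL matches a resource."""


@dataclass
class Rule:
    name: str
    expression: Callable[[dict], bool]  # stands in for CEL `expression`; True = violation
    message: Callable[[dict], str]      # stands in for `message` / `messageExpression`


@dataclass
class Selector:
    kinds: List[str] = field(default_factory=list)    # matchResources[].kind
    labels: List[dict] = field(default_factory=list)  # matchLabels[]: key / operator / values
    strategy: str = "ALL"                             # matchingStrategy: ALL | ANY

    def matches(self, res: dict) -> bool:
        checks = [res["kind"] in self.kinds] if self.kinds else []
        for m in self.labels:
            value = res.get("metadata", {}).get("labels", {}).get(m["key"])
            if m["operator"] == "In":
                checks.append(value in m["values"])
            elif m["operator"] == "NotIn":
                checks.append(value not in m["values"])
            else:
                raise ValueError(f"unsupported operator: {m['operator']}")
        if not checks:
            return True  # no criteria at all: the policy applies to every resource
        return all(checks) if self.strategy == "ALL" else any(checks)


@dataclass
class ValidatingResourcePolicy:
    name: str
    failure_policy: str  # FAIL | FILTER
    selector: Selector
    rules: List[Rule]

    def validate(self, resources: List[dict]):
        """Return (accepted resources, messages for dropped ones).

        FAIL raises on the first violating resource; FILTER drops it and continues."""
        accepted, dropped = [], []
        for res in resources:
            if not self.selector.matches(res):
                accepted.append(res)  # out of scope: passes through untouched
                continue
            failed = [r for r in self.rules if r.expression(res)]
            if not failed:
                accepted.append(res)
                continue
            msgs = [f"{self.name}/{r.name}: {r.message(res)}" for r in failed]
            if self.failure_policy == "FAIL":
                raise PolicyViolation("; ".join(msgs))
            dropped.extend(msgs)
        return accepted, dropped


def topic(name: str, partitions: int, env: str) -> dict:
    """Constructed KafkaTopic resource carrying only the fields the rules inspect."""
    return {"kind": "KafkaTopic",
            "metadata": {"name": name, "labels": {"environment": env}},
            "spec": {"partitions": partitions}}


# Constructed sample input: an oversized prod topic, an undersized dev topic, one that is fine.
TOPICS = [topic("orders", 100, "prod"), topic("audit", 1, "dev"), topic("payments", 12, "prod")]


def evaluate(failure_policy: str, strategy: str = "ALL") -> Dict[str, object]:
    """Run the page's KafkaTopicPolicy rules, scoped to prod topics, over TOPICS."""
    policy = ValidatingResourcePolicy(
        name="KafkaTopicPolicy",
        failure_policy=failure_policy,
        selector=Selector(kinds=["KafkaTopic"], strategy=strategy,
                          labels=[{"key": "environment", "operator": "In", "values": ["prod"]}]),
        rules=[
            Rule("MaxTopicPartitions", lambda r: r["spec"]["partitions"] > 50,
                 lambda r: "Topic partitions MUST be <= 50, but was: " + str(r["spec"]["partitions"])),
            Rule("MinTopicPartitions", lambda r: r["spec"]["partitions"] < 3,
                 lambda r: "Topic must have at least 3 partitions"),
        ])
    try:
        accepted, dropped = policy.validate(TOPICS)
    except PolicyViolation as exc:
        return {"accepted": [], "dropped": [], "error": str(exc)}
    return {"accepted": [t["metadata"]["name"] for t in accepted], "dropped": dropped, "error": None}


if __name__ == "__main__":
    for fp in ("FAIL", "FILTER"):
        print(fp, evaluate(fp))
    print("FILTER/ANY", evaluate("FILTER", strategy="ANY"))
```

Note that with matchingStrategy ALL the undersized dev topic is never evaluated, because it fails the environment label match; with ANY the kind match alone is enough to select it, so its MinTopicPartitions violation is reported too. That is why the strategy deserves as much review as the rules themselves when a policy is meant to be narrow.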
Reuse policies across environments
Store policies in a resource repository so they are injected automatically and shared across teams and environments, instead of passing them on every command.