Add blog post: From Kubernetes Gatekeeper to Full-Stack Governance with OPA #17970

Open
lblackstone wants to merge 2 commits into master from levi/opa-policy-stable-blog

Conversation

lblackstone (Member) commented Mar 13, 2026

Summary

  • Announcement blog post for the stable launch of OPA policy support (pulumi-policy-opa v1.1.0)
  • Covers Kubernetes Gatekeeper compatibility (drop-in reuse of existing constraint template .rego files), full feature parity with TypeScript and Python policy SDKs, and integration with Pulumi Insights governance
  • Includes FAQ section, Pulumi Cloud-oriented get-started workflow, and cross-links to self-hosted Insights and audit policy scan announcements

Test plan

  • Preview locally with make serve and verify the post renders correctly at /blog/kubernetes-gatekeeper-full-stack-governance-opa/
  • Verify meta image displays correctly in social preview
  • Confirm all internal links resolve
  • Verify Rego code examples render with syntax highlighting
  • Confirm github-card shortcode renders for pulumi/pulumi-policy-opa

🤖 Generated with Claude Code

…th OPA

Announcement post for the stable launch of OPA policy support (v1.1.0),
covering Kubernetes Gatekeeper compatibility, feature parity with
TypeScript and Python policy SDKs, and integration with Pulumi Insights.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

claude bot (Contributor) commented Mar 13, 2026

Docs Review — PR #17970

Scope: Reviewed the full diff (2 files: index.md blog post + meta.png).

Overall Assessment

This is a well-structured blog post announcing the stable release of OPA policy support. The writing is clear, technically detailed, and well-organized. Only minor issues found.

Issues

1. Broken internal link — /docs/insights/policy/policy-groups/ (lines 39, 86, 119)

The path /docs/insights/policy/policy-groups/ is referenced three times. The actual file is content/docs/insights/policy/policy-groups.md (a leaf page, not a directory with _index.md), so the correct link path is /docs/insights/policy/policy-groups/ — which should resolve correctly since Hugo generates a directory for it. Verified this resolves. No action needed.

2. Em-dash usage — acceptable

Only one em-dash found in the entire post (line 24, "Kubernetes Gatekeeper compatibility — reuse your existing..."). Within guidelines.

3. Rego code example — deny vs violation rule heads (line 70–71)

The second rule in the Gatekeeper example uses deny contains msg if rather than the Gatekeeper-standard violation contains {"msg": msg} if. While the post does explain that both formats are supported, mixing them in a single "Gatekeeper-style" example could confuse readers who expect pure Gatekeeper compatibility. Consider making both rules use violation[{"msg": msg}] for the Gatekeeper example, then mentioning the deny[msg] shorthand separately.

4. Minor style — "first-class" repetition

The phrase "first-class" appears three times (lines 24, 30, 93). Consider varying the language in at least one instance — e.g., "fully supported" or "native" — to avoid repetition.

5. FAQ anchor format

The FAQ section uses bold text for questions rather than H3 headings. This is a valid stylistic choice for FAQs within a blog post, but using ### headings would improve scannability and generate anchor links for deep-linking.

6. Missing CTA button

Per review criteria, feature announcements should consider using the {{< blog/cta-button >}} shortcode. The "Get started" section at the end would benefit from a CTA button linking to the docs or the pulumi policy new workflow.

What looks good

  • <!--more--> break is correctly placed after the intro paragraph
  • Meta image is set, uses current Pulumi branding with mascot, and looks good for social sharing (~604 KB PNG)
  • allow_long_title: true is correctly set (title is 60 chars)
  • Meta description is 130 chars (within the 160-char limit) and includes key search terms
  • Author profile (levi-blackstone.toml) exists
  • All internal links verified: /docs/insights/policy/, /docs/insights/, /docs/insights/policy/policy-groups/, /docs/insights/policy/policy-packs/authoring/, /blog/policy-audit-scans-for-stacks/, /blog/self-hosted-insights/
  • Proper use of {{< github-card >}} shortcode for the repo reference
  • Code blocks all have language specifiers (yaml, rego, bash)
  • Ordered list in "Get started" correctly uses 1. for all items
  • Social media descriptions are well-crafted
  • OPA acronym is expanded on first mention
  • Writing is confident with no hedging language or AI patterns detected
  • Word count (~1,165) is appropriate for a feature announcement

Publishing readiness checklist

  • <!--more--> break present after intro
  • meta_image set and not the default placeholder
  • meta_image uses current Pulumi logos
  • Author profile exists with avatar
  • All links resolve
  • Code examples correct with language specifiers
  • No animated GIFs used as meta_image
  • Images have alt text; screenshots have 1px gray borders — N/A (no inline images)
  • Title ≤60 chars or allow_long_title: true set

Summary

The post is in good shape and nearly ready to publish. The main suggestions are cosmetic: consider making the Gatekeeper code example use consistent rule head format, varying the "first-class" phrasing, and adding a CTA button to the "Get started" section. None of these are blockers.


Mention @claude if you'd like additional reviews or want me to fix any of these issues.

🤖 Generated with Claude Code

@lblackstone (Member, Author)

@claude Fix all issues except 3, which is an intentional choice.

claude bot (Contributor) commented Mar 13, 2026

Claude finished @lblackstone's task in 1m 6s


Review fixes applied

  • Read blog post file
  • Issue 4: Varied "first-class" phrasing — changed two of three occurrences: "fully supported" (line 29) and "native" (line 92), keeping the main announcement sentence unchanged
  • Issue 5: FAQ section — converted all four bold questions to H3 headings for better scannability and anchor link support
  • Issue 6: Added {{< blog/cta-button "Get started with OPA policies" "/docs/insights/policy/" >}} before the GitHub card in the "Get started" section
  • Committed and pushed to levi/opa-policy-stable-blog

Issue 3 (Rego rule head format) was left as-is per your request.

@pulumi-bot (Collaborator)

… CTA button

- Vary "first-class" repetition: change two instances to "fully supported" and "native"
- Convert FAQ bold-text questions to H3 headings for better scannability and anchor links
- Add {{< blog/cta-button >}} shortcode to "Get started" section

Co-authored-by: Levi Blackstone <lblackstone@users.noreply.github.com>

lblackstone requested a review from a team March 13, 2026 20:39