Fix: OpenClaw in Docker โ Connection Refused, Port Mapping, and Network Issues
Running OpenClaw in Docker and getting connection refused? Common issues with port mapping, bind addresses, DNS resolution, and WebSocket upgrades explained with fixes.
DevOps
Shift-Left Security: Integrating Policy-as-Code in CI/CD Pipelines
Luca Berton โข โข 1 min read
#security#policy-as-code#cicd#opa#kyverno
๐ก๏ธ Catch It Before Production
Shift-left security means finding misconfigurations in CI/CD โ not in production incident reports. Policy-as-code tools make this automated, consistent, and fast.
The Policy-as-Code Stack
Kyverno: Kubernetes-Native Policies
apiVersion: kyverno.io/v1
kind: ClusterPolicy
metadata:
name: require-resource-limits
spec:
validationFailureAction: Enforce
rules:
- name: check-limits
match:
any:
- resources:
kinds:
- Pod
validate:
message: "CPU and memory limits are required"
pattern:
spec:
containers:
- resources:
limits:
memory: "?*"
cpu: "?*"OPA/Gatekeeper: Flexible Policy Engine
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sDisallowedTags
metadata:
name: no-latest-tag
spec:
match:
kinds:
- apiGroups: [""]
kinds: ["Pod"]
namespaces: ["production"]
parameters:
tags: ["latest"]
exemptImages:
- "registry.internal/infra/*"Checkov: IaC Scanning
# Scan Terraform
checkov -d ./terraform/ --framework terraform --output json
# Scan Kubernetes manifests
checkov -d ./k8s/ --framework kubernetes --compact
# Scan Dockerfiles
checkov -d . --framework dockerfileCI/CD Integration
# GitLab CI example
stages:
- validate
- build
- deploy
security-scan:
stage: validate
image: bridgecrew/checkov:latest
script:
- checkov -d . --framework terraform,kubernetes,dockerfile
--output cli --output junitxml
--output-file-path console,checkov-results.xml
--soft-fail-on LOW
--hard-fail-on HIGH,CRITICAL
artifacts:
reports:
junit: checkov-results.xml
kyverno-test:
stage: validate
image: ghcr.io/kyverno/kyverno-cli:latest
script:
- kyverno apply ./policies/ --resource ./k8s/
allow_failure: falseEssential Policies
Every Kubernetes deployment should enforce:
- No
latesttags โ pin image versions - Resource limits required โ prevent noisy neighbors
- No privileged containers โ security baseline
- Read-only root filesystem โ prevent runtime modification
- Non-root user โ drop unnecessary privileges
- Network policies exist โ default deny
- No host networking โ container isolation
- Liveness/readiness probes โ health checking
Key Practices
- Start with
Auditmode โ see what would fail before enforcing - Exempt system namespaces โ
kube-systemneeds special permissions - Version your policies โ treat them like code
- Document exceptions โ when a policy is bypassed, record why
- Report on compliance trends โ track improvement over time
Implementing shift-left security? I help teams build secure CI/CD pipelines with policy-as-code. Get in touch.
๐ Need expert help with this topic?
Luca Berton
AI & Cloud Advisor with 18+ years experience. Author of 8 technical books, creator of Ansible Pilot, and instructor at CopyPasteLearn Academy. Speaker at KubeCon EU & Red Hat Summit 2026.
Related Articles
Fix: OpenClaw Gateway non-loopback control UI requires gateway.controlui.allowedorigins
Getting the allowedorigins error when starting your OpenClaw gateway? Here is exactly how to fix it, with step-by-step configuration for local network, VPS, and reverse proxy setups.
Fix: OpenClaw Model API Key Errors โ 401 Unauthorized, Invalid Key, and Rate Limits
Troubleshoot OpenClaw API key issues across OpenAI, Anthropic, and GitHub Copilot. Covers 401 errors, invalid key formats, rate limits, and model fallback configuration.