Constraint Templates
These constraint templates come with OPA Gatekeeper:
K8sAllowedRepos
Image Repositories: Container images must be pulled from the specified repositories.
K8sBannedImageTags
Banned Image Tags: Container images cannot use specified tags.
K8sBlockNodePort
Node Ports: Services must not use node ports.
K8sContainerLimits
Resource Limits: Containers must have cpu / memory limits and the values must be below the specified maximum.
K8sContainerRatios
Resource Ratio: Container resource limits to requests ratio must not be higher than specified.
K8sExternalIPs
External IPs: Services may only contain specified external IPs.
K8sHttpsOnly
Ingress on HTTPS Only: Ingress must only allow HTTPS connections.
K8sImageDigests
Image Digests: Containers must use images with a digest instead of a tag.
K8sIstioInjection
Deprecated in favor of K8sRequiredLabelValues.
K8sNoAnnotationValues
Annotation Values: Containers must have the specified annotations.
K8sProtectedNamespaces
Protected Namespaces: Resources cannot be deployed into specified namespaces.
K8sPSPAllowedUsers
Users and Groups: Containers must be run as one of the specified users and groups.
K8sPSPAllowPrivilegeEscalationContainer
Privilege Escalation: Containers must not allow escalation of privileges.
K8sPSPAppArmor
AppArmor Profile: Containers may only use specified AppArmor profiles.
K8sPSPCapabilities
Linux Capabilities: Containers may only use specified Linux capabilities.
K8sPSPFlexVolumes
Flex Volume Drivers: Containers may only use Flex Volumes with the specified drivers.
K8sPSPForbiddenSysctls
SysCtls: Containers must not use specified sysctls.
K8sPSPFSGroup
Deprecated in favor of K8sPSPAllowedUsers.
K8sPSPHostFilesystem
Host Filesystem Paths: Containers may only map volumes to the host node at the specified paths.
K8sPSPHostNamespace
Host Namespace: Containers must not share the host's namespaces.
K8sPSPHostNetworkingPorts
Host Network Ports: Container images may only use host ports that are specified.
K8sPSPPrivilegedContainer
Privileged Containers: Containers must not run as privileged.
K8sPSPProcMount
Proc Mount: Containers may only use the specified ProcMount types.
K8sPSPReadOnlyRootFilesystem
Read-only Root Filesystem: Containers must have read-only root filesystems.
K8sDenySADefault
Default Service Account: Pods must not have the default service account.
K8sPSPSeccomp
Seccomp: Containers may only use the specified seccomp profiles.
K8sPSPSELinuxV2
SELinux: Containers may only use the SELinux options specified.
K8sPSPVolumeTypes
Volume Types: Containers may only use the specified volume types in volume mounts.
K8sPvcLimits
Persistent Volume Claim Limits: Persistent Volume Claims must not be larger than the specified limit.
K8sQualityOfService
Guaranteed Quality of Service: Pods must have limits = requests to guarantee Quality of Service.
K8sRegulatedResources
Resource List: Resources must be in the specified allow list or not in the specified deny list.
K8sRequiredLabels
Deprecated in favor of K8sRequiredLabelValues.
K8sRequiredLabelValues
Required Labels: Containers must have the specified labels and values.
K8sRequiredPods
Deprecated in favor of using individual constraints.
K8sRequiredProbes
Probes: Containers must have specified probes and probe types.
K8sUniqueIngressHost
Unique Ingress Hosts: Ingress hosts must be unique.
K8sUniqueServiceSelector
Unique Service Selector: Services must have unique selectors within a namespace.
RestrictedTaintToleration
Taints and Tolerations: Containers must be configured according to specified taint and toleration rules.