Constraint Templates

These constraint templates come with OPA Gatekeeper:

K8sAllowedRepos

Image Repositories: Container images must be pulled from the specified repositories.

K8sBannedImageTags

Banned Image Tags: Container images cannot use the specified tags.

K8sBlockNodePort

Node Ports: Services must not use node ports.

K8sContainerLimits

Resource Limits: Containers must have CPU / memory limits, and the values must be below the specified maximum.

K8sContainerRatios

Resource Ratio: The ratio of container resource limits to requests must not be higher than specified.

K8sExternalIPs

External IPs: Services may only contain the specified external IPs.

K8sHttpsOnly

Ingress on HTTPS Only: Ingresses must only allow HTTPS connections.

K8sImageDigests

Image Digests: Containers must use images with a digest instead of a tag.

K8sIstioInjection

Deprecated in favor of K8sRequiredLabelValues.

K8sNoAnnotationValues

Annotation Values: Containers must have the specified annotations.

K8sProtectedNamespaces

Protected Namespaces: Resources cannot be deployed into the specified namespaces.

K8sPSPAllowedUsers

Users and Groups: Containers must run as one of the specified users and groups.

K8sPSPAllowPrivilegeEscalationContainer

Privilege Escalation: Containers must not allow escalation of privileges.

K8sPSPAppArmor

AppArmor Profile: Containers may only use the specified AppArmor profiles.

K8sPSPCapabilities

Linux Capabilities: Containers may only use the specified Linux capabilities.

K8sPSPFlexVolumes

Flex Volume Drivers: Containers may only use Flex Volumes with the specified drivers.

K8sPSPForbiddenSysctls

Sysctls: Containers must not use the specified sysctls.

K8sPSPFSGroup

Deprecated in favor of K8sPSPAllowedUsers.

K8sPSPHostFilesystem

Host Filesystem Paths: Containers may only map volumes to the host node at the specified paths.

K8sPSPHostNamespace

Host Namespace: Containers must not share the host's namespaces.

K8sPSPHostNetworkingPorts

Host Network Ports: Containers may only use the host ports that are specified.

K8sPSPPrivilegedContainer

Privileged Containers: Containers must not run as privileged.

K8sPSPProcMount

Proc Mount: Containers may only use the specified ProcMount types.

K8sPSPReadOnlyRootFilesystem

Read-only Root Filesystem: Containers must have read-only root filesystems.

K8sDenySADefault

Default Service Account: Pods must not use the default service account.

K8sPSPSeccomp

Seccomp: Containers may only use the specified seccomp profiles.

K8sPSPSELinuxV2

SELinux: Containers may only use the specified SELinux options.

K8sPSPVolumeTypes

Volume Types: Containers may only use the specified volume types in volume mounts.

K8sPvcLimits

Persistent Volume Claim Limits: Persistent Volume Claims must not be larger than the specified limit.

K8sQualityOfService

Guaranteed Quality of Service: Pods must have limits = requests to guarantee Quality of Service.

K8sRegulatedResources

Resource List: Resources must be in the specified allow list, or must not be in the specified deny list.

K8sRequiredLabels

Deprecated in favor of K8sRequiredLabelValues.

K8sRequiredLabelValues

Required Labels: Containers must have the specified labels and values.

K8sRequiredPods

Deprecated in favor of using individual constraints.

K8sRequiredProbes

Probes: Containers must have the specified probes and probe types.

K8sUniqueIngressHost

Unique Ingress Hosts: Ingress hosts must be unique.

K8sUniqueServiceSelector

Unique Service Selector: Services must have unique selectors within a namespace.

RestrictedTaintToleration

Taints and Tolerations: Containers must be configured according to the specified taint and toleration rules.


Last update: 2022-07-25 by michaelmcleroy