Constraint Templates
These constraint templates come with OPA Gatekeeper:
K8sAllowedRepos
Image Repositories: Container images must be pulled from the specified repositories.
K8sBannedImageTags
Banned Image Tags: Container images cannot use the specified tags.
K8sBlockNodePort
Node Ports: Services must not use node ports.
K8sContainerLimits
Resource Limits: Containers must have CPU / memory limits, and the values must be below the specified maximum.
K8sContainerRatios
Resource Ratio: The ratio of container resource limits to requests must not be higher than specified.
K8sExternalIPs
External IPs: Services may only contain the specified external IPs.
K8sHttpsOnly
Ingress on HTTPS Only: Ingress must only allow HTTPS connections.
K8sImageDigests
Image Digests: Containers must use images referenced by a digest instead of a tag.
K8sIstioInjection
Deprecated in favor of K8sRequiredLabelValues
K8sNoAnnotationValues
Annotation Values: Containers must have the specified annotations.
K8sProtectedNamespaces
Protected Namespaces: Resources cannot be deployed into the specified namespaces.
K8sPSPAllowedUsers
Users and Groups: Containers must run as one of the specified users and groups.
K8sPSPAllowPrivilegeEscalationContainer
Privilege Escalation: Containers must not allow escalation of privileges.
K8sPSPAppArmor
AppArmor Profile: Containers may only use the specified AppArmor profiles.
K8sPSPCapabilities
Linux Capabilities: Containers may only use the specified Linux capabilities.
K8sPSPFlexVolumes
Flex Volume Drivers: Containers may only use Flex Volumes with the specified drivers.
K8sPSPForbiddenSysctls
Sysctls: Containers must not use the specified sysctls.
K8sPSPFSGroup
Deprecated in favor of K8sPSPAllowedUsers
K8sPSPHostFilesystem
Host Filesystem Paths: Containers may only map volumes to the host node at the specified paths.
K8sPSPHostNamespace
Host Namespace: Containers must not share the host's namespaces.
K8sPSPHostNetworkingPorts
Host Network Ports: Container images may only use the host ports that are specified.
K8sPSPPrivilegedContainer
Privileged Containers: Containers must not run as privileged.
K8sPSPProcMount
Proc Mount: Containers may only use the specified ProcMount types.
K8sPSPReadOnlyRootFilesystem
Read-only Root Filesystem: Containers must have read-only root filesystems.
K8sDenySADefault
Default Service Account: Pods must not use the default service account.
K8sPSPSeccomp
Seccomp: Containers may only use the specified seccomp profiles.
K8sPSPSELinuxV2
SELinux: Containers may only use the specified SELinux options.
K8sPSPVolumeTypes
Volume Types: Containers may only use the specified volume types in volume mounts.
K8sPvcLimits
Persistent Volume Claim Limits: Persistent Volume Claims must not be larger than the specified limit.
K8sQualityOfService
Guaranteed Quality of Service: Pods must have limits equal to requests to guarantee Quality of Service.
K8sRegulatedResources
Resource List: Resources must be in the specified allow list or not in the specified deny list.
K8sRequiredLabels
Deprecated in favor of K8sRequiredLabelValues
K8sRequiredLabelValues
Required Labels: Containers must have the specified labels and values.
K8sRequiredPods
Deprecated in favor of using individual constraints.
K8sRequiredProbes
Probes: Containers must have the specified probes and probe types.
K8sUniqueIngressHost
Unique Ingress Hosts: Ingress hosts must be unique.
K8sUniqueServiceSelector
Unique Service Selector: Services must have unique selectors within a namespace.
RestrictedTaintToleration
Taints and Tolerations: Containers must be configured according to the specified taint and toleration rules.