Skip to content

Constraint Templates📜

These constraint templates come with OPA Gatekeeper:

K8sAllowedRepos📜

Image Repositories Container images must be pulled from the specified repositories.

K8sBannedImageTags📜

Banned Image Tags Container Images cannot use specified tags

K8sBlockNodePort📜

Node Ports Services must not use node ports.

K8sContainerLimits📜

Resource Limits Containers must have cpu / memory limits and the values must be below the specified maximum.

K8sContainerRatios📜

Resource Ratio Container resource limits to requests ratio must not be higher than specified.

K8sExternalIPs📜

External IPs Services may only contain specified external IPs.

K8sHttpsOnly📜

Ingress on HTTPS Only Ingress must only allow HTTPS connections.

K8sImageDigests📜

Image Digests Containers must use images with a digest instead of a tag.

K8sIstioInjection📜

Deprecated in favor of K8sRequiredLabelValues

K8sNoAnnotationValues📜

Annotation Values Containers must have the specified annotations.

K8sProtectedNamespaces📜

Protected Namespaces Resources cannot be deployed into specified namespaces.

K8sPSPAllowedUsers📜

Users and Groups Containers must be run as one of the specified users and groups.

K8sPSPAllowPrivilegeEscalationContainer📜

Privilege Escalation Containers must not allow escalation of privileges.

K8sPSPAppArmor📜

AppArmor Profile Containers may only use specified AppArmor profiles.

K8sPSPCapabilities📜

Linux Capabilities Containers may only use specified Linux capabilities

K8sPSPFlexVolumes📜

Flex Volume Drivers Containers may only use Flex Volumes with the specified drivers

K8sPSPForbiddenSysctls📜

SysCtls Containers must not use specified sysctls.

K8sPSPFSGroup📜

Deprecated in favor of K8sPSPAllowedUsers

K8sPSPHostFilesystem📜

Host Filesystem Paths Containers may only map volumes to the host node at the specified paths.

K8sPSPHostNamespace📜

Host Namespace Containers must not share the host’s namespaces

K8sPSPHostNetworkingPorts📜

Host Network Ports Container images may only use host ports that are specified.

K8sPSPPrivilegedContainer📜

Privileged Containers Containers must not run as privileged.

K8sPSPProcMount📜

Proc Mount Containers may only use the specified ProcMount types.

K8sPSPReadOnlyRootFilesystem📜

Read-only Root Filesystem Containers must have read-only root filesystems.

K8sDenySADefault📜

Default Service Account Pods must not have default service account.

K8sPSPSeccomp📜

Seccomp Containers may only use the specified seccomp profiles.

K8sPSPSELinuxV2📜

SELinux Containers may only use the SELinux options specified.

K8sPSPVolumeTypes📜

Volume Types Containers may only use the specified volume types in volume mounts.

K8sPvcLimits📜

Persistent Volume Claim Limits Persistent Volume Claims must not be larger than the specified limit.

K8sQualityOfService📜

Guaranteed Quality of Service Pods must have limits = requests to guarantee Quality of Service

K8sRegulatedResources📜

Resource List Resources must be in the specified allow list or not in the specified deny list.

K8sRequiredLabels📜

Deprecated in favor of K8sRequiredLabelValues

K8sRequiredLabelValues📜

Required Labels Containers must have the specified labels and values.

K8sRequiredPods📜

Deprecated in favor of using individual constraints.

K8sRequiredProbes📜

Probes Container must have specified probes and probe types.

K8sUniqueIngressHost📜

Unique Ingress Hosts Ingress hosts must be unique.

K8sUniqueServiceSelector📜

Unique Service Selector Services must have unique selectors within a namespace.

RestrictedTaintToleration📜

Taints and Tolerations Container must be configured according to specified taint and toleration rules.