Skip to content

Constraint Templates💣

These constraint templates come with OPA Gatekeeper:

K8sAllowedRepos💣

Image Repositories Container images must be pulled from the specified repositories.

K8sBannedImageTags💣

Banned Image Tags Container Images cannot use specified tags

K8sBlockNodePort💣

Node Ports Services must not use node ports.

K8sContainerLimits💣

Resource Limits Containers must have cpu / memory limits and the values must be below the specified maximum.

K8sContainerRatios💣

Resource Ratio Container resource limits to requests ratio must not be higher than specified.

K8sExternalIPs💣

External IPs Services may only contain specified external IPs.

K8sHttpsOnly💣

Ingress on HTTPS Only Ingress must only allow HTTPS connections.

K8sImageDigests💣

Image Digests Containers must use images with a digest instead of a tag.

K8sIstioInjection💣

Deprecated in favor of K8sRequiredLabelValues

K8sNoAnnotationValues💣

Annotation Values Containers must have the specified annotations.

K8sProtectedNamespaces💣

Protected Namespaces Resources cannot be deployed into specified namespaces.

K8sPSPAllowedUsers💣

Users and Groups Containers must be run as one of the specified users and groups.

K8sPSPAllowPrivilegeEscalationContainer💣

Privilege Escalation Containers must not allow escalation of privileges.

K8sPSPAppArmor💣

AppArmor Profile Containers may only use specified AppArmor profiles.

K8sPSPCapabilities💣

Linux Capabilities Containers may only use specified Linux capabilities

K8sPSPFlexVolumes💣

Flex Volume Drivers Containers may only use Flex Volumes with the specified drivers

K8sPSPForbiddenSysctls💣

SysCtls Containers must not use specified sysctls.

K8sPSPFSGroup💣

Deprecated in favor of K8sPSPAllowedUsers

K8sPSPHostFilesystem💣

Host Filesystem Paths Containers may only map volumes to the host node at the specified paths.

K8sPSPHostNamespace💣

Host Namespace Containers must not share the host’s namespaces

K8sPSPHostNetworkingPorts💣

Host Network Ports Container images may only use host ports that are specified.

K8sPSPPrivilegedContainer💣

Privileged Containers Containers must not run as privileged.

K8sPSPProcMount💣

Proc Mount Containers may only use the specified ProcMount types.

K8sPSPReadOnlyRootFilesystem💣

Read-only Root Filesystem Containers must have read-only root filesystems.

K8sDenySADefault💣

Default Service Account Pods must not have default service account.

K8sPSPSeccomp💣

Seccomp Containers may only use the specified seccomp profiles.

K8sPSPSELinuxV2💣

SELinux Containers may only use the SELinux options specified.

K8sPSPVolumeTypes💣

Volume Types Containers may only use the specified volume types in volume mounts.

K8sPvcLimits💣

Persistent Volume Claim Limits Persistent Volume Claims must not be larger than the specified limit.

K8sQualityOfService💣

Guaranteed Quality of Service Pods must have limits = requests to guarantee Quality of Service

K8sRegulatedResources💣

Resource List Resources must be in the specified allow list or not in the specified deny list.

K8sRequiredLabels💣

Deprecated in favor of K8sRequiredLabelValues

K8sRequiredLabelValues💣

Required Labels Containers must have the specified labels and values.

K8sRequiredPods💣

Deprecated in favor of using individual constraints.

K8sRequiredProbes💣

Probes Container must have specified probes and probe types.

K8sUniqueIngressHost💣

Unique Ingress Hosts Ingress hosts must be unique.

K8sUniqueServiceSelector💣

Unique Service Selector Services must have unique selectors within a namespace.

RestrictedTaintToleration💣

Taints and Tolerations Container must be configured according to specified taint and toleration rules.


Last update: 2022-07-25 by michaelmcleroy