Constraint Templates💣
These constraint templates come with OPA Gatekeeper:
K8sAllowedRepos💣
Image Repositories Container images must be pulled from the specified repositories.
K8sBannedImageTags💣
Banned Image Tags Container Images cannot use specified tags
K8sBlockNodePort💣
Node Ports Services must not use node ports.
K8sContainerLimits💣
Resource Limits Containers must have cpu / memory limits and the values must be below the specified maximum.
K8sContainerRatios💣
Resource Ratio Container resource limits to requests ratio must not be higher than specified.
K8sExternalIPs💣
External IPs Services may only contain specified external IPs.
K8sHttpsOnly💣
Ingress on HTTPS Only Ingress must only allow HTTPS connections.
K8sImageDigests💣
Image Digests Containers must use images with a digest instead of a tag.
K8sIstioInjection💣
Deprecated in favor of K8sRequiredLabelValues
K8sNoAnnotationValues💣
Annotation Values Containers must have the specified annotations.
K8sProtectedNamespaces💣
Protected Namespaces Resources cannot be deployed into specified namespaces.
K8sPSPAllowedUsers💣
Users and Groups Containers must be run as one of the specified users and groups.
K8sPSPAllowPrivilegeEscalationContainer💣
Privilege Escalation Containers must not allow escalation of privileges.
K8sPSPAppArmor💣
AppArmor Profile Containers may only use specified AppArmor profiles.
K8sPSPCapabilities💣
Linux Capabilities Containers may only use specified Linux capabilities
K8sPSPFlexVolumes💣
Flex Volume Drivers Containers may only use Flex Volumes with the specified drivers
K8sPSPForbiddenSysctls💣
SysCtls Containers must not use specified sysctls.
K8sPSPFSGroup💣
Deprecated in favor of K8sPSPAllowedUsers
K8sPSPHostFilesystem💣
Host Filesystem Paths Containers may only map volumes to the host node at the specified paths.
K8sPSPHostNamespace💣
Host Namespace Containers must not share the host’s namespaces
K8sPSPHostNetworkingPorts💣
Host Network Ports Container images may only use host ports that are specified.
K8sPSPPrivilegedContainer💣
Privileged Containers Containers must not run as privileged.
K8sPSPProcMount💣
Proc Mount Containers may only use the specified ProcMount types.
K8sPSPReadOnlyRootFilesystem💣
Read-only Root Filesystem Containers must have read-only root filesystems.
K8sDenySADefault💣
Default Service Account Pods must not have default service account.
K8sPSPSeccomp💣
Seccomp Containers may only use the specified seccomp profiles.
K8sPSPSELinuxV2💣
SELinux Containers may only use the SELinux options specified.
K8sPSPVolumeTypes💣
Volume Types Containers may only use the specified volume types in volume mounts.
K8sPvcLimits💣
Persistent Volume Claim Limits Persistent Volume Claims must not be larger than the specified limit.
K8sQualityOfService💣
Guaranteed Quality of Service Pods must have limits = requests to guarantee Quality of Service
K8sRegulatedResources💣
Resource List Resources must be in the specified allow list or not in the specified deny list.
K8sRequiredLabels💣
Deprecated in favor of K8sRequiredLabelValues
K8sRequiredLabelValues💣
Required Labels Containers must have the specified labels and values.
K8sRequiredPods💣
Deprecated in favor of using individual constraints.
K8sRequiredProbes💣
Probes Container must have specified probes and probe types.
K8sUniqueIngressHost💣
Unique Ingress Hosts Ingress hosts must be unique.
K8sUniqueServiceSelector💣
Unique Service Selector Services must have unique selectors within a namespace.
RestrictedTaintToleration💣
Taints and Tolerations Container must be configured according to specified taint and toleration rules.