Constraint template library
Constraint templates let you define how a constraint works but delegate defining the specifics of the constraint to an individual or group with subject matter expertise. In addition to separating concerns, this also separates the logic of the constraint from its definition.
To help you see how the constraint templates function, each template includes an example constraint and a resource that violates the constraint.
Not all constraint templates are available for all versions of Policy Controller, Config Sync and Config Controller. Further, templates can change between versions. To better understand the history of a template, you can go to the Policy Controller, Config Sync and Config Controller archives to view earlier versions of this page.
All constraints contain a match section, which defines the objects a
constraint applies to. For details on how to configure that section, see
Constraint match section.
Links to earlier versions of this page
AllowedServicePortName
Requires that service port names have a prefix from a specified list.
Constraint schema
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: AllowedServicePortName
metadata:
name: example
spec:
# match <object>: allows you to configure which resources fall in scope for
# this constraint. See the GCP docs for more information:
# https://cloud.google.com/anthos-config-management/docs/how-to/creating-policy-controller-constraints#constraint
match:
[match schema]
parameters:
# prefixes <array>: Prefixes of allowed service port names.
prefixes:
- <string>
Examples
port-name-constraint
Constraint
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: AllowedServicePortName
metadata:
name: port-name-constraint
spec:
enforcementAction: deny
match:
kinds:
- apiGroups:
- ""
kinds:
- Service
parameters:
prefixes:
- http-
- http2-
- grpc-
- mongo-
- redis-
- tcp-
Disallowed
apiVersion: v1
kind: Service
metadata:
labels:
app: helloworld
name: port-name-bad
spec:
ports:
- name: helloport
port: 5000
selector:
app: helloworld
DestinationRuleTLSEnabled
Prohibits disabling TLS for all hosts and host subsets in Istio DestinationRules.
Constraint schema
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: DestinationRuleTLSEnabled
metadata:
name: example
spec:
# match <object>: allows you to configure which resources fall in scope for
# this constraint. See the GCP docs for more information:
# https://cloud.google.com/anthos-config-management/docs/how-to/creating-policy-contorller-constraints#constraint
match:
[match schema]
Examples
dr-tls-enabled
Constraint
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: DestinationRuleTLSEnabled
metadata:
name: dr-tls-enabled
spec:
enforcementAction: dryrun
match:
kinds:
- apiGroups:
- networking.istio.io
kinds:
- DestinationRule
Disallowed
apiVersion: networking.istio.io/v1alpha3
kind: DestinationRule
metadata:
name: dr-traffic-leastconn
namespace: default
spec:
host: myservice
trafficPolicy:
loadBalancer:
simple: LEAST_CONN
DisallowedAuthzPrefix
Requires that principals and namespaces in Istio AuthorizationPolicy rules not have a prefix from a specified list.
https://istio.io/latest/docs/reference/config/security/authorization-policy/
Constraint schema
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: DisallowedAuthzPrefix
metadata:
name: example
spec:
# match <object>: allows you to configure which resources fall in scope for
# this constraint. See the GCP docs for more information:
# https://cloud.google.com/anthos-config-management/docs/how-to/creating-policy-controller-constraints#constraint
match:
[match schema]
parameters:
# disallowedprefixes <array>: Disallowed prefixes of principals and
# namespaces.
disallowedprefixes:
- <string>
Examples
disallowed-authz-prefix-constraint
Constraint
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: DisallowedAuthzPrefix
metadata:
name: disallowed-authz-prefix-constraint
spec:
enforcementAction: dryrun
match:
kinds:
- apiGroups:
- security.istio.io
kinds:
- AuthorizationPolicy
parameters:
disallowedprefixes:
- badprefix
- reallybadprefix
Disallowed
apiVersion: security.istio.io/v1beta1
kind: AuthorizationPolicy
metadata:
name: bad-source-namespace
namespace: foo
spec:
rules:
- from:
- source:
principals:
- cluster.local/ns/default/sa/sleep
- source:
namespaces:
- badprefix-test
to:
- operation:
methods:
- GET
paths:
- /info*
- operation:
methods:
- POST
paths:
- /data
when:
- key: request.auth.claims[iss]
values:
- https://accounts.google.com
selector:
matchLabels:
app: httpbin
version: v1
GCPStorageLocationConstraintV1
Restricts the permitted locations for StorageBucket Config Connector resources to the list of locations provided in the constraint. Bucket names in the exemptions list are exempt.
Constraint schema
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: GCPStorageLocationConstraintV1
metadata:
name: example
spec:
# match <object>: allows you to configure which resources fall in scope for
# this constraint. See the GCP docs for more information:
# https://cloud.google.com/anthos-config-management/docs/how-to/creating-policy-controller-constraints#constraint
match:
[match schema]
parameters:
# exemptions <array>: A list of bucket names that are exempt from this
# constraint.
exemptions:
- <string>
# locations <array>: A list of locations that a bucket is permitted to
# have.
locations:
- <string>
Examples
singapore-and-jakarta-only
Constraint
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: GCPStorageLocationConstraintV1
metadata:
name: singapore-and-jakarta-only
spec:
enforcementAction: deny
match:
kinds:
- apiGroups:
- storage.cnrm.cloud.google.com
kinds:
- StorageBucket
parameters:
exemptions:
- my_project_id_cloudbuild
locations:
- asia-southeast1
- asia-southeast2
Allowed
apiVersion: storage.cnrm.cloud.google.com/v1beta1 kind: StorageBucket metadata: name: bucket-in-permitted-location spec: location: asia-southeast1
Disallowed
apiVersion: storage.cnrm.cloud.google.com/v1beta1 kind: StorageBucket metadata: name: bucket-in-disallowed-location spec: location: us-central1
apiVersion: storage.cnrm.cloud.google.com/v1beta1 kind: StorageBucket metadata: name: bucket-without-specific-location spec: null
K8sAllowedRepos
Requires container images to begin with a string from the specified list.
Constraint schema
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sAllowedRepos
metadata:
name: example
spec:
# match <object>: allows you to configure which resources fall in scope for
# this constraint. See the GCP docs for more information:
# https://cloud.google.com/anthos-config-management/docs/how-to/creating-policy-controller-constraints#constraint
match:
[match schema]
parameters:
# repos <array>: The list of prefixes a container image is allowed to have.
repos:
- <string>
Examples
repo-is-openpolicyagent
Constraint
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sAllowedRepos
metadata:
name: repo-is-openpolicyagent
spec:
match:
kinds:
- apiGroups:
- ""
kinds:
- Pod
namespaces:
- default
parameters:
repos:
- openpolicyagent/
Allowed
apiVersion: v1
kind: Pod
metadata:
name: opa-allowed
spec:
containers:
- args:
- run
- --server
- --addr=localhost:8080
image: openpolicyagent/opa:0.9.2
name: opa
resources:
limits:
cpu: 100m
memory: 30Mi
Disallowed
apiVersion: v1
kind: Pod
metadata:
name: nginx-disallowed
spec:
containers:
- image: nginx
name: nginx
resources:
limits:
cpu: 100m
memory: 30Mi
K8sBlockEndpointEditDefaultRole
Many Kubernetes installations by default have a system:aggregate-to-edit ClusterRole which does not properly restrict access to editing Endpoints. This ConstraintTemplate forbids the system:aggregate-to-edit ClusterRole from granting permission to create/patch/update Endpoints. ClusterRole/system:aggregate-to-edit should not allow Endpoint edit permissions due to CVE-2021-25740, Endpoint & EndpointSlice permissions allow cross-Namespace forwarding, https://github.com/kubernetes/kubernetes/issues/103675
Constraint schema
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sBlockEndpointEditDefaultRole
metadata:
name: example
spec:
# match <object>: allows you to configure which resources fall in scope for
# this constraint. See the GCP docs for more information:
# https://cloud.google.com/anthos-config-management/docs/how-to/creating-policy-controller-constraints#constraint
match:
[match schema]
Examples
block-endpoint-edit-default-role
Constraint
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sBlockEndpointEditDefaultRole
metadata:
name: block-endpoint-edit-default-role
spec:
match:
kinds:
- apiGroups:
- rbac.authorization.k8s.io
kinds:
- ClusterRole
Allowed
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
annotations:
rbac.authorization.kubernetes.io/autoupdate: "true"
creationTimestamp: null
labels:
kubernetes.io/bootstrapping: rbac-defaults
rbac.authorization.k8s.io/aggregate-to-edit: "true"
name: system:aggregate-to-edit
rules:
- apiGroups:
- ""
resources:
- pods/attach
- pods/exec
- pods/portforward
- pods/proxy
- secrets
- services/proxy
verbs:
- get
- list
- watch
- apiGroups:
- ""
resources:
- serviceaccounts
verbs:
- impersonate
- apiGroups:
- ""
resources:
- pods
- pods/attach
- pods/exec
- pods/portforward
- pods/proxy
verbs:
- create
- delete
- deletecollection
- patch
- update
- apiGroups:
- ""
resources:
- configmaps
- persistentvolumeclaims
- replicationcontrollers
- replicationcontrollers/scale
- secrets
- serviceaccounts
- services
- services/proxy
verbs:
- create
- delete
- deletecollection
- patch
- update
- apiGroups:
- apps
resources:
- daemonsets
- deployments
- deployments/rollback
- deployments/scale
- replicasets
- replicasets/scale
- statefulsets
- statefulsets/scale
verbs:
- create
- delete
- deletecollection
- patch
- update
- apiGroups:
- autoscaling
resources:
- horizontalpodautoscalers
verbs:
- create
- delete
- deletecollection
- patch
- update
- apiGroups:
- batch
resources:
- cronjobs
- jobs
verbs:
- create
- delete
- deletecollection
- patch
- update
- apiGroups:
- extensions
resources:
- daemonsets
- deployments
- deployments/rollback
- deployments/scale
- ingresses
- networkpolicies
- replicasets
- replicasets/scale
- replicationcontrollers/scale
verbs:
- create
- delete
- deletecollection
- patch
- update
- apiGroups:
- policy
resources:
- poddisruptionbudgets
verbs:
- create
- delete
- deletecollection
- patch
- update
- apiGroups:
- networking.k8s.io
resources:
- ingresses
- networkpolicies
verbs:
- create
- delete
- deletecollection
- patch
- update
Disallowed
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
annotations:
rbac.authorization.kubernetes.io/autoupdate: "true"
creationTimestamp: null
labels:
kubernetes.io/bootstrapping: rbac-defaults
rbac.authorization.k8s.io/aggregate-to-edit: "true"
name: system:aggregate-to-edit
rules:
- apiGroups:
- ""
resources:
- pods/attach
- pods/exec
- pods/portforward
- pods/proxy
- secrets
- services/proxy
verbs:
- get
- list
- watch
- apiGroups:
- ""
resources:
- serviceaccounts
verbs:
- impersonate
- apiGroups:
- ""
resources:
- pods
- pods/attach
- pods/exec
- pods/portforward
- pods/proxy
verbs:
- create
- delete
- deletecollection
- patch
- update
- apiGroups:
- ""
resources:
- configmaps
- persistentvolumeclaims
- replicationcontrollers
- replicationcontrollers/scale
- secrets
- serviceaccounts
- services
- services/proxy
verbs:
- create
- delete
- deletecollection
- patch
- update
- apiGroups:
- apps
resources:
- daemonsets
- deployments
- deployments/rollback
- deployments/scale
- endpoints
- replicasets
- replicasets/scale
- statefulsets
- statefulsets/scale
verbs:
- create
- delete
- deletecollection
- patch
- update
K8sBlockNodePort
Disallows all Services with type NodePort. https://kubernetes.io/docs/concepts/services-networking/service/#nodeport
Constraint schema
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sBlockNodePort
metadata:
name: example
spec:
# match <object>: allows you to configure which resources fall in scope for
# this constraint. See the GCP docs for more information:
# https://cloud.google.com/anthos-config-management/docs/how-to/creating-policy-controller-constraints#constraint
match:
[match schema]
Examples
block-node-port
Constraint
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sBlockNodePort
metadata:
name: block-node-port
spec:
match:
kinds:
- apiGroups:
- ""
kinds:
- Service
Disallowed
apiVersion: v1
kind: Service
metadata:
name: my-service-disallowed
spec:
ports:
- nodePort: 30007
port: 80
targetPort: 80
type: NodePort
K8sBlockProcessNamespaceSharing
Prohibits Pod specs with shareProcessNamespace set to true. This avoids scenarios where all containers in a Pod share a PID namespace and can access each other's filesystem and memory.
Constraint schema
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sBlockProcessNamespaceSharing
metadata:
name: example
spec:
# match <object>: allows you to configure which resources fall in scope for
# this constraint. See the GCP docs for more information:
# https://cloud.google.com/anthos-config-management/docs/how-to/creating-policy-controller-constraints#constraint
match:
[match schema]
Examples
block-process-namespace-sharing
Constraint
apiVersion: constraints.gatekeeper.sh/v1beta1 kind: K8sBlockProcessNamespaceSharing metadata: name: block-process-namespace-sharing
Allowed
apiVersion: v1
kind: Pod
metadata:
name: good-pod
namespace: default
spec:
containers:
- image: nginx
name: nginx
Disallowed
apiVersion: v1
kind: Pod
metadata:
name: bad-pod
namespace: default
spec:
containers:
- image: nginx
name: nginx
shareProcessNamespace: true
K8sContainerLimits
Requires containers to have memory and CPU limits set and constrains limits to be within the specified maximum values. https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/
Constraint schema
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sContainerLimits
metadata:
name: example
spec:
# match <object>: allows you to configure which resources fall in scope for
# this constraint. See the GCP docs for more information:
# https://cloud.google.com/anthos-config-management/docs/how-to/creating-policy-controller-constraints#constraint
match:
[match schema]
parameters:
# cpu <string>: The maximum allowed cpu limit on a Pod, exclusive.
cpu: <string>
# memory <string>: The maximum allowed memory limit on a Pod, exclusive.
memory: <string>
Examples
container-must-have-limits
Constraint
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sContainerLimits
metadata:
name: container-must-have-limits
spec:
match:
kinds:
- apiGroups:
- ""
kinds:
- Pod
parameters:
cpu: 200m
memory: 1Gi
Allowed
apiVersion: v1
kind: Pod
metadata:
labels:
owner: me.agilebank.demo
name: opa-allowed
spec:
containers:
- args:
- run
- --server
- --addr=localhost:8080
image: openpolicyagent/opa:0.9.2
name: opa
resources:
limits:
cpu: 100m
memory: 1Gi
Disallowed
apiVersion: v1
kind: Pod
metadata:
labels:
owner: me.agilebank.demo
name: opa-disallowed
spec:
containers:
- args:
- run
- --server
- --addr=localhost:8080
image: openpolicyagent/opa:0.9.2
name: opa
resources:
limits:
cpu: 100m
memory: 2Gi
K8sContainerRatios
Sets a maximum ratio for container resource limits to requests. https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/
Constraint schema
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sContainerRatios
metadata:
name: example
spec:
# match <object>: allows you to configure which resources fall in scope for
# this constraint. See the GCP docs for more information:
# https://cloud.google.com/anthos-config-management/docs/how-to/creating-policy-controller-constraints#constraint
match:
[match schema]
parameters:
# ratio <string>: The maximum allowed ratio of `resources.limits` to
# `resources.requests` on a container.
ratio: <string>
Examples
container-must-meet-ratio
Constraint
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sContainerRatios
metadata:
name: container-must-meet-ratio
spec:
match:
kinds:
- apiGroups:
- ""
kinds:
- Pod
parameters:
ratio: "2"
Disallowed
apiVersion: v1
kind: Pod
metadata:
labels:
owner: me.agilebank.demo
name: opa-disallowed
spec:
containers:
- args:
- run
- --server
- --addr=localhost:8080
image: openpolicyagent/opa:0.9.2
name: opa
resources:
limits:
cpu: 800m
memory: 2Gi
requests:
cpu: 100m
memory: 100Mi
K8sDisallowedRoleBindingSubjects
Prohibits RoleBindings or ClusterRoleBindings with subjects matching any disallowedSubjects passed as parameters.
Constraint schema
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sDisallowedRoleBindingSubjects
metadata:
name: example
spec:
# match <object>: allows you to configure which resources fall in scope for
# this constraint. See the GCP docs for more information:
# https://cloud.google.com/anthos-config-management/docs/how-to/creating-policy-controller-constraints#constraint
match:
[match schema]
parameters:
# disallowedSubjects <array>: A list of subjects that cannot appear in a
# RoleBinding.
disallowedSubjects:
- # apiGroup <string>: The Kubernetes API group of the disallowed role
# binding subject. Currently ignored.
apiGroup: <string>
# kind <string>: The kind of the disallowed role binding subject.
kind: <string>
# name <string>: The name of the disallowed role binding subject.
name: <string>
Examples
disallowed-rolebinding-subjects
Constraint
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sDisallowedRoleBindingSubjects
metadata:
name: disallowed-rolebinding-subjects
spec:
parameters:
disallowedSubjects:
- apiGroup: rbac.authorization.k8s.io
kind: Group
name: system:unauthenticated
Allowed
apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRoleBinding metadata: name: good-clusterrolebinding roleRef: apiGroup: rbac.authorization.k8s.io kind: ClusterRole name: my-role subjects: - apiGroup: rbac.authorization.k8s.io kind: Group name: system:authenticated
Disallowed
apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRoleBinding metadata: name: bad-clusterrolebinding roleRef: apiGroup: rbac.authorization.k8s.io kind: ClusterRole name: my-role subjects: - apiGroup: rbac.authorization.k8s.io kind: Group name: system:unauthenticated
K8sDisallowedTags
Requires container images to have an image tag different from the ones in the specified list. https://kubernetes.io/docs/concepts/containers/images/#image-names
Constraint schema
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sDisallowedTags
metadata:
name: example
spec:
# match <object>: allows you to configure which resources fall in scope for
# this constraint. See the GCP docs for more information:
# https://cloud.google.com/anthos-config-management/docs/how-to/creating-policy-controller-constraints#constraint
match:
[match schema]
parameters:
# tags <array>: Disallowed container image tags.
tags:
- <string>
Examples
container-image-must-not-have-latest-tag
Constraint
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sDisallowedTags
metadata:
name: container-image-must-not-have-latest-tag
spec:
match:
kinds:
- apiGroups:
- ""
kinds:
- Pod
namespaces:
- default
parameters:
tags:
- latest
Allowed
apiVersion: v1
kind: Pod
metadata:
name: opa-allowed
spec:
containers:
- args:
- run
- --server
- --addr=localhost:8080
image: openpolicyagent/opa:0.9.2
name: opa
Disallowed
apiVersion: v1
kind: Pod
metadata:
name: opa-disallowed
spec:
containers:
- args:
- run
- --server
- --addr=localhost:8080
image: openpolicyagent/opa
name: opa
apiVersion: v1
kind: Pod
metadata:
name: opa-disallowed-2
spec:
containers:
- args:
- run
- --server
- --addr=localhost:8080
image: openpolicyagent/opa:latest
name: opa
K8sEmptyDirHasSizeLimit
Requires that any emptyDir volumes specify a sizeLimit. Optionally, a maxSizeLimit parameter can be supplied in the constraint to specify a maximum allowable size limit.
Constraint schema
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sEmptyDirHasSizeLimit
metadata:
name: example
spec:
# match <object>: allows you to configure which resources fall in scope for
# this constraint. See the GCP docs for more information:
# https://cloud.google.com/anthos-config-management/docs/how-to/creating-policy-controller-constraints#constraint
match:
[match schema]
parameters:
# maxSizeLimit <string>: When set, the declared size limit for each volume
# must be less than `maxSizeLimit`.
maxSizeLimit: <string>
Examples
empty-dir-has-size-limit
Constraint
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sEmptyDirHasSizeLimit
metadata:
name: empty-dir-has-size-limit
spec:
parameters:
maxSizeLimit: 4Gi
Allowed
apiVersion: v1
kind: Pod
metadata:
name: good-pod
namespace: default
spec:
containers:
- image: nginx
name: nginx
volumes:
- emptyDir:
sizeLimit: 2Gi
name: good-pod-volume
Disallowed
apiVersion: v1
kind: Pod
metadata:
name: bad-pod
namespace: default
spec:
containers:
- image: nginx
name: nginx
volumes:
- emptyDir: {}
name: bad-pod-volume
K8sExternalIPs
Restricts Service externalIPs to an allowed list of IP addresses. https://kubernetes.io/docs/concepts/services-networking/service/#external-ips
Constraint schema
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sExternalIPs
metadata:
name: example
spec:
# match <object>: allows you to configure which resources fall in scope for
# this constraint. See the GCP docs for more information:
# https://cloud.google.com/anthos-config-management/docs/how-to/creating-policy-controller-constraints#constraint
match:
[match schema]
parameters:
# allowedIPs <array>: An allow-list of external IP addresses.
allowedIPs:
- <string>
Examples
external-ips
Constraint
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sExternalIPs
metadata:
name: external-ips
spec:
match:
kinds:
- apiGroups:
- ""
kinds:
- Service
parameters:
allowedIPs:
- 203.0.113.0
Allowed
apiVersion: v1
kind: Service
metadata:
name: allowed-external-ip
spec:
externalIPs:
- 203.0.113.0
ports:
- name: http
port: 80
protocol: TCP
targetPort: 8080
selector:
app: MyApp
Disallowed
apiVersion: v1
kind: Service
metadata:
name: disallowed-external-ip
spec:
externalIPs:
- 1.1.1.1
ports:
- name: http
port: 80
protocol: TCP
targetPort: 8080
selector:
app: MyApp
K8sHttpsOnly
Requires Ingress resources to be HTTPS only.
Ingress resources must: - include a valid TLS configuration - include the kubernetes.io/ingress.allow-http annotation, set to
false.
https://kubernetes.io/docs/concepts/services-networking/ingress/#tls
Constraint schema
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sHttpsOnly
metadata:
name: example
spec:
# match <object>: allows you to configure which resources fall in scope for
# this constraint. See the GCP docs for more information:
# https://cloud.google.com/anthos-config-management/docs/how-to/creating-policy-controller-constraints#constraint
match:
[match schema]
Examples
ingress-https-only
Constraint
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sHttpsOnly
metadata:
name: ingress-https-only
spec:
match:
kinds:
- apiGroups:
- extensions
- networking.k8s.io
kinds:
- Ingress
Disallowed
apiVersion: extensions/v1beta1
kind: Ingress
metadata:
name: ingress-demo-disallowed
spec:
rules:
- host: example-host.example.com
http:
paths:
- backend:
serviceName: nginx
servicePort: 80
K8sImageDigests
Requires container images to contain a digest. https://kubernetes.io/docs/concepts/containers/images/
Constraint schema
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sImageDigests
metadata:
name: example
spec:
# match <object>: allows you to configure which resources fall in scope for
# this constraint. See the GCP docs for more information:
# https://cloud.google.com/anthos-config-management/docs/how-to/creating-policy-controller-constraints#constraint
match:
[match schema]
Examples
container-image-must-have-digest
Constraint
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sImageDigests
metadata:
name: container-image-must-have-digest
spec:
match:
kinds:
- apiGroups:
- ""
kinds:
- Pod
namespaces:
- default
Allowed
apiVersion: v1
kind: Pod
metadata:
name: opa-allowed
spec:
containers:
- args:
- run
- --server
- --addr=localhost:8080
image: openpolicyagent/opa:0.9.2@sha256:04ff8fce2afd1a3bc26260348e5b290e8d945b1fad4b4c16d22834c2f3a1814a
name: opa
Disallowed
apiVersion: v1
kind: Pod
metadata:
name: opa-disallowed
spec:
containers:
- args:
- run
- --server
- --addr=localhost:8080
image: openpolicyagent/opa:0.9.2
name: opa
K8sLocalStorageRequireSafeToEvict
Requires Pods using local storage (emptyDir or hostPath) to have the annotation "cluster-autoscaler.kubernetes.io/safe-to-evict": "true". Cluster Autoscaler will not delete Pods without this annotation.
Constraint schema
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sLocalStorageRequireSafeToEvict
metadata:
name: example
spec:
# match <object>: allows you to configure which resources fall in scope for
# this constraint. See the GCP docs for more information:
# https://cloud.google.com/anthos-config-management/docs/how-to/creating-policy-controller-constraints#constraint
match:
[match schema]
Examples
local-storage-require-safe-to-evict
Constraint
apiVersion: constraints.gatekeeper.sh/v1beta1 kind: K8sLocalStorageRequireSafeToEvict metadata: name: local-storage-require-safe-to-evict
Allowed
apiVersion: v1
kind: Pod
metadata:
annotations:
cluster-autoscaler.kubernetes.io/safe-to-evict: "true"
name: good-pod
namespace: default
spec:
containers:
- image: redis
name: redis
volumeMounts:
- mountPath: /data/redis
name: redis-storage
volumes:
- emptyDir: {}
name: redis-storage
Disallowed
apiVersion: v1
kind: Pod
metadata:
name: bad-pod
namespace: default
spec:
containers:
- image: redis
name: redis
volumeMounts:
- mountPath: /data/redis
name: redis-storage
volumes:
- emptyDir: {}
name: redis-storage
K8sMemoryRequestEqualsLimit
Promotes Pod stability by requiring that all containers' requested memory exactly equals the memory limit, so that Pods are never in a state where memory usage exceeds the requested amount. Otherwise, Kubernetes can terminate Pods requesting extra memory if memory is needed on the node.
Constraint schema
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sMemoryRequestEqualsLimit
metadata:
name: example
spec:
# match <object>: allows you to configure which resources fall in scope for
# this constraint. See the GCP docs for more information:
# https://cloud.google.com/anthos-config-management/docs/how-to/creating-policy-controller-constraints#constraint
match:
[match schema]
Examples
container-must-request-limit
Constraint
apiVersion: constraints.gatekeeper.sh/v1beta1 kind: K8sMemoryRequestEqualsLimit metadata: name: container-must-request-limit
Allowed
apiVersion: v1
kind: Pod
metadata:
name: good-pod
namespace: default
spec:
containers:
- image: nginx
name: nginx
resources:
limits:
cpu: 100m
memory: 4Gi
requests:
cpu: 50m
memory: 4Gi
Disallowed
apiVersion: v1
kind: Pod
metadata:
name: bad-pod
namespace: default
spec:
containers:
- image: nginx
name: nginx
resources:
limits:
cpu: 100m
memory: 4Gi
requests:
cpu: 50m
memory: 2Gi
K8sNoEnvVarSecrets
Prohibits secrets as environment variables in Pod container definitions. Use mounted secret files in data volumes instead: https://kubernetes.io/docs/concepts/configuration/secret/#using-secrets-as-files-from-a-pod
Constraint schema
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sNoEnvVarSecrets
metadata:
name: example
spec:
# match <object>: allows you to configure which resources fall in scope for
# this constraint. See the GCP docs for more information:
# https://cloud.google.com/anthos-config-management/docs/how-to/creating-policy-controller-constraints#constraint
match:
[match schema]
Examples
no-secrets-as-env-vars
Constraint
apiVersion: constraints.gatekeeper.sh/v1beta1 kind: K8sNoEnvVarSecrets metadata: name: no-secrets-as-env-vars spec: enforcementAction: dryrun
Allowed
apiVersion: v1
kind: Pod
metadata:
name: allowed-example
spec:
containers:
- image: redis
name: test
volumeMounts:
- mountPath: /etc/test
name: test
readOnly: true
volumes:
- name: test
secret:
secretName: mysecret
Disallowed
apiVersion: v1
kind: Pod
metadata:
name: disallowed-example
spec:
containers:
- env:
- name: MY_PASSWORD
valueFrom:
secretKeyRef:
key: password
name: mysecret
image: redis
name: test
K8sNoExternalServices
Prohibits the creation of known resources that expose workloads to external IPs. This includes Istio Gateway resources and Kubernetes Ingress resources. Kubernetes services are also disallowed unless they meet the following criteria:
Any Service of type LoadBalancer must have a "cloud.google.com/load-balancer-type": "Internal" annotation.
Any "external IPs" (external to the cluster) bound to the Service must be a member of a range of internal CIDRs as provided to the constraint.
Constraint schema
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sNoExternalServices
metadata:
name: example
spec:
# match <object>: allows you to configure which resources fall in scope for
# this constraint. See the GCP docs for more information:
# https://cloud.google.com/anthos-config-management/docs/how-to/creating-policy-controller-constraints#constraint
match:
[match schema]
parameters:
# internalCIDRs <array>: A list of CIDRs that are only accessible
# internally, for example: `10.3.27.0/24`. Which IP ranges are
# internal-only is determined by the underlying network infrastructure.
internalCIDRs:
- <string>
Examples
no-external
Constraint
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sNoExternalServices
metadata:
name: no-external
spec:
parameters:
internalCIDRs:
- 10.0.0.1/32
Allowed
apiVersion: v1
kind: Service
metadata:
name: good-service
namespace: default
spec:
externalIPs:
- 10.0.0.1
ports:
- port: 8888
protocol: TCP
targetPort: 8888
Disallowed
apiVersion: v1
kind: Service
metadata:
name: bad-service
namespace: default
spec:
externalIPs:
- 10.0.0.2
ports:
- port: 8888
protocol: TCP
targetPort: 8888
K8sPSPAllowPrivilegeEscalationContainer
Controls restricting escalation to root privileges. Corresponds to the allowPrivilegeEscalation field in a PodSecurityPolicy. For more information, see https://kubernetes.io/docs/concepts/policy/pod-security-policy/#privilege-escalation
Constraint schema
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sPSPAllowPrivilegeEscalationContainer
metadata:
name: example
spec:
# match <object>: allows you to configure which resources fall in scope for
# this constraint. See the GCP docs for more information:
# https://cloud.google.com/anthos-config-management/docs/how-to/creating-policy-controller-constraints#constraint
match:
[match schema]
Examples
psp-allow-privilege-escalation-container
Constraint
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sPSPAllowPrivilegeEscalationContainer
metadata:
name: psp-allow-privilege-escalation-container
spec:
match:
kinds:
- apiGroups:
- ""
kinds:
- Pod
Allowed
apiVersion: v1
kind: Pod
metadata:
labels:
app: nginx-privilege-escalation
name: nginx-privilege-escalation-allowed
spec:
containers:
- image: nginx
name: nginx
securityContext:
allowPrivilegeEscalation: false
Disallowed
apiVersion: v1
kind: Pod
metadata:
labels:
app: nginx-privilege-escalation
name: nginx-privilege-escalation-disallowed
spec:
containers:
- image: nginx
name: nginx
securityContext:
allowPrivilegeEscalation: true
K8sPSPAllowedUsers
Controls the user and group IDs of the container and some volumes. Corresponds to the runAsUser, runAsGroup, supplementalGroups, and fsGroup fields in a PodSecurityPolicy. For more information, see https://kubernetes.io/docs/concepts/policy/pod-security-policy/#users-and-groups
Constraint schema
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sPSPAllowedUsers
metadata:
name: example
spec:
# match <object>: allows you to configure which resources fall in scope for
# this constraint. See the GCP docs for more information:
# https://cloud.google.com/anthos-config-management/docs/how-to/creating-policy-controller-constraints#constraint
match:
[match schema]
parameters:
# fsGroup <object>: Controls the fsGroup values that are allowed in a Pod
# or container-level SecurityContext.
fsGroup:
# ranges <array>: A list of group ID ranges affected by the rule.
ranges:
# <list item: object>: The range of group IDs affected by the rule.
- # max <integer>: The maximum group ID in the range, inclusive.
max: <integer>
# min <integer>: The minimum group ID in the range, inclusive.
min: <integer>
# rule <string>: A strategy for applying the fsGroup restriction.
# Allowed Values: MustRunAs, MayRunAs, RunAsAny
rule: <string>
# runAsGroup <object>: Controls which group ID values are allowed in a Pod
# or container-level SecurityContext.
runAsGroup:
# ranges <array>: A list of group ID ranges affected by the rule.
ranges:
# <list item: object>: The range of group IDs affected by the rule.
- # max <integer>: The maximum group ID in the range, inclusive.
max: <integer>
# min <integer>: The minimum group ID in the range, inclusive.
min: <integer>
# rule <string>: A strategy for applying the runAsGroup restriction.
# Allowed Values: MustRunAs, MayRunAs, RunAsAny
rule: <string>
# runAsUser <object>: Controls which user ID values are allowed in a Pod or
# container-level SecurityContext.
runAsUser:
# ranges <array>: A list of user ID ranges affected by the rule.
ranges:
# <list item: object>: The range of user IDs affected by the rule.
- # max <integer>: The maximum user ID in the range, inclusive.
max: <integer>
# min <integer>: The minimum user ID in the range, inclusive.
min: <integer>
# rule <string>: A strategy for applying the runAsUser restriction.
# Allowed Values: MustRunAs, MustRunAsNonRoot, RunAsAny
rule: <string>
# supplementalGroups <object>: Controls the supplementalGroups values that
# are allowed in a Pod or container-level SecurityContext.
supplementalGroups:
# ranges <array>: A list of group ID ranges affected by the rule.
ranges:
# <list item: object>: The range of group IDs affected by the rule.
- # max <integer>: The maximum group ID in the range, inclusive.
max: <integer>
# min <integer>: The minimum group ID in the range, inclusive.
min: <integer>
# rule <string>: A strategy for applying the supplementalGroups
# restriction.
# Allowed Values: MustRunAs, MayRunAs, RunAsAny
rule: <string>
Examples
psp-pods-allowed-user-ranges
Constraint
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sPSPAllowedUsers
metadata:
name: psp-pods-allowed-user-ranges
spec:
match:
kinds:
- apiGroups:
- ""
kinds:
- Pod
parameters:
fsGroup:
ranges:
- max: 200
min: 100
rule: MustRunAs
runAsGroup:
ranges:
- max: 200
min: 100
rule: MustRunAs
runAsUser:
ranges:
- max: 200
min: 100
rule: MustRunAs
supplementalGroups:
ranges:
- max: 200
min: 100
rule: MustRunAs
Disallowed
apiVersion: v1
kind: Pod
metadata:
labels:
app: nginx-users
name: nginx-users-disallowed
spec:
containers:
- image: nginx
name: nginx
securityContext:
runAsGroup: 250
runAsUser: 250
securityContext:
fsGroup: 250
supplementalGroups:
- 250
K8sPSPAppArmor
Configures an allow-list of AppArmor profiles for use by containers. This corresponds to specific annotations applied to a PodSecurityPolicy. For information on AppArmor, see https://kubernetes.io/docs/tutorials/clusters/apparmor/
Constraint schema
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sPSPAppArmor
metadata:
name: example
spec:
# match <object>: allows you to configure which resources fall in scope for
# this constraint. See the GCP docs for more information:
# https://cloud.google.com/anthos-config-management/docs/how-to/creating-policy-controller-constraints#constraint
match:
[match schema]
parameters:
# allowedProfiles <array>: An array of AppArmor profiles. Examples:
# `runtime/default`, `unconfined`.
allowedProfiles:
- <string>
Examples
psp-apparmor
Constraint
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sPSPAppArmor
metadata:
name: psp-apparmor
spec:
match:
kinds:
- apiGroups:
- ""
kinds:
- Pod
parameters:
allowedProfiles:
- runtime/default
Allowed
apiVersion: v1
kind: Pod
metadata:
annotations:
container.apparmor.security.beta.kubernetes.io/nginx: runtime/default
labels:
app: nginx-apparmor
name: nginx-apparmor-allowed
spec:
containers:
- image: nginx
name: nginx
Disallowed
apiVersion: v1
kind: Pod
metadata:
annotations:
container.apparmor.security.beta.kubernetes.io/nginx: unconfined
labels:
app: nginx-apparmor
name: nginx-apparmor-disallowed
spec:
containers:
- image: nginx
name: nginx
K8sPSPCapabilities
Controls Linux capabilities on containers. Corresponds to the allowedCapabilities and requiredDropCapabilities fields in a PodSecurityPolicy. For more information, see https://kubernetes.io/docs/concepts/policy/pod-security-policy/#capabilities
Constraint schema
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sPSPCapabilities
metadata:
name: example
spec:
# match <object>: allows you to configure which resources fall in scope for
# this constraint. See the GCP docs for more information:
# https://cloud.google.com/anthos-config-management/docs/how-to/creating-policy-controller-constraints#constraint
match:
[match schema]
parameters:
# allowedCapabilities <array>: A list of Linux capabilities that can be
# added to a container.
allowedCapabilities:
- <string>
# requiredDropCapabilities <array>: A list of Linux capabilities that are
# required to be dropped from a container.
requiredDropCapabilities:
- <string>
Examples
capabilities-demo
Constraint
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sPSPCapabilities
metadata:
name: capabilities-demo
spec:
match:
kinds:
- apiGroups:
- ""
kinds:
- Pod
namespaces:
- default
parameters:
allowedCapabilities:
- something
requiredDropCapabilities:
- must_drop
Disallowed
apiVersion: v1
kind: Pod
metadata:
labels:
owner: me.agilebank.demo
name: opa-disallowed
spec:
containers:
- args:
- run
- --server
- --addr=localhost:8080
image: openpolicyagent/opa:0.9.2
name: opa
resources:
limits:
cpu: 100m
memory: 30Mi
securityContext:
capabilities:
add:
- disallowedcapability
K8sPSPFSGroup
Controls allocating an FSGroup that owns the Pod's volumes. Corresponds to the fsGroup field in a PodSecurityPolicy. For more information, see https://kubernetes.io/docs/concepts/policy/pod-security-policy/#volumes-and-file-systems
Constraint schema
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sPSPFSGroup
metadata:
name: example
spec:
# match <object>: allows you to configure which resources fall in scope for
# this constraint. See the GCP docs for more information:
# https://cloud.google.com/anthos-config-management/docs/how-to/creating-policy-controller-constraints#constraint
match:
[match schema]
parameters:
# ranges <array>: GID ranges affected by the rule.
ranges:
- # max <integer>: The maximum GID in the range, inclusive.
max: <integer>
# min <integer>: The minimum GID in the range, inclusive.
min: <integer>
# rule <string>: An FSGroup rule name.
# Allowed Values: MayRunAs, MustRunAs, RunAsAny
rule: <string>
Examples
psp-fsgroup
Constraint
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sPSPFSGroup
metadata:
name: psp-fsgroup
spec:
match:
kinds:
- apiGroups:
- ""
kinds:
- Pod
parameters:
ranges:
- max: 1000
min: 1
rule: MayRunAs
Disallowed
apiVersion: v1
kind: Pod
metadata:
name: fsgroup-disallowed
spec:
containers:
- command:
- sh
- -c
- sleep 1h
image: busybox
name: fsgroup-demo
volumeMounts:
- mountPath: /data/demo
name: fsgroup-demo-vol
securityContext:
fsGroup: 2000
volumes:
- emptyDir: {}
name: fsgroup-demo-vol
K8sPSPFlexVolumes
Controls the allowlist of FlexVolume drivers. Corresponds to the allowedFlexVolumes field in PodSecurityPolicy. For more information, see https://kubernetes.io/docs/concepts/policy/pod-security-policy/#flexvolume-drivers
Constraint schema
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sPSPFlexVolumes
metadata:
name: example
spec:
# match <object>: allows you to configure which resources fall in scope for
# this constraint. See the GCP docs for more information:
# https://cloud.google.com/anthos-config-management/docs/how-to/creating-policy-controller-constraints#constraint
match:
[match schema]
parameters:
# allowedFlexVolumes <array>: An array of AllowedFlexVolume objects.
allowedFlexVolumes:
- # driver <string>: The name of the FlexVolume driver.
driver: <string>
Examples
psp-flexvolume-drivers
Constraint
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sPSPFlexVolumes
metadata:
name: psp-flexvolume-drivers
spec:
match:
kinds:
- apiGroups:
- ""
kinds:
- Pod
parameters:
allowedFlexVolumes:
- driver: example/lvm
- driver: example/cifs
Allowed
apiVersion: v1
kind: Pod
metadata:
labels:
app: nginx-flexvolume-driver
name: nginx-flexvolume-driver-allowed
spec:
containers:
- image: nginx
name: nginx
volumeMounts:
- mountPath: /test
name: test-volume
readOnly: true
volumes:
- flexVolume:
driver: example/lvm
name: test-volume
Disallowed
apiVersion: v1
kind: Pod
metadata:
labels:
app: nginx-flexvolume-driver
name: nginx-flexvolume-driver-disallowed
spec:
containers:
- image: nginx
name: nginx
volumeMounts:
- mountPath: /test
name: test-volume
readOnly: true
volumes:
- flexVolume:
driver: example/testdriver
name: test-volume
K8sPSPForbiddenSysctls
Controls the sysctl profile used by containers. Corresponds to the forbiddenSysctls field in a PodSecurityPolicy. For more information, see https://kubernetes.io/docs/tasks/administer-cluster/sysctl-cluster/
Constraint schema
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sPSPForbiddenSysctls
metadata:
name: example
spec:
# match <object>: allows you to configure which resources fall in scope for
# this constraint. See the GCP docs for more information:
# https://cloud.google.com/anthos-config-management/docs/how-to/creating-policy-controller-constraints#constraint
match:
[match schema]
parameters:
# forbiddenSysctls <array>: A disallow-list of sysctls. `*` forbids all
# sysctls.
forbiddenSysctls:
- <string>
Examples
psp-forbidden-sysctls
Constraint
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sPSPForbiddenSysctls
metadata:
name: psp-forbidden-sysctls
spec:
match:
kinds:
- apiGroups:
- ""
kinds:
- Pod
parameters:
forbiddenSysctls:
- kernel.*
Disallowed
apiVersion: v1
kind: Pod
metadata:
labels:
app: nginx-forbidden-sysctls
name: nginx-forbidden-sysctls-disallowed
spec:
containers:
- image: nginx
name: nginx
securityContext:
sysctls:
- name: kernel.msgmax
value: "65536"
K8sPSPHostFilesystem
Controls usage of the host filesystem. Corresponds to the allowedHostPaths field in a PodSecurityPolicy. For more information, see https://kubernetes.io/docs/concepts/policy/pod-security-policy/#volumes-and-file-systems
Constraint schema
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sPSPHostFilesystem
metadata:
name: example
spec:
# match <object>: allows you to configure which resources fall in scope for
# this constraint. See the GCP docs for more information:
# https://cloud.google.com/anthos-config-management/docs/how-to/creating-policy-controller-constraints#constraint
match:
[match schema]
parameters:
# allowedHostPaths <array>: An array of hostpath objects, representing
# paths and read/write configuration.
allowedHostPaths:
- # pathPrefix <string>: The path prefix that the host volume must
# match.
pathPrefix: <string>
# readOnly <boolean>: when set to true, any container volumeMounts
# matching the pathPrefix must include `readOnly: true`.
readOnly: <boolean>
Examples
psp-host-filesystem
Constraint
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sPSPHostFilesystem
metadata:
name: psp-host-filesystem
spec:
match:
kinds:
- apiGroups:
- ""
kinds:
- Pod
parameters:
allowedHostPaths:
- pathPrefix: /foo
readOnly: true
Disallowed
apiVersion: v1
kind: Pod
metadata:
labels:
app: nginx-host-filesystem-disallowed
name: nginx-host-filesystem
spec:
containers:
- image: nginx
name: nginx
volumeMounts:
- mountPath: /cache
name: cache-volume
readOnly: true
volumes:
- hostPath:
path: /tmp
name: cache-volume
K8sPSPHostNamespace
Disallows sharing of host PID and IPC namespaces by pod containers. Corresponds to the hostPID and hostIPC fields in a PodSecurityPolicy. For more information, see https://kubernetes.io/docs/concepts/policy/pod-security-policy/#host-namespaces
Constraint schema
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sPSPHostNamespace
metadata:
name: example
spec:
# match <object>: allows you to configure which resources fall in scope for
# this constraint. See the GCP docs for more information:
# https://cloud.google.com/anthos-config-management/docs/how-to/creating-policy-controller-constraints#constraint
match:
[match schema]
Examples
psp-host-namespace
Constraint
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sPSPHostNamespace
metadata:
name: psp-host-namespace
spec:
match:
kinds:
- apiGroups:
- ""
kinds:
- Pod
Allowed
apiVersion: v1
kind: Pod
metadata:
labels:
app: nginx-host-namespace
name: nginx-host-namespace-allowed
spec:
containers:
- image: nginx
name: nginx
hostIPC: false
hostPID: false
Disallowed
apiVersion: v1
kind: Pod
metadata:
labels:
app: nginx-host-namespace
name: nginx-host-namespace-disallowed
spec:
containers:
- image: nginx
name: nginx
hostIPC: true
hostPID: true
K8sPSPHostNetworkingPorts
Controls usage of host network namespace by pod containers. Specific ports must be specified. Corresponds to the hostNetwork and hostPorts fields in a PodSecurityPolicy. For more information, see https://kubernetes.io/docs/concepts/policy/pod-security-policy/#host-namespaces
Constraint schema
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sPSPHostNetworkingPorts
metadata:
name: example
spec:
# match <object>: allows you to configure which resources fall in scope for
# this constraint. See the GCP docs for more information:
# https://cloud.google.com/anthos-config-management/docs/how-to/creating-policy-controller-constraints#constraint
match:
[match schema]
parameters:
# hostNetwork <boolean>: Determines if the policy allows the use of
# HostNetwork in the pod spec.
hostNetwork: <boolean>
# max <integer>: The end of the allowed port range, inclusive.
max: <integer>
# min <integer>: The start of the allowed port range, inclusive.
min: <integer>
Examples
psp-host-network-ports
Constraint
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sPSPHostNetworkingPorts
metadata:
name: psp-host-network-ports
spec:
match:
kinds:
- apiGroups:
- ""
kinds:
- Pod
parameters:
hostNetwork: true
max: 9000
min: 80
Allowed
apiVersion: v1
kind: Pod
metadata:
labels:
app: nginx-host-networking-ports
name: nginx-host-networking-ports-allowed
spec:
containers:
- image: nginx
name: nginx
ports:
- containerPort: 9000
hostPort: 80
hostNetwork: false
Disallowed
apiVersion: v1
kind: Pod
metadata:
labels:
app: nginx-host-networking-ports
name: nginx-host-networking-ports-disallowed
spec:
containers:
- image: nginx
name: nginx
ports:
- containerPort: 9001
hostPort: 9001
hostNetwork: true
K8sPSPPrivilegedContainer
Controls the ability of any container to enable privileged mode. Corresponds to the privileged field in a PodSecurityPolicy. For more information, see https://kubernetes.io/docs/concepts/policy/pod-security-policy/#privileged
Constraint schema
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sPSPPrivilegedContainer
metadata:
name: example
spec:
# match <object>: allows you to configure which resources fall in scope for
# this constraint. See the GCP docs for more information:
# https://cloud.google.com/anthos-config-management/docs/how-to/creating-policy-controller-constraints#constraint
match:
[match schema]
Examples
psp-privileged-container
Constraint
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sPSPPrivilegedContainer
metadata:
name: psp-privileged-container
spec:
match:
excludedNamespaces:
- kube-system
kinds:
- apiGroups:
- ""
kinds:
- Pod
Allowed
apiVersion: v1
kind: Pod
metadata:
labels:
app: nginx-privileged
name: nginx-privileged-allowed
spec:
containers:
- image: nginx
name: nginx
securityContext:
privileged: false
Disallowed
apiVersion: v1
kind: Pod
metadata:
labels:
app: nginx-privileged
name: nginx-privileged-disallowed
spec:
containers:
- image: nginx
name: nginx
securityContext:
privileged: true
K8sPSPProcMount
Controls the allowed procMount types for the container. Corresponds to the allowedProcMountTypes field in a PodSecurityPolicy. For more information, see https://kubernetes.io/docs/concepts/policy/pod-security-policy/#allowedprocmounttypes
Constraint schema
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sPSPProcMount
metadata:
name: example
spec:
# match <object>: allows you to configure which resources fall in scope for
# this constraint. See the GCP docs for more information:
# https://cloud.google.com/anthos-config-management/docs/how-to/creating-policy-controller-constraints#constraint
match:
[match schema]
parameters:
# procMount <string>: Defines the strategy for the security exposure of
# certain paths in `/proc` by the container runtime. Setting to `Default`
# uses the runtime defaults, where `Unmasked` bypasses the default
# behavior.
# Allowed Values: Default, Unmasked
procMount: <string>
Examples
psp-proc-mount
Constraint
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sPSPProcMount
metadata:
name: psp-proc-mount
spec:
match:
kinds:
- apiGroups:
- ""
kinds:
- Pod
parameters:
procMount: Default
Disallowed
apiVersion: v1
kind: Pod
metadata:
labels:
app: nginx-proc-mount
name: nginx-proc-mount-disallowed
spec:
containers:
- image: nginx
name: nginx
securityContext:
procMount: Unmasked
K8sPSPReadOnlyRootFilesystem
Requires the use of a read-only root file system by pod containers. Corresponds to the readOnlyRootFilesystem field in a PodSecurityPolicy. For more information, see https://kubernetes.io/docs/concepts/policy/pod-security-policy/#volumes-and-file-systems
Constraint schema
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sPSPReadOnlyRootFilesystem
metadata:
name: example
spec:
# match <object>: allows you to configure which resources fall in scope for
# this constraint. See the GCP docs for more information:
# https://cloud.google.com/anthos-config-management/docs/how-to/creating-policy-controller-constraints#constraint
match:
[match schema]
Examples
psp-readonlyrootfilesystem
Constraint
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sPSPReadOnlyRootFilesystem
metadata:
name: psp-readonlyrootfilesystem
spec:
match:
kinds:
- apiGroups:
- ""
kinds:
- Pod
Allowed
apiVersion: v1
kind: Pod
metadata:
labels:
app: nginx-readonlyrootfilesystem
name: nginx-readonlyrootfilesystem-allowed
spec:
containers:
- image: nginx
name: nginx
securityContext:
readOnlyRootFilesystem: true
Disallowed
apiVersion: v1
kind: Pod
metadata:
labels:
app: nginx-readonlyrootfilesystem
name: nginx-readonlyrootfilesystem-disallowed
spec:
containers:
- image: nginx
name: nginx
securityContext:
readOnlyRootFilesystem: false
K8sPSPSELinuxV2
Defines an allow-list of seLinuxOptions configurations for pod containers. Corresponds to a PodSecurityPolicy requiring SELinux configs. For more information, see https://kubernetes.io/docs/concepts/policy/pod-security-policy/#selinux
Constraint schema
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sPSPSELinuxV2
metadata:
name: example
spec:
# match <object>: allows you to configure which resources fall in scope for
# this constraint. See the GCP docs for more information:
# https://cloud.google.com/anthos-config-management/docs/how-to/creating-policy-controller-constraints#constraint
match:
[match schema]
parameters:
# allowedSELinuxOptions <array>: An allow-list of SELinux options
# configurations.
allowedSELinuxOptions:
# <list item: object>: An allowed configuration of SELinux options for a
# pod container.
- # level <string>: An SELinux level.
level: <string>
# role <string>: An SELinux role.
role: <string>
# type <string>: An SELinux type.
type: <string>
# user <string>: An SELinux user.
user: <string>
Examples
psp-selinux-v2
Constraint
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sPSPSELinuxV2
metadata:
name: psp-selinux-v2
spec:
match:
kinds:
- apiGroups:
- ""
kinds:
- Pod
parameters:
allowedSELinuxOptions:
- level: s0:c123,c456
role: object_r
type: svirt_sandbox_file_t
user: system_u
Disallowed
apiVersion: v1
kind: Pod
metadata:
labels:
app: nginx-selinux
name: nginx-selinux-disallowed
spec:
containers:
- image: nginx
name: nginx
securityContext:
seLinuxOptions:
level: s1:c234,c567
role: sysadm_r
type: svirt_lxc_net_t
user: sysadm_u
K8sPSPSeccomp
Controls the seccomp profile used by containers. Corresponds to the seccomp.security.alpha.kubernetes.io/allowedProfileNames annotation on a PodSecurityPolicy. For more information, see https://kubernetes.io/docs/concepts/policy/pod-security-policy/#seccomp
Constraint schema
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sPSPSeccomp
metadata:
name: example
spec:
# match <object>: allows you to configure which resources fall in scope for
# this constraint. See the GCP docs for more information:
# https://cloud.google.com/anthos-config-management/docs/how-to/creating-policy-controller-constraints#constraint
match:
[match schema]
parameters:
# allowedProfiles <array>: An array of allowed profile values for seccomp
# annotations on Pods.
allowedProfiles:
- <string>
Examples
psp-seccomp
Constraint
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sPSPSeccomp
metadata:
name: psp-seccomp
spec:
match:
kinds:
- apiGroups:
- ""
kinds:
- Pod
parameters:
allowedProfiles:
- runtime/default
- docker/default
Allowed
apiVersion: v1
kind: Pod
metadata:
annotations:
container.seccomp.security.alpha.kubernetes.io/nginx: runtime/default
labels:
app: nginx-seccomp
name: nginx-seccomp-allowed
spec:
containers:
- image: nginx
name: nginx
apiVersion: v1
kind: Pod
metadata:
annotations:
seccomp.security.alpha.kubernetes.io/pod: runtime/default
labels:
app: nginx-seccomp
name: nginx-seccomp-allowed2
spec:
containers:
- image: nginx
name: nginx
Disallowed
apiVersion: v1
kind: Pod
metadata:
annotations:
container.seccomp.security.alpha.kubernetes.io/nginx: unconfined
labels:
app: nginx-seccomp
name: nginx-seccomp-disallowed
spec:
containers:
- image: nginx
name: nginx
apiVersion: v1
kind: Pod
metadata:
annotations:
seccomp.security.alpha.kubernetes.io/pod: unconfined
labels:
app: nginx-seccomp
name: nginx-seccomp-disallowed2
spec:
containers:
- image: nginx
name: nginx
K8sPSPVolumeTypes
Restricts mountable volume types to those specified by the user. Corresponds to the volumes field in a PodSecurityPolicy. For more information, see https://kubernetes.io/docs/concepts/policy/pod-security-policy/#volumes-and-file-systems
Constraint schema
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sPSPVolumeTypes
metadata:
name: example
spec:
# match <object>: allows you to configure which resources fall in scope for
# this constraint. See the GCP docs for more information:
# https://cloud.google.com/anthos-config-management/docs/how-to/creating-policy-controller-constraints#constraint
match:
[match schema]
parameters:
# volumes <array>: `volumes` is an array of volume types. All volume types
# can be enabled using `*`.
volumes:
- <string>
Examples
psp-volume-types
Constraint
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sPSPVolumeTypes
metadata:
name: psp-volume-types
spec:
match:
kinds:
- apiGroups:
- ""
kinds:
- Pod
parameters:
volumes:
- configMap
- emptyDir
- projected
- secret
- downwardAPI
- persistentVolumeClaim
- flexVolume
Disallowed
apiVersion: v1
kind: Pod
metadata:
labels:
app: nginx-volume-types
name: nginx-volume-types-disallowed
spec:
containers:
- image: nginx
name: nginx
volumeMounts:
- mountPath: /cache
name: cache-volume
- image: nginx
name: nginx2
volumeMounts:
- mountPath: /cache2
name: demo-vol
volumes:
- hostPath:
path: /tmp
name: cache-volume
- emptyDir: {}
name: demo-vol
K8sPodsRequireSecurityContext
Requires all Pods to define securityContext. Requires all containers defined in Pods to have a SecurityContext defined at the Pod or container level.
Constraint schema
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sPodsRequireSecurityContext
metadata:
name: example
spec:
# match <object>: allows you to configure which resources fall in scope for
# this constraint. See the GCP docs for more information:
# https://cloud.google.com/anthos-config-management/docs/how-to/creating-policy-controller-constraints#constraint
match:
[match schema]
Examples
pods-require-security-context
Constraint
apiVersion: constraints.gatekeeper.sh/v1beta1 kind: K8sPodsRequireSecurityContext metadata: name: pods-require-security-context spec: enforcementAction: dryrun
Allowed
apiVersion: v1
kind: Pod
metadata:
name: allowed-example
spec:
containers:
- image: nginx
name: nginx
securityContext:
runAsUser: 2000
Disallowed
apiVersion: v1
kind: Pod
metadata:
name: disallowed-example
spec:
containers:
- image: nginx
name: nginx
K8sProhibitRoleWildcardAccess
Requires that Roles and ClusterRoles not set resource access to a wildcard ("") value. Does not restrict wildcard access to subresources, such as "/status".
Constraint schema
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sProhibitRoleWildcardAccess
metadata:
name: example
spec:
# match <object>: allows you to configure which resources fall in scope for
# this constraint. See the GCP docs for more information:
# https://cloud.google.com/anthos-config-management/docs/how-to/creating-policy-controller-constraints#constraint
match:
[match schema]
Examples
prohibit-role-wildcard-access
Constraint
apiVersion: constraints.gatekeeper.sh/v1beta1 kind: K8sProhibitRoleWildcardAccess metadata: name: prohibit-role-wildcard-access spec: enforcementAction: dryrun
Allowed
apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRole metadata: name: cluster-role-example rules: - apiGroups: - "" resources: - pods verbs: - get
Disallowed
apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRole metadata: name: cluster-role-bad-example rules: - apiGroups: - "" resources: - pods verbs: - '*'
K8sReplicaLimits
Requires that objects with the field spec.replicas (Deployments, ReplicaSets, etc.) specify a number of replicas within defined ranges.
Constraint schema
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sReplicaLimits
metadata:
name: example
spec:
# match <object>: allows you to configure which resources fall in scope for
# this constraint. See the GCP docs for more information:
# https://cloud.google.com/anthos-config-management/docs/how-to/creating-policy-controller-constraints#constraint
match:
[match schema]
parameters:
# ranges <array>: Allowed ranges for numbers of replicas. Values are
# inclusive.
ranges:
# <list item: object>: A range of allowed replicas. Values are
# inclusive.
- # max_replicas <integer>: The maximum number of replicas allowed,
# inclusive.
max_replicas: <integer>
# min_replicas <integer>: The minimum number of replicas allowed,
# inclusive.
min_replicas: <integer>
Examples
replica-limits
Constraint
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sReplicaLimits
metadata:
name: replica-limits
spec:
match:
kinds:
- apiGroups:
- apps
kinds:
- Deployment
parameters:
ranges:
- max_replicas: 50
min_replicas: 3
Allowed
apiVersion: apps/v1
kind: Deployment
metadata:
name: allowed-deployment
spec:
replicas: 3
selector:
matchLabels:
app: nginx
template:
metadata:
labels:
app: nginx
spec:
containers:
- image: nginx:1.14.2
name: nginx
ports:
- containerPort: 80
Disallowed
apiVersion: apps/v1
kind: Deployment
metadata:
name: disallowed-deployment
spec:
replicas: 100
selector:
matchLabels:
app: nginx
template:
metadata:
labels:
app: nginx
spec:
containers:
- image: nginx:1.14.2
name: nginx
ports:
- containerPort: 80
K8sRequireNamespaceNetworkPolicies
Requires that every namespace defined in the cluster has a NetworkPolicy. Note: This constraint is referential. See https://cloud.google.com/anthos-config-management/docs/how-to/creating-policy-controller-constraints#referential for details.
Constraint schema
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sRequireNamespaceNetworkPolicies
metadata:
name: example
spec:
# match <object>: allows you to configure which resources fall in scope for
# this constraint. See the GCP docs for more information:
# https://cloud.google.com/anthos-config-management/docs/how-to/creating-policy-controller-constraints#constraint
match:
[match schema]
Examples
require-namespace-network-policies
Constraint
apiVersion: constraints.gatekeeper.sh/v1beta1 kind: K8sRequireNamespaceNetworkPolicies metadata: name: require-namespace-network-policies spec: enforcementAction: dryrun
Allowed
apiVersion: networking.k8s.io/v1 kind: NetworkPolicy metadata: name: test-network-policy namespace: require-namespace-network-policies-good-example
Disallowed
apiVersion: v1 kind: Namespace metadata: name: require-namespace-network-policies-example
K8sRequiredAnnotations
Requires all resources to contain a specified annotation(s) with a value matching a provided regular expression.
Constraint schema
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sRequiredAnnotations
metadata:
name: example
spec:
# match <object>: allows you to configure which resources fall in scope for
# this constraint. See the GCP docs for more information:
# https://cloud.google.com/anthos-config-management/docs/how-to/creating-policy-controller-constraints#constraint
match:
[match schema]
parameters:
annotations:
- allowedRegex: <string>
key: <string>
message: <string>
Examples
all-must-have-certain-set-of-annotations
Constraint
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sRequiredAnnotations
metadata:
name: all-must-have-certain-set-of-annotations
spec:
match:
kinds:
- apiGroups:
- ""
kinds:
- Service
parameters:
annotations:
- allowedRegex: ^([A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,6}|[a-z]{1,39})$
key: a8r.io/owner
- allowedRegex: ^(http:\/\/www\.|https:\/\/www\.|http:\/\/|https:\/\/)?[a-z0-9]+([\-\.]{1}[a-z0-9]+)*\.[a-z]{2,5}(:[0-9]{1,5})?(\/.*)?$
key: a8r.io/runbook
message: All services must have a `a8r.io/owner` and `a8r.io/runbook` annotations.
Allowed
apiVersion: v1
kind: Service
metadata:
annotations:
a8r.io/owner: dev-team-alfa@contoso.com
a8r.io/runbook: https://confluence.contoso.com/dev-team-alfa/runbooks
name: allowed-service
spec:
ports:
- name: http
port: 80
targetPort: 8080
selector:
app: foo
Disallowed
apiVersion: v1
kind: Service
metadata:
name: disallowed-service
spec:
ports:
- name: http
port: 80
targetPort: 8080
selector:
app: foo
K8sRequiredLabels
Requires all resources to contain a specified label with a value matching a provided regular expression.
Constraint schema
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sRequiredLabels
metadata:
name: example
spec:
# match <object>: allows you to configure which resources fall in scope for
# this constraint. See the GCP docs for more information:
# https://cloud.google.com/anthos-config-management/docs/how-to/creating-policy-controller-constraints#constraint
match:
[match schema]
parameters:
labels:
- allowedRegex: <string>
key: <string>
message: <string>
Examples
all-must-have-owner
Constraint
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sRequiredLabels
metadata:
name: all-must-have-owner
spec:
match:
kinds:
- apiGroups:
- ""
kinds:
- Namespace
parameters:
labels:
- allowedRegex: ^[a-zA-Z]+.agilebank.demo$
key: owner
message: All namespaces must have an `owner` label that points to your company
username
Allowed
apiVersion: v1
kind: Namespace
metadata:
labels:
owner: user.agilebank.demo
name: allowed-namespace
Disallowed
apiVersion: v1 kind: Namespace metadata: name: disallowed-namespace
K8sRequiredProbes
Requires Pods to have readiness and/or liveness probes.
Constraint schema
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sRequiredProbes
metadata:
name: example
spec:
# match <object>: allows you to configure which resources fall in scope for
# this constraint. See the GCP docs for more information:
# https://cloud.google.com/anthos-config-management/docs/how-to/creating-policy-controller-constraints#constraint
match:
[match schema]
parameters:
probeTypes:
- <string>
probes:
- <string>
Examples
must-have-probes
Constraint
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sRequiredProbes
metadata:
name: must-have-probes
spec:
match:
kinds:
- apiGroups:
- ""
kinds:
- Pod
parameters:
probeTypes:
- tcpSocket
- httpGet
- exec
probes:
- readinessProbe
- livenessProbe
Disallowed
apiVersion: v1
kind: Pod
metadata:
name: test-pod1
spec:
containers:
- image: nginx:1.7.9
livenessProbe: null
name: nginx-1
ports:
- containerPort: 80
volumeMounts:
- mountPath: /tmp/cache
name: cache-volume
- image: tomcat
name: tomcat
ports:
- containerPort: 8080
readinessProbe:
initialDelaySeconds: 5
periodSeconds: 10
tcpSocket:
port: 8080
volumes:
- emptyDir: {}
name: cache-volume
K8sRestrictLabels
Disallows resources from containing specified labels unless there is an exception for the specific resource.
Constraint schema
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sRestrictLabels
metadata:
name: example
spec:
# match <object>: allows you to configure which resources fall in scope for
# this constraint. See the GCP docs for more information:
# https://cloud.google.com/anthos-config-management/docs/how-to/creating-policy-controller-constraints#constraint
match:
[match schema]
parameters:
# exceptions <array>: Objects listed here are exempt from enforcement of
# this constraint. All fields must be provided.
exceptions:
# <list item: object>: A single object's identification, based on group,
# kind, namespace, and name.
- # group <string>: The Kubernetes group of the exempt object.
group: <string>
# kind <string>: The Kubernetes kind of the exempt object.
kind: <string>
# name <string>: The name of the exempt object.
name: <string>
# namespace <string>: The namespace of the exempt object. For
# cluster-scoped resources, use the empty string `""`.
namespace: <string>
# restrictedLabels <array>: A list of label keys strings.
restrictedLabels:
- <string>
Examples
restrict-label-example
Constraint
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sRestrictLabels
metadata:
name: restrict-label-example
spec:
enforcementAction: dryrun
parameters:
exceptions:
- group: ""
kind: Pod
name: allowed-example
namespace: default
restrictedLabels:
- label-example
Allowed
apiVersion: v1
kind: Pod
metadata:
labels:
label-example: example
name: allowed-example
namespace: default
spec:
containers:
- image: nginx
name: nginx
Disallowed
apiVersion: v1
kind: Pod
metadata:
labels:
label-example: example
name: disallowed-example
namespace: default
spec:
containers:
- image: nginx
name: nginx
K8sRestrictNamespaces
Restricts resources from using namespaces listed under the restrictedNamespaces parameter.
Constraint schema
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sRestrictNamespaces
metadata:
name: example
spec:
# match <object>: allows you to configure which resources fall in scope for
# this constraint. See the GCP docs for more information:
# https://cloud.google.com/anthos-config-management/docs/how-to/creating-policy-controller-constraints#constraint
match:
[match schema]
parameters:
# restrictedNamespaces <array>: A list of Namespaces to restrict.
restrictedNamespaces:
- <string>
Examples
restrict-default-namespace
Constraint
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sRestrictNamespaces
metadata:
name: restrict-default-namespace
spec:
enforcementAction: dryrun
parameters:
restrictedNamespaces:
- default
Allowed
apiVersion: v1
kind: Pod
metadata:
name: allowed-example
namespace: test-namespace
spec:
containers:
- image: nginx
name: nginx
Disallowed
apiVersion: v1
kind: Pod
metadata:
name: disallowed-example
namespace: default
spec:
containers:
- image: nginx
name: nginx
K8sRestrictRoleBindings
Restricts ClusterRoleBindings and RoleBindings from referencing the specified Role/ClusterRole unless all subjects of the binding are marked as being allowed.
Constraint schema
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sRestrictRoleBindings
metadata:
name: example
spec:
# match <object>: allows you to configure which resources fall in scope for
# this constraint. See the GCP docs for more information:
# https://cloud.google.com/anthos-config-management/docs/how-to/creating-policy-controller-constraints#constraint
match:
[match schema]
parameters:
# allowedSubjects <array>: The list of subjects that are allowed to bind to
# the restricted role.
allowedSubjects:
- # apiGroup <string>: The Kubernetes API group of the subject.
apiGroup: <string>
# kind <string>: The Kubernetes kind of the subject.
kind: <string>
# name <string>: The name of the subject.
name: <string>
# restrictedRole <object>: The role that cannot be bound to unless
# expressly allowed.
restrictedRole:
# apiGroup <string>: The Kubernetes API group of the role.
apiGroup: <string>
# kind <string>: The Kubernetes kind of the role.
kind: <string>
# name <string>: The name of the role.
name: <string>
Examples
restrict-clusteradmin-rolebindings
Constraint
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sRestrictRoleBindings
metadata:
name: restrict-clusteradmin-rolebindings
spec:
enforcementAction: dryrun
parameters:
allowedSubjects:
- apiGroup: rbac.authorization.k8s.io
kind: Group
name: system:masters
restrictedRole:
apiGroup: rbac.authorization.k8s.io
kind: ClusterRole
name: cluster-admin
Allowed
apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRoleBinding metadata: name: good-clusterrolebinding roleRef: apiGroup: rbac.authorization.k8s.io kind: ClusterRole name: cluster-admin subjects: - apiGroup: rbac.authorization.k8s.io kind: Group name: system:masters
Disallowed
apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRoleBinding metadata: name: bad-clusterrolebinding roleRef: apiGroup: rbac.authorization.k8s.io kind: ClusterRole name: cluster-admin subjects: - apiGroup: rbac.authorization.k8s.io kind: Group name: system:unauthenticated
K8sUniqueIngressHost
Requires all Ingress rule hosts to be unique. Does not handle hostname wildcards: https://kubernetes.io/docs/concepts/services-networking/ingress/
Constraint schema
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sUniqueIngressHost
metadata:
name: example
spec:
# match <object>: allows you to configure which resources fall in scope for
# this constraint. See the GCP docs for more information:
# https://cloud.google.com/anthos-config-management/docs/how-to/creating-policy-controller-constraints#constraint
match:
[match schema]
Examples
unique-ingress-host
Constraint
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sUniqueIngressHost
metadata:
name: unique-ingress-host
spec:
match:
kinds:
- apiGroups:
- extensions
- networking.k8s.io
kinds:
- Ingress
Disallowed
apiVersion: extensions/v1beta1
kind: Ingress
metadata:
name: ingress-host-example
spec:
rules:
- host: example-host.example.com
http:
paths:
- backend:
serviceName: nginx
servicePort: 80
apiVersion: networking.k8s.io/v1beta1
kind: Ingress
metadata:
name: ingress-host-example2
spec:
rules:
- host: example-host.example.com
http:
paths:
- backend:
serviceName: nginx
servicePort: 80
K8sUniqueServiceSelector
Requires Services to have unique selectors within a namespace. Selectors are considered the same if they have identical keys and values. Selectors may share a key/value pair so long as there is at least one distinct key/value pair between them. https://kubernetes.io/docs/concepts/services-networking/service/#defining-a-service
Constraint schema
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sUniqueServiceSelector
metadata:
name: example
spec:
# match <object>: allows you to configure which resources fall in scope for
# this constraint. See the GCP docs for more information:
# https://cloud.google.com/anthos-config-management/docs/how-to/creating-policy-controller-constraints#constraint
match:
[match schema]
Examples
unique-service-selector
Constraint
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sUniqueServiceSelector
metadata:
labels:
owner: admin.agilebank.demo
name: unique-service-selector
Disallowed
apiVersion: v1
kind: Service
metadata:
name: gatekeeper-test-service-example
namespace: default
spec:
ports:
- port: 443
selector:
key: value
PolicyStrictOnly
Requires that Istio authentication Policy specify peers with STRICT mutual TLS.
https://istio.io/latest/docs/tasks/security/authentication/mtls-migration/#lock-down-mutual-tls-for-the-entire-mesh
Constraint schema
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: PolicyStrictOnly
metadata:
name: example
spec:
# match <object>: allows you to configure which resources fall in scope for
# this constraint. See the GCP docs for more information:
# https://cloud.google.com/anthos-config-management/docs/how-to/creating-policy-controller-constraints#constraint
match:
[match schema]
Examples
policy-strict-constraint
Constraint
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: PolicyStrictOnly
metadata:
name: policy-strict-constraint
spec:
enforcementAction: dryrun
match:
kinds:
- apiGroups:
- authentication.istio.io
kinds:
- Policy
namespaces:
- default
Disallowed
apiVersion: authentication.istio.io/v1alpha1
kind: Policy
metadata:
name: policy-permissive
namespace: default
spec:
peers:
- mtls:
mode: PERMISSIVE
SourceNotAllAuthz
Requires that Istio AuthorizationPolicy rules have source principals set to something other than "*". https://istio.io/latest/docs/reference/config/security/authorization-policy/
Constraint schema
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: SourceNotAllAuthz
metadata:
name: example
spec:
# match <object>: allows you to configure which resources fall in scope for
# this constraint. See the GCP docs for more information:
# https://cloud.google.com/anthos-config-management/docs/how-to/creating-policy-controller-constraints#constraint
match:
[match schema]
Examples
sourcenotall-authz-constraint
Constraint
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: SourceNotAllAuthz
metadata:
name: sourcenotall-authz-constraint
spec:
enforcementAction: dryrun
match:
kinds:
- apiGroups:
- security.istio.io
kinds:
- AuthorizationPolicy
Disallowed
apiVersion: security.istio.io/v1beta1
kind: AuthorizationPolicy
metadata:
name: source-principals-all
namespace: foo
spec:
rules:
- from:
- source:
principals:
- '*'
- source:
namespaces:
- test
to:
- operation:
methods:
- GET
paths:
- /info*
- operation:
methods:
- POST
paths:
- /data
when:
- key: request.auth.claims[iss]
values:
- https://accounts.google.com
selector:
matchLabels:
app: httpbin
version: v1
What's next
- Learn more about Policy Controller
- Install Policy Controller
- Learn how to use constraints instead of PodSecurityPolicies
- View the open source library of constraint templates in the gatekeeper-library repository