Constraint template library
Constraint templates let you define how a constraint works but delegate defining the specifics of the constraint to an individual or group with subject matter expertise. In addition to separating concerns, this also separates the logic of the constraint from its definition.
To help you see how the constraint templates function, each template includes an example constraint and a resource that violates the constraint.
Not all constraint templates are available for all versions of Policy Controller, Config Sync and Config Controller. Further, templates can change between versions. To better understand the history of a template, you can go to the Policy Controller, Config Sync and Config Controller archives to view earlier versions of this page.
All constraints contain a match
section, which defines the objects a
constraint applies to. For details on how to configure that section, see
Constraint match section.
Links to earlier versions of this page
AllowedServicePortName
Requires that service port names have a prefix from a specified list.
Constraint schema
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: AllowedServicePortName
metadata:
name: example
spec:
# match <object>: allows you to configure which resources fall in scope for
# this constraint. See the GCP docs for more information:
# https://cloud.google.com/anthos-config-management/docs/how-to/creating-policy-controller-constraints#constraint
match:
[match schema]
parameters:
# prefixes <array>: Prefixes of allowed service port names.
prefixes:
- <string>
Examples
port-name-constraint
Constraint
apiVersion: constraints.gatekeeper.sh/v1beta1 kind: AllowedServicePortName metadata: name: port-name-constraint spec: enforcementAction: deny match: kinds: - apiGroups: - "" kinds: - Service parameters: prefixes: - http- - http2- - grpc- - mongo- - redis- - tcp-
Disallowed
apiVersion: v1 kind: Service metadata: labels: app: helloworld name: port-name-bad spec: ports: - name: helloport port: 5000 selector: app: helloworld
DestinationRuleTLSEnabled
Prohibits disabling TLS for all hosts and host subsets in Istio DestinationRules.
Constraint schema
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: DestinationRuleTLSEnabled
metadata:
name: example
spec:
# match <object>: allows you to configure which resources fall in scope for
# this constraint. See the GCP docs for more information:
# https://cloud.google.com/anthos-config-management/docs/how-to/creating-policy-contorller-constraints#constraint
match:
[match schema]
Examples
dr-tls-enabled
Constraint
apiVersion: constraints.gatekeeper.sh/v1beta1 kind: DestinationRuleTLSEnabled metadata: name: dr-tls-enabled spec: enforcementAction: dryrun match: kinds: - apiGroups: - networking.istio.io kinds: - DestinationRule
Disallowed
apiVersion: networking.istio.io/v1alpha3 kind: DestinationRule metadata: name: dr-traffic-leastconn namespace: default spec: host: myservice trafficPolicy: loadBalancer: simple: LEAST_CONN
DisallowedAuthzPrefix
Requires that principals and namespaces in Istio AuthorizationPolicy
rules not have a prefix from a specified list.
https://istio.io/latest/docs/reference/config/security/authorization-policy/
Constraint schema
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: DisallowedAuthzPrefix
metadata:
name: example
spec:
# match <object>: allows you to configure which resources fall in scope for
# this constraint. See the GCP docs for more information:
# https://cloud.google.com/anthos-config-management/docs/how-to/creating-policy-controller-constraints#constraint
match:
[match schema]
parameters:
# disallowedprefixes <array>: Disallowed prefixes of principals and
# namespaces.
disallowedprefixes:
- <string>
Examples
disallowed-authz-prefix-constraint
Constraint
apiVersion: constraints.gatekeeper.sh/v1beta1 kind: DisallowedAuthzPrefix metadata: name: disallowed-authz-prefix-constraint spec: enforcementAction: dryrun match: kinds: - apiGroups: - security.istio.io kinds: - AuthorizationPolicy parameters: disallowedprefixes: - badprefix - reallybadprefix
Disallowed
apiVersion: security.istio.io/v1beta1 kind: AuthorizationPolicy metadata: name: bad-source-namespace namespace: foo spec: rules: - from: - source: principals: - cluster.local/ns/default/sa/sleep - source: namespaces: - badprefix-test to: - operation: methods: - GET paths: - /info* - operation: methods: - POST paths: - /data when: - key: request.auth.claims[iss] values: - https://accounts.google.com selector: matchLabels: app: httpbin version: v1
GCPStorageLocationConstraintV1
Restricts the permitted locations
for StorageBucket Config Connector resources to the list of locations provided in the constraint. Bucket names in the exemptions
list are exempt.
Constraint schema
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: GCPStorageLocationConstraintV1
metadata:
name: example
spec:
# match <object>: allows you to configure which resources fall in scope for
# this constraint. See the GCP docs for more information:
# https://cloud.google.com/anthos-config-management/docs/how-to/creating-policy-controller-constraints#constraint
match:
[match schema]
parameters:
# exemptions <array>: A list of bucket names that are exempt from this
# constraint.
exemptions:
- <string>
# locations <array>: A list of locations that a bucket is permitted to
# have.
locations:
- <string>
Examples
singapore-and-jakarta-only
Constraint
apiVersion: constraints.gatekeeper.sh/v1beta1 kind: GCPStorageLocationConstraintV1 metadata: name: singapore-and-jakarta-only spec: enforcementAction: deny match: kinds: - apiGroups: - storage.cnrm.cloud.google.com kinds: - StorageBucket parameters: exemptions: - my_project_id_cloudbuild locations: - asia-southeast1 - asia-southeast2
Allowed
apiVersion: storage.cnrm.cloud.google.com/v1beta1 kind: StorageBucket metadata: name: bucket-in-permitted-location spec: location: asia-southeast1
Disallowed
apiVersion: storage.cnrm.cloud.google.com/v1beta1 kind: StorageBucket metadata: name: bucket-in-disallowed-location spec: location: us-central1
apiVersion: storage.cnrm.cloud.google.com/v1beta1 kind: StorageBucket metadata: name: bucket-without-specific-location spec: null
K8sAllowedRepos
Requires container images to begin with a string from the specified list.
Constraint schema
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sAllowedRepos
metadata:
name: example
spec:
# match <object>: allows you to configure which resources fall in scope for
# this constraint. See the GCP docs for more information:
# https://cloud.google.com/anthos-config-management/docs/how-to/creating-policy-controller-constraints#constraint
match:
[match schema]
parameters:
# repos <array>: The list of prefixes a container image is allowed to have.
repos:
- <string>
Examples
repo-is-openpolicyagent
Constraint
apiVersion: constraints.gatekeeper.sh/v1beta1 kind: K8sAllowedRepos metadata: name: repo-is-openpolicyagent spec: match: kinds: - apiGroups: - "" kinds: - Pod namespaces: - default parameters: repos: - openpolicyagent/
Allowed
apiVersion: v1 kind: Pod metadata: name: opa-allowed spec: containers: - args: - run - --server - --addr=localhost:8080 image: openpolicyagent/opa:0.9.2 name: opa resources: limits: cpu: 100m memory: 30Mi
Disallowed
apiVersion: v1 kind: Pod metadata: name: nginx-disallowed spec: containers: - image: nginx name: nginx resources: limits: cpu: 100m memory: 30Mi
K8sBlockEndpointEditDefaultRole
Many Kubernetes installations by default have a system:aggregate-to-edit ClusterRole which does not properly restrict access to editing Endpoints. This ConstraintTemplate forbids the system:aggregate-to-edit ClusterRole from granting permission to create/patch/update Endpoints. ClusterRole/system:aggregate-to-edit should not allow Endpoint edit permissions due to CVE-2021-25740, Endpoint & EndpointSlice permissions allow cross-Namespace forwarding, https://github.com/kubernetes/kubernetes/issues/103675
Constraint schema
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sBlockEndpointEditDefaultRole
metadata:
name: example
spec:
# match <object>: allows you to configure which resources fall in scope for
# this constraint. See the GCP docs for more information:
# https://cloud.google.com/anthos-config-management/docs/how-to/creating-policy-controller-constraints#constraint
match:
[match schema]
Examples
block-endpoint-edit-default-role
Constraint
apiVersion: constraints.gatekeeper.sh/v1beta1 kind: K8sBlockEndpointEditDefaultRole metadata: name: block-endpoint-edit-default-role spec: match: kinds: - apiGroups: - rbac.authorization.k8s.io kinds: - ClusterRole
Allowed
apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRole metadata: annotations: rbac.authorization.kubernetes.io/autoupdate: "true" creationTimestamp: null labels: kubernetes.io/bootstrapping: rbac-defaults rbac.authorization.k8s.io/aggregate-to-edit: "true" name: system:aggregate-to-edit rules: - apiGroups: - "" resources: - pods/attach - pods/exec - pods/portforward - pods/proxy - secrets - services/proxy verbs: - get - list - watch - apiGroups: - "" resources: - serviceaccounts verbs: - impersonate - apiGroups: - "" resources: - pods - pods/attach - pods/exec - pods/portforward - pods/proxy verbs: - create - delete - deletecollection - patch - update - apiGroups: - "" resources: - configmaps - persistentvolumeclaims - replicationcontrollers - replicationcontrollers/scale - secrets - serviceaccounts - services - services/proxy verbs: - create - delete - deletecollection - patch - update - apiGroups: - apps resources: - daemonsets - deployments - deployments/rollback - deployments/scale - replicasets - replicasets/scale - statefulsets - statefulsets/scale verbs: - create - delete - deletecollection - patch - update - apiGroups: - autoscaling resources: - horizontalpodautoscalers verbs: - create - delete - deletecollection - patch - update - apiGroups: - batch resources: - cronjobs - jobs verbs: - create - delete - deletecollection - patch - update - apiGroups: - extensions resources: - daemonsets - deployments - deployments/rollback - deployments/scale - ingresses - networkpolicies - replicasets - replicasets/scale - replicationcontrollers/scale verbs: - create - delete - deletecollection - patch - update - apiGroups: - policy resources: - poddisruptionbudgets verbs: - create - delete - deletecollection - patch - update - apiGroups: - networking.k8s.io resources: - ingresses - networkpolicies verbs: - create - delete - deletecollection - patch - update
Disallowed
apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRole metadata: annotations: rbac.authorization.kubernetes.io/autoupdate: "true" creationTimestamp: null labels: kubernetes.io/bootstrapping: rbac-defaults rbac.authorization.k8s.io/aggregate-to-edit: "true" name: system:aggregate-to-edit rules: - apiGroups: - "" resources: - pods/attach - pods/exec - pods/portforward - pods/proxy - secrets - services/proxy verbs: - get - list - watch - apiGroups: - "" resources: - serviceaccounts verbs: - impersonate - apiGroups: - "" resources: - pods - pods/attach - pods/exec - pods/portforward - pods/proxy verbs: - create - delete - deletecollection - patch - update - apiGroups: - "" resources: - configmaps - persistentvolumeclaims - replicationcontrollers - replicationcontrollers/scale - secrets - serviceaccounts - services - services/proxy verbs: - create - delete - deletecollection - patch - update - apiGroups: - apps resources: - daemonsets - deployments - deployments/rollback - deployments/scale - endpoints - replicasets - replicasets/scale - statefulsets - statefulsets/scale verbs: - create - delete - deletecollection - patch - update
K8sBlockNodePort
Disallows all Services with type NodePort. https://kubernetes.io/docs/concepts/services-networking/service/#nodeport
Constraint schema
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sBlockNodePort
metadata:
name: example
spec:
# match <object>: allows you to configure which resources fall in scope for
# this constraint. See the GCP docs for more information:
# https://cloud.google.com/anthos-config-management/docs/how-to/creating-policy-controller-constraints#constraint
match:
[match schema]
Examples
block-node-port
Constraint
apiVersion: constraints.gatekeeper.sh/v1beta1 kind: K8sBlockNodePort metadata: name: block-node-port spec: match: kinds: - apiGroups: - "" kinds: - Service
Disallowed
apiVersion: v1 kind: Service metadata: name: my-service-disallowed spec: ports: - nodePort: 30007 port: 80 targetPort: 80 type: NodePort
K8sBlockProcessNamespaceSharing
Prohibits Pod specs with shareProcessNamespace
set to true
. This avoids scenarios where all containers in a Pod share a PID namespace and can access each other's filesystem and memory.
Constraint schema
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sBlockProcessNamespaceSharing
metadata:
name: example
spec:
# match <object>: allows you to configure which resources fall in scope for
# this constraint. See the GCP docs for more information:
# https://cloud.google.com/anthos-config-management/docs/how-to/creating-policy-controller-constraints#constraint
match:
[match schema]
Examples
block-process-namespace-sharing
Constraint
apiVersion: constraints.gatekeeper.sh/v1beta1 kind: K8sBlockProcessNamespaceSharing metadata: name: block-process-namespace-sharing
Allowed
apiVersion: v1 kind: Pod metadata: name: good-pod namespace: default spec: containers: - image: nginx name: nginx
Disallowed
apiVersion: v1 kind: Pod metadata: name: bad-pod namespace: default spec: containers: - image: nginx name: nginx shareProcessNamespace: true
K8sContainerLimits
Requires containers to have memory and CPU limits set and constrains limits to be within the specified maximum values. https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/
Constraint schema
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sContainerLimits
metadata:
name: example
spec:
# match <object>: allows you to configure which resources fall in scope for
# this constraint. See the GCP docs for more information:
# https://cloud.google.com/anthos-config-management/docs/how-to/creating-policy-controller-constraints#constraint
match:
[match schema]
parameters:
# cpu <string>: The maximum allowed cpu limit on a Pod, exclusive.
cpu: <string>
# memory <string>: The maximum allowed memory limit on a Pod, exclusive.
memory: <string>
Examples
container-must-have-limits
Constraint
apiVersion: constraints.gatekeeper.sh/v1beta1 kind: K8sContainerLimits metadata: name: container-must-have-limits spec: match: kinds: - apiGroups: - "" kinds: - Pod parameters: cpu: 200m memory: 1Gi
Allowed
apiVersion: v1 kind: Pod metadata: labels: owner: me.agilebank.demo name: opa-allowed spec: containers: - args: - run - --server - --addr=localhost:8080 image: openpolicyagent/opa:0.9.2 name: opa resources: limits: cpu: 100m memory: 1Gi
Disallowed
apiVersion: v1 kind: Pod metadata: labels: owner: me.agilebank.demo name: opa-disallowed spec: containers: - args: - run - --server - --addr=localhost:8080 image: openpolicyagent/opa:0.9.2 name: opa resources: limits: cpu: 100m memory: 2Gi
K8sContainerRatios
Sets a maximum ratio for container resource limits to requests. https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/
Constraint schema
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sContainerRatios
metadata:
name: example
spec:
# match <object>: allows you to configure which resources fall in scope for
# this constraint. See the GCP docs for more information:
# https://cloud.google.com/anthos-config-management/docs/how-to/creating-policy-controller-constraints#constraint
match:
[match schema]
parameters:
# ratio <string>: The maximum allowed ratio of `resources.limits` to
# `resources.requests` on a container.
ratio: <string>
Examples
container-must-meet-ratio
Constraint
apiVersion: constraints.gatekeeper.sh/v1beta1 kind: K8sContainerRatios metadata: name: container-must-meet-ratio spec: match: kinds: - apiGroups: - "" kinds: - Pod parameters: ratio: "2"
Disallowed
apiVersion: v1 kind: Pod metadata: labels: owner: me.agilebank.demo name: opa-disallowed spec: containers: - args: - run - --server - --addr=localhost:8080 image: openpolicyagent/opa:0.9.2 name: opa resources: limits: cpu: 800m memory: 2Gi requests: cpu: 100m memory: 100Mi
K8sDisallowedRoleBindingSubjects
Prohibits RoleBindings or ClusterRoleBindings with subjects matching any disallowedSubjects
passed as parameters.
Constraint schema
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sDisallowedRoleBindingSubjects
metadata:
name: example
spec:
# match <object>: allows you to configure which resources fall in scope for
# this constraint. See the GCP docs for more information:
# https://cloud.google.com/anthos-config-management/docs/how-to/creating-policy-controller-constraints#constraint
match:
[match schema]
parameters:
# disallowedSubjects <array>: A list of subjects that cannot appear in a
# RoleBinding.
disallowedSubjects:
- # apiGroup <string>: The Kubernetes API group of the disallowed role
# binding subject. Currently ignored.
apiGroup: <string>
# kind <string>: The kind of the disallowed role binding subject.
kind: <string>
# name <string>: The name of the disallowed role binding subject.
name: <string>
Examples
disallowed-rolebinding-subjects
Constraint
apiVersion: constraints.gatekeeper.sh/v1beta1 kind: K8sDisallowedRoleBindingSubjects metadata: name: disallowed-rolebinding-subjects spec: parameters: disallowedSubjects: - apiGroup: rbac.authorization.k8s.io kind: Group name: system:unauthenticated
Allowed
apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRoleBinding metadata: name: good-clusterrolebinding roleRef: apiGroup: rbac.authorization.k8s.io kind: ClusterRole name: my-role subjects: - apiGroup: rbac.authorization.k8s.io kind: Group name: system:authenticated
Disallowed
apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRoleBinding metadata: name: bad-clusterrolebinding roleRef: apiGroup: rbac.authorization.k8s.io kind: ClusterRole name: my-role subjects: - apiGroup: rbac.authorization.k8s.io kind: Group name: system:unauthenticated
K8sDisallowedTags
Requires container images to have an image tag different from the ones in the specified list. https://kubernetes.io/docs/concepts/containers/images/#image-names
Constraint schema
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sDisallowedTags
metadata:
name: example
spec:
# match <object>: allows you to configure which resources fall in scope for
# this constraint. See the GCP docs for more information:
# https://cloud.google.com/anthos-config-management/docs/how-to/creating-policy-controller-constraints#constraint
match:
[match schema]
parameters:
# tags <array>: Disallowed container image tags.
tags:
- <string>
Examples
container-image-must-not-have-latest-tag
Constraint
apiVersion: constraints.gatekeeper.sh/v1beta1 kind: K8sDisallowedTags metadata: name: container-image-must-not-have-latest-tag spec: match: kinds: - apiGroups: - "" kinds: - Pod namespaces: - default parameters: tags: - latest
Allowed
apiVersion: v1 kind: Pod metadata: name: opa-allowed spec: containers: - args: - run - --server - --addr=localhost:8080 image: openpolicyagent/opa:0.9.2 name: opa
Disallowed
apiVersion: v1 kind: Pod metadata: name: opa-disallowed spec: containers: - args: - run - --server - --addr=localhost:8080 image: openpolicyagent/opa name: opa
apiVersion: v1 kind: Pod metadata: name: opa-disallowed-2 spec: containers: - args: - run - --server - --addr=localhost:8080 image: openpolicyagent/opa:latest name: opa
K8sEmptyDirHasSizeLimit
Requires that any emptyDir
volumes specify a sizeLimit
. Optionally, a maxSizeLimit
parameter can be supplied in the constraint to specify a maximum allowable size limit.
Constraint schema
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sEmptyDirHasSizeLimit
metadata:
name: example
spec:
# match <object>: allows you to configure which resources fall in scope for
# this constraint. See the GCP docs for more information:
# https://cloud.google.com/anthos-config-management/docs/how-to/creating-policy-controller-constraints#constraint
match:
[match schema]
parameters:
# maxSizeLimit <string>: When set, the declared size limit for each volume
# must be less than `maxSizeLimit`.
maxSizeLimit: <string>
Examples
empty-dir-has-size-limit
Constraint
apiVersion: constraints.gatekeeper.sh/v1beta1 kind: K8sEmptyDirHasSizeLimit metadata: name: empty-dir-has-size-limit spec: parameters: maxSizeLimit: 4Gi
Allowed
apiVersion: v1 kind: Pod metadata: name: good-pod namespace: default spec: containers: - image: nginx name: nginx volumes: - emptyDir: sizeLimit: 2Gi name: good-pod-volume
Disallowed
apiVersion: v1 kind: Pod metadata: name: bad-pod namespace: default spec: containers: - image: nginx name: nginx volumes: - emptyDir: {} name: bad-pod-volume
K8sExternalIPs
Restricts Service externalIPs to an allowed list of IP addresses. https://kubernetes.io/docs/concepts/services-networking/service/#external-ips
Constraint schema
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sExternalIPs
metadata:
name: example
spec:
# match <object>: allows you to configure which resources fall in scope for
# this constraint. See the GCP docs for more information:
# https://cloud.google.com/anthos-config-management/docs/how-to/creating-policy-controller-constraints#constraint
match:
[match schema]
parameters:
# allowedIPs <array>: An allow-list of external IP addresses.
allowedIPs:
- <string>
Examples
external-ips
Constraint
apiVersion: constraints.gatekeeper.sh/v1beta1 kind: K8sExternalIPs metadata: name: external-ips spec: match: kinds: - apiGroups: - "" kinds: - Service parameters: allowedIPs: - 203.0.113.0
Allowed
apiVersion: v1 kind: Service metadata: name: allowed-external-ip spec: externalIPs: - 203.0.113.0 ports: - name: http port: 80 protocol: TCP targetPort: 8080 selector: app: MyApp
Disallowed
apiVersion: v1 kind: Service metadata: name: disallowed-external-ip spec: externalIPs: - 1.1.1.1 ports: - name: http port: 80 protocol: TCP targetPort: 8080 selector: app: MyApp
K8sHttpsOnly
Requires Ingress resources to be HTTPS only.
Ingress resources must: - include a valid TLS configuration - include the kubernetes.io/ingress.allow-http
annotation, set to
false
.
https://kubernetes.io/docs/concepts/services-networking/ingress/#tls
Constraint schema
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sHttpsOnly
metadata:
name: example
spec:
# match <object>: allows you to configure which resources fall in scope for
# this constraint. See the GCP docs for more information:
# https://cloud.google.com/anthos-config-management/docs/how-to/creating-policy-controller-constraints#constraint
match:
[match schema]
Examples
ingress-https-only
Constraint
apiVersion: constraints.gatekeeper.sh/v1beta1 kind: K8sHttpsOnly metadata: name: ingress-https-only spec: match: kinds: - apiGroups: - extensions - networking.k8s.io kinds: - Ingress
Disallowed
apiVersion: extensions/v1beta1 kind: Ingress metadata: name: ingress-demo-disallowed spec: rules: - host: example-host.example.com http: paths: - backend: serviceName: nginx servicePort: 80
K8sImageDigests
Requires container images to contain a digest. https://kubernetes.io/docs/concepts/containers/images/
Constraint schema
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sImageDigests
metadata:
name: example
spec:
# match <object>: allows you to configure which resources fall in scope for
# this constraint. See the GCP docs for more information:
# https://cloud.google.com/anthos-config-management/docs/how-to/creating-policy-controller-constraints#constraint
match:
[match schema]
Examples
container-image-must-have-digest
Constraint
apiVersion: constraints.gatekeeper.sh/v1beta1 kind: K8sImageDigests metadata: name: container-image-must-have-digest spec: match: kinds: - apiGroups: - "" kinds: - Pod namespaces: - default
Allowed
apiVersion: v1 kind: Pod metadata: name: opa-allowed spec: containers: - args: - run - --server - --addr=localhost:8080 image: openpolicyagent/opa:0.9.2@sha256:04ff8fce2afd1a3bc26260348e5b290e8d945b1fad4b4c16d22834c2f3a1814a name: opa
Disallowed
apiVersion: v1 kind: Pod metadata: name: opa-disallowed spec: containers: - args: - run - --server - --addr=localhost:8080 image: openpolicyagent/opa:0.9.2 name: opa
K8sLocalStorageRequireSafeToEvict
Requires Pods using local storage (emptyDir
or hostPath
) to have the annotation "cluster-autoscaler.kubernetes.io/safe-to-evict": "true"
. Cluster Autoscaler will not delete Pods without this annotation.
Constraint schema
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sLocalStorageRequireSafeToEvict
metadata:
name: example
spec:
# match <object>: allows you to configure which resources fall in scope for
# this constraint. See the GCP docs for more information:
# https://cloud.google.com/anthos-config-management/docs/how-to/creating-policy-controller-constraints#constraint
match:
[match schema]
Examples
local-storage-require-safe-to-evict
Constraint
apiVersion: constraints.gatekeeper.sh/v1beta1 kind: K8sLocalStorageRequireSafeToEvict metadata: name: local-storage-require-safe-to-evict
Allowed
apiVersion: v1 kind: Pod metadata: annotations: cluster-autoscaler.kubernetes.io/safe-to-evict: "true" name: good-pod namespace: default spec: containers: - image: redis name: redis volumeMounts: - mountPath: /data/redis name: redis-storage volumes: - emptyDir: {} name: redis-storage
Disallowed
apiVersion: v1 kind: Pod metadata: name: bad-pod namespace: default spec: containers: - image: redis name: redis volumeMounts: - mountPath: /data/redis name: redis-storage volumes: - emptyDir: {} name: redis-storage
K8sMemoryRequestEqualsLimit
Promotes Pod stability by requiring that all containers' requested memory exactly equals the memory limit, so that Pods are never in a state where memory usage exceeds the requested amount. Otherwise, Kubernetes can terminate Pods requesting extra memory if memory is needed on the node.
Constraint schema
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sMemoryRequestEqualsLimit
metadata:
name: example
spec:
# match <object>: allows you to configure which resources fall in scope for
# this constraint. See the GCP docs for more information:
# https://cloud.google.com/anthos-config-management/docs/how-to/creating-policy-controller-constraints#constraint
match:
[match schema]
Examples
container-must-request-limit
Constraint
apiVersion: constraints.gatekeeper.sh/v1beta1 kind: K8sMemoryRequestEqualsLimit metadata: name: container-must-request-limit
Allowed
apiVersion: v1 kind: Pod metadata: name: good-pod namespace: default spec: containers: - image: nginx name: nginx resources: limits: cpu: 100m memory: 4Gi requests: cpu: 50m memory: 4Gi
Disallowed
apiVersion: v1 kind: Pod metadata: name: bad-pod namespace: default spec: containers: - image: nginx name: nginx resources: limits: cpu: 100m memory: 4Gi requests: cpu: 50m memory: 2Gi
K8sNoEnvVarSecrets
Prohibits secrets as environment variables in Pod container definitions. Use mounted secret files in data volumes instead: https://kubernetes.io/docs/concepts/configuration/secret/#using-secrets-as-files-from-a-pod
Constraint schema
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sNoEnvVarSecrets
metadata:
name: example
spec:
# match <object>: allows you to configure which resources fall in scope for
# this constraint. See the GCP docs for more information:
# https://cloud.google.com/anthos-config-management/docs/how-to/creating-policy-controller-constraints#constraint
match:
[match schema]
Examples
no-secrets-as-env-vars
Constraint
apiVersion: constraints.gatekeeper.sh/v1beta1 kind: K8sNoEnvVarSecrets metadata: name: no-secrets-as-env-vars spec: enforcementAction: dryrun
Allowed
apiVersion: v1 kind: Pod metadata: name: allowed-example spec: containers: - image: redis name: test volumeMounts: - mountPath: /etc/test name: test readOnly: true volumes: - name: test secret: secretName: mysecret
Disallowed
apiVersion: v1 kind: Pod metadata: name: disallowed-example spec: containers: - env: - name: MY_PASSWORD valueFrom: secretKeyRef: key: password name: mysecret image: redis name: test
K8sNoExternalServices
Prohibits the creation of known resources that expose workloads to external IPs. This includes Istio Gateway resources and Kubernetes Ingress resources. Kubernetes services are also disallowed unless they meet the following criteria:
Any Service of type LoadBalancer
must have a "cloud.google.com/load-balancer-type": "Internal"
annotation.
Any "external IPs" (external to the cluster) bound to the Service must be a member of a range of internal CIDRs as provided to the constraint.
Constraint schema
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sNoExternalServices
metadata:
name: example
spec:
# match <object>: allows you to configure which resources fall in scope for
# this constraint. See the GCP docs for more information:
# https://cloud.google.com/anthos-config-management/docs/how-to/creating-policy-controller-constraints#constraint
match:
[match schema]
parameters:
# internalCIDRs <array>: A list of CIDRs that are only accessible
# internally, for example: `10.3.27.0/24`. Which IP ranges are
# internal-only is determined by the underlying network infrastructure.
internalCIDRs:
- <string>
Examples
no-external
Constraint
apiVersion: constraints.gatekeeper.sh/v1beta1 kind: K8sNoExternalServices metadata: name: no-external spec: parameters: internalCIDRs: - 10.0.0.1/32
Allowed
apiVersion: v1 kind: Service metadata: name: good-service namespace: default spec: externalIPs: - 10.0.0.1 ports: - port: 8888 protocol: TCP targetPort: 8888
Disallowed
apiVersion: v1 kind: Service metadata: name: bad-service namespace: default spec: externalIPs: - 10.0.0.2 ports: - port: 8888 protocol: TCP targetPort: 8888
K8sPSPAllowPrivilegeEscalationContainer
Controls restricting escalation to root privileges. Corresponds to the allowPrivilegeEscalation
field in a PodSecurityPolicy. For more information, see https://kubernetes.io/docs/concepts/policy/pod-security-policy/#privilege-escalation
Constraint schema
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sPSPAllowPrivilegeEscalationContainer
metadata:
name: example
spec:
# match <object>: allows you to configure which resources fall in scope for
# this constraint. See the GCP docs for more information:
# https://cloud.google.com/anthos-config-management/docs/how-to/creating-policy-controller-constraints#constraint
match:
[match schema]
Examples
psp-allow-privilege-escalation-container
Constraint
apiVersion: constraints.gatekeeper.sh/v1beta1 kind: K8sPSPAllowPrivilegeEscalationContainer metadata: name: psp-allow-privilege-escalation-container spec: match: kinds: - apiGroups: - "" kinds: - Pod
Allowed
apiVersion: v1 kind: Pod metadata: labels: app: nginx-privilege-escalation name: nginx-privilege-escalation-allowed spec: containers: - image: nginx name: nginx securityContext: allowPrivilegeEscalation: false
Disallowed
apiVersion: v1 kind: Pod metadata: labels: app: nginx-privilege-escalation name: nginx-privilege-escalation-disallowed spec: containers: - image: nginx name: nginx securityContext: allowPrivilegeEscalation: true
K8sPSPAllowedUsers
Controls the user and group IDs of the container and some volumes. Corresponds to the runAsUser
, runAsGroup
, supplementalGroups
, and fsGroup
fields in a PodSecurityPolicy. For more information, see https://kubernetes.io/docs/concepts/policy/pod-security-policy/#users-and-groups
Constraint schema
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sPSPAllowedUsers
metadata:
name: example
spec:
# match <object>: allows you to configure which resources fall in scope for
# this constraint. See the GCP docs for more information:
# https://cloud.google.com/anthos-config-management/docs/how-to/creating-policy-controller-constraints#constraint
match:
[match schema]
parameters:
# fsGroup <object>: Controls the fsGroup values that are allowed in a Pod
# or container-level SecurityContext.
fsGroup:
# ranges <array>: A list of group ID ranges affected by the rule.
ranges:
# <list item: object>: The range of group IDs affected by the rule.
- # max <integer>: The maximum group ID in the range, inclusive.
max: <integer>
# min <integer>: The minimum group ID in the range, inclusive.
min: <integer>
# rule <string>: A strategy for applying the fsGroup restriction.
# Allowed Values: MustRunAs, MayRunAs, RunAsAny
rule: <string>
# runAsGroup <object>: Controls which group ID values are allowed in a Pod
# or container-level SecurityContext.
runAsGroup:
# ranges <array>: A list of group ID ranges affected by the rule.
ranges:
# <list item: object>: The range of group IDs affected by the rule.
- # max <integer>: The maximum group ID in the range, inclusive.
max: <integer>
# min <integer>: The minimum group ID in the range, inclusive.
min: <integer>
# rule <string>: A strategy for applying the runAsGroup restriction.
# Allowed Values: MustRunAs, MayRunAs, RunAsAny
rule: <string>
# runAsUser <object>: Controls which user ID values are allowed in a Pod or
# container-level SecurityContext.
runAsUser:
# ranges <array>: A list of user ID ranges affected by the rule.
ranges:
# <list item: object>: The range of user IDs affected by the rule.
- # max <integer>: The maximum user ID in the range, inclusive.
max: <integer>
# min <integer>: The minimum user ID in the range, inclusive.
min: <integer>
# rule <string>: A strategy for applying the runAsUser restriction.
# Allowed Values: MustRunAs, MustRunAsNonRoot, RunAsAny
rule: <string>
# supplementalGroups <object>: Controls the supplementalGroups values that
# are allowed in a Pod or container-level SecurityContext.
supplementalGroups:
# ranges <array>: A list of group ID ranges affected by the rule.
ranges:
# <list item: object>: The range of group IDs affected by the rule.
- # max <integer>: The maximum group ID in the range, inclusive.
max: <integer>
# min <integer>: The minimum group ID in the range, inclusive.
min: <integer>
# rule <string>: A strategy for applying the supplementalGroups
# restriction.
# Allowed Values: MustRunAs, MayRunAs, RunAsAny
rule: <string>
Examples
psp-pods-allowed-user-ranges
Constraint
apiVersion: constraints.gatekeeper.sh/v1beta1 kind: K8sPSPAllowedUsers metadata: name: psp-pods-allowed-user-ranges spec: match: kinds: - apiGroups: - "" kinds: - Pod parameters: fsGroup: ranges: - max: 200 min: 100 rule: MustRunAs runAsGroup: ranges: - max: 200 min: 100 rule: MustRunAs runAsUser: ranges: - max: 200 min: 100 rule: MustRunAs supplementalGroups: ranges: - max: 200 min: 100 rule: MustRunAs
Disallowed
apiVersion: v1 kind: Pod metadata: labels: app: nginx-users name: nginx-users-disallowed spec: containers: - image: nginx name: nginx securityContext: runAsGroup: 250 runAsUser: 250 securityContext: fsGroup: 250 supplementalGroups: - 250
K8sPSPAppArmor
Configures an allow-list of AppArmor profiles for use by containers. This corresponds to specific annotations applied to a PodSecurityPolicy. For information on AppArmor, see https://kubernetes.io/docs/tutorials/clusters/apparmor/
Constraint schema
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sPSPAppArmor
metadata:
name: example
spec:
# match <object>: allows you to configure which resources fall in scope for
# this constraint. See the GCP docs for more information:
# https://cloud.google.com/anthos-config-management/docs/how-to/creating-policy-controller-constraints#constraint
match:
[match schema]
parameters:
# allowedProfiles <array>: An array of AppArmor profiles. Examples:
# `runtime/default`, `unconfined`.
allowedProfiles:
- <string>
Examples
psp-apparmor
Constraint
apiVersion: constraints.gatekeeper.sh/v1beta1 kind: K8sPSPAppArmor metadata: name: psp-apparmor spec: match: kinds: - apiGroups: - "" kinds: - Pod parameters: allowedProfiles: - runtime/default
Allowed
apiVersion: v1 kind: Pod metadata: annotations: container.apparmor.security.beta.kubernetes.io/nginx: runtime/default labels: app: nginx-apparmor name: nginx-apparmor-allowed spec: containers: - image: nginx name: nginx
Disallowed
apiVersion: v1 kind: Pod metadata: annotations: container.apparmor.security.beta.kubernetes.io/nginx: unconfined labels: app: nginx-apparmor name: nginx-apparmor-disallowed spec: containers: - image: nginx name: nginx
K8sPSPCapabilities
Controls Linux capabilities on containers. Corresponds to the allowedCapabilities
and requiredDropCapabilities
fields in a PodSecurityPolicy. For more information, see https://kubernetes.io/docs/concepts/policy/pod-security-policy/#capabilities
Constraint schema
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sPSPCapabilities
metadata:
name: example
spec:
# match <object>: allows you to configure which resources fall in scope for
# this constraint. See the GCP docs for more information:
# https://cloud.google.com/anthos-config-management/docs/how-to/creating-policy-controller-constraints#constraint
match:
[match schema]
parameters:
# allowedCapabilities <array>: A list of Linux capabilities that can be
# added to a container.
allowedCapabilities:
- <string>
# requiredDropCapabilities <array>: A list of Linux capabilities that are
# required to be dropped from a container.
requiredDropCapabilities:
- <string>
Examples
capabilities-demo
Constraint
apiVersion: constraints.gatekeeper.sh/v1beta1 kind: K8sPSPCapabilities metadata: name: capabilities-demo spec: match: kinds: - apiGroups: - "" kinds: - Pod namespaces: - default parameters: allowedCapabilities: - something requiredDropCapabilities: - must_drop
Disallowed
apiVersion: v1 kind: Pod metadata: labels: owner: me.agilebank.demo name: opa-disallowed spec: containers: - args: - run - --server - --addr=localhost:8080 image: openpolicyagent/opa:0.9.2 name: opa resources: limits: cpu: 100m memory: 30Mi securityContext: capabilities: add: - disallowedcapability
K8sPSPFSGroup
Controls allocating an FSGroup that owns the Pod's volumes. Corresponds to the fsGroup
field in a PodSecurityPolicy. For more information, see https://kubernetes.io/docs/concepts/policy/pod-security-policy/#volumes-and-file-systems
Constraint schema
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sPSPFSGroup
metadata:
name: example
spec:
# match <object>: allows you to configure which resources fall in scope for
# this constraint. See the GCP docs for more information:
# https://cloud.google.com/anthos-config-management/docs/how-to/creating-policy-controller-constraints#constraint
match:
[match schema]
parameters:
# ranges <array>: GID ranges affected by the rule.
ranges:
- # max <integer>: The maximum GID in the range, inclusive.
max: <integer>
# min <integer>: The minimum GID in the range, inclusive.
min: <integer>
# rule <string>: An FSGroup rule name.
# Allowed Values: MayRunAs, MustRunAs, RunAsAny
rule: <string>
Examples
psp-fsgroup
Constraint
apiVersion: constraints.gatekeeper.sh/v1beta1 kind: K8sPSPFSGroup metadata: name: psp-fsgroup spec: match: kinds: - apiGroups: - "" kinds: - Pod parameters: ranges: - max: 1000 min: 1 rule: MayRunAs
Disallowed
apiVersion: v1 kind: Pod metadata: name: fsgroup-disallowed spec: containers: - command: - sh - -c - sleep 1h image: busybox name: fsgroup-demo volumeMounts: - mountPath: /data/demo name: fsgroup-demo-vol securityContext: fsGroup: 2000 volumes: - emptyDir: {} name: fsgroup-demo-vol
K8sPSPFlexVolumes
Controls the allowlist of FlexVolume drivers. Corresponds to the allowedFlexVolumes
field in PodSecurityPolicy. For more information, see https://kubernetes.io/docs/concepts/policy/pod-security-policy/#flexvolume-drivers
Constraint schema
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sPSPFlexVolumes
metadata:
name: example
spec:
# match <object>: allows you to configure which resources fall in scope for
# this constraint. See the GCP docs for more information:
# https://cloud.google.com/anthos-config-management/docs/how-to/creating-policy-controller-constraints#constraint
match:
[match schema]
parameters:
# allowedFlexVolumes <array>: An array of AllowedFlexVolume objects.
allowedFlexVolumes:
- # driver <string>: The name of the FlexVolume driver.
driver: <string>
Examples
psp-flexvolume-drivers
Constraint
apiVersion: constraints.gatekeeper.sh/v1beta1 kind: K8sPSPFlexVolumes metadata: name: psp-flexvolume-drivers spec: match: kinds: - apiGroups: - "" kinds: - Pod parameters: allowedFlexVolumes: - driver: example/lvm - driver: example/cifs
Allowed
apiVersion: v1 kind: Pod metadata: labels: app: nginx-flexvolume-driver name: nginx-flexvolume-driver-allowed spec: containers: - image: nginx name: nginx volumeMounts: - mountPath: /test name: test-volume readOnly: true volumes: - flexVolume: driver: example/lvm name: test-volume
Disallowed
apiVersion: v1 kind: Pod metadata: labels: app: nginx-flexvolume-driver name: nginx-flexvolume-driver-disallowed spec: containers: - image: nginx name: nginx volumeMounts: - mountPath: /test name: test-volume readOnly: true volumes: - flexVolume: driver: example/testdriver name: test-volume
K8sPSPForbiddenSysctls
Controls the sysctl
profile used by containers. Corresponds to the forbiddenSysctls
field in a PodSecurityPolicy. For more information, see https://kubernetes.io/docs/tasks/administer-cluster/sysctl-cluster/
Constraint schema
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sPSPForbiddenSysctls
metadata:
name: example
spec:
# match <object>: allows you to configure which resources fall in scope for
# this constraint. See the GCP docs for more information:
# https://cloud.google.com/anthos-config-management/docs/how-to/creating-policy-controller-constraints#constraint
match:
[match schema]
parameters:
# forbiddenSysctls <array>: A disallow-list of sysctls. `*` forbids all
# sysctls.
forbiddenSysctls:
- <string>
Examples
psp-forbidden-sysctls
Constraint
apiVersion: constraints.gatekeeper.sh/v1beta1 kind: K8sPSPForbiddenSysctls metadata: name: psp-forbidden-sysctls spec: match: kinds: - apiGroups: - "" kinds: - Pod parameters: forbiddenSysctls: - kernel.*
Disallowed
apiVersion: v1 kind: Pod metadata: labels: app: nginx-forbidden-sysctls name: nginx-forbidden-sysctls-disallowed spec: containers: - image: nginx name: nginx securityContext: sysctls: - name: kernel.msgmax value: "65536"
K8sPSPHostFilesystem
Controls usage of the host filesystem. Corresponds to the allowedHostPaths
field in a PodSecurityPolicy. For more information, see https://kubernetes.io/docs/concepts/policy/pod-security-policy/#volumes-and-file-systems
Constraint schema
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sPSPHostFilesystem
metadata:
name: example
spec:
# match <object>: allows you to configure which resources fall in scope for
# this constraint. See the GCP docs for more information:
# https://cloud.google.com/anthos-config-management/docs/how-to/creating-policy-controller-constraints#constraint
match:
[match schema]
parameters:
# allowedHostPaths <array>: An array of hostpath objects, representing
# paths and read/write configuration.
allowedHostPaths:
- # pathPrefix <string>: The path prefix that the host volume must
# match.
pathPrefix: <string>
# readOnly <boolean>: when set to true, any container volumeMounts
# matching the pathPrefix must include `readOnly: true`.
readOnly: <boolean>
Examples
psp-host-filesystem
Constraint
apiVersion: constraints.gatekeeper.sh/v1beta1 kind: K8sPSPHostFilesystem metadata: name: psp-host-filesystem spec: match: kinds: - apiGroups: - "" kinds: - Pod parameters: allowedHostPaths: - pathPrefix: /foo readOnly: true
Disallowed
apiVersion: v1 kind: Pod metadata: labels: app: nginx-host-filesystem-disallowed name: nginx-host-filesystem spec: containers: - image: nginx name: nginx volumeMounts: - mountPath: /cache name: cache-volume readOnly: true volumes: - hostPath: path: /tmp name: cache-volume
K8sPSPHostNamespace
Disallows sharing of host PID and IPC namespaces by pod containers. Corresponds to the hostPID
and hostIPC
fields in a PodSecurityPolicy. For more information, see https://kubernetes.io/docs/concepts/policy/pod-security-policy/#host-namespaces
Constraint schema
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sPSPHostNamespace
metadata:
name: example
spec:
# match <object>: allows you to configure which resources fall in scope for
# this constraint. See the GCP docs for more information:
# https://cloud.google.com/anthos-config-management/docs/how-to/creating-policy-controller-constraints#constraint
match:
[match schema]
Examples
psp-host-namespace
Constraint
apiVersion: constraints.gatekeeper.sh/v1beta1 kind: K8sPSPHostNamespace metadata: name: psp-host-namespace spec: match: kinds: - apiGroups: - "" kinds: - Pod
Allowed
apiVersion: v1 kind: Pod metadata: labels: app: nginx-host-namespace name: nginx-host-namespace-allowed spec: containers: - image: nginx name: nginx hostIPC: false hostPID: false
Disallowed
apiVersion: v1 kind: Pod metadata: labels: app: nginx-host-namespace name: nginx-host-namespace-disallowed spec: containers: - image: nginx name: nginx hostIPC: true hostPID: true
K8sPSPHostNetworkingPorts
Controls usage of host network namespace by pod containers. Specific ports must be specified. Corresponds to the hostNetwork
and hostPorts
fields in a PodSecurityPolicy. For more information, see https://kubernetes.io/docs/concepts/policy/pod-security-policy/#host-namespaces
Constraint schema
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sPSPHostNetworkingPorts
metadata:
name: example
spec:
# match <object>: allows you to configure which resources fall in scope for
# this constraint. See the GCP docs for more information:
# https://cloud.google.com/anthos-config-management/docs/how-to/creating-policy-controller-constraints#constraint
match:
[match schema]
parameters:
# hostNetwork <boolean>: Determines if the policy allows the use of
# HostNetwork in the pod spec.
hostNetwork: <boolean>
# max <integer>: The end of the allowed port range, inclusive.
max: <integer>
# min <integer>: The start of the allowed port range, inclusive.
min: <integer>
Examples
psp-host-network-ports
Constraint
apiVersion: constraints.gatekeeper.sh/v1beta1 kind: K8sPSPHostNetworkingPorts metadata: name: psp-host-network-ports spec: match: kinds: - apiGroups: - "" kinds: - Pod parameters: hostNetwork: true max: 9000 min: 80
Allowed
apiVersion: v1 kind: Pod metadata: labels: app: nginx-host-networking-ports name: nginx-host-networking-ports-allowed spec: containers: - image: nginx name: nginx ports: - containerPort: 9000 hostPort: 80 hostNetwork: false
Disallowed
apiVersion: v1 kind: Pod metadata: labels: app: nginx-host-networking-ports name: nginx-host-networking-ports-disallowed spec: containers: - image: nginx name: nginx ports: - containerPort: 9001 hostPort: 9001 hostNetwork: true
K8sPSPPrivilegedContainer
Controls the ability of any container to enable privileged mode. Corresponds to the privileged
field in a PodSecurityPolicy. For more information, see https://kubernetes.io/docs/concepts/policy/pod-security-policy/#privileged
Constraint schema
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sPSPPrivilegedContainer
metadata:
name: example
spec:
# match <object>: allows you to configure which resources fall in scope for
# this constraint. See the GCP docs for more information:
# https://cloud.google.com/anthos-config-management/docs/how-to/creating-policy-controller-constraints#constraint
match:
[match schema]
Examples
psp-privileged-container
Constraint
apiVersion: constraints.gatekeeper.sh/v1beta1 kind: K8sPSPPrivilegedContainer metadata: name: psp-privileged-container spec: match: excludedNamespaces: - kube-system kinds: - apiGroups: - "" kinds: - Pod
Allowed
apiVersion: v1 kind: Pod metadata: labels: app: nginx-privileged name: nginx-privileged-allowed spec: containers: - image: nginx name: nginx securityContext: privileged: false
Disallowed
apiVersion: v1 kind: Pod metadata: labels: app: nginx-privileged name: nginx-privileged-disallowed spec: containers: - image: nginx name: nginx securityContext: privileged: true
K8sPSPProcMount
Controls the allowed procMount
types for the container. Corresponds to the allowedProcMountTypes
field in a PodSecurityPolicy. For more information, see https://kubernetes.io/docs/concepts/policy/pod-security-policy/#allowedprocmounttypes
Constraint schema
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sPSPProcMount
metadata:
name: example
spec:
# match <object>: allows you to configure which resources fall in scope for
# this constraint. See the GCP docs for more information:
# https://cloud.google.com/anthos-config-management/docs/how-to/creating-policy-controller-constraints#constraint
match:
[match schema]
parameters:
# procMount <string>: Defines the strategy for the security exposure of
# certain paths in `/proc` by the container runtime. Setting to `Default`
# uses the runtime defaults, where `Unmasked` bypasses the default
# behavior.
# Allowed Values: Default, Unmasked
procMount: <string>
Examples
psp-proc-mount
Constraint
apiVersion: constraints.gatekeeper.sh/v1beta1 kind: K8sPSPProcMount metadata: name: psp-proc-mount spec: match: kinds: - apiGroups: - "" kinds: - Pod parameters: procMount: Default
Disallowed
apiVersion: v1 kind: Pod metadata: labels: app: nginx-proc-mount name: nginx-proc-mount-disallowed spec: containers: - image: nginx name: nginx securityContext: procMount: Unmasked
K8sPSPReadOnlyRootFilesystem
Requires the use of a read-only root file system by pod containers. Corresponds to the readOnlyRootFilesystem
field in a PodSecurityPolicy. For more information, see https://kubernetes.io/docs/concepts/policy/pod-security-policy/#volumes-and-file-systems
Constraint schema
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sPSPReadOnlyRootFilesystem
metadata:
name: example
spec:
# match <object>: allows you to configure which resources fall in scope for
# this constraint. See the GCP docs for more information:
# https://cloud.google.com/anthos-config-management/docs/how-to/creating-policy-controller-constraints#constraint
match:
[match schema]
Examples
psp-readonlyrootfilesystem
Constraint
apiVersion: constraints.gatekeeper.sh/v1beta1 kind: K8sPSPReadOnlyRootFilesystem metadata: name: psp-readonlyrootfilesystem spec: match: kinds: - apiGroups: - "" kinds: - Pod
Allowed
apiVersion: v1 kind: Pod metadata: labels: app: nginx-readonlyrootfilesystem name: nginx-readonlyrootfilesystem-allowed spec: containers: - image: nginx name: nginx securityContext: readOnlyRootFilesystem: true
Disallowed
apiVersion: v1 kind: Pod metadata: labels: app: nginx-readonlyrootfilesystem name: nginx-readonlyrootfilesystem-disallowed spec: containers: - image: nginx name: nginx securityContext: readOnlyRootFilesystem: false
K8sPSPSELinuxV2
Defines an allow-list of seLinuxOptions configurations for pod containers. Corresponds to a PodSecurityPolicy requiring SELinux configs. For more information, see https://kubernetes.io/docs/concepts/policy/pod-security-policy/#selinux
Constraint schema
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sPSPSELinuxV2
metadata:
name: example
spec:
# match <object>: allows you to configure which resources fall in scope for
# this constraint. See the GCP docs for more information:
# https://cloud.google.com/anthos-config-management/docs/how-to/creating-policy-controller-constraints#constraint
match:
[match schema]
parameters:
# allowedSELinuxOptions <array>: An allow-list of SELinux options
# configurations.
allowedSELinuxOptions:
# <list item: object>: An allowed configuration of SELinux options for a
# pod container.
- # level <string>: An SELinux level.
level: <string>
# role <string>: An SELinux role.
role: <string>
# type <string>: An SELinux type.
type: <string>
# user <string>: An SELinux user.
user: <string>
Examples
psp-selinux-v2
Constraint
apiVersion: constraints.gatekeeper.sh/v1beta1 kind: K8sPSPSELinuxV2 metadata: name: psp-selinux-v2 spec: match: kinds: - apiGroups: - "" kinds: - Pod parameters: allowedSELinuxOptions: - level: s0:c123,c456 role: object_r type: svirt_sandbox_file_t user: system_u
Disallowed
apiVersion: v1 kind: Pod metadata: labels: app: nginx-selinux name: nginx-selinux-disallowed spec: containers: - image: nginx name: nginx securityContext: seLinuxOptions: level: s1:c234,c567 role: sysadm_r type: svirt_lxc_net_t user: sysadm_u
K8sPSPSeccomp
Controls the seccomp profile used by containers. Corresponds to the seccomp.security.alpha.kubernetes.io/allowedProfileNames
annotation on a PodSecurityPolicy. For more information, see https://kubernetes.io/docs/concepts/policy/pod-security-policy/#seccomp
Constraint schema
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sPSPSeccomp
metadata:
name: example
spec:
# match <object>: allows you to configure which resources fall in scope for
# this constraint. See the GCP docs for more information:
# https://cloud.google.com/anthos-config-management/docs/how-to/creating-policy-controller-constraints#constraint
match:
[match schema]
parameters:
# allowedProfiles <array>: An array of allowed profile values for seccomp
# annotations on Pods.
allowedProfiles:
- <string>
Examples
psp-seccomp
Constraint
apiVersion: constraints.gatekeeper.sh/v1beta1 kind: K8sPSPSeccomp metadata: name: psp-seccomp spec: match: kinds: - apiGroups: - "" kinds: - Pod parameters: allowedProfiles: - runtime/default - docker/default
Allowed
apiVersion: v1 kind: Pod metadata: annotations: container.seccomp.security.alpha.kubernetes.io/nginx: runtime/default labels: app: nginx-seccomp name: nginx-seccomp-allowed spec: containers: - image: nginx name: nginx
apiVersion: v1 kind: Pod metadata: annotations: seccomp.security.alpha.kubernetes.io/pod: runtime/default labels: app: nginx-seccomp name: nginx-seccomp-allowed2 spec: containers: - image: nginx name: nginx
Disallowed
apiVersion: v1 kind: Pod metadata: annotations: container.seccomp.security.alpha.kubernetes.io/nginx: unconfined labels: app: nginx-seccomp name: nginx-seccomp-disallowed spec: containers: - image: nginx name: nginx
apiVersion: v1 kind: Pod metadata: annotations: seccomp.security.alpha.kubernetes.io/pod: unconfined labels: app: nginx-seccomp name: nginx-seccomp-disallowed2 spec: containers: - image: nginx name: nginx
K8sPSPVolumeTypes
Restricts mountable volume types to those specified by the user. Corresponds to the volumes
field in a PodSecurityPolicy. For more information, see https://kubernetes.io/docs/concepts/policy/pod-security-policy/#volumes-and-file-systems
Constraint schema
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sPSPVolumeTypes
metadata:
name: example
spec:
# match <object>: allows you to configure which resources fall in scope for
# this constraint. See the GCP docs for more information:
# https://cloud.google.com/anthos-config-management/docs/how-to/creating-policy-controller-constraints#constraint
match:
[match schema]
parameters:
# volumes <array>: `volumes` is an array of volume types. All volume types
# can be enabled using `*`.
volumes:
- <string>
Examples
psp-volume-types
Constraint
apiVersion: constraints.gatekeeper.sh/v1beta1 kind: K8sPSPVolumeTypes metadata: name: psp-volume-types spec: match: kinds: - apiGroups: - "" kinds: - Pod parameters: volumes: - configMap - emptyDir - projected - secret - downwardAPI - persistentVolumeClaim - flexVolume
Disallowed
apiVersion: v1 kind: Pod metadata: labels: app: nginx-volume-types name: nginx-volume-types-disallowed spec: containers: - image: nginx name: nginx volumeMounts: - mountPath: /cache name: cache-volume - image: nginx name: nginx2 volumeMounts: - mountPath: /cache2 name: demo-vol volumes: - hostPath: path: /tmp name: cache-volume - emptyDir: {} name: demo-vol
K8sPodsRequireSecurityContext
Requires all Pods to define securityContext. Requires all containers defined in Pods to have a SecurityContext defined at the Pod or container level.
Constraint schema
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sPodsRequireSecurityContext
metadata:
name: example
spec:
# match <object>: allows you to configure which resources fall in scope for
# this constraint. See the GCP docs for more information:
# https://cloud.google.com/anthos-config-management/docs/how-to/creating-policy-controller-constraints#constraint
match:
[match schema]
Examples
pods-require-security-context
Constraint
apiVersion: constraints.gatekeeper.sh/v1beta1 kind: K8sPodsRequireSecurityContext metadata: name: pods-require-security-context spec: enforcementAction: dryrun
Allowed
apiVersion: v1 kind: Pod metadata: name: allowed-example spec: containers: - image: nginx name: nginx securityContext: runAsUser: 2000
Disallowed
apiVersion: v1 kind: Pod metadata: name: disallowed-example spec: containers: - image: nginx name: nginx
K8sProhibitRoleWildcardAccess
Requires that Roles and ClusterRoles not set resource access to a wildcard ("") value. Does not restrict wildcard access to subresources, such as "/status".
Constraint schema
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sProhibitRoleWildcardAccess
metadata:
name: example
spec:
# match <object>: allows you to configure which resources fall in scope for
# this constraint. See the GCP docs for more information:
# https://cloud.google.com/anthos-config-management/docs/how-to/creating-policy-controller-constraints#constraint
match:
[match schema]
Examples
prohibit-role-wildcard-access
Constraint
apiVersion: constraints.gatekeeper.sh/v1beta1 kind: K8sProhibitRoleWildcardAccess metadata: name: prohibit-role-wildcard-access spec: enforcementAction: dryrun
Allowed
apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRole metadata: name: cluster-role-example rules: - apiGroups: - "" resources: - pods verbs: - get
Disallowed
apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRole metadata: name: cluster-role-bad-example rules: - apiGroups: - "" resources: - pods verbs: - '*'
K8sReplicaLimits
Requires that objects with the field spec.replicas
(Deployments, ReplicaSets, etc.) specify a number of replicas within defined ranges.
Constraint schema
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sReplicaLimits
metadata:
name: example
spec:
# match <object>: allows you to configure which resources fall in scope for
# this constraint. See the GCP docs for more information:
# https://cloud.google.com/anthos-config-management/docs/how-to/creating-policy-controller-constraints#constraint
match:
[match schema]
parameters:
# ranges <array>: Allowed ranges for numbers of replicas. Values are
# inclusive.
ranges:
# <list item: object>: A range of allowed replicas. Values are
# inclusive.
- # max_replicas <integer>: The maximum number of replicas allowed,
# inclusive.
max_replicas: <integer>
# min_replicas <integer>: The minimum number of replicas allowed,
# inclusive.
min_replicas: <integer>
Examples
replica-limits
Constraint
apiVersion: constraints.gatekeeper.sh/v1beta1 kind: K8sReplicaLimits metadata: name: replica-limits spec: match: kinds: - apiGroups: - apps kinds: - Deployment parameters: ranges: - max_replicas: 50 min_replicas: 3
Allowed
apiVersion: apps/v1 kind: Deployment metadata: name: allowed-deployment spec: replicas: 3 selector: matchLabels: app: nginx template: metadata: labels: app: nginx spec: containers: - image: nginx:1.14.2 name: nginx ports: - containerPort: 80
Disallowed
apiVersion: apps/v1 kind: Deployment metadata: name: disallowed-deployment spec: replicas: 100 selector: matchLabels: app: nginx template: metadata: labels: app: nginx spec: containers: - image: nginx:1.14.2 name: nginx ports: - containerPort: 80
K8sRequireNamespaceNetworkPolicies
Requires that every namespace defined in the cluster has a NetworkPolicy. Note: This constraint is referential. See https://cloud.google.com/anthos-config-management/docs/how-to/creating-policy-controller-constraints#referential for details.
Constraint schema
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sRequireNamespaceNetworkPolicies
metadata:
name: example
spec:
# match <object>: allows you to configure which resources fall in scope for
# this constraint. See the GCP docs for more information:
# https://cloud.google.com/anthos-config-management/docs/how-to/creating-policy-controller-constraints#constraint
match:
[match schema]
Examples
require-namespace-network-policies
Constraint
apiVersion: constraints.gatekeeper.sh/v1beta1 kind: K8sRequireNamespaceNetworkPolicies metadata: name: require-namespace-network-policies spec: enforcementAction: dryrun
Allowed
apiVersion: networking.k8s.io/v1 kind: NetworkPolicy metadata: name: test-network-policy namespace: require-namespace-network-policies-good-example
Disallowed
apiVersion: v1 kind: Namespace metadata: name: require-namespace-network-policies-example
K8sRequiredAnnotations
Requires all resources to contain a specified annotation(s) with a value matching a provided regular expression.
Constraint schema
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sRequiredAnnotations
metadata:
name: example
spec:
# match <object>: allows you to configure which resources fall in scope for
# this constraint. See the GCP docs for more information:
# https://cloud.google.com/anthos-config-management/docs/how-to/creating-policy-controller-constraints#constraint
match:
[match schema]
parameters:
annotations:
- allowedRegex: <string>
key: <string>
message: <string>
Examples
all-must-have-certain-set-of-annotations
Constraint
apiVersion: constraints.gatekeeper.sh/v1beta1 kind: K8sRequiredAnnotations metadata: name: all-must-have-certain-set-of-annotations spec: match: kinds: - apiGroups: - "" kinds: - Service parameters: annotations: - allowedRegex: ^([A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,6}|[a-z]{1,39})$ key: a8r.io/owner - allowedRegex: ^(http:\/\/www\.|https:\/\/www\.|http:\/\/|https:\/\/)?[a-z0-9]+([\-\.]{1}[a-z0-9]+)*\.[a-z]{2,5}(:[0-9]{1,5})?(\/.*)?$ key: a8r.io/runbook message: All services must have a `a8r.io/owner` and `a8r.io/runbook` annotations.
Allowed
apiVersion: v1 kind: Service metadata: annotations: a8r.io/owner: dev-team-alfa@contoso.com a8r.io/runbook: https://confluence.contoso.com/dev-team-alfa/runbooks name: allowed-service spec: ports: - name: http port: 80 targetPort: 8080 selector: app: foo
Disallowed
apiVersion: v1 kind: Service metadata: name: disallowed-service spec: ports: - name: http port: 80 targetPort: 8080 selector: app: foo
K8sRequiredLabels
Requires all resources to contain a specified label with a value matching a provided regular expression.
Constraint schema
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sRequiredLabels
metadata:
name: example
spec:
# match <object>: allows you to configure which resources fall in scope for
# this constraint. See the GCP docs for more information:
# https://cloud.google.com/anthos-config-management/docs/how-to/creating-policy-controller-constraints#constraint
match:
[match schema]
parameters:
labels:
- allowedRegex: <string>
key: <string>
message: <string>
Examples
all-must-have-owner
Constraint
apiVersion: constraints.gatekeeper.sh/v1beta1 kind: K8sRequiredLabels metadata: name: all-must-have-owner spec: match: kinds: - apiGroups: - "" kinds: - Namespace parameters: labels: - allowedRegex: ^[a-zA-Z]+.agilebank.demo$ key: owner message: All namespaces must have an `owner` label that points to your company username
Allowed
apiVersion: v1 kind: Namespace metadata: labels: owner: user.agilebank.demo name: allowed-namespace
Disallowed
apiVersion: v1 kind: Namespace metadata: name: disallowed-namespace
K8sRequiredProbes
Requires Pods to have readiness and/or liveness probes.
Constraint schema
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sRequiredProbes
metadata:
name: example
spec:
# match <object>: allows you to configure which resources fall in scope for
# this constraint. See the GCP docs for more information:
# https://cloud.google.com/anthos-config-management/docs/how-to/creating-policy-controller-constraints#constraint
match:
[match schema]
parameters:
probeTypes:
- <string>
probes:
- <string>
Examples
must-have-probes
Constraint
apiVersion: constraints.gatekeeper.sh/v1beta1 kind: K8sRequiredProbes metadata: name: must-have-probes spec: match: kinds: - apiGroups: - "" kinds: - Pod parameters: probeTypes: - tcpSocket - httpGet - exec probes: - readinessProbe - livenessProbe
Disallowed
apiVersion: v1 kind: Pod metadata: name: test-pod1 spec: containers: - image: nginx:1.7.9 livenessProbe: null name: nginx-1 ports: - containerPort: 80 volumeMounts: - mountPath: /tmp/cache name: cache-volume - image: tomcat name: tomcat ports: - containerPort: 8080 readinessProbe: initialDelaySeconds: 5 periodSeconds: 10 tcpSocket: port: 8080 volumes: - emptyDir: {} name: cache-volume
K8sRestrictLabels
Disallows resources from containing specified labels unless there is an exception for the specific resource.
Constraint schema
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sRestrictLabels
metadata:
name: example
spec:
# match <object>: allows you to configure which resources fall in scope for
# this constraint. See the GCP docs for more information:
# https://cloud.google.com/anthos-config-management/docs/how-to/creating-policy-controller-constraints#constraint
match:
[match schema]
parameters:
# exceptions <array>: Objects listed here are exempt from enforcement of
# this constraint. All fields must be provided.
exceptions:
# <list item: object>: A single object's identification, based on group,
# kind, namespace, and name.
- # group <string>: The Kubernetes group of the exempt object.
group: <string>
# kind <string>: The Kubernetes kind of the exempt object.
kind: <string>
# name <string>: The name of the exempt object.
name: <string>
# namespace <string>: The namespace of the exempt object. For
# cluster-scoped resources, use the empty string `""`.
namespace: <string>
# restrictedLabels <array>: A list of label keys strings.
restrictedLabels:
- <string>
Examples
restrict-label-example
Constraint
apiVersion: constraints.gatekeeper.sh/v1beta1 kind: K8sRestrictLabels metadata: name: restrict-label-example spec: enforcementAction: dryrun parameters: exceptions: - group: "" kind: Pod name: allowed-example namespace: default restrictedLabels: - label-example
Allowed
apiVersion: v1 kind: Pod metadata: labels: label-example: example name: allowed-example namespace: default spec: containers: - image: nginx name: nginx
Disallowed
apiVersion: v1 kind: Pod metadata: labels: label-example: example name: disallowed-example namespace: default spec: containers: - image: nginx name: nginx
K8sRestrictNamespaces
Restricts resources from using namespaces listed under the restrictedNamespaces parameter.
Constraint schema
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sRestrictNamespaces
metadata:
name: example
spec:
# match <object>: allows you to configure which resources fall in scope for
# this constraint. See the GCP docs for more information:
# https://cloud.google.com/anthos-config-management/docs/how-to/creating-policy-controller-constraints#constraint
match:
[match schema]
parameters:
# restrictedNamespaces <array>: A list of Namespaces to restrict.
restrictedNamespaces:
- <string>
Examples
restrict-default-namespace
Constraint
apiVersion: constraints.gatekeeper.sh/v1beta1 kind: K8sRestrictNamespaces metadata: name: restrict-default-namespace spec: enforcementAction: dryrun parameters: restrictedNamespaces: - default
Allowed
apiVersion: v1 kind: Pod metadata: name: allowed-example namespace: test-namespace spec: containers: - image: nginx name: nginx
Disallowed
apiVersion: v1 kind: Pod metadata: name: disallowed-example namespace: default spec: containers: - image: nginx name: nginx
K8sRestrictRoleBindings
Restricts ClusterRoleBindings and RoleBindings from referencing the specified Role/ClusterRole unless all subjects of the binding are marked as being allowed.
Constraint schema
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sRestrictRoleBindings
metadata:
name: example
spec:
# match <object>: allows you to configure which resources fall in scope for
# this constraint. See the GCP docs for more information:
# https://cloud.google.com/anthos-config-management/docs/how-to/creating-policy-controller-constraints#constraint
match:
[match schema]
parameters:
# allowedSubjects <array>: The list of subjects that are allowed to bind to
# the restricted role.
allowedSubjects:
- # apiGroup <string>: The Kubernetes API group of the subject.
apiGroup: <string>
# kind <string>: The Kubernetes kind of the subject.
kind: <string>
# name <string>: The name of the subject.
name: <string>
# restrictedRole <object>: The role that cannot be bound to unless
# expressly allowed.
restrictedRole:
# apiGroup <string>: The Kubernetes API group of the role.
apiGroup: <string>
# kind <string>: The Kubernetes kind of the role.
kind: <string>
# name <string>: The name of the role.
name: <string>
Examples
restrict-clusteradmin-rolebindings
Constraint
apiVersion: constraints.gatekeeper.sh/v1beta1 kind: K8sRestrictRoleBindings metadata: name: restrict-clusteradmin-rolebindings spec: enforcementAction: dryrun parameters: allowedSubjects: - apiGroup: rbac.authorization.k8s.io kind: Group name: system:masters restrictedRole: apiGroup: rbac.authorization.k8s.io kind: ClusterRole name: cluster-admin
Allowed
apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRoleBinding metadata: name: good-clusterrolebinding roleRef: apiGroup: rbac.authorization.k8s.io kind: ClusterRole name: cluster-admin subjects: - apiGroup: rbac.authorization.k8s.io kind: Group name: system:masters
Disallowed
apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRoleBinding metadata: name: bad-clusterrolebinding roleRef: apiGroup: rbac.authorization.k8s.io kind: ClusterRole name: cluster-admin subjects: - apiGroup: rbac.authorization.k8s.io kind: Group name: system:unauthenticated
K8sUniqueIngressHost
Requires all Ingress rule hosts to be unique. Does not handle hostname wildcards: https://kubernetes.io/docs/concepts/services-networking/ingress/
Constraint schema
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sUniqueIngressHost
metadata:
name: example
spec:
# match <object>: allows you to configure which resources fall in scope for
# this constraint. See the GCP docs for more information:
# https://cloud.google.com/anthos-config-management/docs/how-to/creating-policy-controller-constraints#constraint
match:
[match schema]
Examples
unique-ingress-host
Constraint
apiVersion: constraints.gatekeeper.sh/v1beta1 kind: K8sUniqueIngressHost metadata: name: unique-ingress-host spec: match: kinds: - apiGroups: - extensions - networking.k8s.io kinds: - Ingress
Disallowed
apiVersion: extensions/v1beta1 kind: Ingress metadata: name: ingress-host-example spec: rules: - host: example-host.example.com http: paths: - backend: serviceName: nginx servicePort: 80
apiVersion: networking.k8s.io/v1beta1 kind: Ingress metadata: name: ingress-host-example2 spec: rules: - host: example-host.example.com http: paths: - backend: serviceName: nginx servicePort: 80
K8sUniqueServiceSelector
Requires Services to have unique selectors within a namespace. Selectors are considered the same if they have identical keys and values. Selectors may share a key/value pair so long as there is at least one distinct key/value pair between them. https://kubernetes.io/docs/concepts/services-networking/service/#defining-a-service
Constraint schema
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sUniqueServiceSelector
metadata:
name: example
spec:
# match <object>: allows you to configure which resources fall in scope for
# this constraint. See the GCP docs for more information:
# https://cloud.google.com/anthos-config-management/docs/how-to/creating-policy-controller-constraints#constraint
match:
[match schema]
Examples
unique-service-selector
Constraint
apiVersion: constraints.gatekeeper.sh/v1beta1 kind: K8sUniqueServiceSelector metadata: labels: owner: admin.agilebank.demo name: unique-service-selector
Disallowed
apiVersion: v1 kind: Service metadata: name: gatekeeper-test-service-example namespace: default spec: ports: - port: 443 selector: key: value
PolicyStrictOnly
Requires that Istio authentication Policy specify peers with STRICT
mutual TLS.
https://istio.io/latest/docs/tasks/security/authentication/mtls-migration/#lock-down-mutual-tls-for-the-entire-mesh
Constraint schema
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: PolicyStrictOnly
metadata:
name: example
spec:
# match <object>: allows you to configure which resources fall in scope for
# this constraint. See the GCP docs for more information:
# https://cloud.google.com/anthos-config-management/docs/how-to/creating-policy-controller-constraints#constraint
match:
[match schema]
Examples
policy-strict-constraint
Constraint
apiVersion: constraints.gatekeeper.sh/v1beta1 kind: PolicyStrictOnly metadata: name: policy-strict-constraint spec: enforcementAction: dryrun match: kinds: - apiGroups: - authentication.istio.io kinds: - Policy namespaces: - default
Disallowed
apiVersion: authentication.istio.io/v1alpha1 kind: Policy metadata: name: policy-permissive namespace: default spec: peers: - mtls: mode: PERMISSIVE
SourceNotAllAuthz
Requires that Istio AuthorizationPolicy rules have source principals set to something other than "*". https://istio.io/latest/docs/reference/config/security/authorization-policy/
Constraint schema
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: SourceNotAllAuthz
metadata:
name: example
spec:
# match <object>: allows you to configure which resources fall in scope for
# this constraint. See the GCP docs for more information:
# https://cloud.google.com/anthos-config-management/docs/how-to/creating-policy-controller-constraints#constraint
match:
[match schema]
Examples
sourcenotall-authz-constraint
Constraint
apiVersion: constraints.gatekeeper.sh/v1beta1 kind: SourceNotAllAuthz metadata: name: sourcenotall-authz-constraint spec: enforcementAction: dryrun match: kinds: - apiGroups: - security.istio.io kinds: - AuthorizationPolicy
Disallowed
apiVersion: security.istio.io/v1beta1 kind: AuthorizationPolicy metadata: name: source-principals-all namespace: foo spec: rules: - from: - source: principals: - '*' - source: namespaces: - test to: - operation: methods: - GET paths: - /info* - operation: methods: - POST paths: - /data when: - key: request.auth.claims[iss] values: - https://accounts.google.com selector: matchLabels: app: httpbin version: v1
What's next
- Learn more about Policy Controller
- Install Policy Controller
- Learn how to use constraints instead of PodSecurityPolicies
- View the open source library of constraint templates in the gatekeeper-library repository