Constraint template library (1.4)
Constraint templates allow you to define how a constraint works but delegate
defining the specifics of the constraint to an individual or group with subject
matter expertise. In addition to separating concerns, this also separates the
logic of the constraint from its definition.
The following constraint templates are included with Anthos Policy Controller. You can also browse the library of constraint templates in the Gatekeeper repository.
anthos-service-mesh
| Name | Description | Parameters |
| --- | --- | --- |
| allowedserviceportname | Requires that service port names have a prefix from a specified list. | |
| destinationruletlsenabled | Requires that all hosts and host subsets in Istio DestinationRules not have TLS disabled. | |
| disallowedauthzprefix | Requires that principals and namespaces in Istio AuthorizationPolicy rules not have a prefix from a specified list. | disallowedprefixes (array) |
| policystrictonly | Requires that Istio authentication Policy specify peers with STRICT mutual TLS. | |
| sourcenotallauthz | Requires that Istio AuthorizationPolicy rules have source principals set to something other than "*". | |
etc
| Name | Description | Parameters |
| --- | --- | --- |
| k8sblockprocessnamespacesharing | Prohibits pod specs with shareProcessNamespace set to true. This avoids scenarios where all containers in a pod share a PID namespace and can access each other's filesystem and memory. | |
| k8sdisallowedrolebindingsubjects | Prohibits RoleBindings or ClusterRoleBindings with subjects matching any disallowedSubjects passed as parameters. | disallowedSubjects (array) |
| k8semptydirhassizelimit | Requires that any emptyDir volumes specify a sizeLimit; optionally, a maxSizeLimit parameter may be supplied in the constraint to specify a maximum allowable size limit. | maxSizeLimit (string) |
| k8slocalstoragerequiresafetoevict | Requires pods using local storage (emptyDir or hostPath) to have the annotation "cluster-autoscaler.kubernetes.io/safe-to-evict": "true". Cluster Autoscaler will not delete pods without this annotation. | |
| k8smemoryrequestequalslimit | Promotes pod stability by requiring that all containers' requested memory exactly equals the memory limit, so that pods are never in a state where memory usage exceeds the requested amount. Kubernetes may terminate pods in that state when memory is needed. | |
| k8snoexternalservices | Prohibits the creation of Gateway, Ingress, and Service resources that expose workloads to external IPs. Gateway: all resources of group networking.istio.io are prohibited. Ingress: all resources of group extensions or networking.k8s.io are prohibited. Service: all LoadBalancer type resources must have the Internal annotation; any externalIPs must belong to the CIDRs specified by the internalCIDRs parameter. | internalCIDRs (array) |
pod-security-policy
| Name | Description | Parameters |
| --- | --- | --- |
| k8spspallowedusers | Controls the user and group IDs of the container. | |
| k8spspallowprivilegeescalationcontainer | Controls restricting escalation to root privileges. | |
| k8spspapparmor | Controls the AppArmor profile used by containers. | allowedProfiles (array) |
| k8spspcapabilities | Controls Linux capabilities. | allowedCapabilities (array), requiredDropCapabilities (array) |
| k8spspflexvolumes | Controls the allow list of FlexVolume drivers. | allowedFlexVolumes (array) |
| k8spspforbiddensysctls | Controls the sysctl profile used by containers. | forbiddenSysctls (array) |
| k8spspfsgroup | Controls allocating an FSGroup that owns the pod's volumes. | rule (string), ranges (array) |
| k8spsphostfilesystem | Controls usage of the host filesystem. | allowedHostPaths (array) |
| k8spsphostnamespace | Controls usage of host namespaces. | |
| k8spsphostnetworkingports | Controls usage of host networking and ports. | hostNetwork (boolean), min (integer), max (integer) |
| k8spspprivilegedcontainer | Controls running of privileged containers. | |
| k8spspprocmount | Controls the allowed proc mount types for the container. | |
| k8spspreadonlyrootfilesystem | Requires the use of a read-only root file system. | |
| k8spspseccomp | Controls the seccomp profile used by containers. | allowedProfiles (array) |
| k8spspselinux | Controls the SELinux context of the container. | allowedSELinuxOptions (object) |
| k8spspvolumetypes | Controls usage of volume types. | |