Constraint template library (1.8)

Constraint templates let you define how a constraint works while delegating the specifics of each constraint to an individual or group with subject matter expertise. In addition to separating concerns, this keeps the enforcement logic of a constraint (the template) separate from its definition (the constraint that instantiates the template with parameters).

The following constraint templates are included with Anthos Policy Controller. You can also browse the library of constraint templates in the Gatekeeper repository.

Not all constraint templates are available for all versions of Config Management. Each constraint template lists the version in which it became available. You can also view the history of the Gatekeeper repository's library to observe how a template changed over time. In addition, you can go to the Policy Controller, Config Sync and Config Controller archives and view earlier versions of this page.

anthos-service-mesh

AllowedServicePortName

Requires that service port names have a prefix from a specified list. Introduced in ACM v1.4.0.

Name Type
prefixes array

DestinationRuleTLSEnabled

Prohibits disabling TLS for all hosts and host subsets in Istio DestinationRules. Introduced in ACM v1.4.0.

DisallowedAuthzPrefix

Requires that principals and namespaces in Istio AuthorizationPolicy rules don't have a prefix from a specified list. Introduced in ACM v1.4.0.

Name Type
disallowedprefixes array

PolicyStrictOnly

Requires that Istio authentication Policy specify peers with STRICT mutual TLS. Introduced in ACM v1.4.0.

SourceNotAllAuthz

Requires that Istio AuthorizationPolicy rules have source principals set to something other than "*". Introduced in ACM v1.4.0.

etc

GCPStorageLocationConstraintV1

Restricts the permitted locations for StorageBucket Config Connector resources. Bucket names in the exemptions list are exempt. Introduced in ACM v1.6.1.

Name Type
exemptions array
locations array

K8sBlockProcessNamespaceSharing

Prohibits Pod specs with shareProcessNamespace set to true. This avoids scenarios where all containers in a Pod share a PID namespace and can access each other's filesystem and memory. Introduced in ACM v1.3.1.

K8sDisallowedRoleBindingSubjects

Prohibits RoleBindings or ClusterRoleBindings with subjects matching any disallowedSubjects passed as parameters. Introduced in ACM v1.3.1.

Name Type
disallowedSubjects array

K8sEmptyDirHasSizeLimit

Requires that any emptyDir volumes specify a sizeLimit; optionally, a maxSizeLimit parameter can be supplied in the constraint to specify a maximum allowable size limit. Introduced in ACM v1.3.1.

Name Type
maxSizeLimit string

K8sLocalStorageRequireSafeToEvict

Requires Pods using local storage (emptyDir or hostPath) to have the annotation "cluster-autoscaler.kubernetes.io/safe-to-evict": "true". Cluster Autoscaler will not delete Pods without this annotation. Introduced in ACM v1.3.1.

K8sMemoryRequestEqualsLimit

Promotes Pod stability by requiring that all containers' requested memory exactly equals the memory limit, so that Pods are never in a state where memory usage exceeds the requested amount. Kubernetes can terminate Pods in that state when memory is needed. Introduced in ACM v1.3.1.

K8sNoExternalServices

Prohibits the creation of Gateway, Ingress, and Service resources that expose workloads to external IPs.

  • Gateway: All resources of group networking.istio.io are prohibited.
  • Ingress: All resources of group extensions or networking.k8s.io are prohibited.
  • Service: All resources of type LoadBalancer must carry the Internal annotation; any externalIPs must belong to the CIDRs specified by the internalCIDRs parameter.
Introduced in ACM v1.3.0.

Name Type
internalCIDRs array

K8sRestrictLabels

Disallows resources from carrying any label listed in restrictedLabels. Exceptions can be specified by group, kind, namespace, and name. Introduced in ACM v1.6.1.

Name Type
exceptions array
restrictedLabels array

general

K8sAllowedRepos

Requires container images to begin with a repo string from a specified list. Introduced in ACM v1.1.0.

Name Type
repos array

K8sBlockNodePort

Disallows all Services with type NodePort. Introduced in ACM v1.6.1.

K8sContainerLimits

Requires containers to have memory and CPU limits set and within a specified maximum amount. Introduced in ACM v1.1.0.

Name Type
cpu string
memory string

K8sContainerRatios

Sets a maximum ratio for container resource limits to requests. Introduced in ACM v1.6.1.

Name Type
ratio string

K8sExternalIPs

Restricts Services from containing externalIPs except those in a provided allowlist. Introduced in ACM v1.6.1.

Name Type
allowedIPs array

K8sHttpsOnly

Requires Ingress resources to be HTTPS only: TLS configuration must be set and the kubernetes.io/ingress.allow-http annotation must equal false. Introduced in ACM v1.3.0.

K8sImageDigests

Requires container images to contain a digest. Introduced in ACM v1.6.1.

K8sRequiredLabels

Requires all resources to contain a specified label with a value matching a provided regular expression. Introduced in ACM v1.1.0.

Name Type
labels array
message string

K8sRequiredProbes

Requires Pods to have readiness and/or liveness probes. Introduced in ACM v1.6.1.

Name Type
probeTypes array
probes array

K8sUniqueIngressHost

Requires all Ingress hosts to be unique. Introduced in ACM v1.3.0.

K8sUniqueServiceSelector

Requires Services to have unique selectors within a namespace. Introduced in ACM v1.3.0.

cis-k8s

K8sNoEnvVarSecrets

Prohibits secrets as environment variables in container definitions; instead, use mounted secret files in data volumes. Introduced in ACM v1.5.2.

K8sPodsRequireSecurityContext

Requires all Pods and containers to have a SecurityContext defined at the Pod or container level. Introduced in ACM v1.5.2.

K8sProhibitRoleWildcardAccess

Requires that Roles and ClusterRoles not set resource access to a wildcard ("*") value. Introduced in ACM v1.5.2.

K8sRequireNamespaceNetworkPolicies

Requires that every namespace defined in the cluster has a NetworkPolicy. Introduced in ACM v1.5.2.

K8sRestrictNamespaces

Restricts resources from using namespaces listed under the restrictedNamespaces parameter. Resources can bypass this restriction using a labelSelector. Introduced in ACM v1.5.2.

Name Type
restrictedNamespaces array

K8sRestrictRoleBindings

Restricts ClusterRoleBindings and RoleBindings from referencing a Role or ClusterRole specified in the constraints. Exceptions can be listed as allowedSubjects in the constraint. Introduced in ACM v1.5.2.

Name Type
allowedSubjects array
restrictedRole object

pod-security-policy

K8sPSPAllowPrivilegeEscalationContainer

Controls restricting escalation to root privileges. Introduced in ACM v1.1.0.

K8sPSPAllowedUsers

Controls the user and group IDs of the container. Introduced in ACM v1.3.0.

Name Type
fsGroup object
runAsGroup object
runAsUser object
supplementalGroups object

K8sPSPAppArmor

Controls the AppArmor profile used by containers. Introduced in ACM v1.3.0.

Name Type
allowedProfiles array

K8sPSPCapabilities

Controls Linux capabilities. Introduced in ACM v1.3.0.

Name Type
allowedCapabilities array
requiredDropCapabilities array

K8sPSPFSGroup

Controls allocating an FSGroup that owns the Pod's volumes. Introduced in ACM v1.1.0.

Name Type
ranges array
rule string

K8sPSPFlexVolumes

Controls the allowlist of Flexvolume drivers. Introduced in ACM v1.1.0.

Name Type
allowedFlexVolumes array

K8sPSPForbiddenSysctls

Controls the sysctl profile used by containers. Introduced in ACM v1.3.0.

Name Type
forbiddenSysctls array

K8sPSPHostFilesystem

Controls usage of the host filesystem. Introduced in ACM v1.1.0.

Name Type
allowedHostPaths array

K8sPSPHostNamespace

Controls usage of host namespaces. Introduced in ACM v1.1.0.

K8sPSPHostNetworkingPorts

Controls usage of host networking and ports. Introduced in ACM v1.1.0.

Name Type
hostNetwork boolean
max integer
min integer

K8sPSPPrivilegedContainer

Controls running of privileged containers. Introduced in ACM v1.1.0.

K8sPSPProcMount

Controls the Allowed Proc Mount types for the container. Introduced in ACM v1.1.0.

Name Type
procMount string

K8sPSPReadOnlyRootFilesystem

Requires the use of a read-only root filesystem. Introduced in ACM v1.1.0.

K8sPSPSELinuxV2

Controls the SELinux context of the container. Introduced in ACM v1.5.2.

Name Type
allowedSELinuxOptions array

K8sPSPSeccomp

Controls the seccomp profile used by containers. Introduced in ACM v1.3.0.

Name Type
allowedProfiles array

K8sPSPVolumeTypes

Controls usage of volume types. Introduced in ACM v1.1.0.

Name Type
volumes array

pod-security-policy-deprecated

K8sPSPSELinux

Controls the SELinux context of the container. Introduced in ACM v1.3.0.

Name Type
allowedSELinuxOptions object
