Constraint template library

Constraint templates let you define how a constraint works but delegate defining the specifics of the constraint to an individual or group with subject matter expertise. In addition to separating concerns, this also separates the logic of the constraint from its definition.

The following constraint templates are included with Anthos Policy Controller. You can also browse the library of constraint templates in the Gatekeeper repository.

Not all constraint templates are available for all versions of Anthos Config Management. Each constraint template lists the version that it became available. You can also view the history of the Gatekeeper repository's library to observe how a template changed over time. In addition, you can go to the Anthos Config Management archives and view earlier versions of this page.

anthos-service-mesh

AllowedServicePortName

Requires that service port names have a prefix from a specified list. Introduced in ACM v1.4.0.

Name Type
prefixes array

DestinationRuleTLSEnabled

Prohibits disabling TLS for all hosts and host subsets in Istio DestinationRules. Introduced in ACM v1.4.0.

DisallowedAuthzPrefix

Requires that principals and namespaces in Istio AuthorizationPolicy rules don't have a prefix from a specified list. Introduced in ACM v1.4.0.

Name Type
disallowedprefixes array

PolicyStrictOnly

Requires that Istio authentication Policy specify peers with STRICT mutual TLS. Introduced in ACM v1.4.0.

SourceNotAllAuthz

Requires that Istio AuthorizationPolicy rules have source principals set to something other than "*". Introduced in ACM v1.4.0.

etc

GCPStorageLocationConstraintV1

Restricts the permitted locations for StorageBucket Config Connector resources. Bucket names in the exemptions list are exempt. Introduced in ACM v1.6.1.

Name Type
exemptions array
locations array

K8sBlockProcessNamespaceSharing

Prohibits Pod specs with shareProcessNamespace set to true. This avoids scenarios where all containers in a Pod share a PID namespace and can access each other's filesystem and memory. Introduced in ACM v1.3.1.

K8sDisallowedRoleBindingSubjects

Prohibits RoleBindings or ClusterRoleBindings with subjects matching any disallowedSubjects passed as parameters. Introduced in ACM v1.3.1.

Name Type
disallowedSubjects array

K8sEmptyDirHasSizeLimit

Requires that any emptyDir volumes specify a sizeLimit; optionally, a maxSizeLimit parameter can be supplied in the constraint to specify a maximum allowable size limit. Introduced in ACM v1.3.1.

Name Type
maxSizeLimit string

K8sLocalStorageRequireSafeToEvict

Requires Pods using local storage (emptyDir or hostPath) to have the annotation "cluster-autoscaler.kubernetes.io/safe-to-evict": "true". Cluster Autoscaler will not delete Pods without this annotation. Introduced in ACM v1.3.1.

K8sMemoryRequestEqualsLimit

Promotes Pod stability by requiring that all containers' requested memory exactly equals the memory limit, so that Pods are never in a state where memory usage exceeds the requested amount. Kubernetes can terminate Pods in that state when memory is needed. Introduced in ACM v1.3.1.

K8sNoExternalServices

Prohibits the creation of Gateway, Ingress, and Service resources that expose workloads to external IPs.

  • Gateway: All resources of group networking.istio.io are prohibited.
  • Ingress: All resources of group extensions or networking.k8s.io are prohibited.
  • Service: All LoadBalancer type resources must have Internal annotation; any externalIPs must belong to the CIDRs specified by the internalCIDRs parameter.
Introduced in ACM v1.3.0.

Name Type
internalCIDRs array

K8sRestrictLabels

Disallows resources from containing a label. Exceptions can be specified by group, kind, namespace, and name. Introduced in ACM v1.6.1.

Name Type
exceptions array
restrictedLabels array

general

K8sAllowedRepos

Requires container images to begin with a repo string from a specified list. Introduced in ACM v1.1.0.

Name Type
repos array

K8sBlockNodePort

Disallows all Services with type NodePort. Introduced in ACM v1.6.1.

K8sContainerLimits

Requires containers to have memory and CPU limits set and within a specified maximum amount. Introduced in ACM v1.1.0.

Name Type
cpu string
memory string

K8sContainerRatios

Sets a maximum ratio for container resource limits to requests. Introduced in ACM v1.6.1.

Name Type
ratio string

K8sExternalIPs

Restricts Services from containing externalIPs except those in a provided allowlist. Introduced in ACM v1.6.1.

Name Type
allowedIPs array

K8sHttpsOnly

Requires Ingress resources to be HTTPS only; TLS configuration should be set and kubernetes.io/ingress.allow-http annotation equals false. Introduced in ACM v1.3.0.

K8sImageDigests

Requires container images to contain a digest. Introduced in ACM v1.6.1.

K8sRequiredLabels

Requires all resources to contain a specified label with a value matching a provided regular expression. Introduced in ACM v1.1.0.

Name Type
labels array
message string

K8sRequiredProbes

Requires Pods to have readiness and/or liveness probes. Introduced in ACM v1.6.1.

Name Type
probeTypes array
probes array

K8sUniqueIngressHost

Requires all Ingress hosts to be unique. Introduced in ACM v1.3.0.

K8sUniqueServiceSelector

Requires Services to have unique selectors within a namespace. Introduced in ACM v1.3.0.

cis-k8s

K8sNoEnvVarSecrets

Prohibits secrets as environment variables in container definitions; instead, use mounted secret files in data volumes. Introduced in ACM v1.5.2.

K8sPodsRequireSecurityContext

Requires all Pods and containers to have a SecurityContext defined at the Pod or container level. Introduced in ACM v1.5.2.

K8sProhibitRoleWildcardAccess

Requires that Roles and ClusterRoles not set resource access to a wildcard ("*") value. Introduced in ACM v1.5.2.

K8sRequireNamespaceNetworkPolicies

Requires that every namespace defined in the cluster has a NetworkPolicy. Introduced in ACM v1.5.2.

K8sRestrictNamespaces

Restricts resources from using namespaces listed under the restrictedNamespaces parameter. Resources can bypass this restriction using a labelSelector. Introduced in ACM v1.5.2.

Name Type
restrictedNamespaces array

K8sRestrictRoleBindings

Restricts ClusterRoleBindings and RoleBindings from referencing a Role or ClusterRole specified in the constraints. Exceptions can be listed as allowedSubjects in the constraint. Introduced in ACM v1.5.2.

Name Type
allowedSubjects array
restrictedRole object

pod-security-policy

K8sPSPAllowPrivilegeEscalationContainer

Controls restricting escalation to root privileges. Introduced in ACM v1.1.0.

K8sPSPAllowedUsers

Controls the user and group IDs of the container. Introduced in ACM v1.3.0.

Name Type
fsGroup object
runAsGroup object
runAsUser object
supplementalGroups object

K8sPSPAppArmor

Controls the AppArmor profile used by containers. Introduced in ACM v1.3.0.

Name Type
allowedProfiles array

K8sPSPCapabilities

Controls Linux capabilities. Introduced in ACM v1.3.0.

Name Type
allowedCapabilities array
requiredDropCapabilities array

K8sPSPFSGroup

Controls allocating an FSGroup that owns the Pod's volumes. Introduced in ACM v1.1.0.

Name Type
ranges array
rule string

K8sPSPFlexVolumes

Controls the allowlist of Flexvolume drivers. Introduced in ACM v1.1.0.

Name Type
allowedFlexVolumes array

K8sPSPForbiddenSysctls

Controls the sysctl profile used by containers. Introduced in ACM v1.3.0.

Name Type
forbiddenSysctls array

K8sPSPHostFilesystem

Controls usage of the host filesystem. Introduced in ACM v1.1.0.

Name Type
allowedHostPaths array

K8sPSPHostNamespace

Controls usage of host namespaces. Introduced in ACM v1.1.0.

K8sPSPHostNetworkingPorts

Controls usage of host networking and ports. Introduced in ACM v1.1.0.

Name Type
hostNetwork boolean
max integer
min integer

K8sPSPPrivilegedContainer

Controls running of privileged containers. Introduced in ACM v1.1.0.

K8sPSPProcMount

Controls the Allowed Proc Mount types for the container. Introduced in ACM v1.1.0.

Name Type
procMount string

K8sPSPReadOnlyRootFilesystem

Requires the use of a read only root file system. Introduced in ACM v1.1.0.

K8sPSPSELinuxV2

Controls the SELinux context of the container. Introduced in ACM v1.5.2.

Name Type
allowedSELinuxOptions array

K8sPSPSeccomp

Controls the seccomp profile used by containers. Introduced in ACM v1.3.0.

Name Type
allowedProfiles array

K8sPSPVolumeTypes

Controls usage of volume types. Introduced in ACM v1.1.0.

Name Type
volumes array

pod-security-policy-deprecated

K8sPSPSELinux

Controls the SELinux context of the container. Introduced in ACM v1.3.0.

Name Type
allowedSELinuxOptions object

What's next