References
Constraint match section
All constraints have a match field, which defines the objects a constraint applies to. All conditions specified must be matched before an object is in-scope for a constraint.
# excludedNamespaces <array>: ExcludedNamespaces is a list of namespace names.
# If defined, a constraint only applies to resources not in a listed namespace.
# ExcludedNamespaces also supports a prefix or suffix based glob. For example,
# `excludedNamespaces: [kube-*]` matches both `kube-system` and `kube-public`,
# and `excludedNamespaces: [*-system]` matches both `kube-system` and
# `gatekeeper-system`.
excludedNamespaces:
  # <list item: string>: A string that supports globbing at its front or end.
  # Ex: "kube-*" will match "kube-system" or "kube-public", "*-system" will
  # match "kube-system" or "gatekeeper-system". The asterisk is required for
  # wildcard matching.
  - <string>
kinds:
  # <list item: object>: Kinds accepts a list of objects with apiGroups and
  # kinds fields that list the groups/kinds of objects to which the constraint
  # will apply. If multiple groups/kinds objects are specified, only one match
  # is needed for the resource to be in scope.
  - # apiGroups <array>: APIGroups is the API groups the resources belong to.
    # '*' is all groups. If '*' is present, the length of the slice must be
    # one. Required.
    apiGroups:
      - <string>
    kinds:
      - <string>
# labelSelector <object>: LabelSelector is the combination of two optional
# fields: `matchLabels` and `matchExpressions`. These two fields provide
# different methods of selecting or excluding k8s objects based on the label
# keys and values included in object metadata. All selection expressions from
# both sections are ANDed to determine if an object meets the cumulative
# requirements of the selector.
labelSelector:
  # matchExpressions <array>: matchExpressions is a list of label selector
  # requirements. The requirements are ANDed.
  matchExpressions:
    # <list item: object>: A label selector requirement is a selector that
    # contains values, a key, and an operator that relates the key and values.
    - # key <string>: key is the label key that the selector applies to.
      key: <string>
      # operator <string>: operator represents a key's relationship to a set
      # of values. Valid operators are In, NotIn, Exists and DoesNotExist.
      operator: <string>
      # values <array>: values is an array of string values. If the operator
      # is In or NotIn, the values array must be non-empty. If the operator
      # is Exists or DoesNotExist, the values array must be empty. This array
      # is replaced during a strategic merge patch.
      values:
        - <string>
  # matchLabels <object>: matchLabels is a map of {key,value} pairs. A single
  # {key,value} in the matchLabels map is equivalent to an element of
  # matchExpressions, whose key field is "key", the operator is "In", and the
  # values array contains only "value". The requirements are ANDed.
  matchLabels:
    [key]: <string>
# name <string>: Name is the name of an object. If defined, it will match
# against objects with the specified name. Name also supports a prefix or
# suffix glob. For example, `name: pod-*` would match both `pod-a` and
# `pod-b`, and `name: *-pod` would match both `a-pod` and `b-pod`.
name: <string>
# namespaceSelector <object>: NamespaceSelector is a label selector against an
# object's containing namespace or the object itself, if the object is a
# namespace.
namespaceSelector:
  # matchExpressions <array>: matchExpressions is a list of label selector
  # requirements. The requirements are ANDed.
  matchExpressions:
    # <list item: object>: A label selector requirement is a selector that
    # contains values, a key, and an operator that relates the key and values.
    - # key <string>: key is the label key that the selector applies to.
      key: <string>
      # operator <string>: operator represents a key's relationship to a set
      # of values. Valid operators are In, NotIn, Exists and DoesNotExist.
      operator: <string>
      # values <array>: values is an array of string values. If the operator
      # is In or NotIn, the values array must be non-empty. If the operator
      # is Exists or DoesNotExist, the values array must be empty. This array
      # is replaced during a strategic merge patch.
      values:
        - <string>
  # matchLabels <object>: matchLabels is a map of {key,value} pairs. A single
  # {key,value} in the matchLabels map is equivalent to an element of
  # matchExpressions, whose key field is "key", the operator is "In", and the
  # values array contains only "value". The requirements are ANDed.
  matchLabels:
    [key]: <string>
# namespaces <array>: Namespaces is a list of namespace names. If defined, a
# constraint only applies to resources in a listed namespace. Namespaces also
# supports a prefix or suffix based glob. For example, `namespaces: [kube-*]`
# matches both `kube-system` and `kube-public`, and `namespaces: [*-system]`
# matches both `kube-system` and `gatekeeper-system`.
namespaces:
  # <list item: string>: A string that supports globbing at its front or end.
  # Ex: "kube-*" will match "kube-system" or "kube-public", "*-system" will
  # match "kube-system" or "gatekeeper-system". The asterisk is required for
  # wildcard matching.
  - <string>
# scope <string>: Scope determines if cluster-scoped and/or namespace-scoped
# resources are matched. Accepts `*`, `Cluster`, or `Namespaced`. (defaults to
# `*`)
scope: <string>
# source <string>: Source determines whether generated or original resources
# are matched. Accepts `Generated`|`Original`|`All` (defaults to `All`). A
# value of `Generated` will only match generated resources, while `Original`
# will only match regular resources.
# Allowed Values: All, Generated, Original
source: <string>
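The scoping rules above are easy to misread in combination: every field that is set must hold, only the entries inside `kinds` are ORed, and a glob needs its asterisk. The following Python is an added illustration written for this page, not Policy Controller's own matcher; it re-implements the documented semantics so you can see which of a few constructed objects a given `match` selects. The match spec, the namespace labels and the objects are constructed inputs, and the handling of cluster-scoped objects other than Namespace is an assumption flagged in the code.

```python
"""Model of the constraint `match` rules described above.

Added example, not the project's own code: it re-implements the documented
scoping semantics in plain Python. The match spec, namespace labels and
objects below are constructed inputs.
"""


def glob_match(pattern, value):
    """Prefix/suffix glob for namespaces, excludedNamespaces and name: only a
    leading or trailing '*' is a wildcard; "kube" does not match "kube-system"."""
    if pattern.startswith("*"):
        return value.endswith(pattern[1:])
    if pattern.endswith("*"):
        return value.startswith(pattern[:-1])
    return pattern == value


def selector_matches(selector, labels):
    """Label selector: matchLabels and every matchExpressions entry are ANDed;
    an absent or empty selector selects everything, as in Kubernetes."""
    if not selector:
        return True
    for key, value in selector.get("matchLabels", {}).items():
        if labels.get(key) != value:
            return False
    for req in selector.get("matchExpressions", []):
        key, op, values = req["key"], req["operator"], req.get("values", [])
        present = key in labels
        if op == "In" and not (present and labels[key] in values):
            return False
        if op == "NotIn" and present and labels[key] in values:
            return False
        if op == "Exists" and not present:
            return False
        if op == "DoesNotExist" and present:
            return False
    return True


def in_scope(match, obj, namespace_labels):
    """True when `obj` (apiGroup, kind, metadata) is selected by `match`.
    Every field that is set must hold (ANDed); within `kinds` one entry
    matching is enough. `namespace_labels` maps namespace name -> labels."""
    meta = obj["metadata"]
    is_namespace = obj["apiGroup"] == "" and obj["kind"] == "Namespace"
    namespaced = meta.get("namespace") is not None
    # A Namespace is matched by its own name and labels. Assumption: other
    # cluster-scoped objects skip the namespace-based filters; confirm this
    # against the Policy Controller release you run.
    ns = meta["name"] if is_namespace else meta.get("namespace")

    kinds = match.get("kinds")
    if kinds and not any(
        ("*" in k["apiGroups"] or obj["apiGroup"] in k["apiGroups"])
        and ("*" in k["kinds"] or obj["kind"] in k["kinds"]) for k in kinds):
        return False
    scope = match.get("scope", "*")
    if (scope == "Namespaced" and not namespaced) or (scope == "Cluster" and namespaced):
        return False
    if ns is not None:
        if match.get("namespaces") and not any(glob_match(p, ns) for p in match["namespaces"]):
            return False
        if any(glob_match(p, ns) for p in match.get("excludedNamespaces", [])):
            return False
        ns_labels = meta.get("labels", {}) if is_namespace else namespace_labels.get(ns, {})
        if not selector_matches(match.get("namespaceSelector"), ns_labels):
            return False
    if not selector_matches(match.get("labelSelector"), meta.get("labels", {})):
        return False
    return not match.get("name") or glob_match(match["name"], meta["name"])


# Constructed match spec: Pods in kube-* or prod-* namespaces, except
# kube-system, and only where the namespace carries team=payments.
MATCH = {
    "kinds": [{"apiGroups": [""], "kinds": ["Pod"]}],
    "namespaces": ["kube-*", "prod-*"],
    "excludedNamespaces": ["kube-system"],
    "namespaceSelector": {"matchLabels": {"team": "payments"}},
    "scope": "Namespaced",
}
# Constructed namespace labels, standing in for the live Namespace objects.
NAMESPACE_LABELS = {"prod-api": {"team": "payments"}, "prod-web": {"team": "web"},
                    "kube-system": {"team": "payments"}, "kube-public": {"team": "payments"}}


def pod(name, namespace):
    return {"apiGroup": "", "kind": "Pod", "metadata": {"name": name, "namespace": namespace}}


def demo():
    """Evaluate constructed objects against MATCH; returns {label: in scope?}."""
    objects = {
        "prod-api/pod": pod("api", "prod-api"),         # every condition holds
        "prod-web/pod": pod("web", "prod-web"),         # fails namespaceSelector
        "kube-system/pod": pod("dns", "kube-system"),   # hit by excludedNamespaces
        "kube-public/pod": pod("info", "kube-public"),  # kube-* glob, labelled
        "dev/pod": pod("job", "dev"),                   # not in namespaces
        "prod-api/deploy": {"apiGroup": "apps", "kind": "Deployment",
                            "metadata": {"name": "api", "namespace": "prod-api"}},
    }
    return {label: in_scope(MATCH, o, NAMESPACE_LABELS) for label, o in objects.items()}
```

Running `demo()` shows the practical consequence of the AND rule: `kube-public` is selected even though it is a system namespace, because only `kube-system` was excluded, while `prod-web` is skipped purely on the namespace label. When a constraint seems not to fire, walking an object through these checks in order is usually faster than reading the Rego.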
Constraint template library
Constraint templates let you define how a constraint works but delegate defining the specifics of the constraint to an individual or group with subject matter expertise. In addition to separating concerns, this also separates the logic of the constraint from its definition.
All constraints contain a match section, which defines the objects a constraint applies to. For details on how to configure that section, see Constraint match section.
Not all constraint templates are available for all versions of Policy Controller and templates can change between versions. Use the following links to compare constraints from supported versions:
To ensure that you receive full support, we recommend that you use constraint templates from a supported version of Policy Controller.
To help you see how the constraint templates function, each template includes an example constraint and a resource that violates the constraint.
Available constraint templates
| Constraint Template | Description |
|---|---|
| AsmPeerAuthnStrictMtls | Enforces that no PeerAuthentication can override strict mTLS. See https://istio.io/latest/docs/ops/best-practices/security/#mutual-tls. |
| AsmRequestAuthnProhibitedOutputHeaders | In RequestAuthentication, enforces that the jwtRules.outputPayloadToHeader field does not name a well-known HTTP request header or a custom prohibited header. See https://istio.io/latest/docs/reference/config/security/jwt/#JWTRule. |
| K8sAllowedRepos | Requires container images to begin with a string from the specified list. |
| K8sAvoidUseOfSystemMastersGroup | Disallows the use of ‘system:masters’ group. Has no effect during audit. |
| K8sBlockAllIngress | Disallows the creation of objects that accept ingress traffic (Ingress, Gateway, and Services of type NodePort or LoadBalancer). |
| K8sBlockCreationWithDefaultServiceAccount | Disallows the creation of resources using a default service account. Has no effect during audit. |
| K8sBlockObjectsOfType | Disallows objects of the types listed in the constraint's forbiddenTypes parameter. |
| K8sNoEnvVarSecrets | Prohibits secrets as environment variables in Pod container definitions. Use mounted secret files in data volumes instead: https://kubernetes.io/docs/concepts/configuration/secret/#using-secrets-as-files-from-a-pod |
| K8sNoExternalServices | Prohibits the creation of known resources that expose workloads to external IPs. This includes Istio Gateway resources and Kubernetes Ingress resources. Kubernetes Services are also disallowed unless they meet the following criteria: any Service of type LoadBalancer in Google Cloud must have a "networking.gke.io/load-balancer-type": "Internal" annotation; any Service of type LoadBalancer in AWS must have a service.beta.kubernetes.io/aws-load-balancer-internal: "true" annotation; and any "external IPs" (external to the cluster) bound to the Service must fall within one of the internal CIDR ranges provided to the constraint. |
| K8sPSPAllowPrivilegeEscalationContainer | Controls restricting escalation to root privileges. Corresponds to the allowPrivilegeEscalation field in a PodSecurityPolicy. For more information, see https://kubernetes.io/docs/concepts/policy/pod-security-policy/#privilege-escalation |
| K8sPSPAllowedUsers | Controls the user and group IDs of the container and some volumes. Corresponds to the runAsUser, runAsGroup, supplementalGroups, and fsGroup fields in a PodSecurityPolicy. For more information, see https://kubernetes.io/docs/concepts/policy/pod-security-policy/#users-and-groups |
| K8sPSPAppArmor | Configures an allow-list of AppArmor profiles for use by containers. This corresponds to specific annotations applied to a PodSecurityPolicy. For information on AppArmor, see https://kubernetes.io/docs/tutorials/clusters/apparmor/ |
| K8sPSPAutomountServiceAccountTokenPod | Controls the ability of any Pod to enable automountServiceAccountToken. |
| K8sPSPCapabilities | Controls Linux capabilities on containers. Corresponds to the allowedCapabilities and requiredDropCapabilities fields in a PodSecurityPolicy. For more information, see https://kubernetes.io/docs/concepts/policy/pod-security-policy/#capabilities |
| K8sPSPFSGroup | Controls allocating an FSGroup that owns the Pod’s volumes. Corresponds to the fsGroup field in a PodSecurityPolicy. For more information, see https://kubernetes.io/docs/concepts/policy/pod-security-policy/#volumes-and-file-systems |
| K8sPSPFlexVolumes | Controls the allowlist of FlexVolume drivers. Corresponds to the allowedFlexVolumes field in PodSecurityPolicy. For more information, see https://kubernetes.io/docs/concepts/policy/pod-security-policy/#flexvolume-drivers |
| K8sPSPForbiddenSysctls | Controls the sysctl profile used by containers. Corresponds to the allowedUnsafeSysctls and forbiddenSysctls fields in a PodSecurityPolicy. When specified, any sysctl not in the allowedSysctls parameter is considered to be forbidden. The forbiddenSysctls parameter takes precedence over the allowedSysctls parameter. For more information, see https://kubernetes.io/docs/tasks/administer-cluster/sysctl-cluster/ |
| K8sPSPHostFilesystem | Controls usage of the host filesystem. Corresponds to the allowedHostPaths field in a PodSecurityPolicy. For more information, see https://kubernetes.io/docs/concepts/policy/pod-security-policy/#volumes-and-file-systems |
| K8sPSPHostNamespace | Disallows sharing of host PID and IPC namespaces by pod containers. Corresponds to the hostPID and hostIPC fields in a PodSecurityPolicy. For more information, see https://kubernetes.io/docs/concepts/policy/pod-security-policy/#host-namespaces |
| K8sPSPHostNetworkingPorts | Controls usage of host network namespace by pod containers. Specific ports must be specified. Corresponds to the hostNetwork and hostPorts fields in a PodSecurityPolicy. For more information, see https://kubernetes.io/docs/concepts/policy/pod-security-policy/#host-namespaces |
| K8sPSPPrivilegedContainer | Controls the ability of any container to enable privileged mode. Corresponds to the privileged field in a PodSecurityPolicy. For more information, see https://kubernetes.io/docs/concepts/policy/pod-security-policy/#privileged |
| K8sPSPProcMount | Controls the allowed procMount types for the container. Corresponds to the allowedProcMountTypes field in a PodSecurityPolicy. For more information, see https://kubernetes.io/docs/concepts/policy/pod-security-policy/#allowedprocmounttypes |
| K8sPSPReadOnlyRootFilesystem | Requires the use of a read-only root file system by pod containers. Corresponds to the readOnlyRootFilesystem field in a PodSecurityPolicy. For more information, see https://kubernetes.io/docs/concepts/policy/pod-security-policy/#volumes-and-file-systems |
| K8sPSPSELinuxV2 | Defines an allow-list of seLinuxOptions configurations for pod containers. Corresponds to a PodSecurityPolicy requiring SELinux configs. For more information, see https://kubernetes.io/docs/concepts/policy/pod-security-policy/#selinux |
| K8sPSPSeccomp | Controls the seccomp profile used by containers. Corresponds to the seccomp.security.alpha.kubernetes.io/allowedProfileNames annotation on a PodSecurityPolicy. For more information, see https://kubernetes.io/docs/concepts/policy/pod-security-policy/#seccomp |
| K8sPSPVolumeTypes | Restricts mountable volume types to those specified by the user. Corresponds to the volumes field in a PodSecurityPolicy. For more information, see https://kubernetes.io/docs/concepts/policy/pod-security-policy/#volumes-and-file-systems |
| K8sPSPWindowsHostProcess | Restricts running of Windows HostProcess containers / pods. See https://kubernetes.io/docs/tasks/configure-pod-container/create-hostprocess-pod/ for more information. |
| K8sPSSRunAsNonRoot | Requires containers run as non-root users. For more information, see https://kubernetes.io/docs/concepts/security/pod-security-standards/ |
| K8sPodDisruptionBudget | Disallows the following when deploying PodDisruptionBudgets or resources that implement the replica subresource (e.g. Deployment, ReplicationController, ReplicaSet, StatefulSet): (1) PodDisruptionBudgets with .spec.maxUnavailable == 0; (2) PodDisruptionBudgets whose .spec.minAvailable equals .spec.replicas of the resource with the replica subresource. This prevents PodDisruptionBudgets from blocking voluntary disruptions such as node draining. See https://kubernetes.io/docs/concepts/workloads/pods/disruptions/ |
| K8sPodResourcesBestPractices | Requires that containers are not best-effort (by setting cpu and memory requests) and following burstable best practices (memory request must exactly equal limit). Optionally, annotation keys can be configured to permit skipping the various validations. |
| K8sPodsRequireSecurityContext | Requires all Pods to define securityContext. Requires all containers defined in Pods to have a SecurityContext defined at the Pod or container level. |
| K8sProhibitRoleWildcardAccess | Requires that Roles and ClusterRoles not set resource access to a wildcard ‘*’ value, except for the Roles and ClusterRoles provided as exemptions. Does not restrict wildcard access to subresources, such as ‘*/status’. |
| K8sRequireCosNodeImage | Enforces the use of Container-Optimized OS from Google on Nodes. |
| K8sRequireDaemonsets | Requires the list of daemonsets specified to be present. |
| K8sRequireNamespaceNetworkPolicies | Requires that every namespace defined in the cluster has a NetworkPolicy. |
| K8sRequireValidRangesForNetworks | Enforces which CIDR blocks are allowed for network ingress and egress. |
| K8sRequiredAnnotations | Requires resources to contain specified annotations, with values matching provided regular expressions. |
| K8sRequiredLabels | Requires resources to contain specified labels, with values matching provided regular expressions. |
| K8sRequiredResources | Requires containers to have defined resources set. https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/ |
| K8sRestrictNamespaces | Restricts resources from using namespaces listed under the restrictedNamespaces parameter. |
| K8sRestrictRbacSubjects | Restricts the use of names in RBAC subjects to permitted values. |
| K8sRestrictRoleBindings | Restricts the subjects specified in ClusterRoleBindings and RoleBindings to a list of allowed subjects. |
| K8sRestrictRoleRules | Restricts rules that can be set on Role and ClusterRole objects. |
| K8sStorageClass | Requires storage classes to be specified when used. Only Gatekeeper 3.9+ and non-ephemeral containers are supported. |
AsmPeerAuthnStrictMtls
ASM Peer Authentication Strict mTLS v1.0.3
Enforces that no PeerAuthentication can override strict mTLS. See https://istio.io/latest/docs/ops/best-practices/security/#mutual-tls.
Constraint schema
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: AsmPeerAuthnStrictMtls
metadata:
  name: example
spec:
  # match <object>: lets you configure which resources are in scope for this
  # constraint. For more information, see the Policy Controller Constraint
  # match documentation:
  # https://docs.samsungspc.com/kosmos/constraint-match-criteria
  match: [match schema]
  parameters:
    # strictnessLevel <string>: Level of PeerAuthentication strictness.
    # Allowed Values: Low, High
    strictnessLevel: <string>
Examples
asm-peer-authn-strict-mtls-constraint
Constraint
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: AsmPeerAuthnStrictMtls
metadata:
  name: asm-peer-authn-strict-mtls-constraint
spec:
  enforcementAction: dryrun
  match:
    kinds:
      - apiGroups:
          - security.istio.io
        kinds:
          - PeerAuthentication
  parameters:
    strictnessLevel: High
Allowed
apiVersion: security.istio.io/v1beta1
kind: PeerAuthentication
metadata:
  name: valid-strict-mtls-pa
  namespace: foo
spec:
  mtls:
    mode: UNSET
  portLevelMtls:
    "80":
      mode: UNSET
    "443":
      mode: STRICT
  selector:
    matchLabels:
      app: bar
Disallowed
apiVersion: security.istio.io/v1beta1
kind: PeerAuthentication
metadata:
  name: invalid-permissive-mtls-pa
  namespace: foo
spec:
  mtls:
    mode: PERMISSIVE
  portLevelMtls:
    "80":
      mode: UNSET
    "443":
      mode: STRICT
  selector:
    matchLabels:
      app: bar
---
apiVersion: security.istio.io/v1beta1
kind: PeerAuthentication
metadata:
  name: invalid-port-disable-mtls-pa
  namespace: foo
spec:
  mtls:
    mode: UNSET
  portLevelMtls:
    "80":
      mode: DISABLE
    "443":
      mode: STRICT
  selector:
    matchLabels:
      app: bar
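The examples above encode the rule by contrast: an unset mode is tolerated because it inherits, while PERMISSIVE at the workload level or DISABLE on a single port is a violation. The following Python is an added illustration for this page, not the template's Rego; it reproduces that outcome over a list of PeerAuthentication documents so the port-level case is not overlooked. The `strictnessLevel` parameter is not modelled (the page does not define what `Low` relaxes), and the fourth resource, a STRICT policy with one DISABLE port, is a constructed input.

```python
"""Audit PeerAuthentication resources for settings that weaken strict mTLS.

Added example, not the template's own logic: it reproduces the outcome the
allowed/disallowed examples above show (UNSET and STRICT pass; PERMISSIVE and
DISABLE fail, at the top level and per port). The strictnessLevel parameter is
not modelled. The resources below are constructed inputs.
"""

WEAK_MODES = {"PERMISSIVE", "DISABLE"}


def mtls_violations(peer_authn):
    """Return one message per mode that downgrades mTLS in a PeerAuthentication."""
    name = peer_authn["metadata"]["name"]
    spec = peer_authn.get("spec") or {}
    found = []
    mode = (spec.get("mtls") or {}).get("mode", "UNSET")
    if mode in WEAK_MODES:
        found.append(f"{name}: spec.mtls.mode is {mode}")
    # Port-level settings override the workload-level mode, so a STRICT policy
    # with one DISABLE port still leaves that port without mTLS.
    for port, cfg in (spec.get("portLevelMtls") or {}).items():
        port_mode = (cfg or {}).get("mode", "UNSET")
        if port_mode in WEAK_MODES:
            found.append(f"{name}: portLevelMtls[{port}].mode is {port_mode}")
    return found


def peer_authn(name, mode, ports=None):
    """Build a constructed PeerAuthentication in namespace foo selecting app=bar."""
    return {"apiVersion": "security.istio.io/v1beta1", "kind": "PeerAuthentication",
            "metadata": {"name": name, "namespace": "foo"},
            "spec": {"mtls": {"mode": mode},
                     "portLevelMtls": {p: {"mode": m} for p, m in (ports or {}).items()},
                     "selector": {"matchLabels": {"app": "bar"}}}}


def audit(resources):
    """Map each resource name to its violations (an empty list means compliant)."""
    return {r["metadata"]["name"]: mtls_violations(r) for r in resources}


SAMPLE = [  # the three examples from the page plus one STRICT-with-open-port case
    peer_authn("valid-strict-mtls-pa", "UNSET", {"80": "UNSET", "443": "STRICT"}),
    peer_authn("invalid-permissive-mtls-pa", "PERMISSIVE", {"80": "UNSET", "443": "STRICT"}),
    peer_authn("invalid-port-disable-mtls-pa", "UNSET", {"80": "DISABLE", "443": "STRICT"}),
    peer_authn("strict-but-port-open", "STRICT", {"8080": "DISABLE"}),
]
```

The fourth case is the one to watch for in review: a top-level `STRICT` reads as compliant at a glance, yet the per-port `DISABLE` is exactly the override the constraint exists to block.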
AsmRequestAuthnProhibitedOutputHeaders
ASM RequestAuthentication Prohibited Output Headers v1.0.2
In RequestAuthentication, enforces that the jwtRules.outputPayloadToHeader field does not name a well-known HTTP request header or a custom prohibited header. See https://istio.io/latest/docs/reference/config/security/jwt/#JWTRule.
Constraint schema
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: AsmRequestAuthnProhibitedOutputHeaders
metadata:
  name: example
spec:
  # match <object>: lets you configure which resources are in scope for this
  # constraint. For more information, see the Policy Controller Constraint
  # match documentation:
  # https://docs.samsungspc.com/kosmos/constraint-match-criteria
  match: [match schema]
  parameters:
    # prohibitedHeaders <array>: User predefined prohibited headers.
    prohibitedHeaders:
      - <string>
Examples
asm-request-authn-prohibited-output-headers-constraint
Constraint
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: AsmRequestAuthnProhibitedOutputHeaders
metadata:
  name: asm-request-authn-prohibited-output-headers-constraint
spec:
  enforcementAction: dryrun
  match:
    kinds:
      - apiGroups:
          - security.istio.io
        kinds:
          - RequestAuthentication
  parameters:
    prohibitedHeaders:
      - Bad-Header
      - X-Bad-Header
Allowed
apiVersion: security.istio.io/v1beta1
kind: RequestAuthentication
metadata:
  name: valid-request-authn
  namespace: istio-system
spec:
  jwtRules:
    - issuer: example.com
      outputPayloadToHeader: Good-Header
  selector:
    matchLabels:
      app: istio-ingressgateway
Disallowed
apiVersion: security.istio.io/v1beta1
kind: RequestAuthentication
metadata:
  name: deny-predefined-output-header
  namespace: istio-system
spec:
  jwtRules:
    - issuer: example.com
      outputPayloadToHeader: Host
  selector:
    matchLabels:
      app: istio-ingressgateway
---
apiVersion: security.istio.io/v1beta1
kind: RequestAuthentication
metadata:
  name: deny-predefined-output-header
  namespace: istio-system
spec:
  jwtRules:
    - issuer: example.com
      outputPayloadToHeader: X-Bad-Header
  selector:
    matchLabels:
      app: istio-ingressgateway
K8sAllowedRepos
Allowed Repositories v1.0.1
Requires container images to begin with a string from the specified list.
Constraint schema
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sAllowedRepos
metadata:
  name: example
spec:
  # match <object>: lets you configure which resources are in scope for this
  # constraint. For more information, see the Policy Controller Constraint
  # match documentation:
  # https://docs.samsungspc.com/kosmos/constraint-match-criteria
  match: [match schema]
  parameters:
    # repos <array>: The list of prefixes a container image is allowed to have.
    repos:
      - <string>
Examples
repo-is-openpolicyagent
Constraint
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sAllowedRepos
metadata:
  name: repo-is-openpolicyagent
spec:
  match:
    kinds:
      - apiGroups:
          - ""
        kinds:
          - Pod
    namespaces:
      - default
  parameters:
    repos:
      - openpolicyagent/
Allowed
apiVersion: v1
kind: Pod
metadata:
  name: opa-allowed
spec:
  containers:
    - args:
        - run
        - --server
        - --addr=localhost:8080
      image: openpolicyagent/opa:0.9.2
      name: opa
      resources:
        limits:
          cpu: 100m
          memory: 30Mi
Disallowed
apiVersion: v1
kind: Pod
metadata:
  name: nginx-disallowed
spec:
  containers:
    - image: nginx
      name: nginx
      resources:
        limits:
          cpu: 100m
          memory: 30Mi
---
apiVersion: v1
kind: Pod
metadata:
  name: nginx-disallowed
spec:
  containers:
    - args:
        - run
        - --server
        - --addr=localhost:8080
      image: openpolicyagent/opa:0.9.2
      name: opa
      resources:
        limits:
          cpu: 100m
          memory: 30Mi
  initContainers:
    - image: nginx
      name: nginxinit
      resources:
        limits:
          cpu: 100m
          memory: 30Mi
---
apiVersion: v1
kind: Pod
metadata:
  name: nginx-disallowed
spec:
  containers:
    - image: nginx
      name: nginx
      resources:
        limits:
          cpu: 100m
          memory: 30Mi
  initContainers:
    - image: nginx
      name: nginxinit
      resources:
        limits:
          cpu: 100m
          memory: 30Mi
---
apiVersion: v1
kind: Pod
metadata:
  name: nginx-disallowed
spec:
  containers:
    - image: nginx
      name: nginx
      resources:
        limits:
          cpu: 100m
          memory: 30Mi
  ephemeralContainers:
    - image: nginx
      name: nginx
      resources:
        limits:
          cpu: 100m
          memory: 30Mi
  initContainers:
    - image: nginx
      name: nginx
      resources:
        limits:
          cpu: 100m
          memory: 30Mi
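Two points in the examples above are worth making concrete: the check covers initContainers and ephemeralContainers as well as containers, and `repos` is a plain string prefix, which is why the constraint uses `openpolicyagent/` with the trailing slash. The following Python is an added illustration for this page, not the template's Rego; it applies the same prefix rule to constructed pods, including a constructed look-alike image that a prefix without the slash would wrongly admit.

```python
"""Image-prefix check mirroring K8sAllowedRepos.

Added example, not the template's own logic: it walks initContainers,
containers and ephemeralContainers, as the disallowed examples above show the
template does, and reports each image that does not start with an allowed
prefix. The pods and the look-alike image name below are constructed inputs.
"""

CONTAINER_FIELDS = ("initContainers", "containers", "ephemeralContainers")


def disallowed_images(pod, repos):
    """Return (field, container name, image) for every image whose reference
    does not begin with one of the `repos` prefixes. The comparison is a plain
    string prefix: no registry normalisation, no tag or digest parsing."""
    spec = pod.get("spec") or {}
    bad = []
    for field in CONTAINER_FIELDS:
        for c in spec.get(field) or []:
            image = c.get("image", "")
            if not any(image.startswith(prefix) for prefix in repos):
                bad.append((field, c.get("name"), image))
    return bad


def _pod(name, **lists):
    return {"apiVersion": "v1", "kind": "Pod", "metadata": {"name": name},
            "spec": dict(lists)}


OPA = {"name": "opa", "image": "openpolicyagent/opa:0.9.2"}
NGINX = {"name": "nginx", "image": "nginx"}
# Constructed look-alike: shares the prefix "openpolicyagent" but not "openpolicyagent/".
LOOKALIKE = {"name": "opa", "image": "openpolicyagent-evil/opa:latest"}

PODS = [
    _pod("opa-allowed", containers=[OPA]),
    _pod("nginx-disallowed", containers=[NGINX]),
    _pod("init-disallowed", containers=[OPA],
         initContainers=[{"name": "nginxinit", "image": "nginx"}]),
    _pod("ephemeral-disallowed", containers=[OPA],
         ephemeralContainers=[{"name": "debug", "image": "nginx"}]),
    _pod("lookalike", containers=[LOOKALIKE]),
]


def audit(pods, repos):
    """Map pod name -> list of disallowed images under the given prefixes."""
    return {p["metadata"]["name"]: disallowed_images(p, repos) for p in pods}


# With the trailing slash (as in the page's constraint) the look-alike is caught;
# without it, "openpolicyagent" is also a prefix of "openpolicyagent-evil/...".
STRICT = audit(PODS, ["openpolicyagent/"])
LOOSE = audit(PODS, ["openpolicyagent"])
```

For the same reason, prefer registry-qualified prefixes such as `gcr.io/my-project/` over bare repository names, and remember that `nginx` is compared as the literal string, not as its normalised `docker.io/library/nginx` form.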
K8sAvoidUseOfSystemMastersGroup
Disallow the use of ‘system:masters’ group v1.0.0
Disallows the use of the ‘system:masters’ group. Has no effect during audit, because the check inspects the user and groups of the admission request, which audit of stored objects does not have.
Constraint schema
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sAvoidUseOfSystemMastersGroup
metadata:
  name: example
spec:
  # match <object>: lets you configure which resources are in scope for this
  # constraint. For more information, see the Policy Controller Constraint
  # match documentation:
  # https://docs.samsungspc.com/kosmos/constraint-match-criteria
  match: [match schema]
  parameters:
    # allowlistedUsernames <array>: allowlistedUsernames is the list of
    # usernames that are allowed to use system:masters group.
    allowlistedUsernames:
      - <string>
K8sBlockAllIngress
Block all Ingress v1.0.4
Disallows the creation of objects that accept ingress traffic (Ingress, Gateway, and Services of type NodePort or LoadBalancer).
Constraint schema
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sBlockAllIngress
metadata:
  name: example
spec:
  # match <object>: lets you configure which resources are in scope for this
  # constraint. For more information, see the Policy Controller Constraint
  # match documentation:
  # https://docs.samsungspc.com/kosmos/constraint-match-criteria
  match: [match schema]
  parameters:
    # allowList <array>: A list of regular expressions for the Ingress object
    # names that are exempt from the constraint.
    allowList:
      - <string>
K8sBlockCreationWithDefaultServiceAccount
Block Creation with Default Service Account v1.0.2
Disallows the creation of resources using a default service account. Has no effect during audit, because the check inspects the user of the admission request, which audit of stored objects does not have.
Constraint schema
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sBlockCreationWithDefaultServiceAccount
metadata:
  name: example
spec:
  # match <object>: lets you configure which resources are in scope for this
  # constraint. For more information, see the Policy Controller Constraint
  # match documentation:
  # https://docs.samsungspc.com/kosmos/constraint-match-criteria
  match: [match schema]
K8sBlockObjectsOfType
Block Objects of Type v1.0.1
Disallows objects of the types listed in forbiddenTypes.
Constraint schema
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sBlockObjectsOfType
metadata:
  name: example
spec:
  # match <object>: lets you configure which resources are in scope for this
  # constraint. For more information, see the Policy Controller Constraint
  # match documentation:
  # https://docs.samsungspc.com/kosmos/constraint-match-criteria
  match: [match schema]
  parameters:
    forbiddenTypes:
      - <string>
K8sNoEnvVarSecrets
No Environment Variable Secrets v1.0.1
Prohibits secrets as environment variables in Pod container definitions. Use mounted secret files in data volumes instead: https://kubernetes.io/docs/concepts/configuration/secret/#using-secrets-as-files-from-a-pod
Constraint schema
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sNoEnvVarSecrets
metadata:
  name: example
spec:
  # match <object>: lets you configure which resources are in scope for this
  # constraint. For more information, see the Policy Controller Constraint
  # match documentation:
  # https://docs.samsungspc.com/kosmos/constraint-match-criteria
  match: [match schema]
K8sNoExternalServices
No External Services v1.0.3
Prohibits the creation of known resources that expose workloads to external IPs. This includes Istio Gateway resources and Kubernetes Ingress resources. Kubernetes Services are also disallowed unless they meet the following criteria: any Service of type LoadBalancer in Google Cloud must have a “networking.gke.io/load-balancer-type”: “Internal” annotation; any Service of type LoadBalancer in AWS must have a service.beta.kubernetes.io/aws-load-balancer-internal: “true” annotation; and any “external IPs” (external to the cluster) bound to the Service must fall within one of the internal CIDR ranges provided to the constraint.
Constraint schema
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sNoExternalServices
metadata:
  name: example
spec:
  # match <object>: lets you configure which resources are in scope for this
  # constraint. For more information, see the Policy Controller Constraint
  # match documentation:
  # https://docs.samsungspc.com/kosmos/constraint-match-criteria
  match: [match schema]
  parameters:
    # cloudPlatform <string>: The hosting cloud platform. Only `GCP` and `AWS`
    # are supported currently.
    cloudPlatform: <string>
    # internalCIDRs <array>: A list of CIDRs that are only accessible
    # internally, for example: `10.3.27.0/24`. Which IP ranges are
    # internal-only is determined by the underlying network infrastructure.
    internalCIDRs:
      - <string>
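The criteria above combine a per-kind rule (Gateway and Ingress are always out), a per-platform annotation check for LoadBalancer Services, and a CIDR membership test for external IPs. The following Python is an added illustration for this page, not the template's Rego; it evaluates constructed objects against those three rules with `cloudPlatform: GCP` and `internalCIDRs: [10.0.0.0/8]`. It inspects only `spec.externalIPs` for the CIDR rule, which is an assumption about which fields the template reads; the Services, annotations and addresses are constructed inputs.

```python
"""Exposure check modelled on the K8sNoExternalServices criteria above.

Added example, not the template's own logic: Istio Gateway and Kubernetes
Ingress objects are always flagged; a Service is flagged when it is of type
LoadBalancer without the platform's internal-load-balancer annotation, or when
any spec.externalIPs entry lies outside internalCIDRs. Only spec.externalIPs
is inspected here (assumption); the objects, CIDRs and addresses below are
constructed inputs.
"""
import ipaddress

INTERNAL_LB_ANNOTATION = {
    "GCP": ("networking.gke.io/load-balancer-type", "Internal"),
    "AWS": ("service.beta.kubernetes.io/aws-load-balancer-internal", "true"),
}
ALWAYS_EXTERNAL = {("networking.istio.io", "Gateway"),
                   ("networking.k8s.io", "Ingress"), ("extensions", "Ingress")}


def exposure_violations(obj, cloud_platform, internal_cidrs):
    """Return violation messages for one object under the given parameters."""
    group, kind = obj.get("apiGroup", ""), obj["kind"]
    meta = obj.get("metadata") or {}
    name = meta.get("name")
    if (group, kind) in ALWAYS_EXTERNAL:
        return [f"{name}: {kind} exposes workloads to external traffic"]
    if (group, kind) != ("", "Service"):
        return []
    spec = obj.get("spec") or {}
    networks = [ipaddress.ip_network(c) for c in internal_cidrs]
    found = []
    if spec.get("type") == "LoadBalancer":
        key, want = INTERNAL_LB_ANNOTATION[cloud_platform]
        if (meta.get("annotations") or {}).get(key) != want:
            found.append(f"{name}: LoadBalancer without {key}={want}")
    # An external IP is acceptable only if some internal CIDR contains it.
    for ip in spec.get("externalIPs") or []:
        if not any(ipaddress.ip_address(ip) in net for net in networks):
            found.append(f"{name}: externalIP {ip} is outside internalCIDRs")
    return found


def service(name, svc_type="ClusterIP", annotations=None, external_ips=None):
    """Build a constructed core/v1 Service."""
    return {"apiGroup": "", "kind": "Service",
            "metadata": {"name": name, "annotations": annotations or {}},
            "spec": {"type": svc_type, "externalIPs": external_ips or []}}


SAMPLE = [
    service("internal-lb", "LoadBalancer", {"networking.gke.io/load-balancer-type": "Internal"}),
    service("public-lb", "LoadBalancer"),
    service("internal-vip", external_ips=["10.3.27.5"]),
    service("public-vip", external_ips=["203.0.113.10"]),  # documentation range, constructed
    {"apiGroup": "networking.k8s.io", "kind": "Ingress", "metadata": {"name": "web"}},
]


def audit(objects, cloud_platform="GCP", internal_cidrs=("10.0.0.0/8",)):
    """Map object name -> violations for the whole list."""
    return {o["metadata"]["name"]: exposure_violations(o, cloud_platform, internal_cidrs)
            for o in objects}
```

The annotation values are compared exactly (`Internal`, `true`), which matches how the page states the criteria; when rolling this constraint out, check existing LoadBalancer Services for the annotation before switching from dryrun to deny, or the audit will report every internal load balancer that was created without it.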
K8sPSPAllowPrivilegeEscalationContainer
Allow Privilege Escalation in Container v1.0.1
Controls restricting escalation to root privileges. Corresponds to the allowPrivilegeEscalation field in a PodSecurityPolicy. For more information, see https://kubernetes.io/docs/concepts/policy/pod-security-policy/#privilege-escalation
Constraint schema
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sPSPAllowPrivilegeEscalationContainer
metadata:
  name: example
spec:
  # match <object>: lets you configure which resources are in scope for this
  # constraint. For more information, see the Policy Controller Constraint
  # match documentation:
  # https://docs.samsungspc.com/kosmos/constraint-match-criteria
  match: [match schema]
  parameters:
    # exemptImages <array>: Any container that uses an image that matches an
    # entry in this list will be excluded from enforcement. Prefix-matching can
    # be signified with `*`. For example: `my-image-*`. It is recommended that
    # users use the fully-qualified Docker image name (e.g. start with a domain
    # name) in order to avoid unexpectedly exempting images from an untrusted
    # repository.
    exemptImages:
      - <string>
K8sPSPAllowedUsers
Allowed Users v1.0.2
Controls the user and group IDs of the container and some volumes. Corresponds to the runAsUser, runAsGroup, supplementalGroups, and fsGroup fields in a PodSecurityPolicy. For more information, see https://kubernetes.io/docs/concepts/policy/pod-security-policy/#users-and-groups
Constraint schema
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sPSPAllowedUsers
metadata:
  name: example
spec:
  # match <object>: lets you configure which resources are in scope for this
  # constraint. For more information, see the Policy Controller Constraint
  # match documentation:
  # https://docs.samsungspc.com/kosmos/constraint-match-criteria
  match: [match schema]
  parameters:
    # exemptImages <array>: Any container that uses an image that matches an
    # entry in this list will be excluded from enforcement. Prefix-matching can
    # be signified with `*`. For example: `my-image-*`. It is recommended that
    # users use the fully-qualified Docker image name (e.g. start with a domain
    # name) in order to avoid unexpectedly exempting images from an untrusted
    # repository.
    exemptImages:
      - <string>
    # fsGroup <object>: Controls the fsGroup values that are allowed in a Pod
    # or container-level SecurityContext.
    fsGroup:
      # ranges <array>: A list of group ID ranges affected by the rule.
      ranges:
        # <list item: object>: The range of group IDs affected by the rule.
        - # max <integer>: The maximum group ID in the range, inclusive.
          max: <integer>
          # min <integer>: The minimum group ID in the range, inclusive.
          min: <integer>
      # rule <string>: A strategy for applying the fsGroup restriction.
      # Allowed Values: MustRunAs, MayRunAs, RunAsAny
      rule: <string>
    # runAsGroup <object>: Controls which group ID values are allowed in a Pod
    # or container-level SecurityContext.
    runAsGroup:
      # ranges <array>: A list of group ID ranges affected by the rule.
      ranges:
        # <list item: object>: The range of group IDs affected by the rule.
        - # max <integer>: The maximum group ID in the range, inclusive.
          max: <integer>
          # min <integer>: The minimum group ID in the range, inclusive.
          min: <integer>
      # rule <string>: A strategy for applying the runAsGroup restriction.
      # Allowed Values: MustRunAs, MayRunAs, RunAsAny
      rule: <string>
    # runAsUser <object>: Controls which user ID values are allowed in a Pod or
    # container-level SecurityContext.
    runAsUser:
      # ranges <array>: A list of user ID ranges affected by the rule.
      ranges:
        # <list item: object>: The range of user IDs affected by the rule.
        - # max <integer>: The maximum user ID in the range, inclusive.
          max: <integer>
          # min <integer>: The minimum user ID in the range, inclusive.
          min: <integer>
      # rule <string>: A strategy for applying the runAsUser restriction.
      # Allowed Values: MustRunAs, MustRunAsNonRoot, RunAsAny
      rule: <string>
    # supplementalGroups <object>: Controls the supplementalGroups values that
    # are allowed in a Pod or container-level SecurityContext.
    supplementalGroups:
      # ranges <array>: A list of group ID ranges affected by the rule.
      ranges:
        # <list item: object>: The range of group IDs affected by the rule.
        - # max <integer>: The maximum group ID in the range, inclusive.
          max: <integer>
          # min <integer>: The minimum group ID in the range, inclusive.
          min: <integer>
      # rule <string>: A strategy for applying the supplementalGroups
      # restriction.
      # Allowed Values: MustRunAs, MayRunAs, RunAsAny
      rule: <string>
K8sPSPAppArmor
App Armor v1.0.0
Configures an allow-list of AppArmor profiles for use by containers. This corresponds to specific annotations applied to a PodSecurityPolicy. For information on AppArmor, see https://kubernetes.io/docs/tutorials/clusters/apparmor/
Constraint schema
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sPSPAppArmor
metadata:
  name: example
spec:
  # match <object>: lets you configure which resources are in scope for this
  # constraint. For more information, see the Policy Controller Constraint
  # match documentation:
  # https://docs.samsungspc.com/kosmos/constraint-match-criteria
  match: [match schema]
  parameters:
    # allowedProfiles <array>: An array of AppArmor profiles. Examples:
    # `runtime/default`, `unconfined`.
    allowedProfiles:
      - <string>
    # exemptImages <array>: Any container that uses an image that matches an
    # entry in this list will be excluded from enforcement. Prefix-matching can
    # be signified with `*`. For example: `my-image-*`. It is recommended that
    # users use the fully-qualified Docker image name (e.g. start with a domain
    # name) in order to avoid unexpectedly exempting images from an untrusted
    # repository.
    exemptImages:
      - <string>
K8sPSPAutomountServiceAccountTokenPod
Automount Service Account Token for Pod v1.0.1
Controls the ability of any Pod to enable automountServiceAccountToken.
Constraint schema
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sPSPAutomountServiceAccountTokenPod
metadata:
name: example
spec:
# match <object>: lets you configure which resources are in scope for this
# constraint. For more information, see the Policy Controller Constraint
# match documentation:
# https://docs.samsungspc.com/kosmos/constraint-match-criteria
match: [match schema]
parameters: <object>
K8sPSPCapabilities
Capabilities v1.0.2
Controls Linux capabilities on containers. Corresponds to the allowedCapabilities and requiredDropCapabilities fields in a PodSecurityPolicy. For more information, see https://kubernetes.io/docs/concepts/policy/pod-security-policy/#capabilities
Constraint schema
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sPSPCapabilities
metadata:
name: example
spec:
# match <object>: lets you configure which resources are in scope for this
# constraint. For more information, see the Policy Controller Constraint
# match documentation:
# https://docs.samsungspc.com/kosmos/constraint-match-criteria
match: [match schema]
parameters:
# allowedCapabilities <array>: A list of Linux capabilities that can be
# added to a container.
allowedCapabilities:
- <string>
# exemptImages <array>: Any container that uses an image that matches an
# entry in this list will be excluded from enforcement. Prefix-matching can
# be signified with `*`. For example: `my-image-*`. It is recommended that
# users use the fully-qualified Docker image name (e.g. start with a domain
# name) in order to avoid unexpectedly exempting images from an untrusted
# repository.
exemptImages:
- <string>
# requiredDropCapabilities <array>: A list of Linux capabilities that are
# required to be dropped from a container.
requiredDropCapabilities:
- <string>
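Example constraint
The following is an added example of a complete constraint for this template; it is not taken from this page or from the gatekeeper-library project, and the registry name, namespace names and image path are assumptions. It drops every capability by default, lets only NET_BIND_SERVICE be added back, and keeps platform namespaces out of scope:

```yaml
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sPSPCapabilities
metadata:
  name: drop-all-allow-net-bind
spec:
  # Standard Gatekeeper constraint field, not part of the schema excerpt on
  # this page: start in dryrun to collect violations in the constraint status,
  # then switch to deny once the audit results are clean.
  enforcementAction: dryrun
  match:
    kinds:
      - apiGroups: [""]
        kinds: ["Pod"]
    # Suffix glob: keeps kube-system, gatekeeper-system and similar platform
    # namespaces out of scope. Quoted so YAML does not read "*" as an alias.
    excludedNamespaces:
      - "*-system"
  parameters:
    # Every container must list ALL under securityContext.capabilities.drop.
    requiredDropCapabilities:
      - ALL
    # The only capability a container may add back (binding ports below 1024
    # without running as root).
    allowedCapabilities:
      - NET_BIND_SERVICE
    # Fully-qualified image reference (assumed registry). A bare "node-agent-*"
    # would also exempt an image of that name pulled from any registry.
    exemptImages:
      - "registry.example.com/platform/node-agent:*"
```

The match is on Pod, which is the object these PSP-derived templates inspect. A Deployment whose template violates the policy is therefore accepted at apply time; the denial surfaces later as FailedCreate events on its ReplicaSet when the Pods are admitted, so check those events, or the constraint's audit status, rather than expecting `kubectl apply` to fail.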
K8sPSPFSGroup
FS Group v1.0.2
Controls allocating an FSGroup that owns the Pod’s volumes. Corresponds to the fsGroup field in a PodSecurityPolicy. For more information, see https://kubernetes.io/docs/concepts/policy/pod-security-policy/#volumes-and-file-systems
Constraint schema
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sPSPFSGroup
metadata:
name: example
spec:
# match <object>: lets you configure which resources are in scope for this
# constraint. For more information, see the Policy Controller Constraint
# match documentation:
# https://docs.samsungspc.com/kosmos/constraint-match-criteria
match: [match schema]
parameters:
# ranges <array>: GID ranges affected by the rule.
ranges:
- # max <integer>: The maximum GID in the range, inclusive.
max: <integer>
# min <integer>: The minimum GID in the range, inclusive.
min: <integer>
# rule <string>: An FSGroup rule name.
# Allowed Values: MayRunAs, MustRunAs, RunAsAny
rule: <string>
K8sPSPFlexVolumes
FlexVolumes v1.0.1
Controls the allowlist of FlexVolume drivers. Corresponds to the allowedFlexVolumes field in PodSecurityPolicy. For more information, see https://kubernetes.io/docs/concepts/policy/pod-security-policy/#flexvolume-drivers
Constraint schema
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sPSPFlexVolumes
metadata:
name: example
spec:
# match <object>: lets you configure which resources are in scope for this
# constraint. For more information, see the Policy Controller Constraint
# match documentation:
# https://docs.samsungspc.com/kosmos/constraint-match-criteria
match: [match schema]
parameters:
# allowedFlexVolumes <array>: An array of AllowedFlexVolume objects.
allowedFlexVolumes:
- # driver <string>: The name of the FlexVolume driver.
driver: <string>
K8sPSPForbiddenSysctls
Forbidden Sysctls v1.1.3
Controls the sysctl profile used by containers. Corresponds to the allowedUnsafeSysctls and forbiddenSysctls fields in a PodSecurityPolicy. When specified, any sysctl not in the allowedSysctls parameter is considered to be forbidden. The forbiddenSysctls parameter takes precedence over the allowedSysctls parameter. For more information, see https://kubernetes.io/docs/tasks/administer-cluster/sysctl-cluster/
Constraint schema
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sPSPForbiddenSysctls
metadata:
name: example
spec:
# match <object>: lets you configure which resources are in scope for this
# constraint. For more information, see the Policy Controller Constraint
# match documentation:
# https://docs.samsungspc.com/kosmos/constraint-match-criteria
match: [match schema]
parameters:
# allowedSysctls <array>: An allow-list of sysctls. `*` allows all sysctls
# not listed in the `forbiddenSysctls` parameter.
allowedSysctls:
- <string>
# forbiddenSysctls <array>: A disallow-list of sysctls. `*` forbids all
# sysctls.
forbiddenSysctls:
- <string>
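Example constraint
An added example (not from this page or the gatekeeper-library project) that shows the precedence rule described above. The treatment of a trailing `*` as a prefix, rather than only as the bare "allow/forbid everything" value the page documents, is assumed from the upstream template:

```yaml
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sPSPForbiddenSysctls
metadata:
  name: sysctls-safe-subset
spec:
  match:
    kinds:
      - apiGroups: [""]
        kinds: ["Pod"]
  parameters:
    # Evaluated first and wins over allowedSysctls. With the assumed prefix
    # semantics, "kernel.*" blocks kernel.shm_rmid_forced even though the
    # kubelet classes it as safe; list it under forbiddenSysctls only if that
    # is what you want.
    forbiddenSysctls:
      - "kernel.*"
      - "net.core.*"
    # Once this list is present, any sysctl not on it is forbidden, so a Pod
    # may only set the entries below (and only if they also pass the list above).
    allowedSysctls:
      - net.ipv4.ip_local_port_range
      - net.ipv4.tcp_syncookies
      - net.ipv4.ip_unprivileged_port_start
```

With this constraint, a Pod whose `spec.securityContext.sysctls` sets `net.ipv4.tcp_syncookies` is admitted; one that sets `net.core.somaxconn` is rejected by the forbidden list, and one that sets `fs.file-max` is rejected because it is absent from `allowedSysctls`. The constraint only gates admission: a sysctl the kubelet treats as unsafe still has to be enabled on the node with `--allowed-unsafe-sysctls`, as the linked Kubernetes page describes.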
K8sPSPHostFilesystem
Host Filesystem v1.0.2
Controls usage of the host filesystem. Corresponds to the allowedHostPaths field in a PodSecurityPolicy. For more information, see https://kubernetes.io/docs/concepts/policy/pod-security-policy/#volumes-and-file-systems
Constraint schema
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sPSPHostFilesystem
metadata:
name: example
spec:
# match <object>: lets you configure which resources are in scope for this
# constraint. For more information, see the Policy Controller Constraint
# match documentation:
# https://docs.samsungspc.com/kosmos/constraint-match-criteria
match: [match schema]
parameters:
# allowedHostPaths <array>: An array of hostpath objects, representing
# paths and read/write configuration.
allowedHostPaths:
- # pathPrefix <string>: The path prefix that the host volume must
# match.
pathPrefix: <string>
# readOnly <boolean>: when set to true, any container volumeMounts
# matching the pathPrefix must include `readOnly: true`.
readOnly: <boolean>
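Example constraint
An added example, not from this page or the gatekeeper-library project, that confines hostPath use to a single namespace and to read-only mounts of the log directories a log shipper needs. The namespace name is an assumption, and `namespaces` is the match-schema field that limits scope to listed namespaces:

```yaml
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sPSPHostFilesystem
metadata:
  name: hostpath-readonly-logs
spec:
  match:
    kinds:
      - apiGroups: [""]
        kinds: ["Pod"]
    # Only the namespace that runs the log shipper is in scope (assumed name).
    namespaces:
      - logging
  parameters:
    allowedHostPaths:
      # Every volumeMount that is backed by a hostPath under /var/log must set
      # readOnly: true, or the Pod is rejected.
      - pathPrefix: /var/log
        readOnly: true
      - pathPrefix: /var/lib/docker/containers
        readOnly: true
```

Keep each `pathPrefix` as deep as the workload allows and never list `/` or a kubelet or container-runtime directory with `readOnly: false`: a writable hostPath into those locations is equivalent to root on the node. Namespaces outside the match should be covered by a separate, stricter constraint rather than left unmatched.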
K8sPSPHostNamespace
Host Namespace v1.0.1
Disallows sharing of host PID and IPC namespaces by pod containers. Corresponds to the hostPID and hostIPC fields in a PodSecurityPolicy. For more information, see https://kubernetes.io/docs/concepts/policy/pod-security-policy/#host-namespaces
Constraint schema
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sPSPHostNamespace
metadata:
name: example
spec:
# match <object>: lets you configure which resources are in scope for this
# constraint. For more information, see the Policy Controller Constraint
# match documentation:
# https://docs.samsungspc.com/kosmos/constraint-match-criteria
match: [match schema]
parameters: <object>
K8sPSPHostNetworkingPorts
Host Networking Ports v1.0.2
Controls usage of host network namespace by pod containers. Specific ports must be specified. Corresponds to the hostNetwork and hostPorts fields in a PodSecurityPolicy. For more information, see https://kubernetes.io/docs/concepts/policy/pod-security-policy/#host-namespaces
Constraint schema
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sPSPHostNetworkingPorts
metadata:
name: example
spec:
# match <object>: lets you configure which resources are in scope for this
# constraint. For more information, see the Policy Controller Constraint
# match documentation:
# https://docs.samsungspc.com/kosmos/constraint-match-criteria
match: [match schema]
parameters:
# exemptImages <array>: Any container that uses an image that matches an
# entry in this list will be excluded from enforcement. Prefix-matching can
# be signified with `*`. For example: `my-image-*`. It is recommended that
# users use the fully-qualified Docker image name (e.g. start with a domain
# name) in order to avoid unexpectedly exempting images from an untrusted
# repository.
exemptImages:
- <string>
# hostNetwork <boolean>: Determines if the policy allows the use of
# HostNetwork in the pod spec.
hostNetwork: <boolean>
# max <integer>: The end of the allowed port range, inclusive.
max: <integer>
# min <integer>: The start of the allowed port range, inclusive.
min: <integer>
K8sPSPPrivilegedContainer
Privileged Container v1.0.1
Controls the ability of any container to enable privileged mode. Corresponds to the privileged field in a PodSecurityPolicy. For more information, see https://kubernetes.io/docs/concepts/policy/pod-security-policy/#privileged
Constraint schema
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sPSPPrivilegedContainer
metadata:
name: example
spec:
# match <object>: lets you configure which resources are in scope for this
# constraint. For more information, see the Policy Controller Constraint
# match documentation:
# https://docs.samsungspc.com/kosmos/constraint-match-criteria
match: [match schema]
parameters:
# exemptImages <array>: Any container that uses an image that matches an
# entry in this list will be excluded from enforcement. Prefix-matching can
# be signified with `*`. For example: `my-image-*`. It is recommended that
# users use the fully-qualified Docker image name (e.g. start with a domain
# name) in order to avoid unexpectedly exempting images from an untrusted
# repository.
exemptImages:
- <string>
K8sPSPProcMount
Proc Mount v1.0.3
Controls the allowed procMount types for the container. Corresponds to the allowedProcMountTypes field in a PodSecurityPolicy. For more information, see https://kubernetes.io/docs/concepts/policy/pod-security-policy/#allowedprocmounttypes
Constraint schema
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sPSPProcMount
metadata:
name: example
spec:
# match <object>: lets you configure which resources are in scope for this
# constraint. For more information, see the Policy Controller Constraint
# match documentation:
# https://docs.samsungspc.com/kosmos/constraint-match-criteria
match: [match schema]
parameters:
# exemptImages <array>: Any container that uses an image that matches an
# entry in this list will be excluded from enforcement. Prefix-matching can
# be signified with `*`. For example: `my-image-*`. It is recommended that
# users use the fully-qualified Docker image name (e.g. start with a domain
# name) in order to avoid unexpectedly exempting images from an untrusted
# repository.
exemptImages:
- <string>
# procMount <string>: Defines the strategy for the security exposure of
# certain paths in `/proc` by the container runtime. Setting to `Default`
# uses the runtime defaults, where `Unmasked` bypasses the default
# behavior.
# Allowed Values: Default, Unmasked
procMount: <string>
K8sPSPReadOnlyRootFilesystem
Read Only Root Filesystem v1.0.1
Requires the use of a read-only root file system by pod containers. Corresponds to the readOnlyRootFilesystem field in a PodSecurityPolicy. For more information, see https://kubernetes.io/docs/concepts/policy/pod-security-policy/#volumes-and-file-systems
Constraint schema
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sPSPReadOnlyRootFilesystem
metadata:
name: example
spec:
# match <object>: lets you configure which resources are in scope for this
# constraint. For more information, see the Policy Controller Constraint
# match documentation:
# https://docs.samsungspc.com/kosmos/constraint-match-criteria
match: [match schema]
parameters:
# exemptImages <array>: Any container that uses an image that matches an
# entry in this list will be excluded from enforcement. Prefix-matching can
# be signified with `*`. For example: `my-image-*`. It is recommended that
# users use the fully-qualified Docker image name (e.g. start with a domain
# name) in order to avoid unexpectedly exempting images from an untrusted
# repository.
exemptImages:
- <string>
K8sPSPSELinuxV2
SELinux V2 v1.0.3
Defines an allow-list of seLinuxOptions configurations for pod containers. Corresponds to a PodSecurityPolicy requiring SELinux configs. For more information, see https://kubernetes.io/docs/concepts/policy/pod-security-policy/#selinux
Constraint schema
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sPSPSELinuxV2
metadata:
name: example
spec:
# match <object>: lets you configure which resources are in scope for this
# constraint. For more information, see the Policy Controller Constraint
# match documentation:
# https://docs.samsungspc.com/kosmos/constraint-match-criteria
match: [match schema]
parameters:
# allowedSELinuxOptions <array>: An allow-list of SELinux options
# configurations.
allowedSELinuxOptions:
# <list item: object>: An allowed configuration of SELinux options for a
# pod container.
- # level <string>: An SELinux level.
level: <string>
# role <string>: An SELinux role.
role: <string>
# type <string>: An SELinux type.
type: <string>
# user <string>: An SELinux user.
user: <string>
# exemptImages <array>: Any container that uses an image that matches an
# entry in this list will be excluded from enforcement. Prefix-matching can
# be signified with `*`. For example: `my-image-*`. It is recommended that
# users use the fully-qualified Docker image name (e.g. start with a domain
# name) in order to avoid unexpectedly exempting images from an untrusted
# repository.
exemptImages:
- <string>
K8sPSPSeccomp
Seccomp v1.0.1
Controls the seccomp profile used by containers. Corresponds to the seccomp.security.alpha.kubernetes.io/allowedProfileNames annotation on a PodSecurityPolicy. For more information, see https://kubernetes.io/docs/concepts/policy/pod-security-policy/#seccomp
Constraint schema
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sPSPSeccomp
metadata:
name: example
spec:
# match <object>: lets you configure which resources are in scope for this
# constraint. For more information, see the Policy Controller Constraint
# match documentation:
# https://docs.samsungspc.com/kosmos/constraint-match-criteria
match: [match schema]
parameters:
# allowedLocalhostFiles <array>: When using the securityContext naming scheme
# for seccomp and including `Localhost`, this array holds the allowed
# profile JSON files. Putting a `*` in this array allows all JSON files to
# be used. This field is required to allow `Localhost` in securityContext:
# with an empty list, every `Localhost` profile is blocked.
allowedLocalhostFiles:
- <string>
# allowedProfiles <array>: An array of allowed profile values for seccomp
# on Pods/Containers. Can use the annotation naming scheme:
# `runtime/default`, `docker/default`, `unconfined` and/or
# `localhost/some-profile.json`. The item `localhost/*` allows any
# localhost-based profile. Can also use the securityContext naming scheme:
# `RuntimeDefault`, `Unconfined` and/or `Localhost`. For securityContext
# `Localhost`, use the `allowedLocalhostFiles` parameter to list the
# allowed profile JSON files. The policy code translates between the two
# schemes, so it is not necessary to use both. Putting a `*` in this array
# allows all profiles to be used. This field is required: with an empty
# list, this policy blocks all workloads.
allowedProfiles:
- <string>
# exemptImages <array>: Any container that uses an image that matches an
# entry in this list will be excluded from enforcement. Prefix-matching can
# be signified with `*`. For example: `my-image-*`. It is recommended that
# users use the fully-qualified Docker image name (e.g. start with a domain
# name) in order to avoid unexpectedly exempting images from an untrusted
# repository.
exemptImages:
- <string>
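Example constraint
An added example (not from this page or the gatekeeper-library project) using the securityContext naming scheme. It allows the runtime default profile plus two vetted Localhost profiles; the profile file names are assumptions:

```yaml
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sPSPSeccomp
metadata:
  name: seccomp-runtime-default-or-vetted
spec:
  match:
    kinds:
      - apiGroups: [""]
        kinds: ["Pod"]
  parameters:
    # securityContext scheme. Because the template translates between schemes,
    # a Pod that still carries the legacy annotation value runtime/default is
    # accepted as well. Unconfined is deliberately absent.
    allowedProfiles:
      - RuntimeDefault
      - Localhost
    # Required once Localhost is allowed: with an empty list every Localhost
    # profile is blocked. Paths are relative to the kubelet's seccomp profile
    # root (assumed file names).
    allowedLocalhostFiles:
      - profiles/audit.json
      - profiles/nginx-restricted.json
```

A Pod with `securityContext.seccompProfile: {type: Localhost, localhostProfile: profiles/audit.json}` is admitted; `type: Unconfined`, or a `localhostProfile` that is not listed, is rejected. Leaving `allowedProfiles` empty does not disable the check, it rejects every workload in scope, as the schema comment says.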
K8sPSPVolumeTypes
Volume Types v1.0.2
Restricts mountable volume types to those specified by the user. Corresponds to the volumes field in a PodSecurityPolicy. For more information, see https://kubernetes.io/docs/concepts/policy/pod-security-policy/#volumes-and-file-systems
Constraint schema
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sPSPVolumeTypes
metadata:
name: example
spec:
# match <object>: lets you configure which resources are in scope for this
# constraint. For more information, see the Policy Controller Constraint
# match documentation:
# https://docs.samsungspc.com/kosmos/constraint-match-criteria
match: [match schema]
parameters:
# volumes <array>: `volumes` is an array of volume types. All volume types
# can be enabled using `*`.
volumes:
- <string>
K8sPSPWindowsHostProcess
Restricts Windows HostProcess containers / pods. v1.0.0
Restricts running of Windows HostProcess containers / pods. See https://kubernetes.io/docs/tasks/configure-pod-container/create-hostprocess-pod/ for more information.
Constraint schema
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sPSPWindowsHostProcess
metadata:
name: example
spec:
# match <object>: lets you configure which resources are in scope for this
# constraint. For more information, see the Policy Controller Constraint
# match documentation:
# https://docs.samsungspc.com/kosmos/constraint-match-criteria
match: [match schema]
K8sPSSRunAsNonRoot
Requires containers run as non-root users. v1.0.0
Requires containers run as non-root users. For more information, see https://kubernetes.io/docs/concepts/security/pod-security-standards/
Constraint schema
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sPSSRunAsNonRoot
metadata:
name: example
spec:
# match <object>: lets you configure which resources are in scope for this
# constraint. For more information, see the Policy Controller Constraint
# match documentation:
# https://docs.samsungspc.com/kosmos/constraint-match-criteria
match: [match schema]
K8sPodDisruptionBudget
Pod Disruption Budget v1.0.3
Disallows the following scenarios when deploying PodDisruptionBudgets or resources that implement the replica subresource (e.g. Deployment, ReplicationController, ReplicaSet, StatefulSet):
1. Deployment of PodDisruptionBudgets with .spec.maxUnavailable == 0
2. Deployment of PodDisruptionBudgets with .spec.minAvailable == .spec.replicas of the resource with the replica subresource
This prevents PodDisruptionBudgets from blocking voluntary disruptions such as node draining. https://kubernetes.io/docs/concepts/workloads/pods/disruptions/
Constraint schema
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sPodDisruptionBudget
metadata:
name: example
spec:
# match <object>: lets you configure which resources are in scope for this
# constraint. For more information, see the Policy Controller Constraint
# match documentation:
# https://docs.samsungspc.com/kosmos/constraint-match-criteria
match: [match schema]
K8sPodResourcesBestPractices
Requires Containers are not Best-effort and Following Burstable Best Practices v1.0.5
Requires that containers are not best-effort (by setting cpu and memory requests) and following burstable best practices (memory request must exactly equal limit). Optionally, annotation keys can be configured to permit skipping the various validations.
Constraint schema
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sPodResourcesBestPractices
metadata:
name: example
spec:
# match <object>: lets you configure which resources are in scope for this
# constraint. For more information, see the Policy Controller Constraint
# match documentation:
# https://docs.samsungspc.com/kosmos/constraint-match-criteria
match: [match schema]
parameters:
# exemptImages <array>: A list of exempt Images.
exemptImages:
- <string>
# skipBestEffortValidationAnnotationKey <string>: Optional annotation key
# to skip best-effort container validation.
skipBestEffortValidationAnnotationKey: <string>
# skipBurstableValidationAnnotationKey <string>: Optional annotation key to
# skip burstable container validation.
skipBurstableValidationAnnotationKey: <string>
# skipResourcesBestPracticesValidationAnnotationKey <string>: Optional
# annotation key to skip both best-effort and burstable validation.
skipResourcesBestPracticesValidationAnnotationKey: <string>
K8sPodsRequireSecurityContext
Pods Require Security Context v1.1.1
Requires all Pods to define securityContext. Requires all containers defined in Pods to have a SecurityContext defined at the Pod or container level.
Constraint schema
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sPodsRequireSecurityContext
metadata:
name: example
spec:
# match <object>: lets you configure which resources are in scope for this
# constraint. For more information, see the Policy Controller Constraint
# match documentation:
# https://docs.samsungspc.com/kosmos/constraint-match-criteria
match: [match schema]
parameters:
# exemptImages <array>: A list of exempt Images.
exemptImages:
- <string>
K8sProhibitRoleWildcardAccess
Prohibit Role Wildcard Access v1.0.5
Requires that Roles and ClusterRoles not set resource access to a wildcard "*" value, except for the Roles and ClusterRoles provided as exemptions. Does not restrict wildcard access to subresources, such as "*/status".
Constraint schema
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sProhibitRoleWildcardAccess
metadata:
name: example
spec:
# match <object>: lets you configure which resources are in scope for this
# constraint. For more information, see the Policy Controller Constraint
# match documentation:
# https://docs.samsungspc.com/kosmos/constraint-match-criteria
match: [match schema]
parameters:
# exemptions <object>: The names of exempted Roles and/or ClusterRoles that
# are allowed to set resource access to a wildcard.
exemptions:
clusterRoles:
- # name <string>: The name of the ClusterRole to be exempted.
name: <string>
# regexMatch <boolean>: The flag to allow a regular expression
# based match on the name.
regexMatch: <boolean>
roles:
- # name <string>: The name of the Role to be exempted.
name: <string>
# namespace <string>: The namespace of the Role to be exempted.
namespace: <string>
K8sRequireCosNodeImage
Require COS Node Image v1.1.1
Enforces the use of Container-Optimized OS from Google on Nodes.
Constraint schema
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sRequireCosNodeImage
metadata:
name: example
spec:
# match <object>: lets you configure which resources are in scope for this
# constraint. For more information, see the Policy Controller Constraint
# match documentation:
# https://docs.samsungspc.com/kosmos/constraint-match-criteria
match: [match schema]
parameters:
# exemptOsImages <array>: A list of exempt OS Images.
exemptOsImages:
- <string>
K8sRequireDaemonsets
Required Daemonsets v1.1.2
Requires the list of daemonsets specified to be present.
Constraint schema
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sRequireDaemonsets
metadata:
name: example
spec:
# match <object>: lets you configure which resources are in scope for this
# constraint. For more information, see the Policy Controller Constraint
# match documentation:
# https://docs.samsungspc.com/kosmos/constraint-match-criteria
match: [match schema]
parameters:
# requiredDaemonsets <array>: A list of names and namespaces of the
# required daemonsets.
requiredDaemonsets:
- # name <string>: The name of the required daemonset.
name: <string>
# namespace <string>: The namespace for the required daemonset.
namespace: <string>
# restrictNodeSelector <boolean>: When true, the required daemonsets must
# not set a `nodeSelector`.
restrictNodeSelector: <boolean>
K8sRequireNamespaceNetworkPolicies
Require Namespace Network Policies v1.0.6
Requires that every namespace defined in the cluster has a NetworkPolicy.
Constraint schema
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sRequireNamespaceNetworkPolicies
metadata:
name: example
spec:
# match <object>: lets you configure which resources are in scope for this
# constraint. For more information, see the Policy Controller Constraint
# match documentation:
# https://docs.samsungspc.com/kosmos/constraint-match-criteria
match: [match schema]
K8sRequireValidRangesForNetworks
Require Valid Ranges for Networks v1.0.2
Enforces which CIDR blocks are allowed for network ingress and egress.
Constraint schema
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sRequireValidRangesForNetworks
metadata:
name: example
spec:
# match <object>: lets you configure which resources are in scope for this
# constraint. For more information, see the Policy Controller Constraint
# match documentation:
# https://docs.samsungspc.com/kosmos/constraint-match-criteria
match: [match schema]
parameters:
# allowedEgress <array>: IP ranges in CIDR format (0.0.0.0/32) that are
# allowed for egress.
allowedEgress:
- <string>
# allowedIngress <array>: IP ranges in CIDR format (0.0.0.0/32) that are
# allowed for ingress.
allowedIngress:
- <string>
K8sRequiredAnnotations
Required Annotations v1.0.1
Requires resources to contain specified annotations, with values matching provided regular expressions.
Constraint schema
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sRequiredAnnotations
metadata:
name: example
spec:
# match <object>: lets you configure which resources are in scope for this
# constraint. For more information, see the Policy Controller Constraint
# match documentation:
# https://docs.samsungspc.com/kosmos/constraint-match-criteria
match: [match schema]
parameters:
# annotations <array>: A list of annotations and values the object must
# specify.
annotations:
- # allowedRegex <string>: If specified, a regular expression the
# annotation's value must match. The value must contain at least one
# match for the regular expression.
allowedRegex: <string>
# key <string>: The required annotation.
key: <string>
message: <string>
K8sRequiredLabels
Required Labels v1.0.1
Requires resources to contain specified labels, with values matching provided regular expressions.
Constraint schema
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sRequiredLabels
metadata:
name: example
spec:
# match <object>: lets you configure which resources are in scope for this
# constraint. For more information, see the Policy Controller Constraint
# match documentation:
# https://docs.samsungspc.com/kosmos/constraint-match-criteria
match: [match schema]
parameters:
# labels <array>: A list of labels and values the object must specify.
labels:
- # allowedRegex <string>: If specified, a regular expression the
# label's value must match. The value must contain at least one
# match for the regular expression.
allowedRegex: <string>
# key <string>: The required label.
key: <string>
message: <string>
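Example constraint
An added example (not from this page or the gatekeeper-library project) requiring an ownership label on every namespace. K8sRequiredAnnotations takes the same shape with an `annotations` list in place of `labels`. The label key and value format are assumptions:

```yaml
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sRequiredLabels
metadata:
  name: namespaces-need-owner
spec:
  match:
    kinds:
      - apiGroups: [""]
        kinds: ["Namespace"]
    # For a Namespace object the namespace match is evaluated against the
    # namespace's own name (Gatekeeper behaviour, not spelled out on this page).
    excludedNamespaces:
      - "kube-*"
      - gatekeeper-system
  parameters:
    message: "namespace must carry an owner label of the form team-<name>"
    labels:
      - key: owner
        # allowedRegex only needs one match somewhere in the value, so anchor
        # it: without ^ and $, a value such as "not-a-team-xyz" would pass.
        allowedRegex: "^team-[a-z0-9-]+$"
```

The anchoring matters because, as the schema comment states, the value only has to contain at least one match for the expression; an unanchored pattern is a substring check, not a format check.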
K8sRequiredResources
Required Resources v1.0.1
Requires containers to have defined resources set. https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/
Constraint schema
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sRequiredResources
metadata:
name: example
spec:
# match <object>: lets you configure which resources are in scope for this
# constraint. For more information, see the Policy Controller Constraint
# match documentation:
# https://docs.samsungspc.com/kosmos/constraint-match-criteria
match: [match schema]
parameters:
# exemptImages <array>: Any container that uses an image that matches an
# entry in this list will be excluded from enforcement. Prefix-matching can
# be signified with `*`. For example: `my-image-*`. It is recommended that
# users use the fully-qualified Docker image name (e.g. start with a domain
# name) in order to avoid unexpectedly exempting images from an untrusted
# repository.
exemptImages:
- <string>
# limits <array>: A list of limits that should be enforced (`cpu`,
# `memory`, or both).
limits:
# Allowed Values: cpu, memory
- <string>
# requests <array>: A list of requests that should be enforced (`cpu`,
# `memory`, or both).
requests:
# Allowed Values: cpu, memory
- <string>
K8sRestrictNamespaces
Restrict Namespaces v1.0.1
Restricts resources from using namespaces listed under the restrictedNamespaces parameter.
Constraint schema
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sRestrictNamespaces
metadata:
name: example
spec:
# match <object>: lets you configure which resources are in scope for this
# constraint. For more information, see the Policy Controller Constraint
# match documentation:
# https://docs.samsungspc.com/kosmos/constraint-match-criteria
match: [match schema]
parameters:
# restrictedNamespaces <array>: A list of Namespaces to restrict.
restrictedNamespaces:
- <string>
K8sRestrictRbacSubjects
Restrict RBAC Subjects v1.0.3
Restricts the use of names in RBAC subjects to permitted values.
Constraint schema
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sRestrictRbacSubjects
metadata:
name: example
spec:
# match <object>: lets you configure which resources are in scope for this
# constraint. For more information, see the Policy Controller Constraint
# match documentation:
# https://docs.samsungspc.com/kosmos/constraint-match-criteria
match: [match schema]
parameters:
# allowedSubjects <array>: The list of names permitted in RBAC subjects.
allowedSubjects:
- # name <string>: The exact name of the allowed subject, or a regular
# expression pattern when `regexMatch` is true.
name: <string>
# regexMatch <boolean>: The flag to allow a regular expression based
# match on the name.
regexMatch: <boolean>
K8sRestrictRoleBindings
Restrict Role Bindings v1.0.3
Restricts the subjects specified in ClusterRoleBindings and RoleBindings to a list of allowed subjects.
Constraint schema
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sRestrictRoleBindings
metadata:
name: example
spec:
# match <object>: lets you configure which resources are in scope for this
# constraint. For more information, see the Policy Controller Constraint
# match documentation:
# https://docs.samsungspc.com/kosmos/constraint-match-criteria
match: [match schema]
parameters:
# allowedSubjects <array>: The list of subjects that are allowed to bind to
# the restricted role.
allowedSubjects:
- # apiGroup <string>: The Kubernetes API group of the subject.
apiGroup: <string>
# kind <string>: The Kubernetes kind of the subject.
kind: <string>
# name <string>: The name of the subject, matched exactly as provided, or
# as a regular expression when `regexMatch` is true.
name: <string>
# regexMatch <boolean>: The flag to allow a regular expression based
# match on the name.
regexMatch: <boolean>
# restrictedRole <object>: The role that cannot be bound to unless
# expressly allowed.
restrictedRole:
# apiGroup <string>: The Kubernetes API group of the role.
apiGroup: <string>
# kind <string>: The Kubernetes kind of the role.
kind: <string>
# name <string>: The name of the role.
name: <string>
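Example constraint
An added example (not from this page or the gatekeeper-library project) that limits who may be bound to the built-in cluster-admin ClusterRole. The break-glass group naming scheme is an assumption:

```yaml
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sRestrictRoleBindings
metadata:
  name: cluster-admin-only-for-platform-team
spec:
  match:
    kinds:
      - apiGroups: ["rbac.authorization.k8s.io"]
        kinds: ["ClusterRoleBinding", "RoleBinding"]
  parameters:
    # The role being protected. A RoleBinding that grants cluster-admin inside
    # a single namespace is caught too, because its roleRef still names it.
    restrictedRole:
      apiGroup: rbac.authorization.k8s.io
      kind: ClusterRole
      name: cluster-admin
    allowedSubjects:
      # Exact match: the bootstrap group the API server trusts by default.
      - apiGroup: rbac.authorization.k8s.io
        kind: Group
        name: system:masters
        regexMatch: false
      # Regex match: break-glass groups following an assumed naming scheme.
      - apiGroup: rbac.authorization.k8s.io
        kind: Group
        name: "^platform-breakglass-[a-z0-9]+$"
        regexMatch: true
```

Any binding to cluster-admin whose subjects include a User, ServiceAccount or other Group not on this list is rejected at admission. Bindings that already exist are not revoked; they appear only in the constraint's audit results, so review those after applying the constraint.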
K8sRestrictRoleRules
Restrict Role and ClusterRole rules. v1.0.4
Restricts rules that can be set on Role and ClusterRole objects.
Constraint schema
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sRestrictRoleRules
metadata:
name: example
spec:
# match <object>: lets you configure which resources are in scope for this
# constraint. For more information, see the Policy Controller Constraint
# match documentation:
# https://docs.samsungspc.com/kosmos/constraint-match-criteria
match: [match schema]
parameters:
# allowedRules <array>: AllowedRules is the list of rules that are allowed
# on Role or ClusterRole objects. If set, any rule not on this list will be
# rejected.
allowedRules:
- # apiGroups <array>: APIGroups is the name of the APIGroup that
# contains the resources. If multiple API groups are specified, any
# action requested against one of the enumerated resources in any API
# group will be allowed. "" represents the core API group and "*"
# represents all API groups.
apiGroups:
- <string>
# resources <array>: Resources is a list of resources this rule
# applies to. '*' represents all resources.
resources:
- <string>
# verbs <array>: Verbs is a list of Verbs that apply to ALL the
# ResourceKinds contained in this rule. '*' represents all verbs.
verbs:
- <string>
# disallowedRules <array>: DisallowedRules is the list of rules that are
# NOT allowed on Role or ClusterRole objects. If set, any rule matching an
# item on this list will be rejected.
disallowedRules:
- # apiGroups <array>: APIGroups is the name of the APIGroup that
# contains the resources. If multiple API groups are specified, any
# action requested against one of the enumerated resources in any API
# group will be disallowed. "" represents the core API group and "*"
# represents all API groups.
apiGroups:
- <string>
# resources <array>: Resources is a list of resources this rule
# applies to. '*' represents all resources.
resources:
- <string>
# verbs <array>: Verbs is a list of Verbs that apply to ALL the
# ResourceKinds contained in this rule. '*' represents all verbs.
verbs:
- <string>
# exemptions <object>: Exemptions is the list of Roles and/or ClusterRoles
# names that are allowed to violate this policy.
exemptions:
clusterRoles:
- # name <string>: Name is the name or a pattern of the ClusterRole
# to be exempted.
name: <string>
# regexMatch <boolean>: RegexMatch is the flag to toggle exact vs
# regex match of the ClusterRole name.
regexMatch: <boolean>
roles:
- # name <string>: Name is the name of the Role to be exempted.
name: <string>
# namespace <string>: Namespace is the namespace of the Role to be
# exempted.
namespace: <string>
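A filled-in K8sRestrictRoleRules constraint, added here as an example and not taken from the page or the Policy Controller library. It blocks the two Role/ClusterRole rules most often behind privilege escalation in a cluster: the full wildcard rule (every verb on every resource in every API group) and read access to Secrets in the core API group, while exempting the built-in `system:` ClusterRoles and `cluster-admin`. The constraint name, the exemption patterns and the `secret-reader` Role in the `vault` namespace are constructed for this example.

```yaml
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sRestrictRoleRules
metadata:
  name: deny-wildcard-and-secret-rules   # constructed name
spec:
  match:
    # Only RBAC Role and ClusterRole objects are in scope.
    kinds:
    - apiGroups: ["rbac.authorization.k8s.io"]
      kinds: ["Role", "ClusterRole"]
  parameters:
    disallowedRules:
    # A rule granting every verb on every resource in every API group.
    - apiGroups: ["*"]
      resources: ["*"]
      verbs: ["*"]
    # Read access to Secrets in the core API group ("").
    - apiGroups: [""]
      resources: ["secrets"]
      verbs: ["get", "list", "watch"]
    exemptions:
      clusterRoles:
      # Kubernetes' own bootstrap ClusterRoles, matched by regex.
      - name: "^system:.*"
        regexMatch: true
      # cluster-admin is matched exactly.
      - name: cluster-admin
        regexMatch: false
      roles:
      # A namespaced Role that legitimately needs to read Secrets (constructed).
      - name: secret-reader
        namespace: vault
```

The schema above does not say how a Role rule that only partially overlaps a disallowed entry (for example `verbs: ["get"]` on `secrets`) is judged, so before relying on the constraint, apply a sample Role with `kubectl apply --dry-run=server` and confirm the admission decision matches what you expect.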
K8sStorageClass
Storage Class v1.1.2
Requires storage classes to be specified when used. Only Gatekeeper 3.9+ and non-ephemeral containers are supported.
Constraint schema
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sStorageClass
metadata:
  name: example
spec:
  # match <object>: lets you configure which resources are in scope for this
  # constraint. For more information, see the Policy Controller Constraint
  # match documentation:
  # https://docs.samsungspc.com/kosmos/constraint-match-criteria
  match: [match schema]
  parameters:
    # allowedStorageClasses <array>: An optional allow-list of storage classes.
    # If specified, any storage class not in the `allowedStorageClasses`
    # parameter is disallowed.
    allowedStorageClasses:
    - <string>
    # includeStorageClassesInMessage <boolean>: Whether the list of allowed
    # storage classes is included in the violation message.
    includeStorageClassesInMessage: <boolean>
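A filled-in K8sStorageClass constraint, added here as an example and not taken from the page or the Policy Controller library. Pinning persistent volume claims to an approved set of storage classes keeps workload data off unencrypted or shared backends and off the cluster default class. The constraint name and the storage class names are constructed; matching `PersistentVolumeClaim` and `StatefulSet` (whose `volumeClaimTemplates` create PVCs) is this example's choice of scope, not a requirement stated on the page.

```yaml
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sStorageClass
metadata:
  name: require-approved-storage-class   # constructed name
spec:
  match:
    kinds:
    # PVCs created directly.
    - apiGroups: [""]
      kinds: ["PersistentVolumeClaim"]
    # PVCs created through StatefulSet volumeClaimTemplates.
    - apiGroups: ["apps"]
      kinds: ["StatefulSet"]
    # Control-plane add-ons are managed separately and stay out of scope.
    excludedNamespaces: ["kube-system"]
  parameters:
    # Only these storage classes may be requested (constructed names).
    allowedStorageClasses:
    - encrypted-gp3
    - encrypted-io2
    # Tell the author of a rejected object which classes they may use.
    includeStorageClassesInMessage: true
```

Because the policy only evaluates objects that pass through admission, audit the existing PVCs once the constraint is in place so claims created before it was applied are found as well.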
What’s next
- Learn more about Policy Controller
- Install Policy Controller
- Learn how to use constraints instead of PodSecurityPolicies
- View the open source library of constraint templates in the gatekeeper-library repository
