SIGHUP designed some constraint templates to let you start using Gatekeeper constraints engine with SIGHUP supported ones.
A Constraint template describes both the Rego that enforces the constraint and the schema of the constraint. The schema of the constraint allows an admin to fine-tune the behavior of a constraint, much like arguments to a function.
SIGHUP base constraint templates
Below, you can find a list of constraint templates shipped with Kubernetes Fury Distribution (starting from v1.2.0).
k8slivenessprobe: Deny pods that don't declare
k8sreadinessprobe: Deny pods that don't declare
k8suniqueingresshost: Deny duplicated ingress across the cluster.
k8suniqueserviceselector: Deny duplicated services selector in the same namespace.
securitycontrols: Deny container images with
latesttag, with no limits declared (both cpu and memory), with privilege escalation capability and root containers.
Creating a constraint from a SIGHUP base constraint template is as easy as declaring a new CRD:
--- apiVersion: constraints.gatekeeper.sh/v1beta1 kind: K8sLivenessProbe metadata: name: liveness-probe spec: enforcementAction: deny match: excludedNamespaces: - kube-system kinds: - apiGroups: ["apps", "extensions"] kinds: ["Deployment"]
Take a look to
the official documentation
to better understand how to create
First Free tip: change
enforcementAction value to
dryrun if you are not sure if you are passing the constraint.
Second free tip: Take a look to Gatekeeper Policy Manager if you want to understand what is the status of your constraints.
Was this page helpful?
Glad to hear it! Thanks for letting us know!
Sorry to hear that. Please tell us how we can improve.