Constraint Templates

SIGHUP base constraint templates

SIGHUP designed a set of base constraint templates so you can start using the Gatekeeper constraint engine with SIGHUP-supported policies instead of writing your own Rego from scratch.

A Constraint template describes both the Rego that enforces the constraint and the schema of the constraint. The schema of the constraint allows an admin to fine-tune the behavior of a constraint, much like arguments to a function.

source: github.com/open-policy-agent/gatekeeper
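To make the "Rego plus schema" split concrete, here is an illustrative ConstraintTemplate for a liveness-probe check. It is an added example written for this page, not SIGHUP's actual k8slivenessprobe template (whose Rego and schema may differ): the kind name K8sLivenessProbe matches the usage example below, but the exemptImages parameter and the Rego body are assumptions made here.

```yaml
# Illustrative ConstraintTemplate (added example, not the SIGHUP implementation).
apiVersion: templates.gatekeeper.sh/v1beta1
kind: ConstraintTemplate
metadata:
  name: k8slivenessprobe
spec:
  crd:
    spec:
      names:
        kind: K8sLivenessProbe          # kind used by constraints created from this template
      validation:
        # Schema of the constraint's spec.parameters: this is the "function arguments" part.
        # exemptImages is an assumed parameter, added for illustration.
        openAPIV3Schema:
          properties:
            exemptImages:
              type: array
              items:
                type: string
  targets:
    - target: admission.k8s.gatekeeper.sh
      rego: |
        package k8slivenessprobe

        # Containers of a bare Pod ...
        containers[c] {
          c := input.review.object.spec.containers[_]
        }

        # ... or of the pod template inside a workload controller (Deployment, etc.),
        # which is what the usage example below matches on.
        containers[c] {
          c := input.review.object.spec.template.spec.containers[_]
        }

        # A container is exempt when its image is listed in spec.parameters.exemptImages.
        # If no parameters are given this rule is undefined, so nothing is exempt.
        exempt(c) {
          c.image == input.parameters.exemptImages[_]
        }

        # Gatekeeper collects every violation[] result and denies (or audits) the request.
        violation[{"msg": msg}] {
          c := containers[_]
          not c.livenessProbe
          not exempt(c)
          msg := sprintf("container <%v> has no livenessProbe", [c.name])
        }
```

A constraint created from this template sets spec.parameters.exemptImages to an array of image references; anything not allowed by the openAPIV3Schema is rejected by the API server before Gatekeeper ever evaluates the Rego.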

SIGHUP base constraint templates

Below, you can find a list of constraint templates shipped with Kubernetes Fury Distribution (starting from v1.2.0).

  • k8slivenessprobe: Deny pods that don't declare livenessProbe.
  • k8sreadinessprobe: Deny pods that don't declare readinessProbe.
  • k8suniqueingresshost: Deny duplicated ingress across the cluster.
  • k8suniqueserviceselector: Deny duplicated services selector in the same namespace.
  • securitycontrols: Deny containers that use the latest image tag, that declare no CPU or memory limits, that allow privilege escalation, or that run as root.

Usage

Creating a constraint from a SIGHUP base constraint template is as easy as declaring a new custom resource of the template's kind:

---
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sLivenessProbe
metadata:
  name: liveness-probe
spec:
  enforcementAction: deny
  match:
    excludedNamespaces:
      - kube-system
    kinds:
      - apiGroups: ["apps", "extensions"]
        kinds: ["Deployment"]

Take a look at the official documentation to better understand how to create Constraints.

First free tip: change the enforcementAction value to dryrun if you are not sure whether your workloads pass the constraint.

Second free tip: take a look at Gatekeeper Policy Manager if you want to see the status of your constraints.
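Putting the two tips together, here is what a dryrun constraint looks like once Gatekeeper's audit controller has populated its status. This is an added example, not from the original page: the status block is a constructed sample in the shape Gatekeeper writes (auditTimestamp, totalViolations, violations), and the namespace, deployment and container names in it are made up.

```yaml
# Dryrun constraint: violations are recorded in the constraint's status but
# the admission request is still allowed (added example, constructed values).
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sLivenessProbe
metadata:
  name: liveness-probe
spec:
  enforcementAction: dryrun            # switch back to deny once the status is clean
  match:
    excludedNamespaces:
      - kube-system
    kinds:
      - apiGroups: ["apps", "extensions"]
        kinds: ["Deployment"]
# Filled in by the Gatekeeper audit loop; do not write this part yourself.
# Constructed sample output, not taken from a real cluster:
status:
  auditTimestamp: "2020-01-01T00:00:00Z"
  totalViolations: 1
  violations:
    - enforcementAction: dryrun
      kind: Deployment
      namespace: example-ns            # constructed
      name: example-app                # constructed
      message: "container <web> has no livenessProbe"
```

Read status.violations (for example with `kubectl get k8slivenessprobe liveness-probe -o yaml`, or through Gatekeeper Policy Manager) until totalViolations reaches zero, then flip enforcementAction to deny.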