Constraint Templates

SIGHUP base constraint templates


SIGHUP ships a set of base constraint templates so you can start using the Gatekeeper constraint engine with templates that SIGHUP supports.

A constraint template describes both the Rego that enforces the constraint and the schema of the constraint's parameters. The schema lets a cluster admin fine-tune the behaviour of each constraint created from the template, much like arguments to a function: the template holds the logic once, and every constraint instance supplies its own parameters and its own match criteria.
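The following is an added, illustrative pair of manifests, not one of SIGHUP's actual templates: a minimal ConstraintTemplate that denies workloads whose containers lack a livenessProbe, with a parameter schema (the `exemptContainers` list) so a constraint can carve out sidecars it does not control, followed by a constraint that instantiates it in `dryrun` mode. The kind name `K8sRequiredLivenessProbe`, the parameter name and the exempted container name are assumptions chosen for the example.

```yaml
# Added example (not SIGHUP's code): template = Rego logic + parameter schema.
apiVersion: templates.gatekeeper.sh/v1beta1
kind: ConstraintTemplate
metadata:
  name: k8srequiredlivenessprobe          # hypothetical name
spec:
  crd:
    spec:
      names:
        kind: K8sRequiredLivenessProbe    # the kind constraints will use
      validation:
        # Parameter schema: this is the "function signature" admins tune.
        openAPIV3Schema:
          properties:
            exemptContainers:             # assumed parameter name
              type: array
              items:
                type: string
  targets:
    - target: admission.k8s.gatekeeper.sh
      rego: |
        package k8srequiredlivenessprobe

        # Containers of a bare Pod ...
        containers[c] {
          c := input.review.object.spec.containers[_]
        }
        # ... or of the Pod template inside a Deployment/StatefulSet/DaemonSet.
        containers[c] {
          c := input.review.object.spec.template.spec.containers[_]
        }

        # True when the container name is listed in the constraint's parameters.
        # If the parameter is unset this is undefined, so nothing is exempt.
        exempt(name) {
          name == input.parameters.exemptContainers[_]
        }

        violation[{"msg": msg}] {
          c := containers[_]
          not c.livenessProbe
          not exempt(c.name)
          msg := sprintf("container <%v> has no livenessProbe", [c.name])
        }
---
# Constraint = one instance of the template with concrete match + parameters.
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sRequiredLivenessProbe
metadata:
  name: require-liveness-probe            # hypothetical name
spec:
  enforcementAction: dryrun               # audit first; switch to deny once clean
  match:
    kinds:
      - apiGroups: [""]
        kinds: ["Pod"]
      - apiGroups: ["apps"]
        kinds: ["Deployment", "StatefulSet", "DaemonSet"]
    excludedNamespaces:
      - kube-system
  parameters:
    exemptContainers: ["istio-proxy"]     # assumed sidecar name for the example
```

Apply both documents with `kubectl apply -f`, then wait for the Gatekeeper audit loop and read `kubectl get K8sRequiredLivenessProbe require-liveness-probe -o jsonpath='{.status.totalViolations}'`: with `dryrun` nothing is blocked, but the constraint's status lists every existing offender, which is what you want before flipping `enforcementAction` to `deny`. Note that the Rego matches both Pods and workload templates on purpose; matching only Pods would reject the Pods a Deployment creates rather than the Deployment itself, which gives the operator a much less useful error.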


SIGHUP base constraint templates

Below is the list of constraint templates shipped with Kubernetes Fury Distribution (starting from v1.2.0).

  • k8slivenessprobe: Deny pods whose containers don't declare a livenessProbe.
  • k8sreadinessprobe: Deny pods whose containers don't declare a readinessProbe.
  • k8suniqueingresshost: Deny an Ingress whose host is already used by another Ingress anywhere in the cluster.
  • k8suniqueserviceselector: Deny a Service whose selector duplicates that of another Service in the same namespace.
  • securitycontrols: Deny containers that use an image with the latest tag, declare no CPU and memory limits, allow privilege escalation, or run as root.


Creating a constraint from a SIGHUP base constraint template is as easy as declaring a new custom resource of the kind that the template defines (the template itself generates the CRD):

apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sLivenessProbe
metadata:
  name: liveness-probe
spec:
  enforcementAction: deny
  match:
    excludedNamespaces:   # assumed match field: the page only showed kube-system listed here
      - kube-system
    kinds:
      - apiGroups: ["apps", "extensions"]
        kinds: ["Deployment"]

Take a look at the official Gatekeeper documentation to better understand how to create Constraints, in particular the match fields (kinds, namespaces, excludedNamespaces, labelSelector) that decide which objects a constraint applies to.

First free tip: set enforcementAction to dryrun if you are not sure whether your existing workloads pass the constraint. Violations are then only reported in the constraint's status instead of being rejected at admission, so you can fix them before switching to deny.

Second free tip: take a look at Gatekeeper Policy Manager if you want a quick overview of the status of your constraints and of the violations found by the audit.

Last modified 07.01.2021: Update docs with v1.5 details (dadea1c)