Constraint Templates
A Constraint Template describes both the Rego that enforces a Constraint and the schema of that Constraint. The Constraint schema lets an admin fine-tune the policy's behavior through parameters, much like arguments to a function. For example, a Constraint Template can be written to require that every label listed in a Constraint is present on the admitted object. Templates are always defined in YAML format.
Create New Template
Perform the below steps to create a new Constraint Template:
- Log in to the Controller and select Constraint Templates under OPA Gatekeeper. The Constraint Templates page lists the existing templates
- Click New Template
- Provide a name for the template and select an Artifact Sync option
- To upload a file from the system, select the Upload files manually option
- To use the files available from the git repository, select the Pull files from repository option
- Click Create to proceed or Cancel to abort the process
Example of a YAML file:

```yaml
apiVersion: templates.gatekeeper.sh/v1
kind: ConstraintTemplate
metadata:
  name: k8sreplicalimits
  annotations:
    description: >-
      Requires that objects with the field `spec.replicas` (Deployments,
      ReplicaSets, etc.) specify a number of replicas within defined ranges.
spec:
  crd:
    spec:
      names:
        kind: K8sReplicaLimits
      validation:
        # Schema for the `parameters` field
        openAPIV3Schema:
          type: object
          properties:
            ranges:
              type: array
              description: Allowed ranges for numbers of replicas. Values are inclusive.
              items:
                type: object
                description: A range of allowed replicas. Values are inclusive.
                properties:
                  min_replicas:
                    description: The minimum number of replicas allowed, inclusive.
                    type: integer
                  max_replicas:
                    description: The maximum number of replicas allowed, inclusive.
                    type: integer
  targets:
    - target: admission.k8s.gatekeeper.sh
      rego: |
        package k8sreplicalimits

        deployment_name = input.review.object.metadata.name

        violation[{"msg": msg}] {
          spec := input.review.object.spec
          not input_replica_limit(spec)
          msg := sprintf("The provided number of replicas is not allowed for deployment: %v. Allowed ranges: %v", [deployment_name, input.parameters])
        }

        input_replica_limit(spec) {
          provided := input.review.object.spec.replicas
          count(input.parameters.ranges) > 0
          range := input.parameters.ranges[_]
          value_within_range(range, provided)
        }

        value_within_range(range, value) {
          range.min_replicas <= value
          range.max_replicas >= value
        }
```
- Click Choose File and upload the YAML file (if the Upload files manually option was chosen)
- Select the name of the repository from the drop-down and enter the path for the YAML file (if the Pull files from repository option was chosen)
Advanced Settings (Optional)
- Click Advanced Settings to select any of the provided options:
- force: enabling the force option forces resource updates through a replacement strategy
- disableOpenAPIValidation: enabling the DisableOpenAPIValidation option skips validation of the rendered YAML templates against the Kubernetes OpenAPI schema
(Screenshot: example of the Upload files manually option)
(Screenshot: example of the Pull files from repository option)
- Click Save & Exit
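Once the template is saved, a Constraint instantiates it with concrete parameters. The following is an added example (not from the original page or from the Gatekeeper library): a K8sReplicaLimits Constraint for the template above, followed by a Deployment that it rejects. The namespace `prod`, the constraint name and the container image are assumed values.

```yaml
# Added example: a Constraint that uses the K8sReplicaLimits template.
# The `parameters` block must satisfy the template's openAPIV3Schema
# (an array of objects with integer min_replicas / max_replicas).
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sReplicaLimits
metadata:
  name: replica-limits-prod      # assumed name
spec:
  enforcementAction: deny        # set to "dryrun" to only record audit violations
  match:
    kinds:
      - apiGroups: ["apps"]
        kinds: ["Deployment"]
    namespaces: ["prod"]         # assumed namespace; scope the policy narrowly
  parameters:
    ranges:
      - min_replicas: 3          # inclusive lower bound
        max_replicas: 50         # inclusive upper bound
---
# Added example: a Deployment the Constraint above rejects, because
# spec.replicas (1) is below min_replicas (3). The Rego reports:
# "The provided number of replicas is not allowed for deployment: web. ..."
apiVersion: apps/v1
kind: Deployment
metadata:
  name: web
  namespace: prod
spec:
  replicas: 1
  selector:
    matchLabels:
      app: web
  template:
    metadata:
      labels:
        app: web
    spec:
      containers:
        - name: web
          image: nginx:1.25      # assumed image
```

Raising `replicas` to any value from 3 to 50 makes `value_within_range` succeed and the Deployment is admitted; the `namespaces` selector keeps the deny action from affecting other namespaces.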
Edit / Delete Templates
- Click the Delete icon to delete an existing template, or the Edit icon to edit it
Template Types
There are two types of Constraint Templates: Custom and System
- Templates created by customers are listed as Custom
- Templates created by the system for reference are listed as System. Users can edit System templates but cannot delete them
Important
Users with the Namespace Admin role do not have access to the Constraint Templates page