Skip to content

Constraint Templates

Constraint Templates describes both the Rego that enforces the Constraint and the schema of the Constraint. The Constraint schema allows an admin to fine-tune the behavior, much like arguments to a function. For example, a Constraint Template can be created to check all the labels described in a Constraint to be present. Templates are always defined in YAML format.


Create New Template

Perform the below steps to create a new Constraint Template:

  • Login to the Controller and select Constraint Templates under OPA Gatekeeper. Users can view the list of existing templates on the Constraint Templates page
  • Click New Template
  • Provide a name for the template and select an Artifact Sync option
  • To upload a file from the system, select the Upload files manually option
  • To use the files available from the git repository, select the Pull files from repository option
  • Click Create to proceed or Cancel to abort the process

Example of YAML file:

apiVersion: templates.gatekeeper.sh/v1
kind: ConstraintTemplate
metadata:
  name: k8sreplicalimits
  annotations:
    description: >-
      Requires that objects with the field `spec.replicas` (Deployments,
      ReplicaSets, etc.) specify a number of replicas within defined ranges.
spec:
  crd:
    spec:
      names:
        kind: K8sReplicaLimits
      validation:
        # Schema for the `parameters` field
        openAPIV3Schema:
          type: object
          properties:
            ranges:
              type: array
              description: Allowed ranges for numbers of replicas.  Values are inclusive.
              items:
                type: object
                description: A range of allowed replicas.  Values are inclusive.
                properties:
                  min_replicas:
                    description: The minimum number of replicas allowed, inclusive.
                    type: integer
                  max_replicas:
                    description: The maximum number of replicas allowed, inclusive.
                    type: integer
  targets:
    - target: admission.k8s.gatekeeper.sh
      rego: |
        package k8sreplicalimits

        deployment_name = input.review.object.metadata.name

        violation[{"msg": msg}] {
            spec := input.review.object.spec
            not input_replica_limit(spec)
            msg := sprintf("The provided number of replicas is not allowed for deployment: %v. Allowed ranges: %v", [deployment_name, input.parameters])
        }

        input_replica_limit(spec) {
            provided := input.review.object.spec.replicas
            count(input.parameters.ranges) > 0
            range := input.parameters.ranges[_]
            value_within_range(range, provided)
        }

        value_within_range(range, value) {
            range.min_replicas <= value
            range.max_replicas >= value
        }

OPA New Template

  • Click Choose File and upload the YAML file (if the Upload files manually option was chosen)
  • Select the name of the repository from the drop-down and enter the path for the YAML file (if the Pull files from repository option was chosen)

Advanced Settings (Optional)

  • Click Advanced Settings to select any of the provided options
  • force: Enabling force option forces resource updates through a replacement strategy
  • disableOpenAPIValidation: Enabling DisableOpenAPIValidation option prevents the Helm install action from validating rendered templates against the Kubernetes OpenAPI Schema

Below is an example of Upload files manually

Upload Yaml file

Below is an example of Pull files from Repository

Git Pull

  • Click Save & Exit

Edit / Delete Templates

  • Click the Delete icon to delete or Edit icon to edit the existing templates

Edit/Delete

Template Types

Two types of Constraint Templates are Custom and System

  • Templates created by customers are listed as Custom
  • Templates created by system for reference are listed as System. Users can edit but cannot delete the System templates