

A constraint tells Gatekeeper that a Constraint Template needs to be enforced, and specifies how it is enforced by passing the required parameters. The constraint spec also selects the enforcement action (deny, warn or dryrun). By default it is set to deny, i.e. any admission request that results in a violation is denied.

Create New Constraint

Perform the below steps to create a new constraint:

  • Log in to the Controller and select Constraints under OPA Gatekeeper. Users can view the list of existing constraints on the Constraints page
  • Click New Constraint
  • Provide a name for the new constraint and select an Artifact Sync
  • To upload the files from the local system, select Upload files manually; to use files available in a Git repository, select Pull files from repository
  • Select a Constraint Template through which the constraint parameters will be applied
  • Click Create to proceed or Cancel to abort the process


Below is an example of a constraint that sets a minimum of 3 replicas and a maximum of 50 replicas. Applications submitted with fewer than 3 replicas or more than 50 replicas are not allowed.

apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sReplicaLimits
metadata:
  name: replica-limits
spec:
  match:
    kinds:
      - apiGroups: ["apps"]
        kinds: ["Deployment"]
  parameters:
    ranges:
    - min_replicas: 3
      max_replicas: 50

  • Click Choose File and upload the YAML file (if the Upload files manually option was chosen)
  • Select the name of the repository from the drop-down and enter the path for the YAML file (if the Pull files from repository option was chosen)
  • Click Advanced Settings (optional) to select any of the provided options. Refer to Constraint Templates for more information on Advanced Settings


  • Click Save & Exit
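
Before uploading a constraint, it helps to know which workloads it would reject. The following is an added example, not code from the Controller or from Gatekeeper: a small offline pre-check that applies the replica-limits constraint shown above to Deployment manifests and returns the outcome under the selected enforcement action. The function names, the sample workloads and the handling of a missing replicas field are assumptions made for this illustration.

```python
# Constructed copy of the replica-limits constraint from the page.
CONSTRAINT = {
    "kind": "K8sReplicaLimits",
    "metadata": {"name": "replica-limits"},
    "spec": {
        # enforcementAction is omitted, so the default (deny) applies
        "match": {"kinds": [{"apiGroups": ["apps"], "kinds": ["Deployment"]}]},
        "parameters": {"ranges": [{"min_replicas": 3, "max_replicas": 50}]},
    },
}

def api_group(obj):
    # "apps/v1" -> "apps"; core resources ("v1") have the empty group ""
    api_version = obj.get("apiVersion", "")
    return api_version.split("/")[0] if "/" in api_version else ""

def matches(constraint, obj):
    # True when any match.kinds selector covers the object's group and kind
    for sel in constraint["spec"].get("match", {}).get("kinds", []):
        groups, kinds = sel.get("apiGroups", []), sel.get("kinds", [])
        group_ok = "*" in groups or api_group(obj) in groups
        kind_ok = "*" in kinds or obj.get("kind") in kinds
        if group_ok and kind_ok:
            return True
    return False

def evaluate(constraint, obj):
    """Return (verdict, reason); verdict is allow, deny, warn or dryrun."""
    if not matches(constraint, obj):
        return "allow", "not selected by match.kinds"
    # Assumption: a missing spec.replicas is read as 1, the Deployment default
    replicas = obj.get("spec", {}).get("replicas", 1)
    ranges = constraint["spec"]["parameters"]["ranges"]
    if any(r["min_replicas"] <= replicas <= r["max_replicas"] for r in ranges):
        return "allow", f"{replicas} replicas is within the limits"
    # A violation: the constraint's enforcement action decides the outcome
    action = constraint["spec"].get("enforcementAction", "deny")
    return action, f"{replicas} replicas is outside {ranges}"

def deployment(name, replicas=None, kind="Deployment"):
    # Builds a constructed sample workload for the demo below
    spec = {} if replicas is None else {"replicas": replicas}
    return {"apiVersion": "apps/v1", "kind": kind,
            "metadata": {"name": name}, "spec": spec}

if __name__ == "__main__":
    for obj in (deployment("web", 2), deployment("api", 3),
                deployment("batch", 51), deployment("db", 1, "StatefulSet")):
        print(obj["metadata"]["name"], *evaluate(CONSTRAINT, obj))
```

Setting enforcementAction to dryrun or warn in the constraint spec makes the same violations come back as dryrun or warn verdicts instead of deny, which is a low-risk way to measure impact before enforcing.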

Edit / Delete Constraints

  • Click the Delete icon to delete an existing constraint, or the Edit icon to edit it


Constraint Types

There are two types of constraints: Custom and System

  • Constraints created by customers are listed as Custom
  • Constraints created by the system for reference are listed as System. Users can edit but cannot delete System constraints


Users with the Namespace Admin role do not have access to the Constraints page.