Constraint Templates allow you to declare new Constraints. They are intended to work as a schema for Constraint parameters and enforce their behavior.
The Constraint Templates view under the OPA menu in the Admin Panel allows adding, editing and deleting Constraint Templates.
Adding Constraint Templates
Constraint Templates can be added by clicking the + Add Constraint Template icon in the top right corner of the view.
Spec is the only field that needs to be filled in, and it takes the template specification as YAML. Clicking + Add Constraint Template creates the new Constraint Template.
The following example requires all labels that are described by the Constraint to be present:
crd:
  spec:
    names:
      kind: K8sRequiredLabels
    validation:
      # Schema for the `parameters` field
      openAPIV3Schema:
        properties:
          labels:
            type: array
            items:
              type: string
targets:
  - target: admission.k8s.gatekeeper.sh
    rego: |
      package k8srequiredlabels
      violation[{"msg": msg, "details": {"missing_labels": missing}}] {
        # Labels present on the object under review
        provided := {label | input.review.object.metadata.labels[label]}
        # Labels demanded by the Constraint's parameters
        required := {label | label := input.parameters.labels[_]}
        missing := required - provided
        count(missing) > 0
        msg := sprintf("you must provide labels: %v", [missing])
      }
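The two roles of the template above (schema for the Constraint's parameters, and the rule that is enforced) can be traced with a small Python model. This is an added example, not Gatekeeper or Kubermatic code; the function names, the `owner`/`team` labels and the sample objects are constructed for illustration.

```python
# Python model of the K8sRequiredLabels template: it mirrors the schema check
# on `parameters` and the Rego rule `missing := required - provided`.
# Hypothetical helper names; not part of Gatekeeper.

def validate_parameters(parameters):
    """Check Constraint parameters against the template schema:
    `labels` must be an array whose items are strings."""
    labels = parameters.get("labels", [])
    if not isinstance(labels, list):
        raise ValueError("parameters.labels must be an array")
    for item in labels:
        if not isinstance(item, str):
            raise ValueError(f"parameters.labels items must be strings, got {item!r}")
    return labels


def violations(review_object, parameters):
    """Return the violations the rule would report for one object."""
    required = set(validate_parameters(parameters))
    # metadata.labels may be absent entirely; the Rego comprehension then
    # yields an empty set, so every required label is reported as missing.
    provided = set((review_object.get("metadata") or {}).get("labels") or {})
    missing = sorted(required - provided)  # sorted only for stable output
    if not missing:
        return []
    return [{
        "msg": f"you must provide labels: {missing}",
        "details": {"missing_labels": missing},
    }]


# Constructed sample data: one Constraint's parameters and three objects.
PARAMS = {"labels": ["owner", "team"]}
LABELLED = {"kind": "Namespace",
            "metadata": {"name": "a", "labels": {"owner": "x", "team": "y"}}}
PARTIAL = {"kind": "Namespace",
           "metadata": {"name": "b", "labels": {"owner": "x"}}}
UNLABELLED = {"kind": "Namespace", "metadata": {"name": "c"}}

if __name__ == "__main__":
    for obj in (LABELLED, PARTIAL, UNLABELLED):
        print(obj["metadata"]["name"], violations(obj, PARAMS))
```

The unlabelled object is the case to watch when rolling out such a Constraint: an object with no `labels` map at all violates every required label at once.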
Editing Constraint Templates
Constraint Templates can be edited after clicking on the pencil icon that appears when hovering over one of the rows. The form is identical to the one from creation.
Deleting Constraint Templates
Constraint Templates can be deleted after clicking on the trash icon that appears when hovering over one of the rows. Note that deleting a Constraint Template will also delete all Constraints that are assigned to it.