Skip to main content


This repo contains common policies needed in Pod Security Policy but implemented as Constraints and Constraint Templates with Gatekeeper.

A Pod Security Policy is a cluster-level resource that controls security sensitive aspects of the pod specification. The PodSecurityPolicy objects define a set of conditions that a pod must run with in order to be accepted into the system, as well as defaults for the related fields.

An administrator can control the following by setting the field in PSP or by deploying the corresponding Gatekeeper constraint and constraint templates:

Control AspectField Names in PSPGatekeeper Constraint and Constraint Template
Running of privileged containersprivilegedprivileged-containers
Usage of host namespaceshostPID, hostIPChost-namespaces
Usage of host networking and portshostNetwork, hostPortshost-network-ports
Usage of volume typesvolumesvolumes
Usage of the host filesystemallowedHostPathshost-filesystem
Approved list of flex-volume driversallowedFlexVolumesflexvolume-drivers
Requiring the use of a read only root file systemreadOnlyRootFilesystemread-only-root-filesystem
The user and group IDs of the containerrunAsUser, runAsGroup, supplementalGroups, fsgroupusers
Restricting escalation to root privilegesallowPrivilegeEscalation, defaultAllowPrivilegeEscalationallow-privilege-escalation
Linux capabilitiesdefaultAddCapabilities, requiredDropCapabilities, allowedCapabilitiescapabilities
The SELinux context of the containerseLinuxseLinux
The allowed Proc mount types for the containerallowedProcMountTypesproc-mount
The AppArmor profile used by containersannotationsapparmor
The seccomp profile used by containersannotationsseccomp
The sysctl profile used by containersforbiddenSysctls,allowedUnsafeSysctlsforbidden-sysctls