OPA/Gatekeeper Constraint Templates
Two OPA/Gatekeeper ConstraintTemplates with Rego policies: one requires resource limits on all containers, the other disallows privileged containers and privilege escalation.
Overview
This template provides two OPA/Gatekeeper ConstraintTemplates with corresponding Constraint instances: one that requires CPU and memory resource limits on all containers (including init and ephemeral containers), and one that blocks privileged containers and privilege escalation. These policies are evaluated at admission time, rejecting non-compliant resources before they run.
Security threat addressed: Without admission control, developers can deploy containers without resource limits (enabling cryptojacking) or with privileged access (enabling container escape). Gatekeeper prevents these misconfigurations at the API server level.
When to use: Deploy Gatekeeper in every production cluster. Start with dryrun enforcement to identify violations, then move to warn, and finally deny for hard enforcement.
Threat Model
- Admission-time enforcement: Non-compliant resources are rejected before they run, providing stronger guarantees than runtime detection.
- Resource hijacking prevention: Requiring CPU/memory limits caps the resources a compromised container can consume.
- Container escape prevention: Blocking privileged mode and privilege escalation eliminates the most common escape vectors.
- Rego policy flexibility: OPA's Rego language, which Gatekeeper evaluates, supports arbitrarily complex policies beyond what the built-in Pod Security Standards (PSS) admission controller provides.
MITRE ATT&CK:
- T1496 — Resource Hijacking: Without resource limits, compromised containers monopolize node resources for cryptomining.
- T1611 — Escape to Host: Privileged containers and privilege escalation enable container-to-host escape.
Real-world scenario: A developer creates a Deployment without resource limits. Gatekeeper’s webhook intercepts the API request and returns a clear error message explaining which containers are missing limits, preventing the deployment before any pods are created.
YAML Source
# ConstraintTemplate -- K8sRequireResourceLimits
apiVersion: templates.gatekeeper.sh/v1
kind: ConstraintTemplate
metadata:
  name: k8srequireresourcelimits
  labels:
    app.kubernetes.io/name: k8s-security
    app.kubernetes.io/part-of: k8s-security-pro
    app.kubernetes.io/managed-by: k8s-security-pro
spec:
  crd:
    spec:
      names:
        kind: K8sRequireResourceLimits
      validation:
        # Parameters accepted by each K8sRequireResourceLimits Constraint instance
        openAPIV3Schema:
          type: object
          properties:
            resources:
              type: array
              items:
                type: string
                enum: [cpu, memory]
          required: [resources]
  targets:
    - target: admission.k8s.gatekeeper.sh
      rego: |
        package k8srequireresourcelimits

        # input_containers and has_resource_limit are helper rules defined in the
        # truncated part of the policy below.
        violation[{"msg": msg}] {
          container := input_containers[_]
          required := input.parameters.resources[_]
          not has_resource_limit(container, required)
          msg := sprintf(
            "Container '%v' does not have a resource limit for '%v'.",
            [container.name, required]
          )
        }

        # ... truncated -- get full Rego policies and privileged container template at k8s-security.pro/pricing
Get the complete template with both ConstraintTemplates (resource limits + no-privileged), Constraint instances, rollout strategy guide, and helper functions in the Enterprise tier.
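A complete policy in the style of the truncated template above, written here as an added example (it is not the product's own Rego and not Gatekeeper's policy library): it defines the input_containers and has_resource_limit helpers the snippet calls, and for brevity carries the privileged-container and allowPrivilegeEscalation rules in the same package, whereas a real rollout splits them into the two ConstraintTemplates this page describes. It assumes Gatekeeper's admission input shape (input.review.object), Constraints that match Pods, and Rego v0 syntax as used by Gatekeeper templates; the package name k8spodbaseline is made up for this example.

```rego
package k8spodbaseline

# Gatekeeper hands the admitted object to the policy as input.review.object.
# Assumes the Constraint matches Pods; for Deployments the same fields live
# under spec.template.spec (or let Gatekeeper's ExpansionTemplate generate Pods).
input_containers[c] { c := input.review.object.spec.containers[_] }
input_containers[c] { c := input.review.object.spec.initContainers[_] }
input_containers[c] { c := input.review.object.spec.ephemeralContainers[_] }

# A limit counts only if the key exists and is non-empty; a missing
# resources.limits map makes the lookup undefined, so the helper fails.
has_resource_limit(container, resource) {
    limit := container.resources.limits[resource]
    limit != ""
}

# Rule 1: every container carries a limit for each resource named in the
# Constraint (parameters.resources: [cpu, memory]).
violation[{"msg": msg}] {
    container := input_containers[_]
    required := input.parameters.resources[_]
    not has_resource_limit(container, required)
    msg := sprintf("Container '%v' does not have a resource limit for '%v'.", [container.name, required])
}

# Rule 2: privileged mode is rejected outright.
violation[{"msg": msg}] {
    container := input_containers[_]
    container.securityContext.privileged == true
    msg := sprintf("Container '%v' runs privileged.", [container.name])
}

# Rule 3: allowPrivilegeEscalation must be explicitly false. Leaving the
# field unset does not disable escalation, so "unset" is a violation here,
# matching the Pod Security Standards restricted profile.
violation[{"msg": msg}] {
    container := input_containers[_]
    not escalation_disabled(container)
    msg := sprintf("Container '%v' must set securityContext.allowPrivilegeEscalation: false.", [container.name])
}

escalation_disabled(container) {
    container.securityContext.allowPrivilegeEscalation == false
}
```

Each violation rule is evaluated independently, so a Pod with a privileged init container that also lacks a memory limit produces one message per failed rule, which is what makes the admission error actionable for the developer.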
Installation
kubectl:
# Install Gatekeeper
helm repo add gatekeeper https://open-policy-agent.github.io/gatekeeper/charts
helm install gatekeeper gatekeeper/gatekeeper -n gatekeeper-system --create-namespace
# Apply templates and constraints
kubectl apply -f 17_gatekeeper_constraint.yaml
Helm:
helm install k8s-security ./charts/k8s-security -f values-prod.yaml
Kustomize:
kubectl apply -k kustomize/overlays/prod
Verification
# Verify Gatekeeper is running
kubectl get pods -n gatekeeper-system
# Check ConstraintTemplates
kubectl get constrainttemplates
# Check Constraints
kubectl get constraints
# Test resource limits enforcement
kubectl run test-no-limits --image=nginx --restart=Never
# Expected: Error -- does not have a resource limit
# Check audit results
kubectl get k8srequireresourcelimits -o yaml | grep -A5 violations
CIS Benchmark References
- 5.2.1 — Ensure that the cluster has at least one active policy control mechanism in place. Gatekeeper satisfies this requirement.
- 5.2.6 — Minimize the admission of containers lacking resource limits. The K8sRequireResourceLimits template enforces this.
- 5.2.7 — Minimize the admission of privileged containers. The K8sDisallowPrivilegedContainers template enforces this.
- 5.2.8 — Minimize the admission of containers with allowPrivilegeEscalation. The privileged containers template checks this.
MITRE ATT&CK References
- T1496 — Resource Hijacking: Requiring resource limits prevents unbounded CPU/memory consumption for cryptojacking.
- T1611 — Escape to Host: Blocking privileged mode and privilege escalation removes the primary container escape vectors.
Further Reading
- Kubernetes CIS Benchmark and SOC2 Compliance: A Practical Guide — See how OPA/Gatekeeper policies map to CIS 5.2.1 and SOC2 CC6.3 authorization controls.
Get Full Access to This Template
This template is included in the Enterprise tier and above.