To enable this feature, first make sure OPA/Gatekeeper is activated.

This section lets you turn Open Policy Agent (OPA) / Gatekeeper policies on or off and set the default parameters the policies use.
- Add any image tags for containers that are not allowed in your cluster.
- Set global compute limits for your containers.
- Add globally allowed repositories for version control.
- Set policies for the host filesystem of all Kubernetes cluster nodes.
- Default user (UID) settings that containers are forced to run with. It is recommended to at least set 'runAsUser' to 'MustRunAsNonRoot' to disallow root.
- Whether a pod is allowed to access the host PID namespace or host IPC, or whether a pod may define host aliases.
- Whether a pod can access ports on the host.
- Whether privileged containers can escalate to root privileges on the node.
- Whether to allow containers with sufficient capabilities granted to obtain escalated access.
- Determine which system controls (sysctls) are allowed or not.
- Prevents an application from accessing files it should not access.
- Reduces the chance that a kernel vulnerability will be successfully exploited.
See the OPA Gatekeeper policy library, which is the source of the policies listed here. We selected the policies that are usable for Otomi and adapted them so that Conftest can also use them for static analysis of the manifests Otomi generates.
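As an added illustration of what a Conftest-compatible version of the "banned image tags" policy looks like, here is a Rego policy written for this page; it is not the policy from the OPA Gatekeeper library or from Otomi. The `banned_tags` set is a constructed stand-in for the parameters that a Gatekeeper constraint would supply, and the policy assumes Conftest's default `main` package and `deny` rule convention.

```rego
package main

import future.keywords.in

# Constructed parameters: in Gatekeeper these come from the constraint's
# parameters; for Conftest static analysis they are hardcoded here.
banned_tags := {"latest", "master"}

# Containers of a bare Pod.
containers[c] {
	input.kind == "Pod"
	c := input.spec.containers[_]
}

# Containers of a workload with a pod template (Deployment, StatefulSet, ...).
containers[c] {
	input.kind != "Pod"
	c := input.spec.template.spec.containers[_]
}

# Last path segment of an image reference, so that a registry port
# ("registry:5000/app") is not mistaken for a tag.
last_segment(image) := s {
	segs := split(image, "/")
	s := segs[count(segs) - 1]
}

# Explicit tag ("app:1.2.3"); digest-pinned images ("app@sha256:...") are skipped.
image_tag(image) := tag {
	last := last_segment(image)
	not contains(last, "@")
	parts := split(last, ":")
	count(parts) == 2
	tag := parts[1]
}

# No tag at all means the implicit "latest" tag.
image_tag(image) := "latest" {
	last := last_segment(image)
	not contains(last, "@")
	not contains(last, ":")
}

deny[msg] {
	some c in containers
	tag := image_tag(c.image)
	tag in banned_tags
	msg := sprintf("container %q uses banned image tag %q (image %q)", [c.name, tag, c.image])
}
```

Running `conftest test deployment.yaml` against a manifest whose container image is `nginx` or `registry:5000/app:latest` yields a deny message, while `registry:5000/app:1.2.3` passes.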