mygithub.libinneed.workers.dev/plexsystems/konstraint
Konstraint is a CLI tool to assist with the creation and management of templates and constraints when using Gatekeeper.
go install github.com/plexsystems/konstraint@latest
A docker image is also provided for each release:
docker run -v $PWD:/konstraint ghcr.io/plexsystems/konstraint create /konstraint/examples
To create the Gatekeeper resources, use konstraint create <policy_dir>.
To generate the accompanying documentation, use konstraint doc <policy_dir>.
Both commands support the --output flag to specify where to save the output. For more detailed usage documentation, see the CLI Documentation.
When writing policies for Gatekeeper, the Rego must be added to ConstraintTemplates in order for Gatekeeper to enforce the policy. This creates a scenario in which the Rego is written in a .rego file, and then copied into the ConstraintTemplate. When a change is needed to be made to the Rego, both instances must be updated.
Gatekeeper supports importing libraries into ConstraintTemplates with the libs field. If a change is required to the imported library, every template must be updated to include this new change.
With Gatekeeper, policies are evaluated in the context of an AdmissionReview. This means that policies are typically written with a prefix of input.review.object.
With Conftest, policies are written against yaml files.
This creates a scenario where the policy needs to be written differently depending upon the context in which the policy is being evaluated in.
In the examples/lib directory, there are multiple libraries that enable policies to be written for both Conftest and Gatekeeper.
You can include as little or as many of these libraries into your policies as desired.
By first validating the Kubernetes manifests with Conftest on a local machine, we can catch manifests that would otherwise violate policy without needing to deploy to a cluster running Gatekeeper.
Konstraint ran without error, but I don't see any new files.
This typically means no policies were found, or the policies did not have any violation[] rules, so they are not compatible with Gatekeeper.
For more information, see How Constraints are Created.
My ConstraintTemplates are missing the input parameters
Input parameters can be specified by using one or more @parameter <name> <type> tags in the comment header block. If you use input parameters, Konstraint will skip generating the Constraint resource for that policy.
For more information, see Using Input Parameters.
FAQs
Unknown package
Did you know?
Socket for GitHub automatically highlights issues in each pull request and monitors the health of all your open source dependencies. Discover the contents of your packages and block harmful activity before you install or update your dependencies.
Security News
This episode explores the hard problem of reachability analysis, from static analysis limits to handling dynamic languages and massive dependency trees.
Security News
/Research
Malicious Nx npm versions stole secrets and wallet info using AI CLI tools; Socket’s AI scanner detected the supply chain attack and flagged the malware.
Security News
CISA’s 2025 draft SBOM guidance adds new fields like hashes, licenses, and tool metadata to make software inventories more actionable.