cloudoperators · mikolajkucinski · Jun 18, 2026 · Jun 7, 2026 · Jun 7, 2026 · Jun 18, 2026
@@ -4,8 +4,8 @@
 apiVersion: v2
 description: Helm chart deploying OPA Gatekeeper ConstraintTemplates and Constraints for Kubernetes admission control.
 name: gatekeeper-config
-version: 0.1.0
-appVersion: 0.1.0
+version: 0.2.0
+appVersion: 0.2.0
 icon: https://raw.githubusercontent.com/open-policy-agent/gatekeeper/master/logo/gatekeeper-horizontal-color.png
 keywords:
   - gatekeeper

@@ -0,0 +1,20 @@
+{{- if .Values.policies.forbiddenClusterwideObjects.enabled }}
+# SPDX-FileCopyrightText: 2026 SAP SE or an SAP affiliate company and Greenhouse contributors
+# SPDX-License-Identifier: Apache-2.0
+apiVersion: constraints.gatekeeper.sh/v1beta1
+kind: GkForbiddenClusterwideObjects
+metadata:
+  name: forbidden-clusterwide-objects
+  labels:
+    severity: 'debug'
+spec:
+  enforcementAction: {{ .Values.policies.forbiddenClusterwideObjects.enforcementAction }}
+  match:
+    kinds:
+      - apiGroups: ["admissionregistration.k8s.io"]
+        kinds: ["MutatingWebhookConfiguration", "ValidatingWebhookConfiguration"]
+    scope: Cluster
+  parameters:
+    allowedWebhooks:
+      {{- toYaml .Values.policies.forbiddenClusterwideObjects.allowedWebhooks | nindent 6 }}
+{{- end }}
@@ -0,0 +1,24 @@
+{{- if .Values.policies.imagesFromApprovedRegistries.enabled }}
+# SPDX-FileCopyrightText: 2026 SAP SE or an SAP affiliate company and Greenhouse contributors
+# SPDX-License-Identifier: Apache-2.0
+apiVersion: constraints.gatekeeper.sh/v1beta1
+kind: GkImagesFromApprovedRegistries
+metadata:
+  name: images-from-approved-registries
+  labels:
+    severity: 'warning'
+spec:
+  enforcementAction: {{ .Values.policies.imagesFromApprovedRegistries.enforcementAction }}
+  match:
+    kinds:
+      - apiGroups: ["apps"]
+        kinds: ["Deployment", "DaemonSet", "StatefulSet", "ReplicaSet"]
+      - apiGroups: [""]
+        kinds: ["Pod"]
+      - apiGroups: ["batch"]
+        kinds: ["Job", "CronJob"]
+    scope: Namespaced
+  parameters:
+    allowedRegistries:
+      {{- toYaml .Values.policies.imagesFromApprovedRegistries.allowedRegistries | nindent 6 }}
+{{- end }}
@@ -0,0 +1,24 @@
+{{- if .Values.policies.pciForbiddenImages.enabled }}
+# SPDX-FileCopyrightText: 2026 SAP SE or an SAP affiliate company and Greenhouse contributors
+# SPDX-License-Identifier: Apache-2.0
+apiVersion: constraints.gatekeeper.sh/v1beta1
+kind: GkPCIForbiddenImages
+metadata:
+  name: pci-forbidden-images
+  labels:
+    severity: 'error'
+spec:
+  enforcementAction: {{ .Values.policies.pciForbiddenImages.enforcementAction }}
+  match:
+    kinds:
+      - apiGroups: ["apps"]
+        kinds: ["Deployment", "DaemonSet", "StatefulSet", "ReplicaSet"]
+      - apiGroups: [""]
+        kinds: ["Pod"]
+      - apiGroups: ["batch"]
+        kinds: ["Job", "CronJob"]
+    scope: Namespaced
+  parameters:
+    patterns:
+      {{- toYaml .Values.policies.pciForbiddenImages.patterns | nindent 6 }}
+{{- end }}
@@ -0,0 +1,24 @@
+{{- if .Values.policies.podRequiredLabels.enabled }}
+# SPDX-FileCopyrightText: 2026 SAP SE or an SAP affiliate company and Greenhouse contributors
+# SPDX-License-Identifier: Apache-2.0
+apiVersion: constraints.gatekeeper.sh/v1beta1
+kind: GkPodRequiredLabels
+metadata:
+  name: pod-required-labels
+  labels:
+    severity: 'warning'
+spec:
+  enforcementAction: {{ .Values.policies.podRequiredLabels.enforcementAction }}
+  match:
+    kinds:
+      - apiGroups: ["apps"]
+        kinds: ["Deployment", "DaemonSet", "StatefulSet", "ReplicaSet"]
+      - apiGroups: [""]
+        kinds: ["Pod"]
+      - apiGroups: ["batch"]
+        kinds: ["Job", "CronJob"]
+    scope: Namespaced
+  parameters:
+    requiredLabels:
+      {{- toYaml .Values.policies.podRequiredLabels.requiredLabels | nindent 6 }}
+{{- end }}
@@ -0,0 +1,24 @@
+{{- if .Values.policies.podSecurityV2.enabled }}
+# SPDX-FileCopyrightText: 2026 SAP SE or an SAP affiliate company and Greenhouse contributors
+# SPDX-License-Identifier: Apache-2.0
+apiVersion: constraints.gatekeeper.sh/v1beta1
+kind: GkPodSecurityV2
+metadata:
+  name: pod-security-v2
+  labels:
+    severity: 'debug'
+spec:
+  enforcementAction: {{ .Values.policies.podSecurityV2.enforcementAction }}
+  match:
+    kinds:
+      - apiGroups: ["apps"]
+        kinds: ["Deployment", "DaemonSet", "StatefulSet", "ReplicaSet"]
+      - apiGroups: [""]
+        kinds: ["Pod"]
+      - apiGroups: ["batch"]
+        kinds: ["Job", "CronJob"]
+    scope: Namespaced
+  parameters:
+    allowlist:
+      {{- toYaml .Values.policies.podSecurityV2.allowlist | nindent 6 }}
+{{- end }}
@@ -0,0 +1,44 @@
+{{- if .Values.policies.forbiddenClusterwideObjects.enabled }}
+# SPDX-FileCopyrightText: 2026 SAP SE or an SAP affiliate company and Greenhouse contributors
+# SPDX-License-Identifier: Apache-2.0
+apiVersion: templates.gatekeeper.sh/v1
+kind: ConstraintTemplate
+metadata:
+  name: gkforbiddenclusterwideobjects
+spec:
+  crd:
+    spec:
+      names:
+        kind: GkForbiddenClusterwideObjects
+      validation:
+        openAPIV3Schema:
+          type: object
+          properties:
+            allowedWebhooks:
+              type: array
+              items:
+                description: name of an admission webhook that is allowed to exist
+                type: string
+
+  targets:
+    - target: admission.k8s.gatekeeper.sh
+      code:
+        - engine: Rego
+          source:
+            version: "v1"
+            libs:
+              - |
+{{ include "gatekeeper-config.lib.add_support_labels" . | indent 16 }}
+            rego: |
+              package forbiddenclusterwideobjects
+
+              import data.lib.add_support_labels
+
+              iro := input.review.object
+
+              violation contains {"msg": add_support_labels.from_k8s_object(iro, msg)} if {
+                  webhook := iro.webhooks[_]
+                  not webhook.name in {n | n := input.parameters.allowedWebhooks[_]}
+                  msg := sprintf("webhook %q does not match the configured allowlist", [webhook.name])
+              }
+{{- end }}
@@ -0,0 +1,54 @@
+{{- if .Values.policies.imagesFromApprovedRegistries.enabled }}
+# SPDX-FileCopyrightText: 2026 SAP SE or an SAP affiliate company and Greenhouse contributors
+# SPDX-License-Identifier: Apache-2.0
+apiVersion: templates.gatekeeper.sh/v1
+kind: ConstraintTemplate
+metadata:
+  name: gkimagesfromapprovedregistries
+spec:
+  crd:
+    spec:
+      names:
+        kind: GkImagesFromApprovedRegistries
+      validation:
+        openAPIV3Schema:
+          type: object
+          properties:
+            allowedRegistries:
+              type: array
+              items:
+                description: allowed registry prefix
+                type: string
+
+  targets:
+    - target: admission.k8s.gatekeeper.sh
+      code:
+        - engine: Rego
+          source:
+            version: "v1"
+            libs:
+              - |
+{{ include "gatekeeper-config.lib.add_support_labels" . | indent 16 }}
+              - |
+{{ include "gatekeeper-config.lib.traversal" . | indent 16 }}
+            rego: |
+              package imagesfromapprovedregistries
+
+              import data.lib.add_support_labels
+              import data.lib.traversal
+
+              iro := input.review.object
+              containers := traversal.find_container_specs(iro)
+
+              violation contains {"msg": add_support_labels.from_k8s_object(iro, msg)} if {
+                  container := containers[_]
+                  image := container.image
+                  not image_from_approved_registry(image)
+                  msg := sprintf("container %q uses an image from an unapproved registry: %s", [container.name, image])
+              }
+
+              image_from_approved_registry(image) if {
+                  prefix := input.parameters.allowedRegistries[_]
+                  startswith(image, prefix)
+              }
+{{- end }}
@@ -0,0 +1,51 @@
+{{- if .Values.policies.pciForbiddenImages.enabled }}
+# SPDX-FileCopyrightText: 2026 SAP SE or an SAP affiliate company and Greenhouse contributors
+# SPDX-License-Identifier: Apache-2.0
+apiVersion: templates.gatekeeper.sh/v1
+kind: ConstraintTemplate
+metadata:
+  name: gkpciforbiddenimages
+spec:
+  crd:
+    spec:
+      names:
+        kind: GkPCIForbiddenImages
+      validation:
+        openAPIV3Schema:
+          type: object
+          properties:
+            patterns:
+              type: array
+              items:
+                description: regex pattern matched against the container image reference
+                type: string
+
+  targets:
+    - target: admission.k8s.gatekeeper.sh
+      code:
+        - engine: Rego
+          source:
+            version: "v1"
+            libs:
+              - |
+{{ include "gatekeeper-config.lib.add_support_labels" . | indent 16 }}
+              - |
+{{ include "gatekeeper-config.lib.traversal" . | indent 16 }}
+            rego: |
+              package pciforbiddenimages
+
+              import data.lib.add_support_labels
+              import data.lib.traversal
+
+              iro := input.review.object
+              containers := traversal.find_container_specs(iro)
+
+              violation contains {"msg": add_support_labels.from_k8s_object(iro, msg)} if {
+                  container := containers[_]
+
+                  pattern := input.parameters.patterns[_]
+                  regex.match(pattern, container.image)
+
+                  msg := sprintf("container %q uses forbidden image: %s", [container.name, container.image])
+              }
+{{- end }}
@@ -0,0 +1,57 @@
+{{- if .Values.policies.podRequiredLabels.enabled }}
+# SPDX-FileCopyrightText: 2026 SAP SE or an SAP affiliate company and Greenhouse contributors
+# SPDX-License-Identifier: Apache-2.0
+apiVersion: templates.gatekeeper.sh/v1
+kind: ConstraintTemplate
+metadata:
+  name: gkpodrequiredlabels
+spec:
+  crd:
+    spec:
+      names:
+        kind: GkPodRequiredLabels
+      validation:
+        openAPIV3Schema:
+          type: object
+          properties:
+            requiredLabels:
+              type: array
+              items:
+                description: required label key
+                type: string
+
+  targets:
+    - target: admission.k8s.gatekeeper.sh
+      code:
+        - engine: Rego
+          source:
+            version: "v1"
+            libs:
+              - |
+{{ include "gatekeeper-config.lib.add_support_labels" . | indent 16 }}
+              - |
+{{ include "gatekeeper-config.lib.traversal" . | indent 16 }}
+            rego: |
+              package podrequiredlabels
+
+              import data.lib.add_support_labels
+              import data.lib.traversal
+
+              iro := input.review.object
+              pod := traversal.find_pod(iro)
+
+              # The labels that matter for ownership/routing are on the pod
+              # template metadata, not the workload metadata, so the lookup
+              # uses `pod` rather than `iro`.
+              #
+              # `object.get(..., null) == null` is the right idiom for "label
+              # missing": `not object.get(...)` is a no-op because null is a
+              # defined value (so `not null` is false, not true), which would
+              # make this rule silently never fire.
+              violation contains {"msg": add_support_labels.from_k8s_object(iro, msg)} if {
+                  pod.isFound
+                  labelKey := input.parameters.requiredLabels[_]
+                  object.get(pod, ["metadata", "labels", labelKey], null) == null
+                  msg := sprintf("pod is missing required label: %s", [labelKey])
+              }
+{{- end }}