Policy Examples

SRExpert provides 50+ pre-built Gatekeeper policies organized by category. Use these policies to enforce security, best practices, and governance in your Kubernetes clusters.

How to Use

Go to Security > Gatekeeper in SRExpert
Click + Create Policy
Select a template from the dropdown
Configure target clusters and parameters
Click Create

For detailed instructions, see the Gatekeeper Overview.

Security Policies

This section contains critical policies to protect your clusters from security vulnerabilities.

Policy	Kind	Description	Severity
Block Privileged	`K8sBlockPrivileged`	Blocks privileged containers that have root access to the host	Critical
Block Host Network	`K8sBlockHostNetwork`	Prevents pods from using host network namespace	Critical
Block Host Path	`K8sBlockHostPath`	Prevents use of hostPath volumes that expose host filesystem	Critical
Block Host IPC	`K8sBlockHostIPC`	Prevents pods from using host IPC and PID namespaces	Critical
Block Cluster Admin	`K8sBlockClusterAdmin`	Prevents binding of cluster-admin role to users/groups	Critical
Block Special Groups	`K8sBlockSpecialGroups`	Prevents use of dangerous supplementalGroups (like docker group)	Critical
Block Wildcard Secrets	`K8sBlockWildcardSecrets`	Prevents RBAC rules with wildcard access to secrets	Critical
Require Non-Root	`K8sRequireNonRoot`	Requires containers to run as non-root user	High
Block Privilege Escalation	`K8sBlockPrivilegeEscalation`	Prevents privilege escalation in containers	High
Require Security Context	`K8sRequireSecurityContext`	Requires pods and containers to define securityContext	High
Read-Only Root Filesystem	`K8sReadOnlyRootFilesystem`	Requires containers to use read-only root filesystem	High
Require PSS	`K8sRequirePSS`	Requires namespaces to have Pod Security Standards labels	High
Seccomp Profile	`K8sSeccomp`	Requires pods to use RuntimeDefault or Localhost seccomp profile	High
Limit Capabilities	`K8sLimitCapabilities`	Limits Linux capabilities that containers can request	High
Drop Capabilities	`K8sDropCapabilities`	Requires containers to drop ALL capabilities by default	High
Block Bind Host Ports	`K8sBlockBindHostPorts`	Prevents containers from binding to host ports	High
Block External IPs	`K8sBlockExternalIPs`	Prevents services from using externalIPs	High
Block Default SA Token	`K8sBlockDefaultSAToken`	Prevents manual creation of default ServiceAccount token secrets	High
Require Ingress TLS	`K8sRequireIngressTLS`	Requires all Ingress resources to use TLS/HTTPS	High
Require Pod Security Policy	`K8sRequirePodSecurityPolicy`	Requires pods to reference a PodSecurityPolicy	High
Block Docker Images	`K8sBlockDockerImages`	Prevents use of public Docker Hub images without registry prefix	Medium
Block Wildcard Ingress	`K8sBlockWildcardIngress`	Prevents wildcard hosts in Ingress resources	Medium
AppArmor Profile	`K8sAppArmor`	Requires containers to use AppArmor profile	Medium
Require Service Account	`K8sRequireServiceAccountName`	Requires pods to explicitly define serviceAccountName	Medium
Block Automount SA Token	`K8sBlockAutomountSAToken`	Prevents automatic mounting of service account tokens	Medium

Reliability Policies

Ensure your applications are resilient and highly available.

Policy	Kind	Description	Severity
Require PDB	`K8sRequirePDB`	Requires HA deployments to have PodDisruptionBudget	Medium
Require Valid PDB	`K8sRequireValidPDB`	Requires PodDisruptionBudget to have valid minAvailable	Medium
Require Rolling Strategy	`K8sRequireRollingStrategy`	Requires deployments to use RollingUpdate strategy	Medium
Require Anti-Affinity	`K8sRequireAntiAffinity`	Requires HA deployments to use pod anti-affinity	Medium
Require CronJob Timeout	`K8sRequireCronJobTimeout`	Requires CronJobs to have activeDeadlineSeconds	Medium
Require Backup Annotation	`K8sRequireBackupAnnotation`	Requires StatefulSets to have backup strategy annotation	Medium
Require Lifecycle Hooks	`K8sRequireLifecycleHooks`	Requires containers to define preStop hook for graceful shutdown	Low
Require Startup Probe	`K8sRequireStartupProbe`	Requires slow-starting containers to have startupProbe	Low
Require Probe Period	`K8sRequireProbePeriod`	Requires probes to have appropriate periodSeconds	Low
Require HPA	`K8sRequireHPA`	Requires production deployments to have HPA configured	Low
Require Termination Grace	`K8sRequireTerminationGracePeriod`	Requires appropriate terminationGracePeriodSeconds	Low

Networking Policies

Control network access and traffic flow.

Policy	Kind	Description	Severity
Require Network Policy	`K8sRequireNetworkPolicy`	Requires deployments to have network-policy label	High
Require Egress Rules	`K8sRequireEgress`	Requires NetworkPolicy to define egress rules	High
Require Ingress Rules	`K8sRequireIngress`	Requires NetworkPolicy to define ingress rules	High

Best Practices

Enforce Kubernetes best practices across your clusters.

Policy	Kind	Description	Severity
Block Deprecated API	`K8sBlockDeprecatedAPI`	Blocks deprecated Kubernetes API versions	High
Require Resource Requests	`K8sRequireResourceRequests`	Requires containers to define CPU and memory requests	Medium
Block Priority Class High	`K8sBlockPriorityClassHigh`	Prevents non-system pods from using high priority classes	Medium
Block EmptyDir Size	`K8sBlockEmptyDirSize`	Requires emptyDir volumes to have sizeLimit	Medium
Require Owner Label	`K8sRequireOwnerLabel`	Requires owner labels for resource tracking	Medium
Block Default Namespace	`K8sBlockDefaultNamespace`	Prevents deployment of resources in default namespace	Low
Require Revision History	`K8sRequireRevisionHistory`	Requires appropriate revisionHistoryLimit	Low
Require Node Selector	`K8sRequireNodeSelector`	Requires pods to have nodeSelector for workload isolation	Low
Require Tolerations	`K8sRequireTolerations`	Requires pods to define tolerations for tainted nodes	Low
Require Container Resources	`K8sRequireContainerResources`	Requires container requests to match limits (guaranteed QoS)	Low

Governance Policies

Maintain consistent labeling and metadata standards.

Policy	Kind	Description	Severity
Require Valid Labels	`K8sRequireValidLabels`	Ensures labels follow naming conventions	Low
Require Annotations	`K8sRequireAnnotations`	Requires specific annotations for governance	Low

Cost Optimization Policies

Control cloud costs and resource usage.

Policy	Kind	Description	Severity
Require Limit Range	`K8sRequireLimitRange`	Requires namespaces to have LimitRange annotation	Medium
Require Namespace Quota	`K8sRequireNamespaceQuota`	Requires namespaces to have ResourceQuota annotation	Medium
Block LB Without Annotation	`K8sBlockLoadBalancerWithoutAnnotation`	Requires LoadBalancer services to have cost-tracking annotations	Medium
Limit Replicas	`K8sLimitReplicas`	Limits maximum number of replicas for cost control	Low

Severity Guide

Severity	Response Time	Description
Critical	Immediate	Security vulnerabilities that could lead to cluster compromise
High	Same day	Important security or reliability issues
Medium	Within a week	Best practices that improve security and operations
Low	When convenient	Recommendations for better organization and efficiency

Next Steps

Gatekeeper Overview - Learn how to create and manage policies
Kubernetes Setup - Install Gatekeeper in your cluster

Kubernetes Setup Network Policies