This section describes how to create a constraint.

Prerequisites

  • You need to join a cluster and have the cluster-admin permission in the cluster. For more information, see Cluster Members and Cluster Roles.

  • The KubeSphere platform needs to have the Gatekeeper extension installed and enabled.

  • A constraint template has been created.

Steps

  1. Log in to the KubeSphere web console as a user who has cluster-admin permissions and enter your cluster.

  2. Click Gatekeeper > Constraints in the left navigation pane.

  3. Click Create on the page.

  4. In the Create Constraint dialog box, set the following parameters, then click OK.

    Parameter: Description

    Constraint Name: The name of the constraint.

    Constraint Type: The constraint template used by the constraint.

    enforcementAction: Defines the action to take when the constraint is violated. The default is deny, meaning any admission request that violates the constraint is denied. For more information, refer to Constraint Violation Handling.

    Match Kinds: The match field defines the resources to which the constraint applies. For more information, refer to match. kinds accepts a list of objects containing apiGroups and kinds fields, which list the groups/kinds of objects the constraint applies to. If multiple groups/kinds objects are specified, a resource is in scope for the constraint if it matches any one of those objects.

    Namespace Labels: Identifying key-value pairs set on the namespace where the object resides, or on the object itself if the object is a namespace.

    Parameters: Used to describe the intent of the constraint. For more information, refer to parameters.

    You can view the created constraint on the Constraints page.
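
The dialog fields above correspond to the fields of a Gatekeeper constraint manifest. The following manifest is an added example, not part of the original KubeSphere documentation. It assumes a constraint template that defines the kind K8sRequiredLabels and takes a labels list of strings as parameters; the constraint name, label values and the mapping of Namespace Labels to namespaceSelector are also assumptions.

```yaml
# Added example: all names and values are constructed for illustration.
# Assumes a constraint template that defines the kind K8sRequiredLabels
# and accepts a "labels" list of strings as its parameters.
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sRequiredLabels             # Constraint Type: the kind defined by the template
metadata:
  name: workloads-must-have-owner   # Constraint Name
spec:
  enforcementAction: deny           # default; Gatekeeper also accepts dryrun and warn
  match:
    kinds:                          # Match Kinds: a resource matching ANY entry is in scope
      - apiGroups: [""]
        kinds: ["Pod"]
      - apiGroups: ["apps"]
        kinds: ["Deployment", "StatefulSet"]
    namespaceSelector:              # Namespace Labels (assumed mapping from the form field)
      matchLabels:
        environment: production
  parameters:                       # Parameters: the schema is defined by the template
    labels: ["owner"]
```

Setting enforcementAction to dryrun first records violations in the constraint's status without rejecting requests, which lets you check the match scope before switching to deny.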