apiVersion: templates.gatekeeper.sh/v1beta1 kind: ConstraintTemplate metadata: name: k8sazurepodenforcelabels spec: crd: spec: names: kind: K8sAzurePodEnforceLabels listKind: K8sAzurePodEnforceLabelsList plural: k8sazurepodenforcelabels singular: k8sazurepodenforcelabels validation: # Schema for the `parameters` field openAPIV3Schema: properties: labels: type: array items: type: string targets: - target: admission.k8s.gatekeeper.sh rego: | package k8sazurepodenforcelabels violation[{"msg": msg, "details": {"missing_labels": missing}}] { required := {label | label := input.parameters.labels[_]} provided := {label | input.review.object.metadata.labels[label]} missing := required - provided count(missing) > 0 msg := sprintf("you must provide labels: %v", [missing]) }