apiVersion: templates.gatekeeper.sh/v1beta1 kind: ConstraintTemplate metadata: name: k8sazurev1reservedtaints annotations: description: Restricts the CriticalAddonsOnly taint to just the system pool spec: crd: spec: names: kind: K8sAzureV1ReservedTaints validation: openAPIV3Schema: type: object properties: reservedTaints: type: array items: type: string targets: - target: admission.k8s.gatekeeper.sh rego: | package k8sazurev1reservedtaints is_system_pool(node) { node.metadata.labels["kubernetes.azure.com/mode"] == "system" } is_system_pool(node) { node.metadata.labels["kubernetes.azure.com/mode"] == "System" } violation[{"msg": msg}] { node := input.review.object # did the customer try to add a taint with key "CriticalAddonsOnly" to a non-system pool? taints := {x | x = node.spec.taints[_].key} not is_system_pool(node) taint := taints[_] restrictedTaint := input.parameters.reservedTaints[_] regex.match(restrictedTaint,taint) msg := sprintf("Taint with key <%s> is reserved for the system pool only",[taint]) }