Create a `ConstraintTemplate` manifest with `apiVersion: templates.gatekeeper.sh/v1` (available since Gatekeeper 3.6.0) and put the Rego policy in `spec.targets[].rego` under the target `admission.k8s.gatekeeper.sh`.
The Rego must define a `violation[{"msg": msg}]` rule (an optional `"details"` key may carry structured data); each resulting set element becomes one admission denial or audit finding. The resource under review is available as `input.review.object` and the constraint's `spec.parameters` as `input.parameters`. By convention the `package` name is the `spec.crd.spec.names.kind` lowercased (e.g., `package k8srequiredlabels`), but Gatekeeper does not require the names to match.
Apply the ConstraintTemplate with `kubectl apply -f constraint-template.yaml`; Gatekeeper generates a CRD for the new constraint kind (e.g., `k8srequiredlabels.constraints.gatekeeper.sh`) within seconds. Check that it exists with `kubectl get crd` before creating constraints, because a Constraint applied in the same batch as its template can fail with "no matches for kind".
Create a Constraint manifest with `apiVersion: constraints.gatekeeper.sh/v1beta1` and the new kind (e.g., `kind: K8sRequiredLabels`); the kind is what ties it to the ConstraintTemplate. Use `spec.match` (kinds, namespaces, label selectors) to scope which resources it applies to and `spec.parameters` to pass the required label keys.
Test the constraint by applying a non-compliant resource (`kubectl apply --dry-run=server` is enough, since server-side dry run still goes through validating webhooks) and confirming the API server returns a denial from the `validation.gatekeeper.sh` webhook carrying your `msg`.
Use `kubectl get constraints` (all generated kinds share the `constraints` category) and `kubectl describe <ConstraintKind> <name>` or `-o yaml` to view `status.totalViolations` and the audited `status.violations` list.
Known gotchas
Gatekeeper enforces in two ways: the admission webhook blocks (or warns on, or just records, per `enforcementAction`) requests as they arrive, and the audit controller periodically (every 60 s by default) scans resources already in the cluster. A new Constraint therefore stops future violations immediately but does nothing to existing violators beyond listing them in `status.violations` (capped at 20 entries by default) and counting them in `status.totalViolations`; pre-existing resources are never removed or mutated by audit.
The `templates.gatekeeper.sh/v1beta1` ConstraintTemplate apiVersion is deprecated. Use `templates.gatekeeper.sh/v1` for new templates; it requires a structural schema for the parameters under `spec.crd.spec.validation.openAPIV3Schema` (every type declared, no unknown-field passthrough), which both avoids deprecation warnings and gives you parameter validation at apply time instead of a confusing failure inside the Rego.
Newer Gatekeeper releases accept Rego v1 syntax (the `import rego.v1` dialect, where partial rules use `contains` and rule bodies use `if`), while older releases accept only the classic syntax used in most published templates; check the release notes for the version you run. Write a template entirely in one dialect: mixing a classic `violation[...] {` rule with v1 keywords in the same module produces parse errors that point at the wrong line and say little about the real cause.