Constraint Types
Reference for all constraint type classifications.
Table of contents
- Overview
- NetworkIngress
- NetworkEgress
- Admission
- ResourceLimit
- MeshPolicy
- MissingResource
- Unknown
- Type Distribution
- Filtering by Type
Overview
Potoo normalizes all policy types into a common constraint model. Each constraint has a `type` field that classifies what kind of restriction it represents.
NetworkIngress
Inbound network traffic restrictions.
Meaning
Controls which traffic can reach workloads in the namespace.
Sources
- Kubernetes NetworkPolicy (with `policyTypes: ["Ingress"]`)
- CiliumNetworkPolicy (ingress rules)
- CiliumClusterwideNetworkPolicy (ingress rules)
- Istio AuthorizationPolicy (ALLOW/DENY actions)
Effects
- `deny` - Traffic is blocked by default
- `restrict` - Traffic allowed only from specific sources
Common Errors
```text
connection refused
connection reset by peer
no route to host (from external caller)
```
Example Constraint
```yaml
name: frontend-only
type: NetworkIngress
severity: Critical
effect: deny
summary: "Only allows ingress from frontend pods"
tags: [network, ingress, pod-selector]
```
Remediation Patterns
- Request exception from platform team
- Add caller to allowed source list
- Use service mesh for internal traffic
NetworkEgress
Outbound network traffic restrictions.
Meaning
Controls which traffic workloads can send from the namespace.
Sources
- Kubernetes NetworkPolicy (with `policyTypes: ["Egress"]`)
- CiliumNetworkPolicy (egress rules)
- CiliumClusterwideNetworkPolicy (egress rules)
- Istio AuthorizationPolicy (egress rules)
Effects
- `deny` - All egress blocked by default
- `restrict` - Egress allowed only to specific destinations/ports
Common Errors
```text
connection timed out
dial tcp: i/o timeout
no route to host
connection refused (to external service)
```
Example Constraint
```yaml
name: restrict-egress
type: NetworkEgress
severity: Critical
effect: deny
summary: "Egress restricted to ports 443, 8443"
tags: [network, egress, port-restriction]
```
Remediation Patterns
- Request egress exception for specific destination
- Route through approved egress proxy
- Use internal service instead of external
Admission
Admission controller rejections.
Meaning
Policies that accept or reject Kubernetes resource creation/modification.
Sources
- ValidatingWebhookConfiguration
- MutatingWebhookConfiguration (when mutation fails)
- OPA Gatekeeper Constraints
- Kyverno ClusterPolicy/Policy
- Custom admission webhooks
Effects
- `deny` - Resource rejected
- `warn` - Warning issued but allowed
- `audit` - Logged but allowed
Common Errors
```text
admission webhook "xxx" denied the request
Error from server (Forbidden): xxx is not allowed
denied by policy "xxx"
validation failed: xxx
```
Example Constraint
```yaml
name: require-resource-limits
type: Admission
severity: Critical
effect: deny
summary: "Containers must have resource limits"
tags: [admission, resources, gatekeeper]
```
Remediation Patterns
- Modify resource to comply with policy
- Add required labels/annotations
- Set resource limits/requests
- Request policy exception
ResourceLimit
Resource quota and limit restrictions.
Meaning
Controls resource consumption within a namespace.
Sources
- ResourceQuota
- LimitRange
Effects
- `limit` - Consumption capped at threshold
- `restrict` - Specific resource types restricted
Common Errors
```text
exceeded quota: requested cpu 2, limit 1
forbidden: exceeded quota
unable to schedule pod: insufficient cpu
```
Example Constraint
```yaml
name: compute-quota
type: ResourceLimit
severity: Warning
effect: limit
summary: "CPU usage at 78% of quota"
metrics:
  cpu:
    hard: "4"
    used: "3.12"
    percentUsed: 78.0
tags: [quota, cpu, memory]
```
Remediation Patterns
- Reduce resource requests
- Request quota increase
- Clean up unused resources
- Optimize application resource usage
MeshPolicy
Service mesh authorization policies.
Meaning
Controls service-to-service communication within a service mesh.
Sources
- Istio AuthorizationPolicy
- Istio PeerAuthentication
- Linkerd ServerAuthorization
Effects
- `deny` - Request rejected at mesh layer
- `restrict` - Only specific identities allowed
- `require` - Mutual TLS required
Common Errors
```text
RBAC: access denied
upstream connect error
403 Forbidden (from Envoy)
connection reset (mTLS failure)
```
Example Constraint
```yaml
name: require-mtls
type: MeshPolicy
severity: Critical
effect: require
summary: "mTLS required for all pod-to-pod traffic"
tags: [mesh, istio, mtls]
```
Remediation Patterns
- Enable Istio sidecar injection
- Configure correct ServiceAccount
- Add workload to allowed principals
- Check mTLS configuration
MissingResource
Expected companion resources not found.
Meaning
A resource that should exist (based on annotations or conventions) is missing.
Sources
- Missing ServiceMonitor/PodMonitor (for workloads with a `metrics` or `http-metrics` port)
- Missing VirtualService/DestinationRule (for workloads with Istio sidecar)
- Missing PeerAuthentication (for namespaces with Istio injection enabled)
- Missing ClusterIssuer/Issuer (for workloads with cert-manager annotations)
See Missing Resource Detection for the full list of built-in rules and their detection logic.
Effects
- `missing` - Required resource doesn't exist
Common Errors
(No error - resource silently not working)
Metrics not appearing in Prometheus
Traffic not being routed through mesh
Example Constraint
```yaml
name: missing-prometheus-monitor-api-server
type: MissingResource
severity: Warning
effect: missing
summary: "Workload exposes a metrics port but has no ServiceMonitor or PodMonitor"
tags: [prometheus, monitoring, missing-resource]
```
Remediation Patterns
- Create the missing resource
- Remove the annotation if not needed
- Use provided YAML template
Unknown
Unclassified constraint from the generic adapter.
Meaning
A policy from a custom CRD registered via ConstraintProfile, parsed by the generic adapter.
Sources
- Any CRD registered with `adapter: generic`
- Unrecognized policy CRDs
Effects
- Varies by source
Example Constraint
```yaml
name: custom-policy-1
type: Unknown
severity: Info
effect: unknown
summary: "Custom policy (see source for details)"
tags: []
```
Remediation Patterns
- Consult documentation for the custom policy type
- Contact platform team
Type Distribution
Typical distribution in a production cluster:
| Type | Typical Count | Notes |
|---|---|---|
| NetworkEgress | 30-50% | Most common restriction |
| NetworkIngress | 10-20% | Default deny ingress |
| Admission | 15-25% | Compliance policies |
| ResourceLimit | 10-20% | Quotas per namespace |
| MeshPolicy | 5-15% | If service mesh enabled |
| MissingResource | 5-10% | Monitoring gaps |
| Unknown | 1-5% | Custom policies |
Filtering by Type
CLI
```shell
potoo query -n my-namespace --type NetworkEgress
```
MCP Tool
```json
{
  "tool": "potoo_query",
  "params": {
    "namespace": "my-namespace",
    "constraint_type": "NetworkEgress"
  }
}
```
kubectl
```shell
kubectl get cr constraints -n my-namespace -o json | \
  jq '.status.constraints[] | select(.type == "NetworkEgress")'
```
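The same filter and the per-type distribution from the table above, done in Python over the normalized constraint model, as an added example that is not part of Potoo's own code. It assumes a report whose `status.constraints` list carries the fields shown on this page; the sample report is constructed from the page's example constraints plus one extra egress entry.

```python
import json
from collections import Counter

# Constructed sample in the shape of `.status.constraints` (assumption: the
# resource read by `kubectl get cr constraints` exposes the list this way).
SAMPLE_REPORT = json.loads("""
{
  "status": {
    "constraints": [
      {"name": "frontend-only", "type": "NetworkIngress", "severity": "Critical",
       "effect": "deny", "tags": ["network", "ingress", "pod-selector"]},
      {"name": "restrict-egress", "type": "NetworkEgress", "severity": "Critical",
       "effect": "deny", "tags": ["network", "egress", "port-restriction"]},
      {"name": "require-resource-limits", "type": "Admission", "severity": "Critical",
       "effect": "deny", "tags": ["admission", "resources", "gatekeeper"]},
      {"name": "compute-quota", "type": "ResourceLimit", "severity": "Warning",
       "effect": "limit", "metrics": {"cpu": {"hard": "4", "used": "3.12", "percentUsed": 78.0}},
       "tags": ["quota", "cpu", "memory"]},
      {"name": "egress-dns-only", "type": "NetworkEgress", "severity": "Critical",
       "effect": "restrict", "tags": ["network", "egress"]}
    ]
  }
}
""")

def constraints(report):
    """Return the normalized constraint list, tolerating an empty or absent status."""
    return report.get("status", {}).get("constraints", [])

def filter_by_type(report, ctype):
    """Mirror the jq expression: keep only constraints whose `type` matches."""
    return [c for c in constraints(report) if c.get("type") == ctype]

def type_distribution(report):
    """Percent of constraints per type, the figure the distribution table reports."""
    counts = Counter(c.get("type", "Unknown") for c in constraints(report))
    total = sum(counts.values()) or 1
    return {t: round(100.0 * n / total, 1) for t, n in counts.items()}

def quota_pressure(report, threshold=75.0):
    """ResourceLimit constraints whose metrics show a resource at or above threshold %."""
    hot = []
    for c in filter_by_type(report, "ResourceLimit"):
        for resource, m in c.get("metrics", {}).items():
            if float(m.get("percentUsed", 0)) >= threshold:
                hot.append((c["name"], resource, m["percentUsed"]))
    return hot

if __name__ == "__main__":
    print(type_distribution(SAMPLE_REPORT), quota_pressure(SAMPLE_REPORT))
```

`quota_pressure` reads the `metrics` block that only ResourceLimit constraints carry, so it is a quick way to surface namespaces about to hit `exceeded quota` errors before they do.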