[P1BIGROCKS-1783] Open Policy Agent (OPA) Gatekeeper Policy Enforcement
[P1BIGROCKS-1783](https://jira.il2.dso.mil/browse/P1BIGROCKS-1783)
Big Bang security policies are not robust and do not provide the ability to set enforcing:
## Community - Kubernetes Security Best Practices
The community has created the following library of best security practices: https://github.com/open-policy-agent/gatekeeper-library/tree/master/library
* OPA should create these Templates
* ClusterAuditor should create the corresponding constraints with variables that
* `deny`/`audit` for each constraint. Global option should be available to set all to deny
* Log every policy to Elasticsearch
* Variables when applicable (e.g., resources for big pods/pvcs)
* Documentation for each policy
* Each package should deploy without a violation for the policy. (This might be an exception on the constraint, or a modification of the package)
* Given the standardization of how tenant namespaces are labeled (@adam.toy how is this done) or the standardization of how Big Bang namespaces are labeled (so we know non-BB namespaces), we should be able to enforce on non-BB packages.
## Priority List of Policies
### High
* No `latest` tags
* Allowed Repos
* [No Privilege Escalation](https://github.com/open-policy-agent/gatekeeper-library/tree/master/library/pod-security-policy/allow-privilege-escalation)
* [Volume Types](https://github.com/open-policy-agent/gatekeeper-library/tree/master/library/pod-security-policy/volumes)
* [Read Only Root Filesystem](https://github.com/open-policy-agent/gatekeeper-library/tree/master/library/pod-security-policy/read-only-root-filesystem)
* [SELinux](https://github.com/open-policy-agent/gatekeeper-library/blob/master/library/pod-security-policy/selinux/template.yaml)
* [Allowed Capabilities](https://github.com/open-policy-agent/gatekeeper-library/blob/master/library/pod-security-policy/capabilities/template.yaml)
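
As an added example (not part of the original epic or of Big Bang's own manifests), the "No `latest` tags" policy can be expressed with the gatekeeper-library `K8sDisallowedTags` template: once in audit-only mode cluster-wide, and once in `deny` mode scoped by namespace label. Gatekeeper's value for audit-only is `enforcementAction: dryrun`. The constraint names, the excluded namespace and the label key `example.com/bigbang-managed` are assumptions made for illustration.

```yaml
# Audit-only: violations are recorded in the constraint's status by the
# Gatekeeper audit controller, but admission requests are not rejected.
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sDisallowedTags
metadata:
  name: no-latest-tag-audit            # constructed name
spec:
  enforcementAction: dryrun            # audit only
  match:
    kinds:
      - apiGroups: [""]
        kinds: ["Pod"]
  parameters:
    tags: ["latest"]
---
# Enforcing: same policy, rejected at admission, limited to namespaces
# that do NOT carry the (hypothetical) Big Bang label.
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sDisallowedTags
metadata:
  name: no-latest-tag-deny-non-bb      # constructed name
spec:
  enforcementAction: deny
  match:
    kinds:
      - apiGroups: [""]
        kinds: ["Pod"]
    excludedNamespaces:
      - kube-system                    # example of a per-constraint exception
    namespaceSelector:
      matchExpressions:
        - key: example.com/bigbang-managed   # hypothetical label key
          operator: DoesNotExist
  parameters:
    tags: ["latest"]
```

Switching a constraint from audit to enforcement is a one-field change to `enforcementAction`, which is what a global "set all to deny" option would template across every constraint.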
### Medium
### Low
cc: @kelly.yushko