Anthos Config Management's Policy Controller is a Kubernetes dynamic admission controller that checks, audits, and enforces your clusters' compliance with policies related to security, regulations, or arbitrary business rules.
Policy Controller enforces your clusters' compliance with policies called constraints. For example, you can create the following constraints:
- Require each namespace to have at least one label. This constraint is required if you use GKE Usage Metering, for example.
- Enforce many of the same requirements as PodSecurityPolicies, but with the added ability to audit your configuration before enforcing it. An incorrect PodSecurityPolicy can disrupt workloads. Policy Controller lets you test constraints before enforcing them, and verify that a given policy works as intended without risking disruption of your workloads.
- Restrict the repositories a given container image can be pulled from. For
examples, see the
allowedreposdirectory in the Gatekeeper Library project repository.
To learn more, see Creating constraints.
Along with constraints, Policy Controller also introduces constraint templates. Constraint templates let you define how a constraint works but delegate defining the specifics of the constraint to an individual or group with subject-matter expertise. In addition to separating concerns, constraint templates also separate the logic of the constraint from its definition.
Policy Controller is integrated into Anthos Config Management v1.1 and higher. Policy Controller is built from the Gatekeeper open source project.
- Learn how to Install Policy Controller.
- Use the constraint template library provided by Google.
- Learn how to use constraints instead of PodSecurityPolicies.