
Policy Controller overview

This page explains what Anthos Config Management's Policy Controller is and how it enforces policies by using constraints and constraint templates.

Policy Controller enables the enforcement of fully programmable policies for your clusters. These policies act as "guardrails" and prevent any changes to the configuration of the Kubernetes API from violating security, operational, or compliance controls.

You can set policies to actively block non-compliant API requests, or simply to audit the configuration of your clusters and report violations. Policy Controller is based on the open source Open Policy Agent Gatekeeper project and comes with a full library of pre-built policies for common security and compliance controls.

In addition to actively controlling your Kubernetes environment, you can optionally use Policy Controller to analyze configuration for compliance before deployment. This provides feedback while configuration changes are being made and ensures that non-compliant changes are caught early, before they would be rejected when applied.


Policy Controller enforces your clusters' compliance using objects called constraints. For example, you can use the following constraints:

These are just a few of the constraints provided as part of the constraint library that is included with the Policy Controller installation. This library contains numerous policies that help enforce best practices and limit risk.

Constraints can be applied directly to your clusters using the Kubernetes API, or distributed to a set of clusters from a central Git repository by using Config Sync.

To learn more, see Creating constraints.

Constraint templates

Policy Controller also lets you add your own custom policies by creating constraint templates. Constraint templates define policy parameters, error messages, and custom logic.

Once created, these templates let anyone invoke the policy using a constraint, which sets the parameters and defines the scope of resources and namespaces to which the policy applies. This separation lets subject-matter experts write policies once and then enable others to use them in various contexts without the need to write or manage policy code.
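The following is an added example, not taken from this page or from the constraint library, showing the template/constraint split in Gatekeeper's resource format. The kind ExampleRequiredLabels, the constraint name, and the owner label are hypothetical; the constraint runs in audit-only mode (dryrun), which reports violations without blocking requests.

```yaml
# Constraint template: written once by the policy author.
# Defines the parameter schema, the violation message, and the Rego logic.
apiVersion: templates.gatekeeper.sh/v1
kind: ConstraintTemplate
metadata:
  name: examplerequiredlabels      # must be the lowercase form of the kind below
spec:
  crd:
    spec:
      names:
        kind: ExampleRequiredLabels   # hypothetical kind exposed to constraint authors
      validation:
        openAPIV3Schema:
          type: object
          properties:
            labels:                   # parameter set by each constraint
              type: array
              items:
                type: string
  targets:
    - target: admission.k8s.gatekeeper.sh
      rego: |
        package examplerequiredlabels

        # A violation is produced when any required label is absent
        # from the object under review.
        violation[{"msg": msg}] {
          provided := {l | input.review.object.metadata.labels[l]}
          required := {l | l := input.parameters.labels[_]}
          missing := required - provided
          count(missing) > 0
          msg := sprintf("missing required labels: %v", [missing])
        }
---
# Constraint: written by whoever applies the policy. No policy code here,
# only parameters, scope, and the enforcement mode.
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: ExampleRequiredLabels
metadata:
  name: namespaces-must-have-owner   # hypothetical name
spec:
  enforcementAction: dryrun          # audit and report only; "deny" blocks the request
  match:
    kinds:
      - apiGroups: [""]
        kinds: ["Namespace"]
  parameters:
    labels: ["owner"]                # constructed sample value
```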

To learn more, see Write a constraint template.

Policy Controller RBAC and permissions

Policy Controller includes highly privileged workloads. The permissions for these workloads are covered in the Open Policy Agent Gatekeeper operations documentation.
