This page describes Anthos Policy Controller, a Kubernetes dynamic admission controller that checks, audits, and enforces your clusters' compliance with policies related to security, regulations, or arbitrary business rules.
Policy Controller enforces your clusters' compliance with policies called constraints. For example:
- You can require each Namespace to have at least one label. This is required if you use GKE Usage Metering, for example.
- You can enforce many of the same requirements as PodSecurityPolicies, but with the added ability to audit your configuration before enforcing it. An incorrect PodSecurityPolicy can disrupt workloads. Policy Controller allows you to test constraints before enforcing them, and verify that a given policy works as intended without risking disruption of your workloads.
- You can restrict the repositories a given container image can be pulled from. See the examples in the allowed-repos directory in the Gatekeeper project repository.
Along with constraints, Policy Controller also introduces constraint templates. Constraint templates allow you to define how a constraint works but delegate defining the specifics of the constraint to an individual or group with subject-matter expertise. In addition to separating concerns, this also separates the logic of the constraint from its definition.
Policy Controller is integrated into Anthos Config Management v1.1 and higher. Policy Controller is built using Gatekeeper, an open source project.