Policy Controller overview
This page explains what Policy Controller is and how you can use it to help ensure your Kubernetes clusters and workloads are running in a secure and compliant manner.
Policy Controller enables the application and enforcement of programmable policies for your Kubernetes clusters. These policies act as "guardrails" and can help with best practices, security, and compliance management of your clusters and fleet. Based on the open source Open Policy Agent Gatekeeper project, Policy Controller is fully integrated with Google Cloud, includes a built-in dashboard for observability, and comes with a full library of pre-built policies for common security and compliance controls.
Policy Controller benefits
- Integrated with Google Cloud: Platform admins can install Policy Controller by using the Google Cloud console, Terraform, or the Google Cloud CLI on any cluster connected to your fleet. Policy Controller works with other Google Cloud services like Config Sync, metrics, and Cloud Monitoring.
- Supports multiple enforcement points: In addition to both audit and admission control for your cluster, Policy Controller can optionally enable a shift-left approach to analyze and catch non-compliant changes before they are applied.
- Pre-built policy bundles: Policy Controller comes with a full library of pre-built policies for common security and compliance controls. These include both Policy bundles, which are built and maintained by Google, and the constraint template library.
- Supports custom policies: If policy customization is required beyond what is available using the constraint template library, Policy Controller additionally supports the development of custom constraint templates.
- Built-in observability: Policy Controller includes a Google Cloud console dashboard, providing an overview for the state of all the policies applied to your fleet. From the dashboard, view compliance and enforcement status to help you troubleshoot, and get opinionated recommendations to resolve policy violations.
You can use policy bundles to apply a number of constraints that are grouped under a specific Kubernetes standard, security, or compliance theme. These policy bundles are built and maintained by Google and are therefore ready for you to use without having to write any code. For example, you can use the following policy bundles:
- Enforce many of the same requirements as PodSecurityPolicies, but with the added ability to audit your configuration before enforcing it, ensuring any policy changes aren't disruptive to running workloads.
- Use constraints compatible with Anthos Service Mesh to audit your mesh's compliance with security best practices and to surface security vulnerabilities.
- Apply general best practices to your cluster resources to help strengthen your security posture. This bundle is also used in Policy Controller's Try Before You Buy feature, so you can try this set of baseline policies on-demand at no extra cost.
Policy Controller bundles overview provides more details and a list of currently available policy bundles.
Policy Controller enforces your clusters' compliance using objects called constraints. You can think of constraints as the "building blocks" of policy. Each constraint defines a specific change to the Kubernetes API that is allowed or disallowed on the cluster it's applied to. You can set policies to either actively block non-compliant API requests or audit the configuration of your clusters and report violations. In either case, you can view warning messages with details on what violation occurred on a cluster. With that information, you can remediate problems. For example, you can use the following individual constraints:
- Require each namespace to have at least one label. This constraint can be used to ensure accurate tracking of resource consumption when using GKE Usage Metering, for example.
- Restrict the repositories a given container image can be pulled from. This constraint ensures any attempt to pull containers from unknown sources is denied, protecting your clusters from running potentially malicious software.
- Control whether or not a container can run in privileged mode. This constraint governs which containers (if any) are permitted to enable privileged mode and therefore run with unrestricted policy.
These are just a few of the constraints provided in the constraint template library included with Policy Controller. This library contains numerous policies that you can use to help enforce best practices and limit risk. If you require more customization beyond what is available in the constraint template library, you can also create custom constraint templates.
Constraints can be applied directly to your clusters using the Kubernetes API, or distributed to a set of clusters from a source of truth by using Config Sync.
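The following is an added example, not code from this page or from the Policy Controller constraint template library, of a custom constraint template paired with a constraint that audits rather than blocks Pods pulling images from repositories outside an allowed list; the template name, kind, and repository prefix are assumed values chosen for illustration. Switching `enforcementAction` from `dryrun` to `deny` is what moves the same policy from audit to admission control.

```yaml
# Added example (hypothetical names): a custom ConstraintTemplate whose Rego
# flags any Pod container image that does not start with an allowed prefix.
# Note: only spec.containers is checked here; initContainers are not covered.
apiVersion: templates.gatekeeper.sh/v1
kind: ConstraintTemplate
metadata:
  name: k8sexampleallowedrepos   # must be the lowercase form of the kind below
spec:
  crd:
    spec:
      names:
        kind: K8sExampleAllowedRepos
      validation:
        openAPIV3Schema:
          type: object
          properties:
            repos:
              type: array
              items:
                type: string
  targets:
    - target: admission.k8s.gatekeeper.sh
      rego: |
        package k8sexampleallowedrepos

        violation[{"msg": msg}] {
          container := input.review.object.spec.containers[_]
          not startswith_any(container.image, input.parameters.repos)
          msg := sprintf("container <%v> image <%v> is not from an allowed repository", [container.name, container.image])
        }

        # true if the image begins with at least one allowed repository prefix
        startswith_any(image, repos) {
          startswith(image, repos[_])
        }
---
# The constraint instantiates the template against Pods in audit-only mode.
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sExampleAllowedRepos
metadata:
  name: approved-image-repos
spec:
  enforcementAction: dryrun   # report violations only; set to "deny" to block admission
  match:
    kinds:
      - apiGroups: [""]
        kinds: ["Pod"]
  parameters:
    repos:
      - "us-docker.pkg.dev/example-project/"   # constructed placeholder prefix
```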
- Try the free trial of Policy Controller.
- Learn how to Install Policy Controller.
- Apply a policy bundle.
- Create your own constraints.