Policy Controller bundles
This page describes what Policy Controller bundles are and provides an overview of the available policy bundles.
You can use Policy Controller to apply individual constraints to your cluster or write your own custom policies. You can also use policy bundles, which let you audit your clusters without writing any constraints. Policy bundles are a group of constraints that can help apply best practices, meet industry standards, or solve regulatory problems across your cluster resources.
You can apply policy bundles to your existing clusters to check if your workloads
are compliant. When you apply a policy bundle, it audits your cluster by applying
constraints with the
dryrun enforcement type. The
dryrun enforcement type
lets you see violations without blocking your workloads. It's also recommended
when testing new constraints or performing migration actions, like upgrading platforms,
to switch enforcement actions from
dryrun so that you can
test that your policies work as expected. For more information about enforcement
Auditing using constraints.
For example, one type of policy bundle is the CIS Kubernetes Benchmark bundle, which can help audit your cluster resources against the CIS Kubernetes Benchmark. This benchmark is a set of recommendations for configuring Kubernetes resources to support a strong security posture.
Policy bundles are created and maintained by Google. You can view more details about your policy coverage, including coverage per bundle, in the Policy Controller dashboard.
Policy bundles are included with an Anthos license.
Available Policy Controller bundles
The following table lists the available policy bundles. Select the name of the policy bundle to read documentation on how to apply the bundle, audit resources, and enforce policies.
|Bundle name||Description||Type||Includes referential constraints|
|CIS Kubernetes Benchmark||Audit compliance of your clusters against the CIS Kubernetes Benchmark, a set of recommendations for configuring Kubernetes to support a strong security posture.||Kubernetes standard||Yes|
|Cost and Reliability (Preview)||The Cost and Reliability bundle helps adopt best practices for running cost-efficient GKE clusters without compromising the performance or reliability of workloads.||Kubernetes standard||Yes|
|Pod Security Policy||Apply protections based on the Kubernetes Pod Security Policy (PSP).||Kubernetes standard||No|
|Pod Security Standards Baseline||Apply protections based on the Kubernetes Pod Security Standards (PSS) Baseline policy.||Kubernetes standard||No|
|Pod Security Standards Restricted||Apply protections based on the Kubernetes Pod Security Standards (PSS) Restricted policy.||Kubernetes standard||No|
|Anthos Service Mesh security||Audit the compliance of your Anthos Service Mesh security vulnerabilities and best practices.||Best practices||Yes|
|Policy Essentials||Apply best practices to your cluster resources.||Best practices||No|
|NIST SP 800-53 Rev. 5||The NIST SP 800-53 Rev. 5 bundle implements controls listed in NIST Special Publication (SP) 800-53, Revision 5. The bundle may help organizations protect their systems and data from a variety of threats by implementing out-of-the-box security and privacy policies.||Industry standard||Yes|
|NIST SP 800-190||The NIST SP 800-190 bundle implements controls listed in NIST Special Publication (SP) 800-190, Application Container Security Guide. The bundle is intended to help organizations with application container security including image security, container runtime security, network security and host system security to name a few.||Industry standard||Yes|
|NSA CISA Kubernetes Hardening Guide v1.2||Apply protections based on the NSA CISA Kubernetes Hardening Guide v1.2.||Industry standard||Yes|
|PCI-DSS v3.2.1||Apply protections based on the Payment Card Industry Data Security Standard (PCI-DSS) v3.2.1.||Industry standard||Yes|
- Try Policy Controller at no charge.
- Learn more about applying individual constraints.
- Apply best practices to your clusters.
- Take a tutorial on using policy bundles in your CI/CD pipeline to shift left.