Policy Controller bundles

This page describes what Policy Controller bundles are and provides an overview of the available policy bundles.

You can use Policy Controller to apply individual constraints to your cluster or write your own custom policies. You can also use policy bundles, which let you audit your clusters without writing any constraints. Policy bundles are a group of constraints that can help apply best practices, meet industry standards, or solve regulatory problems across your cluster resources.

You can apply policy bundles to your existing clusters to check if your workloads are compliant. When you apply a policy bundle, it audits your cluster by applying constraints with the dryrun enforcement type. The dryrun enforcement type lets you see violations without blocking your workloads. It's also recommended when testing new constraints or performing migration actions, like upgrading platforms, to switch enforcement actions from deny to warn or dryrun so that you can test that your policies work as expected. For more information about enforcement actions, see Auditing using constraints.

For example, one type of policy bundle is the CIS Kubernetes Benchmark bundle, which can help audit your cluster resources against the CIS Kubernetes Benchmark. This benchmark is a set of recommendations for configuring Kubernetes resources to support a strong security posture.

Policy bundles are created and maintained by Google. You can view more details about your policy coverage, including coverage per bundle, in the Policy Controller dashboard.

Policy bundles are included with an Anthos license.

Available Policy Controller bundles

The following table lists the available policy bundles. Select the name of the policy bundle to read documentation on how to apply the bundle, audit resources, and enforce policies.

Bundle name Description Type Includes referential constraints
CIS Kubernetes Benchmark Audit compliance of your clusters against the CIS Kubernetes Benchmark, a set of recommendations for configuring Kubernetes to support a strong security posture. Kubernetes standard Yes
Cost and Reliability (Preview) The Cost and Reliability bundle helps adopt best practices for running cost-efficient GKE clusters without compromising the performance or reliability of workloads. Kubernetes standard Yes
Pod Security Policy Apply protections based on the Kubernetes Pod Security Policy (PSP). Kubernetes standard No
Pod Security Standards Baseline Apply protections based on the Kubernetes Pod Security Standards (PSS) Baseline policy. Kubernetes standard No
Pod Security Standards Restricted Apply protections based on the Kubernetes Pod Security Standards (PSS) Restricted policy. Kubernetes standard No
Anthos Service Mesh security Audit the compliance of your Anthos Service Mesh security vulnerabilities and best practices. Best practices Yes
Policy Essentials Apply best practices to your cluster resources. Best practices No
NIST SP 800-53 Rev. 5 The NIST SP 800-53 Rev. 5 bundle implements controls listed in NIST Special Publication (SP) 800-53, Revision 5. The bundle may help organizations protect their systems and data from a variety of threats by implementing out-of-the-box security and privacy policies. Industry standard Yes
NIST SP 800-190 The NIST SP 800-190 bundle implements controls listed in NIST Special Publication (SP) 800-190, Application Container Security Guide. The bundle is intended to help organizations with application container security including image security, container runtime security, network security and host system security to name a few.  Industry standard Yes
NSA CISA Kubernetes Hardening Guide v1.2 Apply protections based on the NSA CISA Kubernetes Hardening Guide v1.2. Industry standard Yes
PCI-DSS v3.2.1 Apply protections based on the Payment Card Industry Data Security Standard (PCI-DSS) v3.2.1. Industry standard Yes

What's next