Stay organized with collections Save and categorize content based on your preferences.

Policy Controller bundles

This page describes what Policy Controller bundles are and provides an overview of the available policy bundles.

You can use Policy Controller to apply individual constraints to your cluster or write your own custom policies. You can also use policy bundles, which let you audit your clusters without writing any constraints. Policy bundles are a group of constraints that can help apply best practices, meet industry standards, or solve regulatory problems across your cluster resources.

You can use policy bundles to your existing clusters to check if your workloads are compliant. When you apply a policy bundle, it audits your cluster by applying constraints with the dryrun enforcement type. The dryrun enforcement type lets you see violations without blocking your workloads. For more information about enforcement actions, see Auditing using constraints.

For example, one type of policy bundle is the CIS Kubernetes Benchmark bundle, which can help audit your cluster resources against the CIS Kubernetes Benchmark. This benchmark is a set of recommendations for configuring Kubernetes resources to support a strong security posture.

Policy bundles are created and maintained by Google. You can view more details about your policy coverage, including coverage per bundle, in the Policy Controller dashboard.

Policy bundles are included with an Anthos license.

Available Policy Controller bundles

The following table lists the available policy bundles. Select the name of the policy bundle to read documentation on how to apply the bundle, audit resources, and enforce policies.

Bundle name Description Type Includes referential constraints
CIS Kubernetes Benchmark Audit compliance of your clusters against the against the CIS Kubernetes Benchmark, a set of recommendations for configuring Kubernetes to support a strong security posture. Kubernetes standard Yes
Pod Security Policy Apply protections based on the Kubernetes Pod Security Policy (PSP). Kubernetes standard No
Pod Security Standards Baseline Apply protections based on the Kubernetes Pod Security Standards (PSS) Baseline policy. Kubernetes standard No
Pod Security Standards Restricted Apply protections based on the Kubernetes Pod Security Standards (PSS) Restricted policy. Kubernetes standard No
Anthos Service Mesh security Audit the compliance of your Anthos Service Mesh security vulnerabilities and best practices. Best practices Yes
Policy Essentials Apply best practices to your cluster resources. Best practices No
PCI-DSS v3.2.1 Apply protections based on the Payment Card Industry Data Security Standard (PCI-DSS) v3.2.1. Industry standard Yes

What's next