Policy Controller bundles
This page describes what Policy Controller bundles are and provides an overview of the available policy bundles.
You can use Policy Controller to apply individual constraints to your cluster or write your own custom policies. You can also use policy bundles, which let you audit your clusters without writing any constraints. Policy bundles are a group of constraints that can help apply best practices, meet industry standards, or solve regulatory problems across your cluster resources.
You can use policy bundles to your existing clusters to check if your workloads
are compliant. When you apply a policy bundle, it audits your cluster by applying
constraints with the
dryrun enforcement type. The
dryrun enforcement type
lets you see violations without blocking your workloads. For more information
about enforcement actions, see
Auditing using constraints.
For example, one type of policy bundle is the CIS Kubernetes Benchmark bundle, which can help audit your cluster resources against the CIS Kubernetes Benchmark. This benchmark is a set of recommendations for configuring Kubernetes resources to support a strong security posture.
Policy bundles are created and maintained by Google. You can view more details about your policy coverage, including coverage per bundle, in the Policy Controller dashboard.
Policy bundles are included with an Anthos license.
Available Policy Controller bundles
The following table lists the available policy bundles. Select the name of the policy bundle to read documentation on how to apply the bundle, audit resources, and enforce policies.
|Bundle name||Description||Type||Includes referential constraints|
|CIS Kubernetes Benchmark||Audit compliance of your clusters against the against the CIS Kubernetes Benchmark, a set of recommendations for configuring Kubernetes to support a strong security posture.||Kubernetes standard||Yes|
|Pod Security Policy||Apply protections based on the Kubernetes Pod Security Policy (PSP).||Kubernetes standard||No|
|Pod Security Standards Baseline||Apply protections based on the Kubernetes Pod Security Standards (PSS) Baseline policy.||Kubernetes standard||No|
|Pod Security Standards Restricted||Apply protections based on the Kubernetes Pod Security Standards (PSS) Restricted policy.||Kubernetes standard||No|
|Anthos Service Mesh security||Audit the compliance of your Anthos Service Mesh security vulnerabilities and best practices.||Best practices||Yes|
|Policy Essentials||Apply best practices to your cluster resources.||Best practices||No|
|PCI-DSS v3.2.1||Apply protections based on the Payment Card Industry Data Security Standard (PCI-DSS) v3.2.1.||Industry standard||Yes|
- Try the free trial of Policy Controller.
- Learn more about applying individual constraints.
- Apply best practices to your clusters.
- Take a tutorial on using policy bundles in your CI/CD pipeline to shift left.