This page describes Policy Controller, a Kubernetes dynamic admission controller that checks, audits, and enforces your clusters' compliance with policies related to security, regulations, or arbitrary business rules.
Policy Controller enforces your clusters' compliance with policies called constraints. For example:
- You can require each namespace to have at least one label. This is required if you use GKE Usage Metering, for example.
- You can enforce many of the same requirements as PodSecurityPolicies, but with the added ability to audit your configuration before enforcing it. An incorrect PodSecurityPolicy can disrupt workloads. Policy Controller allows you to test constraints before enforcing them, and verify that a given policy works as intended without risking disruption of your workloads.
- You can restrict the repositories a given container image can be pulled from.
See the examples in the
allowedreposdirectory in the Gatekeeper Library project repository.
Along with constraints, Policy Controller also introduces constraint templates. Constraint templates allow you to define how a constraint works but delegate defining the specifics of the constraint to an individual or group with subject-matter expertise. In addition to separating concerns, this also separates the logic of the constraint from its definition.
Policy Controller is integrated into Anthos Config Management v1.1 and higher. Policy Controller is built from the Gatekeeper open source project.
What's next
- Install Policy Controller.
- Create a constraint.
- Use the constraint template library provided by Google.
- Learn how to use constraints instead of PodSecurityPolicies.