Policy Controller overview
This page explains what Anthos Config Management's Policy Controller is and how it enforces policies by using constraints and constraint templates.
Policy Controller enables the enforcement of fully programmable policies for your clusters. These policies act as "guardrails" and prevent any changes to the configuration of the Kubernetes API from violating security, operational, or compliance controls.
You can set policies to actively block non-compliant API requests, or simply to audit the configuration of your clusters and report violations. Policy Controller is based on the open source Open Policy Agent Gatekeeper project and comes with a full library of pre-built policies for common security and compliance controls.
In addition to actively controlling your Kubernetes environment, you can optionally use Policy Controller to analyze configuration for compliance before deployment. This provides valuable feedback while configuration changes are being made and ensures that non-compliant changes are caught early, rather than being rejected only when they are applied.
Constraints
Policy Controller enforces your clusters' compliance using objects called constraints. For example, you can use the following constraints:
- Require each namespace to have at least one label. This constraint can be used to ensure accurate tracking of resource consumption when using GKE Usage Metering, for example.
- Enforce many of the same requirements as PodSecurityPolicies, but with the added ability to audit your configuration before enforcing it, ensuring any policy changes aren't disruptive to running workloads.
- Restrict the repositories a given container image can be pulled from. This constraint ensures any attempt to pull containers from unknown sources is denied, protecting your clusters from running potentially malicious software.
These are just a few of the constraints provided as part of the constraint library that is included with the Policy Controller installation. This library contains numerous policies that help enforce best practices and limit risk.
Constraints can be applied directly to your clusters using the Kubernetes API, or distributed to a set of clusters from a central Git repository by using Config Sync.
To learn more, see Creating constraints.
Constraint templates
Policy Controller also lets you add your own custom policies by creating constraint templates. Constraint templates define policy parameters, error messages, and custom logic.
Once created, these templates let anyone invoke the policy using a constraint, which sets the parameters and defines the scope of resources and namespaces to which the policy applies. This separation lets subject-matter experts write policies once and then enable others to use them in various contexts without the need to write or manage policy code.
To learn more, see Write a constraint template.
Policy Controller RBAC and permissions
Policy Controller includes highly privileged workloads. The permissions for these workloads are covered in the Open Policy Agent Gatekeeper operations documentation.
What's next
- Learn how to Install Policy Controller.
- Use the constraint template library provided by Google.
- Learn how to use constraints instead of PodSecurityPolicies.