Policy Controller overview

This page explains what Policy Controller is and how you can use it to help ensure your Kubernetes clusters and workloads are running in a secure and compliant manner.

Policy Controller enables the application and enforcement of programmable policies for your Kubernetes clusters. These policies act as guardrails and can help with best practices, security, and compliance management of your clusters and fleet. Based on the open source Open Policy Agent Gatekeeper project, Policy Controller is fully integrated with Google Cloud, includes a built-in dashboard for observability, and comes with a full library of pre-built policies for common security and compliance controls.

Policy Controller is available with a Google Kubernetes Engine (GKE) Enterprise edition license.

Policy Controller benefits

  • Integrated with Google Cloud: Platform admins can install Policy Controller by using the Google Cloud console, by using Terraform, or by using Google Cloud CLI on any cluster connected to your fleet. Policy Controller works with other Google Cloud services like Config Sync, metrics, and Cloud Monitoring.
  • Supports multiple enforcement points: In addition to both audit and admission control for your cluster, Policy Controller can optionally enable a shift-left approach to analyse and catch non-compliant changes prior to application.
  • Pre-built policy bundles: Policy Controller comes with a full library of pre-built policies for common security and compliance controls. These include both Policy bundles, which are built and maintained by Google, and the constraint template library.
  • Supports custom policies: If policy customization is required beyond what is available using the constraint template library, Policy Controller additionally supports the development of custom constraint templates.
  • Built-in observability: Policy Controller includes a Google Cloud console dashboard, providing an overview of the state of all the policies applied to your fleet (including unregistered clusters). From the dashboard, view compliance and enforcement status to help you troubleshoot, and get opinionated recommendations to resolve policy violations.

Policy bundles

You can use policy bundles to apply a number of constraints that are grouped under a specific Kubernetes standard, security, or compliance theme. These policy bundles are built and maintained by Google and are therefore ready for you to use without having to write any code. For example, you can use the following policy bundles:

Policy Controller bundles overview provides more details and a list of currently available policy bundles.

Constraints

Policy Controller enforces your clusters' compliance using objects called constraints. You can think of constraints as the "building blocks" of policy. Each constraint defines a specific change to the Kubernetes API that is allowed or disallowed on the cluster it's applied to. You can set policies to either actively block non-compliant API requests or audit the configuration of your clusters and report violations. In either case, you can view warning messages with details on what violation occurred on a cluster. With that information, you can remediate problems. For example, you can use the following individual constraints:

These are just a few of the constraints provided in the constraint template library included with Policy Controller. This library contains numerous policies that you can use to help enforce best practices and limit risk. If you require more customization beyond what is available in the constraint template library, you can also create custom constraint templates.

Constraints can be applied directly to your clusters using the Kubernetes API, or distributed to a set of clusters from a source of truth by using Config Sync.

What's next