This page explains how to use Policy Controller dashboards to view your policy coverage and cluster violations.
This page is for IT administrators and Operators who want to ensure that all resources running within the cloud platform meet organizational compliance requirements by providing and maintaining automation to audit or enforce, and who set up alerting and monitor IT systems for performance and vulnerabilities. To learn more about common roles and example tasks that we reference in Google Cloud content, see Common GKE Enterprise user roles and tasks.
Use the Google Cloud console to view a dashboard that contains information about your policy coverage. The dashboard shows information such as the following:
- The number of clusters in a fleet (including unregistered clusters) that have Policy Controller installed.
- The number of clusters with Policy Controller installed that contain policy violations.
- The number of constraints applied to your clusters per enforcement action.
If you are using Policy Controller bundles, you can see an overview of your compliance based on the standards in one or more bundles. This overview is aggregated at a fleet level and also includes your unregistered clusters (Preview).
Before you begin
Make sure that your clusters are registered to a fleet and that your clusters have Policy Controller installed.
To get the permissions that you need to use the Policy Controller dashboard, ask your administrator to grant you the following IAM roles:
- GKE Hub Viewer (roles/gkehub.viewer) on the project containing your fleet
- Monitoring Viewer (roles/monitoring.viewer) on each project with a cluster in your fleet
For more information about granting roles, see Manage access.
View Policy Controller status
You can view information about your policy coverage in the Google Cloud console.
- In the Google Cloud console, go to the GKE Enterprise Policy page under the Posture Management section.
- On the Dashboard tab, see an overview of your Policy Controller coverage with the following information:
- Policy Controller coverage shows the number of clusters with and without Policy Controller installed.
- Clusters in violation shows the number of clusters without any violations and the number of clusters with violations. The violations are based on which constraints are applied to the cluster.
- Enforcement action shows the type of action specified in each constraint. For more information about enforcement actions, see Auditing using constraints.
- Compliance by standards shows an overview of your compliance based on the standards in one or more Policy Controller bundles. If you are not using any bundles, the status in this section shows as "100% not applied".
To view more detailed information about policy violations in your cluster, go to the Violations tab:
In the View by section, select one of the following options:
- Constraint: view a flat list of all constraints with violations in your cluster.
- Namespace: view constraints with violations, organized by the namespace that contains the resource with a violation.
- Resource kind: view constraints with violations, organized by the resource with a violation.
From any view, select the constraint name that you want to view.
The Details tab shows information about the violation, including the recommended action to resolve it.
The Affected Resources tab shows information about which resources are being evaluated by the constraint and have policy violations.
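The Enforcement action chart and the three "View by" options on the Violations tab are aggregations over the constraint status that Policy Controller (Gatekeeper) records in each cluster. The following Python example, added here and not part of Google's dashboard or documentation code, shows those aggregations from the command line so that you can cross-check what the console displays. It assumes a constructed sample in the shape of `kubectl get constraints -o json`, whose items carry `spec.enforcementAction` and `status.violations` as Gatekeeper reports them; the constraint names, namespaces and messages in the sample are made up.

```python
"""Aggregate Policy Controller (Gatekeeper) constraint status the way the
dashboard does: constraints per enforcement action, and violations grouped
by constraint, namespace, or resource kind.

Added example for this page; not Google's dashboard code. SAMPLE_CONSTRAINTS_JSON
is a constructed stand-in for `kubectl get constraints -o json` output, using the
Gatekeeper constraint schema (spec.enforcementAction, status.violations[])."""
from collections import Counter, defaultdict
import json

# Constructed sample: one constraint in audit-only (dryrun) mode and one
# enforced (deny), each with violations reported in status.
SAMPLE_CONSTRAINTS_JSON = json.dumps({
    "items": [
        {
            "kind": "K8sRequiredLabels",
            "metadata": {"name": "require-team-label"},
            "spec": {"enforcementAction": "dryrun"},
            "status": {
                "totalViolations": 2,
                "violations": [
                    # cluster-scoped resource: no "namespace" key
                    {"enforcementAction": "dryrun", "kind": "Namespace",
                     "name": "sandbox", "message": "missing label: team"},
                    {"enforcementAction": "dryrun", "kind": "Deployment",
                     "name": "web", "namespace": "prod",
                     "message": "missing label: team"},
                ],
            },
        },
        {
            "kind": "K8sPSPPrivilegedContainer",
            "metadata": {"name": "no-privileged"},
            "spec": {},  # enforcementAction unset: Gatekeeper defaults to deny
            "status": {
                "totalViolations": 1,
                "violations": [
                    {"enforcementAction": "deny", "kind": "Pod",
                     "name": "debug-shell", "namespace": "prod",
                     "message": "Privileged container is not allowed"},
                ],
            },
        },
    ]
})


def constraints_by_enforcement_action(items):
    """Count constraints per enforcement action (the dashboard's
    'Enforcement action' chart). An unset action means deny."""
    return Counter(c.get("spec", {}).get("enforcementAction", "deny") for c in items)


def violations(items):
    """Flatten status.violations across constraints, tagging each entry
    with the constraint that reported it."""
    out = []
    for c in items:
        cname = f'{c["kind"]}/{c["metadata"]["name"]}'
        for v in c.get("status", {}).get("violations", []):
            out.append({
                "constraint": cname,
                "namespace": v.get("namespace", "<cluster-scoped>"),
                "kind": v["kind"],
                "name": v["name"],
                "enforcementAction": v.get("enforcementAction", "deny"),
                "message": v.get("message", ""),
            })
    return out


def group_violations(items, by):
    """Group violations like the Violations tab's 'View by' options:
    by="constraint", "namespace" or "kind"."""
    if by not in ("constraint", "namespace", "kind"):
        raise ValueError(f"unsupported grouping: {by}")
    grouped = defaultdict(list)
    for v in violations(items):
        grouped[v[by]].append(v)
    return dict(grouped)


def summarize(raw_json):
    """Produce the dashboard-style counts from raw kubectl JSON."""
    items = json.loads(raw_json)["items"]
    return {
        "constraints_by_action": dict(constraints_by_enforcement_action(items)),
        "total_violations": len(violations(items)),
        "by_constraint": {k: len(v) for k, v in group_violations(items, "constraint").items()},
        "by_namespace": {k: len(v) for k, v in group_violations(items, "namespace").items()},
        "by_kind": {k: len(v) for k, v in group_violations(items, "kind").items()},
    }


if __name__ == "__main__":
    # Against a live cluster you would pipe `kubectl get constraints -o json`
    # into summarize() instead of the constructed sample.
    print(json.dumps(summarize(SAMPLE_CONSTRAINTS_JSON), indent=2))
```

A dryrun constraint still contributes violations to the counts, which is why a cluster can show as "in violation" on the dashboard even when nothing is being blocked; only constraints whose enforcement action is deny reject admission requests.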
View policy findings in Security Command Center
After Policy Controller is installed, you can view policy violations in Security Command Center. This lets you view your security posture for your Google Cloud resources and your Kubernetes resources in the same place. You must have the Security Command Center activated in your organization at the Standard or Premium tier.
In Security Command Center, policy violations show as Misconfiguration findings. The category and next steps for each finding are the same as the constraint description and remediation steps.
For more information about using Policy Controller in Security Command Center, see Policy Controller vulnerability findings.