Try Policy Controller
You can create a trial report of Policy Controller in the Google Cloud console to audit your GKE clusters. This trial lets you audit a cluster against the Policy Essentials bundle, a set of baseline policies based on Google-recommended best practices. You can then view any policy violations in a dashboard in the Google Cloud console.
The trial does not install Policy Controller on your clusters and does not incur any billing charges. You can install Policy Controller to leverage more capabilities such as policy enforcement at CI/CD or admission time, continuous auditing of clusters, and access to the full constraint template library, which you can use to apply constraints to enforce policies without writing custom constraints.
Before you begin
Ensure you have access to a Google Kubernetes Engine cluster that is running Kubernetes version 1.14.x or later.
To get the permissions that you need to try Policy Controller, ask your administrator to grant you the Kubernetes Engine Cluster Admin (roles/container.clusterAdmin) IAM role on your project. For more information about granting roles, see Manage roles. This predefined role contains the permissions required to try Policy Controller. The exact permissions required are:
- container.clusterRoleBindings.create
- container.clusterRoles.create
- container.configMaps.create
- container.jobs.create
- container.namespaces.create
- container.networkPolicies.create
- container.roleBindings.create
- container.roles.create
- container.serviceAccounts.create
You might also be able to get these permissions with custom roles or other predefined roles.
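An added pre-flight check for the permission list above (example code, not Google's or Policy Controller's own): given a project IAM policy and each role's included permissions, it reports which required permissions a principal still lacks, which is useful when a custom role or another predefined role is used instead of Cluster Admin. The policy, the custom role name and the permission sets are constructed samples; only roles/container.clusterAdmin and the required permissions come from this page.

```python
"""Does a principal's project IAM policy grant every permission the Policy
Controller trial needs? Added example, not Google's code. The policy and the
role->permissions map below are constructed samples; in practice they come
from `gcloud projects get-iam-policy` and `gcloud iam roles describe ROLE`."""
import json

# Permissions required for the trial, as listed on this page.
REQUIRED_PERMISSIONS = frozenset({
    "container.clusterRoleBindings.create", "container.clusterRoles.create",
    "container.configMaps.create", "container.jobs.create",
    "container.namespaces.create", "container.networkPolicies.create",
    "container.roleBindings.create", "container.roles.create",
    "container.serviceAccounts.create",
})

# Constructed sample IAM policy in the shape of `gcloud ... --format=json`.
SAMPLE_POLICY = json.loads("""{"bindings": [
  {"role": "roles/container.clusterAdmin", "members": ["user:alice@example.com"]},
  {"role": "projects/demo/roles/pcTrial", "members": ["user:bob@example.com"]},
  {"role": "roles/container.clusterAdmin", "members": ["user:carol@example.com"],
   "condition": {"title": "temp", "expression": "request.time < timestamp('2030-01-01T00:00:00Z')"}}
]}""")

# Constructed stand-in for each role's includedPermissions; real predefined
# roles carry many more permissions than shown here.
SAMPLE_ROLE_PERMISSIONS = {
    "roles/container.clusterAdmin": set(REQUIRED_PERMISSIONS) | {"container.clusters.get"},
    "projects/demo/roles/pcTrial": {"container.namespaces.create", "container.jobs.create"},
}


def effective_permissions(policy, role_permissions, member):
    """Union of permissions from every unconditional binding naming `member`.
    Conditional bindings are skipped because whether they apply depends on
    request-time context; group membership is not expanded either."""
    granted = set()
    for binding in policy.get("bindings", []):
        if "condition" in binding or member not in binding.get("members", []):
            continue
        granted |= set(role_permissions.get(binding["role"], ()))
    return granted


def missing_permissions(policy, role_permissions, member):
    """Sorted list of required permissions the member is not granted."""
    return sorted(REQUIRED_PERMISSIONS - effective_permissions(policy, role_permissions, member))


if __name__ == "__main__":
    for who in ("user:alice@example.com", "user:bob@example.com", "user:carol@example.com"):
        print(who, "missing:", missing_permissions(SAMPLE_POLICY, SAMPLE_ROLE_PERMISSIONS, who) or "nothing")
```

A binding that only applies under a condition is reported as missing on purpose, so that the check never claims a grant it cannot verify.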
Create a Policy Controller trial report
- In the Google Cloud console:
  - If you use Google Kubernetes Engine, go to the GKE Policy page under the Config & Policy section.
  - If you use GKE Enterprise, go to the GKE Enterprise Policy page under the Config & Policy section.
- Select Try Policy Controller.
- Select the cluster that you want to audit for the Policy Controller trial.
- Select Create report.
After a few minutes, you will see the report generated for your cluster. You can view the number of policy violations in your cluster and details of those violations.
To delete the report, along with resources created to run the trial, select Delete report.
What's next
- Learn more about Policy Controller.
- Learn more about Policy Controller bundles.
- Install Policy Controller.
- Learn how to create a constraint.
- Use the constraint template library provided by Google.
- Find out how to Use CIS Kubernetes Benchmark policy constraints.