Use Anthos Service Mesh security policy constraints
Policy Controller comes with a default library of constraint templates that can be used with the Anthos Service Mesh security bundle to audit the compliance of your mesh security vulnerabilities and best practices.
This bundle of constraints addresses and enforces policies in the following domains:
- Anthos Service Mesh enforce mTLS traffic
- Anthos Service Mesh AuthorizationPolicy best practices
- Anthos Service Mesh workload security enforcement
To take a tutorial that shows you how to utilize this bundle, see Strengthen your app's security with Anthos Service Mesh and Anthos Config Management.
The bundle includes these constraints:
Constraint | Control ID | Description |
---|---|---|
asm-ingressgateway-label | 1.1.1 | Enforce the istio ingressgateway label usage only on ingressgateway pods |
asm-sidecar-injection | 1.1.2 | Enforce the istio proxy sidecar always been injected to workload pods |
asm-authz-policy-mesh-default-deny | 1.2.1 | Enforce the mesh level default deny AuthorizationPolicy |
asm-authz-policy-normalization | 1.2.2 | Enforce the AuthorizationPolicy normalization |
asm-authz-policy-safe-pattern | 1.2.3 | Enforce the AuthorizationPolicy safe patterns |
asm-peer-authn-mesh-strict-mtls | 1.3.1 | Enforce the mesh level strict mtls PeerAuthentication |
asm-peer-authn-strict-mtls | 1.3.2 | Enforce all PeerAuthentications cannot overwrite strict mtls |
Bundle profiles
In the Anthos Service Mesh security policy bundle, you can use two profiles based on the strictness level. Low strictness level has fewer constraints applied, which provides more flexibility. High strictness level has more constraints applied, which provides more secure policy control.
Low strictness level
The low strictness level profile has the following policy constraints:
The label
istio:ingressgateway
can only be used by Istio ingress gateway Pods.In
AuthorizationPolicy
, thehosts
ornotHosts
fields can only be used by selecting Istio ingress gateway which has the labelistio:ingressgateway
.In
AuthorizationPolicy
, when themethods
ornotMethods
fields are used, the values must be uppercase letters.In
AuthorizationPolicy
, when therequest.headers
field is used, the values cannot contain white spaces.In
AuthorizationPolicy
, when thepaths
ornotPaths
fields are used, the values must be normalized values.
High strictness level
The high strictness level includes all of the constraints from the low strictness level as well as the following constraints:
For all workload Pods, annotation
sidecar.istio.io/inject: false
cannot be applied to bypass proxy injection.A mesh level
AuthorizationPolicy
that defines a default deny rule is enforced.The
AuthorizationPolicy
must follow either ALLOW-with-positive-matching or DENY-with-negative-match.In
AuthorizationPolicy
, when thehosts
ornotHosts
fields are used, the values must be pairs of<host-name>
and<host-name>:*
.A mesh level
PeerAuthentication
that defines strict mTLS is enforced.For all
PeerAuthentication
in the mesh, the mTLS mode can only be eitherUNSET
orSTRICT
, to follow strict mTLS.
Bundle settings
KPT setter | Description |
---|---|
strictness-level | Anthos Service Mesh bundle strictness level profile, options: "High", "Low"(default) |
Before you begin
- Install and initialize the
Google Cloud CLI,
which provides the
gcloud
andkubectl
commands used in these instructions. If you use Cloud Shell, Google Cloud CLI comes pre-installed. - Install and setup kpt. kpt is used in these instructions to customize and deploy Kubernetes resources.
- If you are using Anthos Config Management for the first time, enable
Anthos Config Management, the security policy templates
are available from version
1.11.0
. - Create, or make sure you have access to, a cluster running Kubernetes version of 1.14.x or later with Policy Controller installed on the cluster. For details on Policy Controller installation refer to Install Policy Controller.
Audit Anthos Service Mesh Security policies with Policy Controller
Policy Controller lets you enforce policies for your Kubernetes cluster. To help test your workloads and their compliance with regard to the Anthos Service Mesh security policies outlined in the preceding table, you can deploy these constraints in "audit" mode to reveal violations and more importantly give yourself a chance to fix them before enforcing on your Kubernetes cluster.
You can apply these policies with spec.enforcementAction
set to dryrun
using
kpt
or
Config Sync.
kpt
Download the Anthos Service Mesh security policy bundle from GitHub using kpt:
kpt pkg get https://github.com/GoogleCloudPlatform/acm-policy-controller-library.git/bundles/asm-policy-v0.0.1
Run the
set-enforcement-action
kpt function to set the policies' enforcement action todryrun
:kpt fn eval asm-policy-v0.0.1 -i gcr.io/kpt-fn/set-enforcement-action:v0.1 \ -- enforcementAction=dryrun
Run the kpt setter function to set Anthos Service Mesh security policies specific fields:
kpt fn eval asm-policy-v0.0.1 --image gcr.io/kpt-fn/apply-setters:v0.2.0 -- \ strictness-level="Low"
Initialize the working directory with kpt, which creates a resource to track changes:
cd asm-policy-v0.0.1 kpt live init
Apply the policy constraints with kpt:
kpt live apply
The output is the following:
asmauthzpolicydefaultdeny.constraints.gatekeeper.sh/asm-authz-policy-mesh-default-deny created asmauthzpolicynormalization.constraints.gatekeeper.sh/asm-authz-policy-normalization created asmauthzpolicysafepattern.constraints.gatekeeper.sh/asm-authz-policy-safe-pattern created asmingressgatewaylabel.constraints.gatekeeper.sh/asm-ingressgateway-label created asmpeerauthnmeshstrictmtls.constraints.gatekeeper.sh/asm-peer-authn-mesh-strict-mtls created asmpeerauthnstrictmtls.constraints.gatekeeper.sh/asm-peer-authn-strict-mtls created asmsidecarinjection.constraints.gatekeeper.sh/asm-sidecar-injection created 7 resource(s) applied. 7 created, 0 unchanged, 0 configured, 0 failed
Verify that policy constraints have been installed and check if violations exist across the cluster:
kpt live status --output table --poll-until current
A status of
CURRENT
confirms successful installation of the constraints.
Config Sync
Operators using Config Sync to deploy policies to their clusters can use the following instructions:
Change into the sync directory for Config Sync:
cd SYNC_ROOT_DIR
Download the Anthos Service Mesh security policy bundle from GitHub using kpt:
kpt pkg get git@github.com:GoogleCloudPlatform/acm-policy-controller-library.git/bundles/asm-policy-v0.0.1 policy/asm
Run the
set-enforcement-action
kpt function to set the policies' enforcement action todryrun
:kpt fn eval policy/asm/asm-policy-v0.0.1 -i gcr.io/kpt-fn/set-enforcement-action:v0.1 -- enforcementAction=dryrun
Run the kpt setter function to set Anthos Service Mesh security policies specific fields:
kpt fn eval policy/asm/asm-policy-v0.0.1 --image gcr.io/kpt-fn/apply-setters:v0.2.0 -- \ strictness-level="Low"
Preview the policy constraints that will be created:
kpt live init policy/asm/asm-policy-v0.0.1 kpt live apply --dry-run policy/asm/asm-policy-v0.0.1
The output is the following:
Dry-run strategy: client asmauthzpolicydefaultdeny.constraints.gatekeeper.sh/asm-authz-policy-mesh-default-deny created asmauthzpolicynormalization.constraints.gatekeeper.sh/asm-authz-policy-normalization created asmauthzpolicysafepattern.constraints.gatekeeper.sh/asm-authz-policy-safe-pattern created asmingressgatewaylabel.constraints.gatekeeper.sh/asm-ingressgateway-label created asmpeerauthnmeshstrictmtls.constraints.gatekeeper.sh/asm-peer-authn-mesh-strict-mtls created asmpeerauthnstrictmtls.constraints.gatekeeper.sh/asm-peer-authn-strict-mtls created asmsidecarinjection.constraints.gatekeeper.sh/asm-sidecar-injection created 7 resource(s) applied. 7 created, 0 unchanged, 0 configured, 0 failed
Push changes to the Config Sync repo:
git add SYNC_ROOT_DIR/policy/asm git commit -m 'Adding ASM security policy audit enforcement' git push
Verify the status of the installation:
watch gcloud beta container hub config-management status --project PROJECT_ID
A status of
SYNCED
confirms the installation of the policies.
View policy violations
Once the policy constraints are installed in audit mode, violations on the cluster can be viewed using the following command:
kubectl get constraint -o json | jq -cC '.items[]| [.kind,.status.totalViolations]'
If you prefer to view the violations in Cloud Logging, go to the Logs Explorer page.
Use the following filters in the Query editor to monitor the violations logs:
resource.type="k8s_container" resource.labels.location=CLUSTER_LOCATION resource.labels.namespace_name="gatekeeper-system" resource.labels.pod_name:"gatekeeper-audit-" jsonPayload.process: "audit" jsonPayload.event_type: "violation_audited" jsonPayload.constraint_name:* jsonPayload.constraint_namespace:*
Enforce Anthos Service Mesh security policies
Once you've reviewed policy violations on your cluster, the next step is to enforce these policies so that the Admission Controller blocks any non-compliant resource from getting applied to the cluster.
kpt
Run the
set-enforcement-action
kpt function to set the policies' enforcement action todeny
:kpt fn eval -i gcr.io/kpt-fn/set-enforcement-action:v0.1 -- enforcementAction=deny
Apply the policy constraints:
kpt live apply
Config Sync
Operators using Config Sync to deploy policies to their clusters can use the following instructions:
Change into the sync directory for Config Sync:
cd SYNC_ROOT_DIR
Run the
set-enforcement-action
kpt function to set the policies' enforcement action todeny
:kpt fn eval policy/asm/asm-policy-v0.0.1 -i gcr.io/kpt-fn/set-enforcement-action:v0.1 -- enforcementAction=deny
Push changes to the Config Sync repo:
git add SYNC_ROOT_DIR/policy/asm git commit -m 'Enforcing ASM security policies' git push
Verify the status of the installation:
gcloud alpha anthos config sync repo list --project PROJECT_ID
Your repo showing up in the
SYNCED
column confirms the installation of the policies.
Test policy enforcement
Perform a quick test to confirm the policy enforcement and blocking of non-compliant resources on the cluster.
Create a non-compliant resource on the cluster using the following command:
cat <<EOF | kubectl apply -f -
apiVersion: security.istio.io/v1beta1
kind: AuthorizationPolicy
metadata:
name: non-compliant-authz-policy
spec:
action: ALLOW
rules:
- to:
- operation:
methods: ["get"]
EOF
The admission controller should produce an error listing out the policy violations that this resource violates, as shown in the following example::
Error from server (Forbidden): error when creating "STDIN": admission webhook "validation.gatekeeper.sh" denied the request: [asm-authz-policy-normalization] in rules-to-operation, methods or notMethods must be uppercase