Use Anthos Service Mesh security policy constraints

Policy Controller comes with a default library of constraint templates that can be used with the Anthos Service Mesh security bundle to audit the compliance of your mesh security vulnerabilities and best practices.

This bundle of constraints addresses and enforces policies in the following domains:

  • Anthos Service Mesh enforce mTLS traffic
  • Anthos Service Mesh AuthorizationPolicy best practices
  • Anthos Service Mesh workload security enforcement

To take a tutorial that shows you how to utilize this bundle, see Strengthen your app's security with Anthos Service Mesh and Anthos Config Management.

The bundle includes these constraints:

Constraint Control ID Description
asm-ingressgateway-label 1.1.1 Enforce the istio ingressgateway label usage only on ingressgateway pods
asm-sidecar-injection 1.1.2 Enforce the istio proxy sidecar always been injected to workload pods
asm-authz-policy-mesh-default-deny 1.2.1 Enforce the mesh level default deny AuthorizationPolicy
asm-authz-policy-normalization 1.2.2 Enforce the AuthorizationPolicy normalization
asm-authz-policy-safe-pattern 1.2.3 Enforce the AuthorizationPolicy safe patterns
asm-peer-authn-mesh-strict-mtls 1.3.1 Enforce the mesh level strict mtls PeerAuthentication
asm-peer-authn-strict-mtls 1.3.2 Enforce all PeerAuthentications cannot overwrite strict mtls

Bundle profiles

In the Anthos Service Mesh security policy bundle, you can use two profiles based on the strictness level. Low strictness level has fewer constraints applied, which provides more flexibility. High strictness level has more constraints applied, which provides more secure policy control.

Low strictness level

The low strictness level profile has the following policy constraints:

  • The label istio:ingressgateway can only be used by Istio ingress gateway Pods.

  • In AuthorizationPolicy, the hosts or notHosts fields can only be used by selecting Istio ingress gateway which has the label istio:ingressgateway.

  • In AuthorizationPolicy, when the methods or notMethods fields are used, the values must be uppercase letters.

  • In AuthorizationPolicy, when the request.headers field is used, the values cannot contain white spaces.

  • In AuthorizationPolicy, when the paths or notPaths fields are used, the values must be normalized values.

High strictness level

The high strictness level includes all of the constraints from the low strictness level as well as the following constraints:

  • For all workload Pods, annotation sidecar.istio.io/inject: false cannot be applied to bypass proxy injection.

  • A mesh level AuthorizationPolicy that defines a default deny rule is enforced.

  • The AuthorizationPolicy must follow either ALLOW-with-positive-matching or DENY-with-negative-match.

  • In AuthorizationPolicy, when the hosts or notHosts fields are used, the values must be pairs of <host-name> and <host-name>:*.

  • A mesh level PeerAuthentication that defines strict mTLS is enforced.

  • For all PeerAuthentication in the mesh, the mTLS mode can only be either UNSET or STRICT, to follow strict mTLS.

Bundle settings

KPT setter Description
strictness-level Anthos Service Mesh bundle strictness level profile, options: "High", "Low"(default)

Before you begin

  1. Install and initialize the Google Cloud CLI, which provides the gcloud and kubectl commands used in these instructions. If you use Cloud Shell, Google Cloud CLI comes pre-installed.
  2. Install and setup kpt. kpt is used in these instructions to customize and deploy Kubernetes resources.
  3. If you are using Anthos Config Management for the first time, enable Anthos Config Management, the security policy templates are available from version 1.11.0.
  4. Create, or make sure you have access to, a cluster running Kubernetes version of 1.14.x or later with Policy Controller installed on the cluster. For details on Policy Controller installation refer to Install Policy Controller.

Audit Anthos Service Mesh Security policies with Policy Controller

Policy Controller lets you enforce policies for your Kubernetes cluster. To help test your workloads and their compliance with regard to the Anthos Service Mesh security policies outlined in the preceding table, you can deploy these constraints in "audit" mode to reveal violations and more importantly give yourself a chance to fix them before enforcing on your Kubernetes cluster.

You can apply these policies with spec.enforcementAction set to dryrun using kpt or Config Sync.

kpt

  1. Download the Anthos Service Mesh security policy bundle from GitHub using kpt:

    kpt pkg get https://github.com/GoogleCloudPlatform/acm-policy-controller-library.git/bundles/asm-policy-v0.0.1

  2. Run the set-enforcement-action kpt function to set the policies' enforcement action to dryrun:

    kpt fn eval asm-policy-v0.0.1 -i gcr.io/kpt-fn/set-enforcement-action:v0.1 \
  -- enforcementAction=dryrun

  3. Run the kpt setter function to set Anthos Service Mesh security policies specific fields:

    kpt fn eval asm-policy-v0.0.1 --image gcr.io/kpt-fn/apply-setters:v0.2.0 -- \
strictness-level="Low"

  4. Initialize the working directory with kpt, which creates a resource to track changes:

    cd asm-policy-v0.0.1
kpt live init

  5. Apply the policy constraints with kpt:

    kpt live apply

    The output is the following:

    asmauthzpolicydefaultdeny.constraints.gatekeeper.sh/asm-authz-policy-mesh-default-deny created
asmauthzpolicynormalization.constraints.gatekeeper.sh/asm-authz-policy-normalization created
asmauthzpolicysafepattern.constraints.gatekeeper.sh/asm-authz-policy-safe-pattern created
asmingressgatewaylabel.constraints.gatekeeper.sh/asm-ingressgateway-label created
asmpeerauthnmeshstrictmtls.constraints.gatekeeper.sh/asm-peer-authn-mesh-strict-mtls created
asmpeerauthnstrictmtls.constraints.gatekeeper.sh/asm-peer-authn-strict-mtls created
asmsidecarinjection.constraints.gatekeeper.sh/asm-sidecar-injection created
7 resource(s) applied. 7 created, 0 unchanged, 0 configured, 0 failed

  6. Verify that policy constraints have been installed and check if violations exist across the cluster:

    kpt live status --output table --poll-until current

    A status of CURRENT confirms successful installation of the constraints.

Config Sync

Operators using Config Sync to deploy policies to their clusters can use the following instructions:

  1. Change into the sync directory for Config Sync:

    cd SYNC_ROOT_DIR

  2. Download the Anthos Service Mesh security policy bundle from GitHub using kpt:

    kpt pkg get git@github.com:GoogleCloudPlatform/acm-policy-controller-library.git/bundles/asm-policy-v0.0.1 policy/asm

  3. Run the set-enforcement-action kpt function to set the policies' enforcement action to dryrun:

    kpt fn eval policy/asm/asm-policy-v0.0.1 -i gcr.io/kpt-fn/set-enforcement-action:v0.1 -- enforcementAction=dryrun

  4. Run the kpt setter function to set Anthos Service Mesh security policies specific fields:

    kpt fn eval policy/asm/asm-policy-v0.0.1 --image gcr.io/kpt-fn/apply-setters:v0.2.0 -- \
strictness-level="Low"

  5. Preview the policy constraints that will be created:

    kpt live init policy/asm/asm-policy-v0.0.1
kpt live apply --dry-run policy/asm/asm-policy-v0.0.1

    The output is the following:

    Dry-run strategy: client
asmauthzpolicydefaultdeny.constraints.gatekeeper.sh/asm-authz-policy-mesh-default-deny created
asmauthzpolicynormalization.constraints.gatekeeper.sh/asm-authz-policy-normalization created
asmauthzpolicysafepattern.constraints.gatekeeper.sh/asm-authz-policy-safe-pattern created
asmingressgatewaylabel.constraints.gatekeeper.sh/asm-ingressgateway-label created
asmpeerauthnmeshstrictmtls.constraints.gatekeeper.sh/asm-peer-authn-mesh-strict-mtls created
asmpeerauthnstrictmtls.constraints.gatekeeper.sh/asm-peer-authn-strict-mtls created
asmsidecarinjection.constraints.gatekeeper.sh/asm-sidecar-injection created
7 resource(s) applied. 7 created, 0 unchanged, 0 configured, 0 failed

  6. Push changes to the Config Sync repo:

    git add SYNC_ROOT_DIR/policy/asm
git commit -m 'Adding ASM security policy audit enforcement'
git push

  7. Verify the status of the installation:

    watch gcloud beta container hub config-management status --project PROJECT_ID

    A status of SYNCED confirms the installation of the policies.

View policy violations

Once the policy constraints are installed in audit mode, violations on the cluster can be viewed using the following command:

kubectl get constraint -o json | jq -cC '.items[]| [.kind,.status.totalViolations]'

If you prefer to view the violations in Cloud Logging, go to the Logs Explorer page.

Go to Logs Explorer

Use the following filters in the Query editor to monitor the violations logs:

resource.type="k8s_container"
resource.labels.location=CLUSTER_LOCATION
resource.labels.namespace_name="gatekeeper-system"
resource.labels.pod_name:"gatekeeper-audit-"
jsonPayload.process: "audit"
jsonPayload.event_type: "violation_audited"
jsonPayload.constraint_name:*
jsonPayload.constraint_namespace:*

Enforce Anthos Service Mesh security policies

Once you've reviewed policy violations on your cluster, the next step is to enforce these policies so that the Admission Controller blocks any non-compliant resource from getting applied to the cluster.

kpt

  1. Run the set-enforcement-action kpt function to set the policies' enforcement action to deny:

    kpt fn eval -i gcr.io/kpt-fn/set-enforcement-action:v0.1 -- enforcementAction=deny

  2. Apply the policy constraints:

    kpt live apply

Config Sync

Operators using Config Sync to deploy policies to their clusters can use the following instructions:

  1. Change into the sync directory for Config Sync:

    cd SYNC_ROOT_DIR

  2. Run the set-enforcement-action kpt function to set the policies' enforcement action to deny:

    kpt fn eval policy/asm/asm-policy-v0.0.1 -i gcr.io/kpt-fn/set-enforcement-action:v0.1 -- enforcementAction=deny

  3. Push changes to the Config Sync repo:

    git add SYNC_ROOT_DIR/policy/asm
git commit -m 'Enforcing ASM security policies'
git push

  4. Verify the status of the installation:

    gcloud alpha anthos config sync repo list --project PROJECT_ID

    Your repo showing up in the SYNCED column confirms the installation of the policies.

Test policy enforcement

Perform a quick test to confirm the policy enforcement and blocking of non-compliant resources on the cluster.

Create a non-compliant resource on the cluster using the following command:

cat <<EOF | kubectl apply -f -
apiVersion: security.istio.io/v1beta1
kind: AuthorizationPolicy
metadata:
  name: non-compliant-authz-policy
spec:
  action: ALLOW
  rules:
  - to:
    - operation:
        methods: ["get"]
EOF

The admission controller should produce an error listing out the policy violations that this resource violates, as shown in the following example::

Error from server (Forbidden): error when creating "STDIN":
admission webhook "validation.gatekeeper.sh" denied the request:
[asm-authz-policy-normalization] in rules-to-operation, methods or notMethods must be uppercase