Use Anthos Service Mesh security policy constraints
Policy Controller comes with a default library of constraint templates that can be used with the Anthos Service Mesh security bundle to audit the compliance of your mesh security vulnerabilities and best practices.
This bundle of constraints addresses and enforces policies in the following domains:
- Anthos Service Mesh enforce mTLS traffic
- Anthos Service Mesh AuthorizationPolicy best practices
- Anthos Service Mesh workload security enforcement
To take a tutorial that shows you how to utilize this bundle, see Strengthen your app's security with Anthos Service Mesh and Anthos Config Management.
The bundle includes these constraints:
Constraint Name | Constraint Description | Control ID |
---|---|---|
asm-policy-v0.0.1-asm-ingressgateway-label | Enforce the istio ingressgateway label usage only on ingressgateway pods | 1.1.1 |
asm-policy-v0.0.1-asm-sidecar-injection | Enforce the istio proxy sidecar always been injected to workload pods | 1.1.2 |
asm-policy-v0.0.1-asm-authz-policy-mesh-default-deny | Enforce the mesh level default deny AuthorizationPolicy | 1.2.1 |
asm-policy-v0.0.1-asm-authz-policy-normalization | Enforce the AuthorizationPolicy normalization | 1.2.2 |
asm-policy-v0.0.1-asm-authz-policy-safe-pattern | Enforce the AuthorizationPolicy safe patterns | 1.2.3 |
asm-policy-v0.0.1-asm-peer-authn-mesh-strict-mtls | Enforce the mesh level strict mtls PeerAuthentication | 1.3.1 |
asm-policy-v0.0.1-asm-peer-authn-strict-mtls | Enforce all PeerAuthentications cannot overwrite strict mtls | 1.3.2 |
asm-policy-v0.0.1-asm-request-authn-prohibited-output-headers | Enforce the jwtRules outputPayloadToHeader to not contain well known HTTP request headers | 1.4.1 |
Bundle profiles
In the Anthos Service Mesh security policy bundle, you can use two profiles based on the strictness level. Low strictness level has fewer constraints applied, which provides more flexibility. High strictness level has more constraints applied, which provides more secure policy control.
Low strictness level
The low strictness level profile has the following policy constraints:
The label
istio:ingressgateway
can only be used by Istio ingress gateway Pods.In
AuthorizationPolicy
, thehosts
ornotHosts
fields can only be used by selecting Istio ingress gateway which has the labelistio:ingressgateway
.In
AuthorizationPolicy
, when themethods
ornotMethods
fields are used, the values must be uppercase letters.In
AuthorizationPolicy
, when therequest.headers
field is used, the values cannot contain white spaces.In
AuthorizationPolicy
, when thepaths
ornotPaths
fields are used, the values must be normalized values.
High strictness level
The high strictness level includes all of the constraints from the low strictness level as well as the following constraints:
For all workload Pods, annotation
sidecar.istio.io/inject: false
cannot be applied to bypass proxy injection.A mesh level
AuthorizationPolicy
that defines a default deny rule is enforced.The
AuthorizationPolicy
must follow either ALLOW-with-positive-matching or DENY-with-negative-match.In
AuthorizationPolicy
, when thehosts
ornotHosts
fields are used, the values must be pairs of<host-name>
and<host-name>:*
.A mesh level
PeerAuthentication
that defines strict mTLS is enforced.For all
PeerAuthentication
in the mesh, the mTLS mode can only be eitherUNSET
orSTRICT
, to follow strict mTLS.
Bundle settings
KPT setter | Description |
---|---|
strictness-level | Anthos Service Mesh bundle strictness level profile, options are `Low` or `High` (default) |
Before you begin
- Install and initialize the
Google Cloud CLI,
which provides the
gcloud
andkubectl
commands used in these instructions. If you use Cloud Shell, Google Cloud CLI comes pre-installed. - Install Policy Controller on your cluster with the default library of constraint templates. You must also enable support for referential constraints, as this bundle contains referential constraints, which are listed in the overview table.
- Ensure that Anthos Service Mesh is installed on your cluster.
Configure Policy Controller for referential constraints
Save the following YAML manifest as
policycontroller-config.yaml
:apiVersion: config.gatekeeper.sh/v1alpha1 kind: Config metadata: name: config namespace: "gatekeeper-system" spec: sync: syncOnly: - group: "" version: "v1" kind: "Namespace" - group: "security.istio.io" version: "v1beta1" kind: "AuthorizationPolicy" - group: "security.istio.io" version: "v1beta1" kind: "PeerAuthentication"
This manifest configures Policy Controller to watch specific kinds of objects.
Apply the
policycontroller-config.yaml
manifest:kubectl apply -f policycontroller-config.yaml
Audit Anthos Service Mesh Security policies with Policy Controller
Policy Controller lets you enforce policies for your Kubernetes cluster. To help test your workloads and their compliance with regard to the Anthos Service Mesh security policies outlined in the preceding table, you can deploy these constraints in "audit" mode to reveal violations and more importantly give yourself a chance to fix them before enforcing on your Kubernetes cluster.
You can apply these policies with spec.enforcementAction
set to dryrun
using kubectl,
kpt,
or
Config Sync.
kubectl
(Optional) Preview the policy constraints with kubectl:
kubectl kustomize https://github.com/GoogleCloudPlatform/acm-policy-controller-library.git/bundles/asm-policy-v0.0.1
Apply the policy constraints with kubectl:
kubectl apply -k https://github.com/GoogleCloudPlatform/acm-policy-controller-library.git/bundles/asm-policy-v0.0.1
The output is the following:
asmauthzpolicydefaultdeny.constraints.gatekeeper.sh/asm-policy-v0.0.1-asm-authz-policy-mesh-default-deny created asmauthzpolicynormalization.constraints.gatekeeper.sh/asm-policy-v0.0.1-asm-authz-policy-normalization created asmauthzpolicysafepattern.constraints.gatekeeper.sh/asm-policy-v0.0.1-asm-authz-policy-safe-pattern created asmingressgatewaylabel.constraints.gatekeeper.sh/asm-policy-v0.0.1-asm-ingressgateway-label created asmpeerauthnmeshstrictmtls.constraints.gatekeeper.sh/asm-policy-v0.0.1-asm-peer-authn-mesh-strict-mtls created asmpeerauthnstrictmtls.constraints.gatekeeper.sh/asm-policy-v0.0.1-asm-peer-authn-strict-mtls created asmrequestauthnprohibitedoutputheaders.constraints.gatekeeper.sh/asm-policy-v0.0.1-asm-request-authn-prohibited-output-headers created asmsidecarinjection.constraints.gatekeeper.sh/asm-policy-v0.0.1-asm-sidecar-injection created
Verify that policy constraints have been installed and check if violations exist across the cluster:
kubectl get -k https://github.com/GoogleCloudPlatform/acm-policy-controller-library.git/bundles/asm-policy-v0.0.1
The output is similar to the following:
NAME ENFORCEMENT-ACTION TOTAL-VIOLATIONS asmauthzpolicydefaultdeny.constraints.gatekeeper.sh/asm-policy-v0.0.1-asm-authz-policy-mesh-default-deny dryrun 0 NAME ENFORCEMENT-ACTION TOTAL-VIOLATIONS asmauthzpolicynormalization.constraints.gatekeeper.sh/asm-policy-v0.0.1-asm-authz-policy-normalization dryrun 0 NAME ENFORCEMENT-ACTION TOTAL-VIOLATIONS asmauthzpolicysafepattern.constraints.gatekeeper.sh/asm-policy-v0.0.1-asm-authz-policy-safe-pattern dryrun 0 NAME ENFORCEMENT-ACTION TOTAL-VIOLATIONS asmingressgatewaylabel.constraints.gatekeeper.sh/asm-policy-v0.0.1-asm-ingressgateway-label dryrun 0 NAME ENFORCEMENT-ACTION TOTAL-VIOLATIONS asmpeerauthnmeshstrictmtls.constraints.gatekeeper.sh/asm-policy-v0.0.1-asm-peer-authn-mesh-strict-mtls dryrun 0 NAME ENFORCEMENT-ACTION TOTAL-VIOLATIONS asmpeerauthnstrictmtls.constraints.gatekeeper.sh/asm-policy-v0.0.1-asm-peer-authn-strict-mtls dryrun 0 NAME ENFORCEMENT-ACTION TOTAL-VIOLATIONS asmrequestauthnprohibitedoutputheaders.constraints.gatekeeper.sh/asm-policy-v0.0.1-asm-request-authn-prohibited-output-headers dryrun 0 NAME ENFORCEMENT-ACTION TOTAL-VIOLATIONS asmsidecarinjection.constraints.gatekeeper.sh/asm-policy-v0.0.1-asm-sidecar-injection dryrun 0
kpt
Install and setup kpt. kpt is used in these instructions to customize and deploy Kubernetes resources.
Download the Anthos Service Mesh security policy bundle from GitHub using kpt:
kpt pkg get https://github.com/GoogleCloudPlatform/acm-policy-controller-library.git/bundles/asm-policy-v0.0.1
Run the
set-enforcement-action
kpt function to set the policies' enforcement action todryrun
:kpt fn eval asm-policy-v0.0.1 -i gcr.io/kpt-fn/set-enforcement-action:v0.1 \ -- enforcementAction=dryrun
Run the kpt setter function to set Anthos Service Mesh security policies specific fields:
kpt fn eval asm-policy-v0.0.1 --image gcr.io/kpt-fn/apply-setters:v0.2.0 -- \ strictness-level="Low"
Initialize the working directory with kpt, which creates a resource to track changes:
cd asm-policy-v0.0.1 kpt live init
Apply the policy constraints with kpt:
kpt live apply
The output is the following:
asmauthzpolicydefaultdeny.constraints.gatekeeper.sh/asm-authz-policy-mesh-default-deny created asmauthzpolicynormalization.constraints.gatekeeper.sh/asm-authz-policy-normalization created asmauthzpolicysafepattern.constraints.gatekeeper.sh/asm-authz-policy-safe-pattern created asmingressgatewaylabel.constraints.gatekeeper.sh/asm-ingressgateway-label created asmpeerauthnmeshstrictmtls.constraints.gatekeeper.sh/asm-peer-authn-mesh-strict-mtls created asmpeerauthnstrictmtls.constraints.gatekeeper.sh/asm-peer-authn-strict-mtls created asmsidecarinjection.constraints.gatekeeper.sh/asm-sidecar-injection created 7 resource(s) applied. 7 created, 0 unchanged, 0 configured, 0 failed
Verify that policy constraints have been installed and check if violations exist across the cluster:
kpt live status --output table --poll-until current
A status of
CURRENT
confirms successful installation of the constraints.
Config Sync
Install and setup kpt. kpt is used in these instructions to customize and deploy Kubernetes resources.
If you are using Anthos Config Management for the first time, enable Anthos Config Management.
Operators using Config Sync to deploy policies to their clusters can use the following instructions:
Change into the sync directory for Config Sync:
cd SYNC_ROOT_DIR
To create or append
.gitignore
withresourcegroup.yaml
:echo resourcegroup.yaml >> .gitignore
Create a dedicated
policies
directory:mkdir -p policies
Download the Anthos Service Mesh security policy bundle from GitHub using kpt:
kpt pkg get https://github.com/GoogleCloudPlatform/acm-policy-controller-library.git/bundles/asm-policy-v0.0.1 policies/asm-policy-v0.0.1
Run the
set-enforcement-action
kpt function to set the policies' enforcement action todryrun
:kpt fn eval policies/asm-policy-v0.0.1 -i gcr.io/kpt-fn/set-enforcement-action:v0.1 -- enforcementAction=dryrun
Run the kpt setter function to set Anthos Service Mesh security policies specific fields:
kpt fn eval policies/asm-policy-v0.0.1 --image gcr.io/kpt-fn/apply-setters:v0.2.0 -- \ strictness-level="Low"
(Optional) Preview the policy constraints to be created:
kpt live init policies/asm-policy-v0.0.1 kpt live apply --dry-run policies/asm-policy-v0.0.1
The output is the following:
Dry-run strategy: client inventory update started inventory update finished apply phase started asmauthzpolicydefaultdeny.constraints.gatekeeper.sh/asm-policy-v0.0.1-asm-authz-policy-mesh-default-deny apply successful asmauthzpolicynormalization.constraints.gatekeeper.sh/asm-policy-v0.0.1-asm-authz-policy-normalization apply successful asmauthzpolicysafepattern.constraints.gatekeeper.sh/asm-policy-v0.0.1-asm-authz-policy-safe-pattern apply successful asmingressgatewaylabel.constraints.gatekeeper.sh/asm-policy-v0.0.1-asm-ingressgateway-label apply successful asmpeerauthnmeshstrictmtls.constraints.gatekeeper.sh/asm-policy-v0.0.1-asm-peer-authn-mesh-strict-mtls apply successful asmpeerauthnstrictmtls.constraints.gatekeeper.sh/asm-policy-v0.0.1-asm-peer-authn-strict-mtls apply successful asmrequestauthnprohibitedoutputheaders.constraints.gatekeeper.sh/asm-policy-v0.0.1-asm-request-authn-prohibited-output-headers apply successful asmsidecarinjection.constraints.gatekeeper.sh/asm-policy-v0.0.1-asm-sidecar-injection apply successful apply phase finished inventory update started inventory update finished apply result: 8 attempted, 8 successful, 0 skipped, 0 failed
If your sync directory for Config Sync uses Kustomize, add
policies/asm-policy-v0.0.1
to your rootkustomization.yaml
. Otherwise remove thepolicies/asm-policy-v0.0.1/kustomization.yaml
file:rm SYNC_ROOT_DIR/policies/asm-policy-v0.0.1/kustomization.yaml
Push changes to the Config Sync repo:
git add SYNC_ROOT_DIR/policies/asm-policy-v0.0.1 git commit -m 'Adding ASM security policy audit enforcement' git push
Verify the status of the installation:
watch gcloud beta container fleet config-management status --project PROJECT_ID
A status of
SYNCED
confirms the installation of the policies.
View policy violations
Once the policy constraints are installed in audit mode, violations on the cluster can be viewed in the UI using the Policy Controller Dashboard.
You can also use kubectl
to view violations on the cluster using the following command:
kubectl get constraint -l policycontroller.gke.io/bundleName=asm-policy-v0.0.1 -o json | jq -cC '.items[]| [.metadata.name,.status.totalViolations]'
If violations are present, a listing of the violation messages per constraint can be viewed with:
kubectl get constraint -l policycontroller.gke.io/bundleName=asm-policy-v0.0.1 -o json | jq -C '.items[]| select(.status.totalViolations>0)| [.metadata.name,.status.violations[]?]'
Enforce Anthos Service Mesh security policies
Once you've reviewed policy violations on your cluster, the next step is to enforce these policies so that the Admission Controller blocks any non-compliant resource from getting applied to the cluster.
kubectl
Use kubectl to set the policies' enforcement action to
deny
:kubectl get constraint -l policycontroller.gke.io/bundleName=asm-policy-v0.0.1 -o json | jq '.items[].spec.enforcementAction="deny"' | kubectl apply -f -
Verify that policy constraints enforcement action have been updated:
kubectl get -k https://github.com/GoogleCloudPlatform/acm-policy-controller-library.git/bundles/asm-policy-v0.0.1
kpt
Run the
set-enforcement-action
kpt function to set the policies' enforcement action todeny
:kpt fn eval -i gcr.io/kpt-fn/set-enforcement-action:v0.1 -- enforcementAction=deny
Apply the policy constraints:
kpt live apply
Config Sync
Operators using Config Sync to deploy policies to their clusters can use the following instructions:
Change into the sync directory for Config Sync:
cd SYNC_ROOT_DIR
Run the
set-enforcement-action
kpt function to set the policies' enforcement action todeny
:kpt fn eval policies/asm-policy-v0.0.1 -i gcr.io/kpt-fn/set-enforcement-action:v0.1 -- enforcementAction=deny
Push changes to the Config Sync repo:
git add SYNC_ROOT_DIR/policies/asm-policy-v0.0.1 git commit -m 'Enforcing ASM security policies' git push
Verify the status of the installation:
gcloud alpha anthos config sync repo list --project PROJECT_ID
Your repo showing up in the
SYNCED
column confirms the installation of the policies.
Test policy enforcement
Perform a quick test to confirm the policy enforcement and blocking of non-compliant resources on the cluster.
Create a non-compliant resource on the cluster using the following command:
cat <<EOF | kubectl apply -f -
apiVersion: security.istio.io/v1beta1
kind: AuthorizationPolicy
metadata:
name: non-compliant-authz-policy
spec:
action: ALLOW
rules:
- to:
- operation:
methods: ["get"]
EOF
The admission controller should produce an error listing out the policy violations that this resource violates, as shown in the following example::
Error from server (Forbidden): error when creating "STDIN": admission webhook "validation.gatekeeper.sh" denied the request: [asm-policy-v0.0.1-asm-authz-policy-normalization] in rules-to-operation, methods or notMethods must be uppercase
Remove Anthos Service Mesh policies
If needed, the Anthos Service Mesh policies can be removed from the cluster.
kubectl
Use kubectl to remove the policies:
kubectl delete constraint -l policycontroller.gke.io/bundleName=asm-policy-v0.0.1
kpt
Remove the policies:
kpt live destroy
Config Sync
Operators using Config Sync to deploy policies to their clusters can use the following instructions:
Push changes to the Config Sync repo:
git rm -r SYNC_ROOT_DIR/policies/asm-policy-v0.0.1 git commit -m 'Removing Anthos Service Mesh policies' git push
Verify the status:
gcloud alpha anthos config sync repo list --project PROJECT_ID
Your repo showing up in the
SYNCED
column confirms the removal of the policies.