Use CIS Google Kubernetes Engine Benchmark v1.4.0 policy constraints

Policy Controller comes with a default library of constraint templates that can be used with the Center for Internet Security (CIS) GKE v1.4.0 policy bundle to help audit the compliance of your GKE on Google Cloud cluster against the CIS Google Kubernetes Engine (GKE) Benchmarks v1.4.0. This benchmark is a set of recommended security controls for configuring GKE.

This bundle of constraints includes controls in the following domains:

  • RBAC and service accounts
  • Pod Security Policies
  • Network policies and CNI
  • Secrets management
  • Extensible Admission Control
  • General policies
  • Managed Services

CIS GKE v1.4.0 policy bundle constraints

Constraint Name Constraint Description Control IDs
cis-gke-v1.4.0-restrict-apparmor Restricts the AppArmor profile for Pods. 4.6.3
cis-gke-v1.4.0-restrict-creation-with-default-serviceaccount Restrict resource creation using a default ServiceAccount. 4.1.5
cis-gke-v1.4.0-restrict-loadbalancer Disallows all services with type LoadBalancer. 5.6.8
cis-gke-v1.4.0-restrict-secrets-of-type-basic-auth Restricts the use of basic-auth type secrets. 4.4.2
cis-gke-v1.4.0-require-binauthz Requires the Binary Authorization Validating Admission Webhook. 4.5.1, 5.1.1, 5.1.4, 5.10.5
cis-gke-v1.4.0-require-cos-node-image Requires Container-Optimized OS as the node OS image. 5.5.1
cis-gke-v1.4.0-require-gke-metadata-server-enabled Requires the GKE Metadata Service is enabled on each node in the cluster. 5.4.2
cis-gke-v1.4.0-require-ingress.class-gce Requires that all Ingress objects have a kubernetes.io/ingress.class: gce annotation. 5.6.8
cis-gke-v1.4.0-require-managed-certificates Requires that all Ingress objects have a networking.gke.io/managed-certificates annotation. 5.6.8
cis-gke-v1.4.0-require-namespace-networkpolicy Requires that every Namespace defined in the cluster has a NetworkPolicy. 4.3.2
cis-gke-v1.4.0-require-seccomp-default Requires that all Ingress objects have a networking.gke.io/managed-certificates annotation. 4.6.2
cis-gke-v1.4.0-require-securitycontext Requires that pods define securityContext. 4.6.3
cis-gke-v1.4.0-restrict-capabilities Containers must drop all capabilities, and are not permitted to add back any capabilities. 4.2.7, 4.2.8, 4.6.3, 5.10.3
cis-gke-v1.4.0-restrict-cluster-admin-role Restricts the use of the cluster-admin role. 4.1.1
cis-gke-v1.4.0-restrict-default-namespace Restricts pods from using the default Namespace. 4.6.1, 4.6.4
cis-gke-v1.4.0-restrict-env-var-secrets Restricts the use of secrets as environment variables in container definitions. 4.4.1
cis-gke-v1.4.0-restrict-host-namespace Restricts containers with hostPID or hostIPC set to true. 4.2.2, 4.2.3, 5.10.3
cis-gke-v1.4.0-restrict-hostnetwork Restricts containers from running with the hostNetwork flag set to true. 4.2.4, 5.10.3
cis-gke-v1.4.0-restrict-pods-create Restricts the creation of pods in Roles and ClusterRoles. 4.1.4
cis-gke-v1.4.0-restrict-privilege-escalation Restricts containers with allowPrivilegeEscalation set to true. 4.2.5, 5.10.3
cis-gke-v1.4.0-restrict-privileged-containers Restricts containers with securityContext.privileged set to true. 4.2.1, 5.10.3
cis-gke-v1.4.0-restrict-rbac-subjects Restricts the use of names in RBAC subjects to permitted values. 5.8.3
cis-gke-v1.4.0-restrict-role-wildcards Restricts the use of wildcards in Roles and ClusterRoles. 4.1.3
cis-gke-v1.4.0-restrict-root-containers Restricts containers from running as the root user. 4.2.6, 5.10.3
cis-gke-v1.4.0-restrict-role-secrets Restricts the use of secrets in Roles and ClusterRoles. 4.1.2
cis-gke-v1.4.0-restrict-automountserviceaccounttoken Restricts the use of service account tokens for pods. 4.1.5, 4.1.6
cis-gke-v1.4.0-restrict-selinux Cannot set the SELinux type or set a custom SELinux user or role option. 4.6.3

Before you begin

  1. Install and initialize the Google Cloud CLI, which provides the gcloud and kubectl commands used in these instructions. If you use Cloud Shell, Google Cloud CLI comes pre-installed.
  2. Install Policy Controller on your cluster with the default library of constraint templates. You must also enable support for referential constraints, as this bundle contains referential constraints.

Configure Policy Controller for referential constraints

  1. Save the following YAML manifest to a file as policycontroller-config.yaml. The manifest configures Policy Controller to watch specific kinds of objects.

    apiVersion: config.gatekeeper.sh/v1alpha1
    kind: Config
    metadata:
      name: config
      namespace: "gatekeeper-system"
    spec:
      sync:
        syncOnly:
          - group: "admissionregistration.k8s.io"
            version: "v1"
            kind: "ValidatingWebhookConfiguration"
          - group: "networking.k8s.io"
            version: "v1"
            kind: "NetworkPolicy"
    
  2. Apply the policycontroller-config.yaml manifest:

    kubectl apply -f policycontroller-config.yaml
    

Configure your cluster and workload

  1. Enablement and configuration of Google Groups for RBAC is required in cis-gke-v1.4.0-restrict-rbac-subjects.
  2. Enablement and configuration of Binary Authorization is required in cis-gke-v1.4.0-require-binauthz.

Audit CIS GKE v1.4.0 policies with Policy Controller

Policy Controller lets you enforce policies for your Kubernetes cluster. To help test your workloads and their compliance with regard to the CIS GKE v1.4.0 policies outlined in the preceding table, you can deploy these constraints in "audit" mode to reveal and address violations.

You can apply these policies with spec.enforcementAction set to dryrun using kubectl, kpt, or Config Sync.

kubectl

  1. (Optional) Preview the policy constraints with kubectl:

    kubectl kustomize https://github.com/GoogleCloudPlatform/gke-policy-library.git/anthos-bundles/cis-gke-v1.4.0
    
  2. Apply the policy constraints with kubectl:

    kubectl apply -k https://github.com/GoogleCloudPlatform/gke-policy-library.git/anthos-bundles/cis-gke-v1.4.0
    

    The output is the following:

    k8sblockcreationwithdefaultserviceaccount.constraints.gatekeeper.sh/cis-gke-v1.4.0-restrict-creation-with-default-serviceaccount created
    k8sblockloadbalancer.constraints.gatekeeper.sh/cis-gke-v1.4.0-restrict-loadbalancer created
    k8sblockobjectsoftype.constraints.gatekeeper.sh/cis-gke-v1.4.0-restrict-secrets-of-type-basic-auth created
    k8snoenvvarsecrets.constraints.gatekeeper.sh/cis-gke-v1.4.0-restrict-env-var-secrets created
    k8spspallowprivilegeescalationcontainer.constraints.gatekeeper.sh/cis-gke-v1.4.0-restrict-privilege-escalation created
    k8spspallowedusers.constraints.gatekeeper.sh/cis-gke-v1.4.0-restrict-root-containers created
    k8spspapparmor.constraints.gatekeeper.sh/cis-gke-v1.4.0-restrict-apparmor created
    k8spspcapabilities.constraints.gatekeeper.sh/cis-gke-v1.4.0-restrict-capabilities created
    k8spsphostnamespace.constraints.gatekeeper.sh/cis-gke-v1.4.0-restrict-host-namespace created
    k8spsphostnetworkingports.constraints.gatekeeper.sh/cis-gke-v1.4.0-restrict-hostnetwork created
    k8spspprivilegedcontainer.constraints.gatekeeper.sh/cis-gke-v1.4.0-restrict-privileged-containers created
    k8spspselinuxv2.constraints.gatekeeper.sh/cis-gke-v1.4.0-restrict-selinux created
    k8spspseccomp.constraints.gatekeeper.sh/cis-gke-v1.4.0-require-seccomp-default created
    k8spodsrequiresecuritycontext.constraints.gatekeeper.sh/cis-gke-v1.4.0-require-securitycontext created
    k8sprohibitrolewildcardaccess.constraints.gatekeeper.sh/cis-gke-v1.4.0-restrict-role-wildcards created
    k8srequirebinauthz.constraints.gatekeeper.sh/cis-gke-v1.4.0-require-binauthz created
    k8srequirecosnodeimage.constraints.gatekeeper.sh/cis-gke-v1.4.0-require-cos-node-image created
    k8srequirenamespacenetworkpolicies.constraints.gatekeeper.sh/cis-gke-v1.4.0-require-namespace-networkpolicy created
    k8srequiredannotations.constraints.gatekeeper.sh/cis-gke-v1.4.0-require-ingress.class-gce created
    k8srequiredannotations.constraints.gatekeeper.sh/cis-gke-v1.4.0-require-managed-certificates created
    k8srequiredlabels.constraints.gatekeeper.sh/cis-gke-v1.4.0-require-gke-metadata-server-enabled created
    k8srestrictautomountserviceaccounttokens.constraints.gatekeeper.sh/cis-gke-v1.4.0-restrict-automountserviceaccounttoken created
    k8srestrictnamespaces.constraints.gatekeeper.sh/cis-gke-v1.4.0-restrict-default-namespace created
    k8srestrictrbacsubjects.constraints.gatekeeper.sh/cis-gke-v1.4.0-restrict-rbac-subjects created
    k8srestrictrolebindings.constraints.gatekeeper.sh/cis-gke-v1.4.0-restrict-cluster-admin-role created
    k8srestrictrolerules.constraints.gatekeeper.sh/cis-gke-v1.4.0-restrict-pods-create created
    k8srestrictrolerules.constraints.gatekeeper.sh/cis-gke-v1.4.0-restrict-role-secrets created
    
  3. Verify that policy constraints have been installed and check if violations exist across the cluster:

    kubectl get constraints -l policycontroller.gke.io/bundleName=cis-gke-v1.4.0
    

    The output is similar to the following:

    NAME                                                                                                                               ENFORCEMENT-ACTION   TOTAL-VIOLATIONS
    k8sblockcreationwithdefaultserviceaccount.constraints.gatekeeper.sh/cis-gke-v1.4.0-restrict-creation-with-default-serviceaccount   dryrun               0
    
    NAME                                                                                  ENFORCEMENT-ACTION   TOTAL-VIOLATIONS
    k8sblockloadbalancer.constraints.gatekeeper.sh/cis-gke-v1.4.0-restrict-loadbalancer   dryrun               0
    
    NAME                                                                                                 ENFORCEMENT-ACTION   TOTAL-VIOLATIONS
    k8sblockobjectsoftype.constraints.gatekeeper.sh/cis-gke-v1.4.0-restrict-secrets-of-type-basic-auth   dryrun               0
    
    NAME                                                                                   ENFORCEMENT-ACTION   TOTAL-VIOLATIONS
    k8snoenvvarsecrets.constraints.gatekeeper.sh/cis-gke-v1.4.0-restrict-env-var-secrets   dryrun               0
    
    NAME                                                                                             ENFORCEMENT-ACTION   TOTAL-VIOLATIONS
    k8spodsrequiresecuritycontext.constraints.gatekeeper.sh/cis-gke-v1.4.0-require-securitycontext   dryrun               0
    
    NAME                                                                                             ENFORCEMENT-ACTION   TOTAL-VIOLATIONS
    k8sprohibitrolewildcardaccess.constraints.gatekeeper.sh/cis-gke-v1.4.0-restrict-role-wildcards   dryrun               0
    
    NAME                                                                                   ENFORCEMENT-ACTION   TOTAL-VIOLATIONS
    k8spspallowedusers.constraints.gatekeeper.sh/cis-gke-v1.4.0-restrict-root-containers   dryrun               0
    
    NAME                                                                                                             ENFORCEMENT-ACTION   TOTAL-VIOLATIONS
    k8spspallowprivilegeescalationcontainer.constraints.gatekeeper.sh/cis-gke-v1.4.0-restrict-privilege-escalation   dryrun               0
    
    NAME                                                                        ENFORCEMENT-ACTION   TOTAL-VIOLATIONS
    k8spspapparmor.constraints.gatekeeper.sh/cis-gke-v1.4.0-restrict-apparmor   dryrun               0
    
    NAME                                                                                ENFORCEMENT-ACTION   TOTAL-VIOLATIONS
    k8spspcapabilities.constraints.gatekeeper.sh/cis-gke-v1.4.0-restrict-capabilities   dryrun               0
    
    NAME                                                                                   ENFORCEMENT-ACTION   TOTAL-VIOLATIONS
    k8spsphostnamespace.constraints.gatekeeper.sh/cis-gke-v1.4.0-restrict-host-namespace   dryrun               0
    
    NAME                                                                                      ENFORCEMENT-ACTION   TOTAL-VIOLATIONS
    k8spsphostnetworkingports.constraints.gatekeeper.sh/cis-gke-v1.4.0-restrict-hostnetwork   dryrun               0
    
    NAME                                                                                                ENFORCEMENT-ACTION   TOTAL-VIOLATIONS
    k8spspprivilegedcontainer.constraints.gatekeeper.sh/cis-gke-v1.4.0-restrict-privileged-containers   dryrun               0
    
    NAME                                                                             ENFORCEMENT-ACTION   TOTAL-VIOLATIONS
    k8spspseccomp.constraints.gatekeeper.sh/cis-gke-v1.4.0-require-seccomp-default   dryrun               0
    
    NAME                                                                        ENFORCEMENT-ACTION   TOTAL-VIOLATIONS
    k8spspselinuxv2.constraints.gatekeeper.sh/cis-gke-v1.4.0-restrict-selinux   dryrun               0
    
    NAME                                                                           ENFORCEMENT-ACTION   TOTAL-VIOLATIONS
    k8srequirebinauthz.constraints.gatekeeper.sh/cis-gke-v1.4.0-require-binauthz   dryrun               0
    
    NAME                                                                                     ENFORCEMENT-ACTION   TOTAL-VIOLATIONS
    k8srequirecosnodeimage.constraints.gatekeeper.sh/cis-gke-v1.4.0-require-cos-node-image   dryrun               0
    
    NAME                                                                                           ENFORCEMENT-ACTION   TOTAL-VIOLATIONS
    k8srequiredannotations.constraints.gatekeeper.sh/cis-gke-v1.4.0-require-ingress.class-gce      dryrun               0
    k8srequiredannotations.constraints.gatekeeper.sh/cis-gke-v1.4.0-require-managed-certificates   dryrun               0
    
    NAME                                                                                             ENFORCEMENT-ACTION   TOTAL-VIOLATIONS
    k8srequiredlabels.constraints.gatekeeper.sh/cis-gke-v1.4.0-require-gke-metadata-server-enabled   dryrun               0
    
    NAME                                                                                                          ENFORCEMENT-ACTION   TOTAL-VIOLATIONS
    k8srequirenamespacenetworkpolicies.constraints.gatekeeper.sh/cis-gke-v1.4.0-require-namespace-networkpolicy   dryrun               0
    
    NAME                                                                                                                      ENFORCEMENT-ACTION   TOTAL-VIOLATIONS
    k8srestrictautomountserviceaccounttokens.constraints.gatekeeper.sh/cis-gke-v1.4.0-restrict-automountserviceaccounttoken   dryrun               0
    
    NAME                                                                                        ENFORCEMENT-ACTION   TOTAL-VIOLATIONS
    k8srestrictnamespaces.constraints.gatekeeper.sh/cis-gke-v1.4.0-restrict-default-namespace   dryrun               0
    
    NAME                                                                                      ENFORCEMENT-ACTION   TOTAL-VIOLATIONS
    k8srestrictrbacsubjects.constraints.gatekeeper.sh/cis-gke-v1.4.0-restrict-rbac-subjects   dryrun               0
    
    NAME                                                                                           ENFORCEMENT-ACTION   TOTAL-VIOLATIONS
    k8srestrictrolebindings.constraints.gatekeeper.sh/cis-gke-v1.4.0-restrict-cluster-admin-role   dryrun               0
    
    NAME                                                                                  ENFORCEMENT-ACTION   TOTAL-VIOLATIONS
    k8srestrictrolerules.constraints.gatekeeper.sh/cis-gke-v1.4.0-restrict-pods-create    dryrun               0
    k8srestrictrolerules.constraints.gatekeeper.sh/cis-gke-v1.4.0-restrict-role-secrets   dryrun               0
    

kpt

  1. Install and setup kpt. kpt is used in these instructions to customize and deploy Kubernetes resources.

  2. Download the CIS policy bundle from GitHub using kpt:

    kpt pkg get https://github.com/GoogleCloudPlatform/gke-policy-library.git/anthos-bundles/cis-gke-v1.4.0
    
  3. Run the set-enforcement-action kpt function to set the policies' enforcement action to dryrun:

    kpt fn eval cis-gke-v1.4.0 -i gcr.io/kpt-fn/set-enforcement-action:v0.1 \
      -- enforcementAction=dryrun
    
  4. Initialize the working directory with kpt, which creates a resource to track changes:

    cd cis-gke-v1.4.0
    kpt live init
    
  5. Apply the policy constraints with kpt:

    kpt live apply
    

    The output is the following:

    k8sblockcreationwithdefaultserviceaccount.constraints.gatekeeper.sh/cis-gke-v1.4.0-restrict-creation-with-default-serviceaccount created
    k8sblockloadbalancer.constraints.gatekeeper.sh/cis-gke-v1.4.0-restrict-loadbalancer created
    k8sblockobjectsoftype.constraints.gatekeeper.sh/cis-gke-v1.4.0-restrict-secrets-of-type-basic-auth created
    k8snoenvvarsecrets.constraints.gatekeeper.sh/cis-gke-v1.4.0-restrict-env-var-secrets created
    k8spspallowprivilegeescalationcontainer.constraints.gatekeeper.sh/cis-gke-v1.4.0-restrict-privilege-escalation created
    k8spspallowedusers.constraints.gatekeeper.sh/cis-gke-v1.4.0-restrict-root-containers created
    k8spspapparmor.constraints.gatekeeper.sh/cis-gke-v1.4.0-restrict-apparmor created
    k8spspcapabilities.constraints.gatekeeper.sh/cis-gke-v1.4.0-restrict-capabilities created
    k8spsphostnamespace.constraints.gatekeeper.sh/cis-gke-v1.4.0-restrict-host-namespace created
    k8spsphostnetworkingports.constraints.gatekeeper.sh/cis-gke-v1.4.0-restrict-hostnetwork created
    k8spspprivilegedcontainer.constraints.gatekeeper.sh/cis-gke-v1.4.0-restrict-privileged-containers created
    k8spspselinuxv2.constraints.gatekeeper.sh/cis-gke-v1.4.0-restrict-selinux created
    k8spspseccomp.constraints.gatekeeper.sh/cis-gke-v1.4.0-require-seccomp-default created
    k8spodsrequiresecuritycontext.constraints.gatekeeper.sh/cis-gke-v1.4.0-require-securitycontext created
    k8sprohibitrolewildcardaccess.constraints.gatekeeper.sh/cis-gke-v1.4.0-restrict-role-wildcards created
    k8srequirebinauthz.constraints.gatekeeper.sh/cis-gke-v1.4.0-require-binauthz created
    k8srequirecosnodeimage.constraints.gatekeeper.sh/cis-gke-v1.4.0-require-cos-node-image created
    k8srequirenamespacenetworkpolicies.constraints.gatekeeper.sh/cis-gke-v1.4.0-require-namespace-networkpolicy created
    k8srequiredannotations.constraints.gatekeeper.sh/cis-gke-v1.4.0-require-ingress.class-gce created
    k8srequiredannotations.constraints.gatekeeper.sh/cis-gke-v1.4.0-require-managed-certificates created
    k8srequiredlabels.constraints.gatekeeper.sh/cis-gke-v1.4.0-require-gke-metadata-server-enabled created
    k8srestrictautomountserviceaccounttokens.constraints.gatekeeper.sh/cis-gke-v1.4.0-restrict-automountserviceaccounttoken created
    k8srestrictnamespaces.constraints.gatekeeper.sh/cis-gke-v1.4.0-restrict-default-namespace created
    k8srestrictrbacsubjects.constraints.gatekeeper.sh/cis-gke-v1.4.0-restrict-rbac-subjects created
    k8srestrictrolebindings.constraints.gatekeeper.sh/cis-gke-v1.4.0-restrict-cluster-admin-role created
    k8srestrictrolerules.constraints.gatekeeper.sh/cis-gke-v1.4.0-restrict-pods-create created
    k8srestrictrolerules.constraints.gatekeeper.sh/cis-gke-v1.4.0-restrict-role-secrets created
    27 resource(s) applied. 27 created, 0 unchanged, 0 configured, 0 failed
    
  6. Verify that policy constraints have been installed and check if violations exist across the cluster:

    kpt live status --output table --poll-until current
    

    A status of CURRENT confirms successful installation of the constraints.

Config Sync

  1. Install and setup kpt. kpt is used in these instructions to customize and deploy Kubernetes resources.

Operators using Config Sync to deploy policies to their clusters can use the following instructions:

  1. Change into the sync directory for Config Sync:

    cd SYNC_ROOT_DIR
    

    To create or append .gitignore with resourcegroup.yaml:

    echo resourcegroup.yaml >> .gitignore
    

  2. Create a dedicated policies directory:

    mkdir -p policies
    
  3. Download the CIS GKE v1.4.0 policy bundle from GitHub using kpt:

    kpt pkg get https://github.com/GoogleCloudPlatform/gke-policy-library.git/anthos-bundles/cis-gke-v1.4.0 policies/cis-gke-v1.4.0
    
  4. Run the set-enforcement-action kpt function to set the policies' enforcement action to dryrun:

    kpt fn eval policies/cis-gke-v1.4.0 -i gcr.io/kpt-fn/set-enforcement-action:v0.1 -- enforcementAction=dryrun
    
  5. (Optional) Preview the policy constraints to be created:

    kpt live init policies/cis-gke-v1.4.0
    kpt live apply --dry-run policies/cis-gke-v1.4.0
    

    The output is the following:

    Dry-run strategy: client
    inventory update started
    inventory update finished
    apply phase started
    k8sblockcreationwithdefaultserviceaccount.constraints.gatekeeper.sh/cis-gke-v1.4.0-restrict-creation-with-default-serviceaccount successful
    k8sblockloadbalancer.constraints.gatekeeper.sh/cis-gke-v1.4.0-restrict-loadbalancer successful
    k8sblockobjectsoftype.constraints.gatekeeper.sh/cis-gke-v1.4.0-restrict-secrets-of-type-basic-auth successful
    k8snoenvvarsecrets.constraints.gatekeeper.sh/cis-gke-v1.4.0-restrict-env-var-secrets successful
    k8spspallowprivilegeescalationcontainer.constraints.gatekeeper.sh/cis-gke-v1.4.0-restrict-privilege-escalation successful
    k8spspallowedusers.constraints.gatekeeper.sh/cis-gke-v1.4.0-restrict-root-containers successful
    k8spspapparmor.constraints.gatekeeper.sh/cis-gke-v1.4.0-restrict-apparmor successful
    k8spspcapabilities.constraints.gatekeeper.sh/cis-gke-v1.4.0-restrict-capabilities successful
    k8spsphostnamespace.constraints.gatekeeper.sh/cis-gke-v1.4.0-restrict-host-namespace successful
    k8spsphostnetworkingports.constraints.gatekeeper.sh/cis-gke-v1.4.0-restrict-hostnetwork successful
    k8spspprivilegedcontainer.constraints.gatekeeper.sh/cis-gke-v1.4.0-restrict-privileged-containers successful
    k8spspselinuxv2.constraints.gatekeeper.sh/cis-gke-v1.4.0-restrict-selinux successful
    k8spspseccomp.constraints.gatekeeper.sh/cis-gke-v1.4.0-require-seccomp-default successful
    k8spodsrequiresecuritycontext.constraints.gatekeeper.sh/cis-gke-v1.4.0-require-securitycontext successful
    k8sprohibitrolewildcardaccess.constraints.gatekeeper.sh/cis-gke-v1.4.0-restrict-role-wildcards successful
    k8srequirebinauthz.constraints.gatekeeper.sh/cis-gke-v1.4.0-require-binauthz successful
    k8srequirecosnodeimage.constraints.gatekeeper.sh/cis-gke-v1.4.0-require-cos-node-image successful
    k8srequirenamespacenetworkpolicies.constraints.gatekeeper.sh/cis-gke-v1.4.0-require-namespace-networkpolicy successful
    k8srequiredannotations.constraints.gatekeeper.sh/cis-gke-v1.4.0-require-ingress.class-gce successful
    k8srequiredannotations.constraints.gatekeeper.sh/cis-gke-v1.4.0-require-managed-certificates successful
    k8srequiredlabels.constraints.gatekeeper.sh/cis-gke-v1.4.0-require-gke-metadata-server-enabled successful
    k8srestrictautomountserviceaccounttokens.constraints.gatekeeper.sh/cis-gke-v1.4.0-restrict-automountserviceaccounttoken successful
    k8srestrictnamespaces.constraints.gatekeeper.sh/cis-gke-v1.4.0-restrict-default-namespace successful
    k8srestrictrbacsubjects.constraints.gatekeeper.sh/cis-gke-v1.4.0-restrict-rbac-subjects successful
    k8srestrictrolebindings.constraints.gatekeeper.sh/cis-gke-v1.4.0-restrict-cluster-admin-role successful
    k8srestrictrolerules.constraints.gatekeeper.sh/cis-gke-v1.4.0-restrict-pods-create successful
    k8srestrictrolerules.constraints.gatekeeper.sh/cis-gke-v1.4.0-restrict-role-secrets successful
    apply phase finished
    inventory update started
    inventory update finished
    apply result: 27 attempted, 27 successful, 0 skipped, 0 failed
    
  6. If your sync directory for Config Sync uses Kustomize, add policies/cis-gke-v1.4.0 to your root kustomization.yaml. Otherwise remove the policies/cis-gke-v1.4.0/kustomization.yaml file:

    rm SYNC_ROOT_DIR/policies/cis-gke-v1.4.0/kustomization.yaml
    
  7. Push changes to the Config Sync repository:

    git add SYNC_ROOT_DIR/policies/cis-gke-v1.4.0
    git commit -m 'Adding CIS GKE v1.4.0 policy bundle'
    git push
    
  8. Verify the status of the installation:

    watch gcloud beta container fleet config-management status --project PROJECT_ID
    

    A status of SYNCED confirms the installation of the policies.

View policy violations

Once the policy constraints are installed in audit mode, violations on the cluster can be viewed in the UI using the Policy Controller Dashboard.

You can also use kubectl to view violations on the cluster using the following command:

kubectl get constraint -l policycontroller.gke.io/bundleName=cis-gke-v1.4.0 -o json | jq -cC '.items[]| [.metadata.name,.status.totalViolations]'

If violations are present, a listing of the violation messages per constraint can be viewed with:

kubectl get constraint -l policycontroller.gke.io/bundleName=cis-gke-v1.4.0 -o json | jq -C '.items[]| select(.status.totalViolations>0)| [.metadata.name,.status.violations[]?]'

Change CIS GKE v1.4.0 policy bundle enforcement action

Once you've reviewed policy violations on your cluster, you can consider changing the enforcement mode so the Admission Controller will either warn on or even deny block non-compliant resource from getting applied to the cluster.

kubectl

  1. Use kubectl to set the policies' enforcement action to warn:

    kubectl get constraint -l policycontroller.gke.io/bundleName=cis-gke-v1.4.0 -o name | xargs -I {} kubectl patch {} --type='json' -p='[{"op":"replace","path":"/spec/enforcementAction","value":"warn"}]'
    
  2. Verify that policy constraints enforcement action have been updated:

    kubectl get constraints -l policycontroller.gke.io/bundleName=cis-gke-v1.4.0
    

kpt

  1. Run the set-enforcement-action kpt function to set the policies' enforcement action to warn:

    kpt fn eval -i gcr.io/kpt-fn/set-enforcement-action:v0.1 -- enforcementAction=warn
    
  2. Apply the policy constraints:

    kpt live apply
    

Config Sync

Operators using Config Sync to deploy policies to their clusters can use the following instructions:

  1. Change into the sync directory for Config Sync:

    cd SYNC_ROOT_DIR
    
  2. Run the set-enforcement-action kpt function to set the policies' enforcement action to warn:

    kpt fn eval policies/cis-gke-v1.4.0 -i gcr.io/kpt-fn/set-enforcement-action:v0.1 -- enforcementAction=warn
    
  3. Push changes to the Config Sync repository:

    git add SYNC_ROOT_DIR/policies/cis-gke-v1.4.0
    git commit -m 'Adding CIS GKE v1.4.0 policy bundle warn enforcement'
    git push
    
  4. Verify the status of the installation:

    gcloud alpha anthos config sync repo list --project PROJECT_ID
    

    Your repository showing up in the SYNCED column confirms the installation of the policies.

Test policy enforcement

Create a non-compliant resource on the cluster using the following command:

cat <<EOF | kubectl apply -f -
apiVersion: v1
kind: Pod
metadata:
  namespace: default
  name: wp-non-compliant
  labels:
    app: wordpress
spec:
  containers:
    - image: wordpress
      name: wordpress
      ports:
      - containerPort: 80
        name: wordpress
EOF

The admission controller should produce a warning listing out the policy violations that this resource violates, as shown in the following example:

Warning: [cis-gke-v1.4.0-restrict-default-namespace] <default> namespace is restricted
Warning: [cis-gke-v1.4.0-restrict-root-containers] Container wordpress is attempting to run without a required securityContext/runAsNonRoot or securityContext/runAsUser != 0
Warning: [cis-gke-v1.4.0-restrict-privilege-escalation] Privilege escalation container is not allowed: wordpress
Warning: [cis-gke-v1.4.0-require-seccomp-default] Seccomp profile 'not configured' is not allowed for container 'wordpress'. Found at: no explicit profile found. Allowed profiles: {"RuntimeDefault", "docker/default", "runtime/default"}
Warning: [cis-gke-v1.4.0-restrict-capabilities] container <wordpress> is not dropping all required capabilities. Container must drop all of ["ALL"] or "ALL"
Warning: [cis-gke-v1.4.0-require-securitycontext] securityContext must be defined for all Pod containers
pod/wp-non-compliant created

Remove CIS GKE v1.4.0 policy bundle

If needed, the CIS GKE v1.4.0 policy bundle can be removed from the cluster.

kubectl

Use kubectl to remove the policies:

  kubectl delete constraint -l policycontroller.gke.io/bundleName=cis-gke-v1.4.0
  

kpt

Remove the policies:

  kpt live destroy
  

Config Sync

Operators using Config Sync to deploy policies to their clusters can use the following instructions:

  1. Push changes to the Config Sync repository:

    git rm -r SYNC_ROOT_DIR/policies/cis-gke-v1.4.0
    git commit -m 'Removing CIS GKE v1.4.0 policy bundle'
    git push
    
  2. Verify the status:

    gcloud alpha anthos config sync repo list --project PROJECT_ID
    

    Your repository showing up in the SYNCED column confirms the removal of the policies.