Use NIST SP 800-53 Rev. 5 policy constraints

Policy Controller comes with a default library of constraint templates that can be used with the NIST SP 800-53 Rev. 5 bundle which implements controls listed in National Institute of Standards and Technology (NIST) Special Publication (SP) 800-53 Rev. 5. The bundle may help organizations protect their systems and data from a variety of threats by implementing out-of-the-box security and privacy policies.

NIST SP 800-53 Rev. 5 policy bundle constraints

Constraint Name	Constraint Description	Control ID
nist-sp-800-53-r5-block-secrets-of-type-basic-auth	Restricts the use of basic-auth type secrets.	AC-16 Security and Privacy Attributes
nist-sp-800-53-r5-restrict-hostpath-volumes	Restricts the use of HostPath volumes.	AC-16 Security and Privacy Attributes
nist-sp-800-53-r5-restrict-rbac-subjects	Restricts the use of names in RBAC subjects to permitted values.	AC-2 Account Management
nist-sp-800-53-r5-restrict-rbac-subjects	Restricts the use of names in RBAC subjects to permitted values.	AC-3 Access Enforcement
nist-sp-800-53-r5-block-secrets-of-type-basic-auth	Restricts the use of basic-auth type secrets.	AC-4 Information Flow Enforcement
nist-sp-800-53-r5-require-binauthz	Requires the Binary Authorization Validating Admission Webhook.
nist-sp-800-53-r5-require-namespace-network-policies	Requires that every namespace defined in the cluster has a NetworkPolicy.
nist-sp-800-53-r5-restrict-hostpath-volumes	Restricts the use of HostPath volumes.
nist-sp-800-53-r5-require-binauthz	Requires the Binary Authorization Validating Admission Webhook.	AC-6 Least Privilege
nist-sp-800-53-r5-restrict-clusteradmin-rolebindings	Restricts the use of the `cluster-admin` role.
nist-sp-800-53-r5-restrict-repos	Restricts container images to an allowed `repos` list.
nist-sp-800-53-r5-restrict-role-wildcards	Restricts the use of wildcards in `Roles` and `ClusterRoles`.
nist-sp-800-53-r5-require-binauthz	Requires the Binary Authorization Validating Admission Webhook.	AU-10 Non-Repudiation
nist-sp-800-53-r5-nodes-have-consistent-time	Ensures consistent and correct time on Nodes by allowing only Container-Optimized OS (COS) or Ubuntu as the OS image.	AU-8 Time Stamps
nist-sp-800-53-r5-require-namespace-network-policies	Requires that every namespace defined in the cluster has a NetworkPolicy.	CA-9 Internal System Connections
nist-sp-800-53-r5-require-binauthz	Requires the Binary Authorization Validating Admission Webhook.	CM-14 Signed Components
nist-sp-800-53-r5-enforce-config-management	Requires Config Sync is running and Drift Prevention enabled with at least one `RootSync` object on the cluster.	CM-2 Baseline Configuration
nist-sp-800-53-r5-require-managed-by-label	Requires all apps have a valid `app.kubernetes.io/managed-by` label.	CM-2 Baseline Configuration
nist-sp-800-53-r5-apparmor	Restricts AppArmor profiles allowed for Pods.	CM-3 Configuration Change Control
nist-sp-800-53-r5-block-secrets-of-type-basic-auth	Restricts the use of basic-auth type secrets.
nist-sp-800-53-r5-capabilities	Restricts additional Capabilities allowed for Pods.
nist-sp-800-53-r5-enforce-config-management	Requires Config Sync is running and Drift Prevention enabled with at least one `RootSync` object on the cluster.
nist-sp-800-53-r5-host-namespaces	Restricts containers with `hostPID` or `hostIPC` set to `true`.
nist-sp-800-53-r5-host-network	Restricts containers from running with the `hostNetwork` flag set to `true`.
nist-sp-800-53-r5-privileged-containers	Restricts containers with `securityContext.privileged` set to `true`.
nist-sp-800-53-r5-proc-mount-type	Requires the default `/proc` masks for Pods
nist-sp-800-53-r5-require-managed-by-label	Requires all apps have a valid `app.kubernetes.io/managed-by` label.
nist-sp-800-53-r5-restrict-hostpath-volumes	Restricts the use of HostPath volumes.
nist-sp-800-53-r5-restrict-volume-types	Restricts the mountable volumes types to the allowed list.
nist-sp-800-53-r5-seccomp	Seccomp profile must not be explicitly set to `Unconfined`.
nist-sp-800-53-r5-selinux	Restricts the SELinux configuration for Pods.
nist-sp-800-53-r5-sysctls	Restricts the allowed Sysctls for Pods.
nist-sp-800-53-r5-enforce-config-management	Requires Config Sync is running and Drift Prevention enabled with at least one `RootSync` object on the cluster.	CM-4 Security Impact Analysis
nist-sp-800-53-r5-require-managed-by-label	Requires all apps have a valid `app.kubernetes.io/managed-by` label.
nist-sp-800-53-r5-restrict-clusteradmin-rolebindings	Restricts the use of the `cluster-admin` role.
nist-sp-800-53-r5-enforce-config-management	Requires Config Sync is running and Drift Prevention enabled with at least one `RootSync` object on the cluster.	CM-5 Access Restrictions for Change
nist-sp-800-53-r5-require-managed-by-label	Requires all apps have a valid `app.kubernetes.io/managed-by` label.
nist-sp-800-53-r5-restrict-clusteradmin-rolebindings	Restricts the use of the `cluster-admin` role.
nist-sp-800-53-r5-block-secrets-of-type-basic-auth	Restricts the use of basic-auth type secrets.	CM-6 Configuration Settings
nist-sp-800-53-r5-enforce-config-management	Requires Config Sync is running and Drift Prevention enabled with at least one `RootSync` object on the cluster.
nist-sp-800-53-r5-require-binauthz	Requires the Binary Authorization Validating Admission Webhook.
nist-sp-800-53-r5-require-managed-by-label	Requires all apps have a valid `app.kubernetes.io/managed-by` label.
nist-sp-800-53-r5-restrict-hostpath-volumes	Restricts the use of HostPath volumes.
nist-sp-800-53-r5-restrict-volume-types	Restricts the mountable volumes types to the allowed list.
nist-sp-800-53-r5-apparmor	Restricts AppArmor profiles allowed for Pods.	CM-7 Least Functionality
nist-sp-800-53-r5-capabilities	Restricts additional Capabilities allowed for Pods.
nist-sp-800-53-r5-host-namespaces	Restricts containers with `hostPID` or `hostIPC` set to `true`.
nist-sp-800-53-r5-host-network	Restricts containers from running with the `hostNetwork` flag set to `true`.
nist-sp-800-53-r5-privileged-containers	Restricts containers with `securityContext.privileged` set to `true`.
nist-sp-800-53-r5-proc-mount-type	Requires the default `/proc` masks for Pods
nist-sp-800-53-r5-restrict-clusteradmin-rolebindings	Restricts the use of the `cluster-admin` role.
nist-sp-800-53-r5-restrict-hostpath-volumes	Restricts the use of HostPath volumes.
nist-sp-800-53-r5-restrict-volume-types	Restricts the mountable volumes types to the allowed list.
nist-sp-800-53-r5-seccomp	Seccomp profile must not be explicitly set to `Unconfined`.
nist-sp-800-53-r5-selinux	Restricts the SELinux configuration for Pods.
nist-sp-800-53-r5-sysctls	Restricts the allowed Sysctls for Pods.
nist-sp-800-53-r5-enforce-config-management	Requires Config Sync is running and Drift Prevention enabled with at least one `RootSync` object on the cluster.	CP-10 Information System Recovery and Reconstitution
nist-sp-800-53-r5-require-managed-by-label	Requires all apps have a valid `app.kubernetes.io/managed-by` label.	CP-10 Information System Recovery and Reconstitution
nist-sp-800-53-r5-enforce-config-management	Requires Config Sync is running and Drift Prevention enabled with at least one `RootSync` object on the cluster.	CP-9 System Backup
nist-sp-800-53-r5-require-managed-by-label	Requires all apps have a valid `app.kubernetes.io/managed-by` label.	CP-9 System Backup
nist-sp-800-53-r5-restrict-rbac-subjects	Restricts the use of names in RBAC subjects to permitted values.	IA-2 Identification and Authentication (Organizational Users)
nist-sp-800-53-r5-block-creation-with-default-serviceaccount	Restrict resource creation using a default service account.	IA-4 Identifier Management
nist-sp-800-53-r5-restrict-rbac-subjects	Restricts the use of names in RBAC subjects to permitted values.	IA-4 Identifier Management
nist-sp-800-53-r5-require-binauthz	Requires the Binary Authorization Validating Admission Webhook.	IA-5 Authenticator Management
nist-sp-800-53-r5-restrict-rbac-subjects	Restricts the use of names in RBAC subjects to permitted values.	IA-5 Authenticator Management
nist-sp-800-53-r5-restrict-rbac-subjects	Restricts the use of names in RBAC subjects to permitted values.	MA-4 Nonlocal Maintenance
nist-sp-800-53-r5-enforce-config-management	Requires Config Sync is running and Drift Prevention enabled with at least one `RootSync` object on the cluster.	PL-1 Policy and Procedures
nist-sp-800-53-r5-require-managed-by-label	Requires all apps have a valid `app.kubernetes.io/managed-by` label.	PL-1 Policy and Procedures
nist-sp-800-53-r5-require-binauthz	Requires the Binary Authorization Validating Admission Webhook.	RA-5 Vulnerability Scanning
nist-sp-800-53-r5-enforce-config-management	Requires Config Sync is running and Drift Prevention enabled with at least one `RootSync` object on the cluster.	SA-10 Developer Configuration Management
nist-sp-800-53-r5-require-managed-by-label	Requires all apps have a valid `app.kubernetes.io/managed-by` label.	SA-10 Developer Configuration Management
nist-sp-800-53-r5-require-binauthz	Requires the Binary Authorization Validating Admission Webhook.	SA-11 Trusted Path
nist-sp-800-53-r5-require-binauthz	Requires the Binary Authorization Validating Admission Webhook.	SA-3 System Development Life Cycle
nist-sp-800-53-r5-block-secrets-of-type-basic-auth	Restricts the use of basic-auth type secrets.	SA-8 Security and Privacy Engineering Principles
nist-sp-800-53-r5-restrict-hostpath-volumes	Restricts the use of HostPath volumes.
nist-sp-800-53-r5-restrict-volume-types	Restricts the mountable volumes types to the allowed list.
nist-sp-800-53-r5-require-binauthz	Requires the Binary Authorization Validating Admission Webhook.	SC-12 Cryptographic Key Establishment and Management
nist-sp-800-53-r5-restrict-storageclass	Restricts `StorageClass` to a list of `StorageClass` which encrypt by default.	SC-28 Protection of Information at Rest
nist-sp-800-53-r5-require-namespace-network-policies	Requires that every namespace defined in the cluster has a NetworkPolicy.	SC-4 Information in Shared Resources
nist-sp-800-53-r5-cpu-and-memory-limits-required	Requires Pods specify cpu and memory limits.	SC-6 Resource Availability
nist-sp-800-53-r5-block-secrets-of-type-basic-auth	Restricts the use of basic-auth type secrets.	SC-7 Boundary Protection
nist-sp-800-53-r5-enforce-config-management	Requires Config Sync is running and Drift Prevention enabled with at least one `RootSync` object on the cluster.
nist-sp-800-53-r5-require-managed-by-label	Requires all apps have a valid `app.kubernetes.io/managed-by` label.
nist-sp-800-53-r5-require-namespace-network-policies	Requires that every namespace defined in the cluster has a NetworkPolicy.
nist-sp-800-53-r5-restrict-hostpath-volumes	Restricts the use of HostPath volumes.
nist-sp-800-53-r5-restrict-volume-types	Restricts the mountable volumes types to the allowed list.
nist-sp-800-53-r5-asm-peer-authn-strict-mtls	Ensures PeerAuthentications cannot overwrite strict mTLS.	SC-8 Transmission Confidentiality and Integrity
nist-sp-800-53-r5-require-binauthz	Requires the Binary Authorization Validating Admission Webhook.	SI-12 Information Management and Retention
nist-sp-800-53-r5-restrict-storageclass	Restricts `StorageClass` to a list of `StorageClass` which encrypt by default.	SI-12 Information Management and Retention
nist-sp-800-53-r5-require-av-daemonset	Requires the presence of an Anti-Virus daemonset.	SI-3 Malicious Code Protection
nist-sp-800-53-r5-block-secrets-of-type-basic-auth	Restricts the use of basic-auth type secrets.	SI-7 Software, Firmware, and Information Integrity
nist-sp-800-53-r5-enforce-config-management	Requires Config Sync is running and Drift Prevention enabled with at least one `RootSync` object on the cluster.
nist-sp-800-53-r5-require-binauthz	Requires the Binary Authorization Validating Admission Webhook.
nist-sp-800-53-r5-require-managed-by-label	Requires all apps have a valid `app.kubernetes.io/managed-by` label.
nist-sp-800-53-r5-restrict-hostpath-volumes	Restricts the use of HostPath volumes.
nist-sp-800-53-r5-require-binauthz	Requires the Binary Authorization Validating Admission Webhook.	SR-4 Provenance

Before you begin

Install and initialize the Google Cloud CLI , which provides the gcloud and kubectl commands used in these instructions. If you use Cloud Shell, Google Cloud CLI comes pre-installed.
Install Policy Controller v1.15.2 or higher on your cluster with the default library of constraint templates. You must also enable support for referential constraints as this bundle contains referential constraints.

Configure Policy Controller for referential constraints

Save the following YAML manifest to a file as policycontroller-config.yaml. The manifest configures Policy Controller to watch specific kinds of objects.

apiVersion: config.gatekeeper.sh/v1alpha1
kind: Config
metadata:
  name: config
  namespace: "gatekeeper-system"
spec:
  sync:
    syncOnly:
      - group: "apps"
        version: "v1"
        kind: "DaemonSet"
      - group: "networking.k8s.io"
        version: "v1"
        kind: "NetworkPolicy"
      - group: "configsync.gke.io"
        version: "v1beta1"
        kind: "RootSync"
      - group: "storage.k8s.io"
        version: "v1"
        kind: "StorageClass"
      - group: "admissionregistration.k8s.io"
        version: "v1"
        kind: "ValidatingWebhookConfiguration"

Apply the policycontroller-config.yaml manifest:

kubectl apply -f policycontroller-config.yaml

Configure your cluster and workload

Enablement and configuration of Config Sync including Drift Prevention admission webhook is required in nist-sp-800-53-r5-enforce-config-management.
An antivirus solution is required. The default is the presence of a daemonset named clamav in the clamav namespace, however the daemonset's name and namespace can be customized to your implementation in the nist-sp-800-53-r5-require-av-daemonset constraint.
Container images are limited to an allowed repos list, which can be customized if required in nist-sp-800-53-r5-restrict-repos.
Nodes must use Container-Optimized OS or Ubuntu for their image in nist-sp-800-53-r5-nodes-have-consistent-time.
Use of storage classes is limited to an allowed list, which can be customized to add additional classes with default encryption in nist-sp-800-53-r5-restrict-storageclass.
Enablement and configuration of Binary Authorization is required in nist-sp-800-53-r5-require-binauthz.

Note: Binary Authorization is available for Google Kubernetes Engine (GKE), and in Preview for GKE on Google Distributed Cloud.

Audit NIST SP 800-53 Rev. 5 policy bundle

Policy Controller lets you enforce policies for your Kubernetes cluster. To help test your workloads and their compliance with regard to the NIST SP 800-53 policies outlined in the preceding table, you can deploy these constraints in "audit" mode to reveal violations and more importantly give yourself a chance to fix them before enforcing on your Kubernetes cluster.

You can apply these policies with spec.enforcementAction set to dryrun using kubectl, kpt , or Config Sync .

kubectl

(Optional) Preview the policy constraints with kubectl:

kubectl kustomize https://github.com/GoogleCloudPlatform/gke-policy-library.git/anthos-bundles/nist-sp-800-53-r5

Apply the policy constraints with kubectl:

kubectl apply -k https://github.com/GoogleCloudPlatform/gke-policy-library.git/anthos-bundles/nist-sp-800-53-r5

The output is the following:

asmpeerauthnstrictmtls.constraints.gatekeeper.sh/nist-sp-800-53-r5-asm-peer-authn-strict-mtls created
k8sallowedrepos.constraints.gatekeeper.sh/nist-sp-800-53-r5-restrict-repos created
k8sblockcreationwithdefaultserviceaccount.constraints.gatekeeper.sh/nist-sp-800-53-r5-block-creation-with-default-serviceaccount created
k8sblockobjectsoftype.constraints.gatekeeper.sh/nist-sp-800-53-r5-block-secrets-of-type-basic-auth created
k8senforceconfigmanagement.constraints.gatekeeper.sh/nist-sp-800-53-r5-enforce-config-management created
k8spspapparmor.constraints.gatekeeper.sh/nist-sp-800-53-r5-apparmor created
k8spspcapabilities.constraints.gatekeeper.sh/nist-sp-800-53-r5-capabilities created
k8spspforbiddensysctls.constraints.gatekeeper.sh/nist-sp-800-53-r5-sysctls created
k8spsphostfilesystem.constraints.gatekeeper.sh/nist-sp-800-53-r5-restrict-hostpath-volumes created
k8spsphostnamespace.constraints.gatekeeper.sh/nist-sp-800-53-r5-host-namespaces created
k8spsphostnetworkingports.constraints.gatekeeper.sh/nist-sp-800-53-r5-host-network created
k8spspprivilegedcontainer.constraints.gatekeeper.sh/nist-sp-800-53-r5-privileged-containers created
k8spspprocmount.constraints.gatekeeper.sh/nist-sp-800-53-r5-proc-mount-type created
k8spspselinuxv2.constraints.gatekeeper.sh/nist-sp-800-53-r5-selinux created
k8spspseccomp.constraints.gatekeeper.sh/nist-sp-800-53-r5-seccomp created
k8spspvolumetypes.constraints.gatekeeper.sh/nist-sp-800-53-r5-restrict-volume-types created
k8sprohibitrolewildcardaccess.constraints.gatekeeper.sh/nist-sp-800-53-r5-restrict-role-wildcards created
k8srequirebinauthz.constraints.gatekeeper.sh/nist-sp-800-53-r5-require-binauthz created
k8srequirecosnodeimage.constraints.gatekeeper.sh/nist-sp-800-53-r5-nodes-have-consistent-time created
k8srequiredaemonsets.constraints.gatekeeper.sh/nist-sp-800-53-r5-require-av-daemonset created
k8srequirenamespacenetworkpolicies.constraints.gatekeeper.sh/nist-sp-800-53-r5-require-namespace-network-policies created
k8srequiredlabels.constraints.gatekeeper.sh/nist-sp-800-53-r5-require-managed-by-label created
k8srequiredresources.constraints.gatekeeper.sh/nist-sp-800-53-r5-cpu-and-memory-limits-required created
k8srestrictrbacsubjects.constraints.gatekeeper.sh/nist-sp-800-53-r5-restrict-rbac-subjects created
k8srestrictrolebindings.constraints.gatekeeper.sh/nist-sp-800-53-r5-restrict-clusteradmin-rolebindings created
k8sstorageclass.constraints.gatekeeper.sh/nist-sp-800-53-r5-restrict-storageclass created

Verify that policy constraints have been installed and check if violations exist across the cluster:

kubectl get constraints -l policycontroller.gke.io/bundleName=nist-sp-800-53-r5

The output is similar to the following:

NAME                                                            ENFORCEMENT-ACTION   TOTAL-VIOLATIONS
k8spspapparmor.constraints.gatekeeper.sh/nist-sp-800-53-r5-apparmor   dryrun               0

NAME                                                                        ENFORCEMENT-ACTION   TOTAL-VIOLATIONS
k8srequirebinauthz.constraints.gatekeeper.sh/nist-sp-800-53-r5-require-binauthz   dryrun               0

NAME                                                                                   ENFORCEMENT-ACTION   TOTAL-VIOLATIONS
k8srestrictrbacsubjects.constraints.gatekeeper.sh/nist-sp-800-53-r5-restrict-rbac-subjects   dryrun               0

NAME                                                                   ENFORCEMENT-ACTION   TOTAL-VIOLATIONS
k8spspforbiddensysctls.constraints.gatekeeper.sh/nist-sp-800-53-r5-sysctls   dryrun               0

NAME                                                                            ENFORCEMENT-ACTION   TOTAL-VIOLATIONS
k8spspvolumetypes.constraints.gatekeeper.sh/nist-sp-800-53-r5-restrict-volume-types   dryrun               0

NAME                                                                           ENFORCEMENT-ACTION   TOTAL-VIOLATIONS
k8spsphostnetworkingports.constraints.gatekeeper.sh/nist-sp-800-53-r5-host-network   dryrun               0

NAME                                                                        ENFORCEMENT-ACTION   TOTAL-VIOLATIONS
k8spsphostnamespace.constraints.gatekeeper.sh/nist-sp-800-53-r5-host-namespaces   dryrun               0

NAME                                                                              ENFORCEMENT-ACTION   TOTAL-VIOLATIONS
k8srequiredaemonsets.constraints.gatekeeper.sh/nist-sp-800-53-r5-require-av-daemonset   dryrun               0

NAME                                                                                          ENFORCEMENT-ACTION   TOTAL-VIOLATIONS
k8sprohibitrolewildcardaccess.constraints.gatekeeper.sh/nist-sp-800-53-r5-restrict-role-wildcards   dryrun               0

NAME                                                                                                                         ENFORCEMENT-ACTION   TOTAL-VIOLATIONS
k8sblockcreationwithdefaultserviceaccount.constraints.gatekeeper.sh/nist-sp-800-53-r5-block-creation-with-default-serviceaccount   dryrun               0

NAME                                                                                   ENFORCEMENT-ACTION   TOTAL-VIOLATIONS
k8spsphostfilesystem.constraints.gatekeeper.sh/nist-sp-800-53-r5-restrict-hostpath-volumes   dryrun               0

NAME                                                          ENFORCEMENT-ACTION   TOTAL-VIOLATIONS
k8spspseccomp.constraints.gatekeeper.sh/nist-sp-800-53-r5-seccomp   dryrun               0

NAME                                                                                      ENFORCEMENT-ACTION   TOTAL-VIOLATIONS
asmpeerauthnstrictmtls.constraints.gatekeeper.sh/nist-sp-800-53-r5-asm-peer-authn-strict-mtls   dryrun               0

NAME                                                                                        ENFORCEMENT-ACTION   TOTAL-VIOLATIONS
k8srequiredresources.constraints.gatekeeper.sh/nist-sp-800-53-r5-cpu-and-memory-limits-required   dryrun               0

NAME                                                                    ENFORCEMENT-ACTION   TOTAL-VIOLATIONS
k8spspprocmount.constraints.gatekeeper.sh/nist-sp-800-53-r5-proc-mount-type   dryrun               0

NAME                                                                                           ENFORCEMENT-ACTION   TOTAL-VIOLATIONS
k8sblockobjectsoftype.constraints.gatekeeper.sh/nist-sp-800-53-r5-block-secrets-of-type-basic-auth   dryrun               0

NAME                                                                                                          ENFORCEMENT-ACTION   TOTAL-VIOLATIONS
k8srequirenamespacenetworkpolicies.constraints.gatekeeper.sh/nist-sp-800-53-r5-require-namespace-network-policies   dryrun               0

NAME                                                                    ENFORCEMENT-ACTION   TOTAL-VIOLATIONS
k8spspcapabilities.constraints.gatekeeper.sh/nist-sp-800-53-r5-capabilities   dryrun               0

NAME                                                                          ENFORCEMENT-ACTION   TOTAL-VIOLATIONS
k8sstorageclass.constraints.gatekeeper.sh/nist-sp-800-53-r5-restrict-storageclass   dryrun               0

NAME                                                                               ENFORCEMENT-ACTION   TOTAL-VIOLATIONS
k8srequiredlabels.constraints.gatekeeper.sh/nist-sp-800-53-r5-require-managed-by-label   dryrun               0

NAME                                                                                    ENFORCEMENT-ACTION   TOTAL-VIOLATIONS
k8spspprivilegedcontainer.constraints.gatekeeper.sh/nist-sp-800-53-r5-privileged-containers   dryrun               0

NAME                                                                   ENFORCEMENT-ACTION   TOTAL-VIOLATIONS
k8sallowedrepos.constraints.gatekeeper.sh/nist-sp-800-53-r5-restrict-repos   dryrun               0

NAME                                                            ENFORCEMENT-ACTION   TOTAL-VIOLATIONS
k8spspselinuxv2.constraints.gatekeeper.sh/nist-sp-800-53-r5-selinux   dryrun               0

NAME                                                                                         ENFORCEMENT-ACTION   TOTAL-VIOLATIONS
k8senforceconfigmanagement.constraints.gatekeeper.sh/nist-sp-800-53-r5-enforce-config-management   dryrun               0

NAME                                                                                               ENFORCEMENT-ACTION   TOTAL-VIOLATIONS
k8srestrictrolebindings.constraints.gatekeeper.sh/nist-sp-800-53-r5-restrict-clusteradmin-rolebindings   dryrun               0

NAME                                                                                      ENFORCEMENT-ACTION   TOTAL-VIOLATIONS
k8srequirecosnodeimage.constraints.gatekeeper.sh/nist-sp-800-53-r5-nodes-have-consistent-time   dryrun               0

kpt

Install and setup kpt.

kpt is used in these instructions to customize and deploy Kubernetes resources.

Download the NIST SP 800-53 Rev. 5 policy bundle from GitHub using kpt:

kpt pkg get https://github.com/GoogleCloudPlatform/gke-policy-library.git/anthos-bundles/nist-sp-800-53-r5

Run the set-enforcement-action kpt function to set the policies' enforcement action to dryrun:

kpt fn eval nist-sp-800-53-r5 -i gcr.io/kpt-fn/set-enforcement-action:v0.1 \
-- enforcementAction=dryrun

Initialize the working directory with kpt, which creates a resource to track changes:
```
cd nist-sp-800-53-r5 kpt live init
```
Apply the policy constraints with kpt:
```
kpt live apply
```
Verify that policy constraints have been installed and check if violations exist across the cluster:
```
kpt live status --output table --poll-until current
```
A status of CURRENT confirms successful installation of the constraints.

Config Sync

Install and setup kpt.

kpt is used in these instructions to customize and deploy Kubernetes resources.

Operators using Config Sync to deploy policies to their clusters can use the following instructions:
Change into the sync directory for Config Sync:
```
cd SYNC_ROOT_DIR
```
Note: Kpt v1.0.0-beta.17 and later automatically create a resourcegroup.yaml file during live init which shouldn't be checked into your Config Sync repo. If not already present, add resourcegroup.yaml to your repo's .gitignore file.

To create or append .gitignore with resourcegroup.yaml:
```
echo resourcegroup.yaml >> .gitignore
```
Create a dedicated policies directory:
```
mkdir -p policies
```

Download the NIST SP 800-53 Rev. 5 policy bundle from GitHub using kpt:

kpt pkg get https://github.com/GoogleCloudPlatform/gke-policy-library.git/anthos-bundles/nist-sp-800-53-r5 policies/nist-sp-800-53-r5

Run the set-enforcement-action kpt function to set the policies' enforcement action to dryrun:

kpt fn eval policies/nist-sp-800-53-r5 -i gcr.io/kpt-fn/set-enforcement-action:v0.1 -- enforcementAction=dryrun

(Optional) Preview the policy constraints to be created:

kpt live init policies/nist-sp-800-53-r5 kpt live apply --dry-run policies/nist-sp-800-53-r5

If your sync directory for Config Sync uses Kustomize, add policies/nist-sp-800-53-r5 to your root kustomization.yaml. Otherwise remove the policies/nist-sp-800-53-r5/kustomization.yaml file:
```
rm SYNC_ROOT_DIR/policies/nist-sp-800-53-r5/kustomization.yaml
```

Push changes to the Config Sync repo:

git add SYNC_ROOT_DIR/policies/nist-sp-800-53-r5 git commit -m 'Adding NIST SP 800-53 Rev. 5 policy audit enforcement'
git push

Verify the status of the installation:
```
watch gcloud beta container fleet config-management status --project PROJECT_ID
```
A status of SYNCED confirms the installation of the policies.

View policy violations

Once the policy constraints are installed in audit mode, violations on the cluster can be viewed in the UI using the Policy Controller Dashboard.

You can also use kubectl to view violations on the cluster using the following command:

kubectl get constraint -l policycontroller.gke.io/bundleName=nist-sp-800-53-r5 -o json | jq -cC '.items[]| [.metadata.name,.status.totalViolations]'

If violations are present, a listing of the violation messages per constraint can be viewed with:

kubectl get constraint -l policycontroller.gke.io/bundleName=nist-sp-800-53-r5 -o json | jq -C '.items[]| select(.status.totalViolations>0)| [.metadata.name,.status.violations[]?]'

Change NIST SP 800-53 Rev. 5 policy bundle enforcement action

Once you've reviewed policy violations on your cluster, you can consider changing the enforcement mode so the Admission Controller will either warn on or even deny block non-compliant resource from getting applied to the cluster.

kubectl

Use kubectl to set the policies' enforcement action to warn:

kubectl get constraints -l policycontroller.gke.io/bundleName=nist-sp-800-53-r5 -o name | xargs -I {} kubectl patch {} --type='json' -p='[{"op":"replace","path":"/spec/enforcementAction","value":"warn"}]'

Verify that policy constraints enforcement action have been updated:

kubectl get constraints -l policycontroller.gke.io/bundleName=nist-sp-800-53-r5

kpt

Run the set-enforcement-action kpt function to set the policies' enforcement action to warn:
```
kpt fn eval -i gcr.io/kpt-fn/set-enforcement-action:v0.1 -- enforcementAction=warn
```
Apply the policy constraints:
```
kpt live apply
```

Config Sync

Operators using Config Sync to deploy policies to their clusters can use the following instructions:

Change into the sync directory for Config Sync:
```
cd SYNC_ROOT_DIR
```

Run the set-enforcement-action kpt function to set the policies' enforcement action to warn:

kpt fn eval policies/nist-sp-800-53-r5 -i gcr.io/kpt-fn/set-enforcement-action:v0.1 -- enforcementAction=warn

Push changes to the Config Sync repo:

git add SYNC_ROOT_DIR/policies/nist-sp-800-53-r5
git commit -m 'Adding NIST SP 800-53 Rev. 5 policy warn enforcement'
git push

Verify the status of the installation:
```
gcloud alpha anthos config sync repo list --project PROJECT_ID
```
Your repo showing up in the SYNCED column confirms the installation of the policies.

Test policy enforcement

Create a non-compliant resource on the cluster using the following command:

cat <<EOF | kubectl apply -f -
apiVersion: v1
kind: Pod
metadata:
  name: wp-non-compliant
spec:
  containers:
    ‐ image: wordpress
      name: wordpress
EOF

The admission controller should produce a warning listing out the policy violations that this resource violates, as shown in the following example:

Warning: [nist-sp-800-53-r5-cpu-and-memory-limits-required] container <wordpress> does not have <{"cpu", "memory"}> limits defined
Warning: [nist-sp-800-53-r5-restrict-repos] container <wordpress> has an invalid image repo <wordpress>, allowed repos are ["gcr.io/gke-release/", "gcr.io/anthos-baremetal-release/", "gcr.io/config-management-release/", "gcr.io/kubebuilder/", "gcr.io/gkeconnect/", "gke.gcr.io/"]
pod/wp-non-compliant created

Remove NIST SP 800-53 Rev. 5 policy bundle

If needed, the NIST SP 800-53 Rev. 5 policy bundle can be removed from the cluster.

kubectl

Use kubectl to remove the policies:

kubectl delete constraint -l policycontroller.gke.io/bundleName=nist-sp-800-53-r5

kpt

Remove the policies:
```
kpt live destroy
```

Config Sync

Operators using Config Sync to deploy policies to their clusters can use the following instructions:

Push changes to the Config Sync repo:

git rm -r SYNC_ROOT_DIR/policies/nist-sp-800-53-r5
git commit -m 'Removing NIST SP 800-53 Rev. 5 policies'
git push

Verify the status:
```
gcloud alpha anthos config sync repo list --project PROJECT_ID
```
Your repo showing up in the SYNCED column confirms the removal of the policies.