Policy Controller comes with a default library of constraint templates that can be used with the PCI-DSS v3.2.1 bundle to evaluate the compliance of your cluster resources against some aspects of the Payment Card Industry Data Security Standard (PCI-DSS) v3.2.1.
This page is for IT administrators and Operators who want to ensure that all resources running within the cloud platform meet organizational compliance requirements by providing and maintaining automation to audit or enforce. To learn more about common roles and example tasks that we reference in Google Cloud content, see Common GKE Enterprise user roles and tasks.
PCI-DSS v3.2.1 policy bundle constraints
Constraint Name | Constraint Description | Control ID | Profile |
---|---|---|---|
pci-dss-v3.2.1-resources-have-required-labels | Ensures requirements for a firewall by requiring all apps to contain a specified label. | 1.1.4 | Standard |
pci-dss-v3.2.1-apps-must-have-certain-set-of-annotations | Ensures requirements for network-controls by requiring all apps to contain a specified annotation. | 1.1.5, 2.4 | Standard |
pci-dss-v3.2.1-require-default-deny-network-policies | Requires that every namespace defined in the cluster have a default deny NetworkPolicy for egress. |
1.2, 1.3, 2.2.2 | Extended |
pci-dss-v3.2.1-block-all-ingress | Restricts the creation of ingress objects. | 1.2, 1.3 | Extended |
pci-dss-v3.2.1-require-valid-network-ranges | Restricts CIDR ranges permitted for use with ingress and egress. | 1.2, 1.3.2 | Extended |
pci-dss-v3.2.1-require-namespace-network-policies | Requires that every namespace defined in the cluster has a NetworkPolicy. | 1.2 | Standard |
pci-dss-v3.2.1-enforce-managed-by-configmanagement-label | Requires a valid app.kubernetes.io/managed-by= label on RoleBinding resources. |
1.2.2, 8.1.2 | Standard |
pci-dss-v3.2.1-block-creation-with-default-serviceaccount | Restricts the creation of resources using a default service account. | 2.1 | Standard |
pci-dss-v3.2.1-restrict-default-namespace | Restricts pods from using the default namespace. | 2.1 | Standard |
pci-dss-v3.2.1-asm-peer-authn-strict-mtls | Enforce all PeerAuthentications cannot overwrite strict mMTLS. | 4.1 | Standard |
pci-dss-v3.2.1-require-av-daemonset | Requires the presence of an Anti-Virus daemonset. | 5.1.1, 5.3 | Standard |
pci-dss-v3.2.1-enforce-config-management | Enforce the presence and enablement of Config Sync. | 5.3, 6.1, 6.4 | Standard |
pci-dss-v3.2.1-enforce-cloudarmor-backendconfig | Enforce Cloud Armor configuration on BackendConfig resources. |
6.5, 6.6 | Standard |
pci-dss-v3.2.1-restrict-rbac-subjects | Restricts the use of names in RBAC subjects to permitted values. | 8.1, 8.1.5 | Extended |
pci-dss-v3.2.1-block-secrets-of-type-basic-auth | Restricts the use of basic-auth type secrets. | 8.1.5, 8.2.3, 8.5 | Standard |
pci-dss-v3.2.1-nodes-have-consistent-time | Ensures consistent and correct time on Nodes by ensuring the usage of COS as the OS image. | 10.4.1, 10.4.3 | Standard |
Standard vs Extended bundle constraints
The PCI-DSS v3.2.1 bundle implements an opinionated set of policy requirements to achieve some aspects of the PCI-DSS v3.2.1 controls. In addition to modification on your workload to fit the Standard bundle's requirements, an optional set of extended constraints is also available which require customization for your environment.
Before you begin
- Install and initialize the
Google Cloud CLI,
which provides the
gcloud
andkubectl
commands used in these instructions. If you use Cloud Shell, Google Cloud CLI comes pre-installed. - Install Policy Controller v1.14.3 or higher on your cluster with the default library of constraint templates. You must also enable support for referential constraints as this bundle contains referential constraints.
Configure Policy Controller for referential constraints
Save the following YAML manifest to a file as
policycontroller-config.yaml
. The manifest configures Policy Controller to watch specific kinds of objects.apiVersion: config.gatekeeper.sh/v1alpha1 kind: Config metadata: name: config namespace: "gatekeeper-system" spec: sync: syncOnly: - group: "apps" version: "v1" kind: "DaemonSet" - group: "networking.k8s.io" version: "v1" kind: "NetworkPolicy"
Apply the
policycontroller-config.yaml
manifest:kubectl apply -f policycontroller-config.yaml
Configure your cluster's workload for PCI-DSS v3.2.1
Standard Bundle
- All apps (
ReplicaSet
,Deployment
,StatefulSet
, andDaemonSet
) must include apci-dss-firewall-audit label
with the schema ofpci-dss-[0-9]{4}q[1-4]
. - All apps (
ReplicaSet
,Deployment
,StatefulSet
,DaemonSet
) must include anetwork-controls/date
annotation with the schema ofYYYY-MM-DD
. - Every
namespace
defined in the cluster must have aNetworkPolicy
. - The use of Config Sync for
configmanagement.gke.io
is required by default, however the permittedapp.kubernetes.io/managed-by
values can be customized in thepci-dss-v3.2.1-enforce-managed-by-configmanagement-label
constraint. - Resources cannot be created using the default service account.
- The default
namespace
cannot be used for pods. - If using Cloud Service Mesh, ASM PeerAuthentication must use strict mTLS
spec.mtls.mode: STRICT
. - An antivirus solution is required. The default is the presence of a
daemonset
namedclamav
in thepci-dss-av
namespace
, however thedaemonset
's name and namespace can be customized to your implementation in thepci-dss-v3.2.1-require-av-daemonset
constraint. - The presence and enablement of Config Sync is required.
- All
BackendConfig
must be configured for CloudArmor. - The use of
basic-auth
type secrets is not permitted. - All nodes must use Google Container-Optimized OS for their image for consistent time.
Extended Bundle (optional with customization required)
- Every
namespace
defined in the cluster have a default denyNetworkPolicy
for egress, permitted exceptions can be specific inpci-dss-v3.2.1-require-namespace-network-policies
. - Only permitted Ingress objects (
Ingress
,Gateway
, andService
types ofNodePort
andLoadBalancer
) can be created, these can be specified inpci-dss-v3.2.1-block-all-ingress
. - Only permitted IP ranges can be used for Ingress and Express, these can be specified in
pci-dss-v3.2.1-require-valid-network-ranges
. - Only permitted subjects can be used in RBAC bindings, your domain name(s) can be specified in
pci-dss-v3.2.1-restrict-rbac-subjects
.
Audit PCI-DSS v3.2.1 policy bundle
Policy Controller lets you enforce policies for your Kubernetes cluster. To help test your workloads and their compliance with regard to the PCI-DSS v3.2.1 policies outlined in the preceding table, you can deploy these constraints in "audit" mode to reveal violations and more importantly give yourself a chance to fix them before enforcing on your Kubernetes cluster.
You can apply these policies with spec.enforcementAction
set to dryrun
using kubectl,
kpt,
or
Config Sync.
kubectl
(Optional) Preview the policy constraints with kubectl:
kubectl kustomize https://github.com/GoogleCloudPlatform/gke-policy-library.git/anthos-bundles/pci-dss-v3.2.1
Apply the policy constraints with kubectl:
kubectl apply -k https://github.com/GoogleCloudPlatform/gke-policy-library.git/anthos-bundles/pci-dss-v3.2.1
The output is the following:
asmpeerauthnstrictmtls.constraints.gatekeeper.sh/pci-dss-v3.2.1-asm-peer-authn-strict-mtls created k8sblockcreationwithdefaultserviceaccount.constraints.gatekeeper.sh/pci-dss-v3.2.1-block-creation-with-default-serviceaccount created k8sblockobjectsoftype.constraints.gatekeeper.sh/pci-dss-v3.2.1-block-secrets-of-type-basic-auth created k8senforcecloudarmorbackendconfig.constraints.gatekeeper.sh/pci-dss-v3.2.1-enforce-cloudarmor-backendconfig created k8senforceconfigmanagement.constraints.gatekeeper.sh/pci-dss-v3.2.1-enforce-config-management created k8srequirecosnodeimage.constraints.gatekeeper.sh/pci-dss-v3.2.1-nodes-have-consistent-time created k8srequiredaemonsets.constraints.gatekeeper.sh/pci-dss-v3.2.1-require-av-daemonset created k8srequirenamespacenetworkpolicies.constraints.gatekeeper.sh/pci-dss-v3.2.1-require-namespace-network-policies created k8srequiredannotations.constraints.gatekeeper.sh/pci-dss-v3.2.1-apps-must-have-certain-set-of-annotations created k8srequiredlabels.constraints.gatekeeper.sh/pci-dss-v3.2.1-enforce-managed-by-configmanagement-label created k8srequiredlabels.constraints.gatekeeper.sh/pci-dss-v3.2.1-resources-have-required-labels created k8srestrictnamespaces.constraints.gatekeeper.sh/pci-dss-v3.2.1-restrict-default-namespace created
Verify that policy constraints have been installed and check if violations exist across the cluster:
kubectl get -k https://github.com/GoogleCloudPlatform/gke-policy-library.git/anthos-bundles/pci-dss-v3.2.1
The output is similar to the following:
NAME ENFORCEMENT-ACTION TOTAL-VIOLATIONS asmpeerauthnstrictmtls.constraints.gatekeeper.sh/pci-dss-v3.2.1-asm-peer-authn-strict-mtls dryrun 0 NAME ENFORCEMENT-ACTION TOTAL-VIOLATIONS k8sblockcreationwithdefaultserviceaccount.constraints.gatekeeper.sh/pci-dss-v3.2.1-block-creation-with-default-serviceaccount dryrun 0 NAME ENFORCEMENT-ACTION TOTAL-VIOLATIONS k8sblockobjectsoftype.constraints.gatekeeper.sh/pci-dss-v3.2.1-block-secrets-of-type-basic-auth dryrun 0 NAME ENFORCEMENT-ACTION TOTAL-VIOLATIONS k8senforcecloudarmorbackendconfig.constraints.gatekeeper.sh/pci-dss-v3.2.1-enforce-cloudarmor-backendconfig dryrun 0 NAME ENFORCEMENT-ACTION TOTAL-VIOLATIONS k8senforceconfigmanagement.constraints.gatekeeper.sh/pci-dss-v3.2.1-enforce-config-management dryrun 0 NAME ENFORCEMENT-ACTION TOTAL-VIOLATIONS k8srequirecosnodeimage.constraints.gatekeeper.sh/pci-dss-v3.2.1-nodes-have-consistent-time dryrun 0 NAME ENFORCEMENT-ACTION TOTAL-VIOLATIONS k8srequiredaemonsets.constraints.gatekeeper.sh/pci-dss-v3.2.1-require-av-daemonset dryrun 0 NAME ENFORCEMENT-ACTION TOTAL-VIOLATIONS k8srequirenamespacenetworkpolicies.constraints.gatekeeper.sh/pci-dss-v3.2.1-require-namespace-network-policies dryrun 0 NAME ENFORCEMENT-ACTION TOTAL-VIOLATIONS k8srequiredannotations.constraints.gatekeeper.sh/pci-dss-v3.2.1-apps-must-have-certain-set-of-annotations dryrun 0 NAME ENFORCEMENT-ACTION TOTAL-VIOLATIONS k8srequiredlabels.constraints.gatekeeper.sh/pci-dss-v3.2.1-enforce-managed-by-configmanagement-label dryrun 0 k8srequiredlabels.constraints.gatekeeper.sh/pci-dss-v3.2.1-resources-have-required-labels dryrun 0 NAME ENFORCEMENT-ACTION TOTAL-VIOLATIONS k8srestrictnamespaces.constraints.gatekeeper.sh/pci-dss-v3.2.1-restrict-default-namespace dryrun 0
kpt
Install and setup kpt. kpt is used in these instructions to customize and deploy Kubernetes resources.
Download the PCI-DSS v3.2.1 policy bundle from GitHub using kpt:
kpt pkg get https://github.com/GoogleCloudPlatform/gke-policy-library.git/anthos-bundles/pci-dss-v3.2.1
Run the
set-enforcement-action
kpt function to set the policies' enforcement action todryrun
:kpt fn eval pci-dss-v3.2.1 -i gcr.io/kpt-fn/set-enforcement-action:v0.1 \ -- enforcementAction=dryrun
Initialize the working directory with kpt, which creates a resource to track changes:
cd pci-dss-v3.2.1 kpt live init
Apply the policy constraints with kpt:
kpt live apply
Verify that policy constraints have been installed and check if violations exist across the cluster:
kpt live status --output table --poll-until current
A status of
CURRENT
confirms successful installation of the constraints.
Config Sync
- Install and setup kpt. kpt is used in these instructions to customize and deploy Kubernetes resources.
Operators using Config Sync to deploy policies to their clusters can use the following instructions:
Change into the sync directory for Config Sync:
cd SYNC_ROOT_DIR
To create or append
.gitignore
withresourcegroup.yaml
:echo resourcegroup.yaml >> .gitignore
Create a dedicated
policies
directory:mkdir -p policies
Download the PCI-DSS v3.2.1 policy bundle from GitHub using kpt:
kpt pkg get https://github.com/GoogleCloudPlatform/gke-policy-library.git/anthos-bundles/pci-dss-v3.2.1 policies/pci-dss-v3.2.1
Run the
set-enforcement-action
kpt function to set the policies' enforcement action todryrun
:kpt fn eval policies/pci-dss-v3.2.1 -i gcr.io/kpt-fn/set-enforcement-action:v0.1 -- enforcementAction=dryrun
(Optional) Preview the policy constraints to be created:
kpt live init policies/pci-dss-v3.2.1 kpt live apply --dry-run policies/pci-dss-v3.2.1
If your sync directory for Config Sync uses Kustomize, add
policies/pci-dss-v3.2.1
to your rootkustomization.yaml
. Otherwise remove thepolicies/pci-dss-v3.2.1/kustomization.yaml
file:rm SYNC_ROOT_DIR/policies/pci-dss-v3.2.1/kustomization.yaml
Push changes to the Config Sync repo:
git add SYNC_ROOT_DIR/policies/pci-dss-v3.2.1 git commit -m 'Adding PCI-DSS v3.2.1 policy audit enforcement' git push
Verify the status of the installation:
watch gcloud beta container fleet config-management status --project PROJECT_ID
A status of
SYNCED
confirms the installation of the policies.
View policy violations
Once the policy constraints are installed in audit mode, violations on the cluster can be viewed in the UI using the Policy Controller Dashboard.
You can also use kubectl
to view violations on the cluster using the following command:
kubectl get constraint -l policycontroller.gke.io/bundleName=pci-dss-v3.2.1 -o json | jq -cC '.items[]| [.metadata.name,.status.totalViolations]'
If violations are present, a listing of the violation messages per constraint can be viewed with:
kubectl get constraint -l policycontroller.gke.io/bundleName=pci-dss-v3.2.1 -o json | jq -C '.items[]| select(.status.totalViolations>0)| [.metadata.name,.status.violations[]?]'
Change PCI-DSS v3.2.1 policy bundle enforcement action
Once you've reviewed policy violations on your cluster, you can consider
changing the enforcement mode so the Admission Controller will either warn
on
or even deny
block non-compliant resource from getting applied to the cluster.
kubectl
Use kubectl to set the policies' enforcement action to
warn
:kubectl get constraint -l policycontroller.gke.io/bundleName=pci-dss-v3.2.1 -o name | xargs -I {} kubectl patch {} --type='json' -p='[{"op":"replace","path":"/spec/enforcementAction","value":"warn"}]'
Verify that policy constraints enforcement action have been updated:
kubectl get constraint -l policycontroller.gke.io/bundleName=pci-dss-v3.2.1
kpt
Run the
set-enforcement-action
kpt function to set the policies' enforcement action towarn
:kpt fn eval -i gcr.io/kpt-fn/set-enforcement-action:v0.1 -- enforcementAction=warn
Apply the policy constraints:
kpt live apply
Config Sync
Operators using Config Sync to deploy policies to their clusters can use the following instructions:
Change into the sync directory for Config Sync:
cd SYNC_ROOT_DIR
Run the
set-enforcement-action
kpt function to set the policies' enforcement action towarn
:kpt fn eval policies/pci-dss-v3.2.1 -i gcr.io/kpt-fn/set-enforcement-action:v0.1 -- enforcementAction=warn
Push changes to the Config Sync repo:
git add SYNC_ROOT_DIR/policies/pci-dss-v3.2.1 git commit -m 'Adding PCI-DSS v3.2.1 policy bundle warn enforcement' git push
Verify the status of the installation:
gcloud alpha anthos config sync repo list --project PROJECT_ID
Your repo showing up in the
SYNCED
column confirms the installation of the policies.
Test policy enforcement
Create a non-compliant resource on the cluster using the following command:
cat <<EOF | kubectl apply -f -
apiVersion: v1
kind: Pod
metadata:
namespace: default
name: wp-non-compliant
labels:
app: wordpress
spec:
containers:
- image: wordpress
name: wordpress
ports:
- containerPort: 80
name: wordpress
EOF
The admission controller should produce a warning listing out the policy violations that this resource violates, as shown in the following example:
Warning: [pci-dss-v3.2.1-restrict-default-namespace] <default> namespace is restricted pod/wp-non-compliant created
Remove PCI-DSS v3.2.1 policy bundle
If needed, the PCI-DSS v3.2.1 policy bundle can be removed from the cluster.
kubectl
Use kubectl to remove the policies:
kubectl delete constraint -l policycontroller.gke.io/bundleName=pci-dss-v3.2.1
kpt
Remove the policies:
kpt live destroy
Config Sync
Operators using Config Sync to deploy policies to their clusters can use the following instructions:
Push changes to the Config Sync repo:
git rm -r SYNC_ROOT_DIR/policies/pci-dss-v3.2.1 git commit -m 'Removing PCI-DSS v3.2.1 policies' git push
Verify the status:
gcloud alpha anthos config sync repo list --project PROJECT_ID
Your repo showing up in the
SYNCED
column confirms the removal of the policies.