Use PCI-DSS v4.0 policy constraints
Policy Controller comes with a default library of constraint templates that can be used with the PCI-DSS v4.0 bundle to evaluate the compliance of your cluster resources against some aspects of the Payment Card Industry Data Security Standard (PCI-DSS) v4.0.
PCI-DSS v4.0 policy bundle constraints
| Constraint Name | Constraint Description | Control IDs |
|---|---|---|
| pci-dss-v4.0-require-apps-annotations | Requires that all apps in the cluster have a network-controls/date annotation.
|
2.2.5 |
| pci-dss-v4.0-require-av-daemonset | Requires the presence of an Anti-Virus DaemonSet.
|
5.2.1, 5.2.2, 5.2.3, 5.3.1, 5.3.2, 5.3.5 |
| pci-dss-v4.0-require-binauthz | Requires the Binary Authorization Validating Admission Webhook. | 2.2.1, 2.2.4, 6.2.3, 6.3.1, 6.3.2 |
| pci-dss-v4.0-require-cloudarmor-backendconfig | Enforces Google Cloud Armor configuration on BackendConfig resources.
|
6.4.1, 6.4.2 |
| pci-dss-v4.0-require-config-management | Requires that Config Management is running with Drift Prevention enabled and at least one RootSync object on the cluster.
|
1.2.8, 2.2.6, 5.3.5, 6.3.2, 6.5.1 |
| pci-dss-v4.0-require-default-deny-network-policies | Requires that every namespace defined in the cluster have a default deny NetworkPolicy for egress.
|
1.3.2, 1.4.4 |
| pci-dss-v4.0-require-managed-by-label | Requires all apps have a valid app.kubernetes.io/managed-by label.
|
1.2.8, 2.2.6, 5.3.5, 6.3.2, 6.5.1 |
| pci-dss-v4.0-require-namespace-network-policies | Requires that every Namespace defined in the cluster has a NetworkPolicy.
|
1.2.5, 1.2.6, 1.4.1, 1.4.4 |
| pci-dss-v4.0-require-peer-authentication-strict-mtls | Ensures PeerAuthentications cannot overwrite strict mTLS. | 2.2.7, 4.2.1, 8.3.2 |
| pci-dss-v4.0-require-valid-network-ranges | Restricts CIDR ranges permitted for use with ingress and egress. | 1.3.1, 1.3.2, 1.4.2, 1.4.4 |
| pci-dss-v4.0-resources-have-required-labels | Requires all apps to contain a specified label to meet firewall requirements. | 1.2.7 |
| pci-dss-v4.0-restrict-cluster-admin-role | Restricts the use of the cluster-admin role.
|
7.2.1, 7.2.2, 7.2.5, 8.2.4 |
| pci-dss-v4.0-restrict-creation-with-default-serviceaccount | Restricts the creation of resources using a default service account. Has no effect during audit. | 2.2.2 |
| pci-dss-v4.0-restrict-default-namespace | Restricts pods from using the default namespace. | 2.2.3 |
| pci-dss-v4.0-restrict-ingress | Restricts the creation of Ingress objects.
|
1.3.1, 1.4.2, 1.4.4 |
| pci-dss-v4.0-restrict-node-image | Ensures consistent and correct time on Nodes by allowing only Container-Optimized OS or Ubuntu as the OS image. | 10.6.1, 10.6.2, 10.6.3 |
| pci-dss-v4.0-restrict-pods-exec | Restricts the use of pods/exec in Roles and ClusterRoles.
|
8.6.1 |
| pci-dss-v4.0-restrict-rbac-subjects | Restricts the use of names in RBAC subjects to permitted values. | 7.3.2, 8.2.1, 8.2.2, 8.2.4 |
| pci-dss-v4.0-restrict-role-wildcards | Restricts the use of wildcards in Roles and ClusterRoles.
|
7.3.3, 8.2.4 |
| pci-dss-v4.0-restrict-storageclass | Restricts StorageClass to a list of StorageClass which encrypt by default.
|
3.3.2, 3.3.3 |
Before you begin
- Install and initialize the
Google Cloud CLI,
which provides the
gcloudandkubectlcommands used in these instructions. If you use Cloud Shell, Google Cloud CLI comes pre-installed. - Install Policy Controller v1.16.0 or higher on your cluster with the default library of constraint templates. You must also enable support for referential constraints as this bundle contains referential constraints.
Configure Policy Controller for referential constraints
Save the following YAML manifest to a file as
policycontroller-config.yaml. The manifest configures Policy Controller to watch specific kinds of objects.apiVersion: config.gatekeeper.sh/v1alpha1 kind: Config metadata: name: config namespace: "gatekeeper-system" spec: sync: syncOnly: - group: "networking.k8s.io" version: "v1" kind: "NetworkPolicy" - group: "admissionregistration.k8s.io" version: "v1" kind: "ValidatingWebhookConfiguration" - group: "storage.k8s.io" version: "v1" kind: "StorageClass"Apply the
policycontroller-config.yamlmanifest:kubectl apply -f policycontroller-config.yaml
Configure your cluster's workload for PCI-DSS v4.0
- All apps (
ReplicaSet,Deployment,StatefulSet,DaemonSet) must include anetwork-controls/dateannotation with the schema ofYYYY-MM-DD. - An antivirus solution is required. The default is the presence of a
daemonsetnamedclamavin theclamavNamespace, however thedaemonset's name and namespace can be customized to your implementation in thepci-dss-v4.0-require-av-daemonsetconstraint. - Enablement and configuration of Binary Authorization is required in
pci-dss-v4.0-require-binauthz. - All
BackendConfigmust be configured for CloudArmor. - The presence and enablement of Config Sync is required.
- Every
Namespacedefined in the cluster have a default denyNetworkPolicyfor egress, permitted exceptions can be specific inpci-dss-v4.0-require-namespace-network-policies. - The use of Config Sync for
configmanagement.gke.iois required by default, however the permittedapp.kubernetes.io/managed-byvalue can be customized in thepci-dss-v4.0-enforce-managed-by-configmanagement-labelconstraint. - Every
Namespacedefined in the cluster must have aNetworkPolicy. - If using Anthos Service Mesh, ASM PeerAuthentication must use strict mTLS
spec.mtls.mode: STRICT. - Only permitted IP ranges can be used for Ingress and Express, these can be specified in
pci-dss-v4.0-require-valid-network-ranges. - All apps (
ReplicaSet,Deployment,StatefulSet, andDaemonSet) must include apci-dss-firewall-audit labelwith the schema ofpci-dss-[0-9]{4}q[1-4]. - The use of the cluster-admin
ClusterRoleis not permitted. - Resources cannot be created using the default service account.
- The default
Namespacecannot be used for pods. - Only permitted Ingress objects (
Ingress,Gateway, andServicetypes ofNodePortandLoadBalancer) can be created, these can be specified inpci-dss-v4.0-restrict-ingress. - All nodes must use Container-Optimized OS or Ubuntu for their image for consistent time.
- The use of the wildcard character or the
pods/execpermission inRolesandClusterRolesis not permitted. - Only permitted subjects can be used in RBAC bindings, your domain name(s) can be specified in
pci-dss-v4.0-restrict-rbac-subjects. - The use of encrypt by default
StorageClassis required inpci-dss-v4.0-restrict-storageclass.
Audit PCI-DSS v4.0 policy bundle
Policy Controller lets you enforce policies for your Kubernetes cluster. To help test your workloads and their compliance with regard to the PCI-DSS v4.0 policies outlined in the preceding table, you can deploy these constraints in "audit" mode to reveal violations and more importantly give yourself a chance to fix them before enforcing on your Kubernetes cluster.
You can apply these policies with spec.enforcementAction set to dryrun using kubectl,
kpt,
or
Config Sync.
kubectl
(Optional) Preview the policy constraints with kubectl:
kubectl kustomize https://github.com/GoogleCloudPlatform/gke-policy-library.git/anthos-bundles/pci-dss-v4.0
Apply the policy constraints with kubectl:
kubectl apply -k https://github.com/GoogleCloudPlatform/gke-policy-library.git/anthos-bundles/pci-dss-v4.0
The output is the following:
asmpeerauthnstrictmtls.constraints.gatekeeper.sh/pci-dss-v4.0-require-peer-authentication-strict-mtls created k8sblockallingress.constraints.gatekeeper.sh/pci-dss-v4.0-restrict-ingress created k8sblockcreationwithdefaultserviceaccount.constraints.gatekeeper.sh/pci-dss-v4.0-restrict-creation-with-default-serviceaccount created k8senforcecloudarmorbackendconfig.constraints.gatekeeper.sh/pci-dss-v4.0-require-cloudarmor-backendconfig created k8senforceconfigmanagement.constraints.gatekeeper.sh/pci-dss-v4.0-require-config-management created k8sprohibitrolewildcardaccess.constraints.gatekeeper.sh/pci-dss-v4.0-restrict-role-wildcards created k8srequirebinauthz.constraints.gatekeeper.sh/pci-dss-v4.0-require-binauthz created k8srequirecosnodeimage.constraints.gatekeeper.sh/pci-dss-v4.0-restrict-node-image created k8srequiredaemonsets.constraints.gatekeeper.sh/pci-dss-v4.0-require-av-daemonset created k8srequiredefaultdenyegresspolicy.constraints.gatekeeper.sh/pci-dss-v4.0-require-default-deny-network-policies created k8srequirenamespacenetworkpolicies.constraints.gatekeeper.sh/pci-dss-v4.0-require-namespace-network-policies created k8srequirevalidrangesfornetworks.constraints.gatekeeper.sh/pci-dss-v4.0-require-valid-network-ranges created k8srequiredannotations.constraints.gatekeeper.sh/pci-dss-v4.0-require-apps-annotations created k8srequiredlabels.constraints.gatekeeper.sh/pci-dss-v4.0-require-managed-by-label created k8srequiredlabels.constraints.gatekeeper.sh/pci-dss-v4.0-resources-have-required-labels created k8srestrictnamespaces.constraints.gatekeeper.sh/pci-dss-v4.0-restrict-default-namespace created k8srestrictrbacsubjects.constraints.gatekeeper.sh/pci-dss-v4.0-restrict-rbac-subjects created k8srestrictrolebindings.constraints.gatekeeper.sh/pci-dss-v4.0-restrict-cluster-admin-role created k8srestrictrolerules.constraints.gatekeeper.sh/pci-dss-v4.0-restrict-pods-exec created k8sstorageclass.constraints.gatekeeper.sh/pci-dss-v4.0-restrict-storageclass created
Verify that policy constraints have been installed and check if violations exist across the cluster:
kubectl get constraints -l policycontroller.gke.io/bundleName=pci-dss-v4.0
The output is similar to the following:
NAME ENFORCEMENT-ACTION TOTAL-VIOLATIONS asmpeerauthnstrictmtls.constraints.gatekeeper.sh/pci-dss-v4.0-require-peer-authentication-strict-mtls dryrun 0 NAME ENFORCEMENT-ACTION TOTAL-VIOLATIONS k8sblockallingress.constraints.gatekeeper.sh/pci-dss-v4.0-restrict-ingress dryrun 0 NAME ENFORCEMENT-ACTION TOTAL-VIOLATIONS k8sblockcreationwithdefaultserviceaccount.constraints.gatekeeper.sh/pci-dss-v4.0-restrict-creation-with-default-serviceaccount dryrun 0 NAME ENFORCEMENT-ACTION TOTAL-VIOLATIONS k8senforcecloudarmorbackendconfig.constraints.gatekeeper.sh/pci-dss-v4.0-require-cloudarmor-backendconfig dryrun 0 NAME ENFORCEMENT-ACTION TOTAL-VIOLATIONS k8senforceconfigmanagement.constraints.gatekeeper.sh/pci-dss-v4.0-require-config-management dryrun 0 NAME ENFORCEMENT-ACTION TOTAL-VIOLATIONS k8sprohibitrolewildcardaccess.constraints.gatekeeper.sh/pci-dss-v4.0-restrict-role-wildcards dryrun 0 NAME ENFORCEMENT-ACTION TOTAL-VIOLATIONS k8srequirebinauthz.constraints.gatekeeper.sh/pci-dss-v4.0-require-binauthz dryrun 0 NAME ENFORCEMENT-ACTION TOTAL-VIOLATIONS k8srequirecosnodeimage.constraints.gatekeeper.sh/pci-dss-v4.0-restrict-node-image dryrun 0 NAME ENFORCEMENT-ACTION TOTAL-VIOLATIONS k8srequiredaemonsets.constraints.gatekeeper.sh/pci-dss-v4.0-require-av-daemonset dryrun 0 NAME ENFORCEMENT-ACTION TOTAL-VIOLATIONS k8srequiredannotations.constraints.gatekeeper.sh/pci-dss-v4.0-require-apps-annotations dryrun 0 NAME ENFORCEMENT-ACTION TOTAL-VIOLATIONS k8srequiredefaultdenyegresspolicy.constraints.gatekeeper.sh/pci-dss-v4.0-require-default-deny-network-policies dryrun 0 NAME ENFORCEMENT-ACTION TOTAL-VIOLATIONS k8srequiredlabels.constraints.gatekeeper.sh/pci-dss-v4.0-require-managed-by-label dryrun 0 k8srequiredlabels.constraints.gatekeeper.sh/pci-dss-v4.0-resources-have-required-labels dryrun 0 NAME ENFORCEMENT-ACTION TOTAL-VIOLATIONS k8srequirenamespacenetworkpolicies.constraints.gatekeeper.sh/pci-dss-v4.0-require-namespace-network-policies dryrun 0 NAME ENFORCEMENT-ACTION TOTAL-VIOLATIONS k8srequirevalidrangesfornetworks.constraints.gatekeeper.sh/pci-dss-v4.0-require-valid-network-ranges dryrun 0 NAME ENFORCEMENT-ACTION TOTAL-VIOLATIONS k8srestrictnamespaces.constraints.gatekeeper.sh/pci-dss-v4.0-restrict-default-namespace dryrun 0 NAME ENFORCEMENT-ACTION TOTAL-VIOLATIONS k8srestrictrbacsubjects.constraints.gatekeeper.sh/pci-dss-v4.0-restrict-rbac-subjects dryrun 0 NAME ENFORCEMENT-ACTION TOTAL-VIOLATIONS k8srestrictrolebindings.constraints.gatekeeper.sh/pci-dss-v4.0-restrict-cluster-admin-role dryrun 0 NAME ENFORCEMENT-ACTION TOTAL-VIOLATIONS k8srestrictrolerules.constraints.gatekeeper.sh/pci-dss-v4.0-restrict-pods-exec dryrun 0 NAME ENFORCEMENT-ACTION TOTAL-VIOLATIONS k8sstorageclass.constraints.gatekeeper.sh/pci-dss-v4.0-restrict-storageclass dryrun 0
kpt
Install and setup kpt. kpt is used in these instructions to customize and deploy Kubernetes resources.
Download the PCI-DSS v4.0 policy bundle from GitHub using kpt:
kpt pkg get https://github.com/GoogleCloudPlatform/gke-policy-library.git/anthos-bundles/pci-dss-v4.0
Run the
set-enforcement-actionkpt function to set the policies' enforcement action todryrun:kpt fn eval pci-dss-v4.0 -i gcr.io/kpt-fn/set-enforcement-action:v0.1 \ -- enforcementAction=dryrun
Initialize the working directory with kpt, which creates a resource to track changes:
cd pci-dss-v4.0 kpt live init
Apply the policy constraints with kpt:
kpt live apply
Verify that policy constraints have been installed and check if violations exist across the cluster:
kpt live status --output table --poll-until current
A status of
CURRENTconfirms successful installation of the constraints.
Config Sync
- Install and setup kpt. kpt is used in these instructions to customize and deploy Kubernetes resources.
Operators using Config Sync to deploy policies to their clusters can use the following instructions:
Change into the sync directory for Config Sync:
cd SYNC_ROOT_DIR
To create or append
.gitignorewithresourcegroup.yaml:echo resourcegroup.yaml >> .gitignore
Create a dedicated
policiesdirectory:mkdir -p policies
Download the PCI-DSS v4.0 policy bundle from GitHub using kpt:
kpt pkg get https://github.com/GoogleCloudPlatform/gke-policy-library.git/anthos-bundles/pci-dss-v4.0 policies/pci-dss-v4.0
Run the
set-enforcement-actionkpt function to set the policies' enforcement action todryrun:kpt fn eval policies/pci-dss-v4.0 -i gcr.io/kpt-fn/set-enforcement-action:v0.1 -- enforcementAction=dryrun
(Optional) Preview the policy constraints to be created:
kpt live init policies/pci-dss-v4.0 kpt live apply --dry-run policies/pci-dss-v4.0
If your sync directory for Config Sync uses Kustomize, add
policies/pci-dss-v4.0to your rootkustomization.yaml. Otherwise remove thepolicies/pci-dss-v4.0/kustomization.yamlfile:rm SYNC_ROOT_DIR/policies/pci-dss-v4.0/kustomization.yaml
Push changes to the Config Sync repository:
git add SYNC_ROOT_DIR/policies/pci-dss-v4.0 git commit -m 'Adding PCI-DSS v4.0 policy audit enforcement' git push
Verify the status of the installation:
watch gcloud beta container fleet config-management status --project PROJECT_ID
A status of
SYNCEDconfirms the installation of the policies.
View policy violations
Once the policy constraints are installed in audit mode, violations on the cluster can be viewed in the UI using the Policy Controller Dashboard.
You can also use kubectl to view violations on the cluster using the following command:
kubectl get constraint -l policycontroller.gke.io/bundleName=pci-dss-v4.0 -o json | jq -cC '.items[]| [.metadata.name,.status.totalViolations]'
If violations are present, a listing of the violation messages per constraint can be viewed with:
kubectl get constraint -l policycontroller.gke.io/bundleName=pci-dss-v4.0 -o json | jq -C '.items[]| select(.status.totalViolations>0)| [.metadata.name,.status.violations[]?]'
Change PCI-DSS v4.0 policy bundle enforcement action
Once you've reviewed policy violations on your cluster, you can consider
changing the enforcement mode so the Admission Controller will either warn on
or even deny block non-compliant resource from getting applied to the cluster.
kubectl
Use kubectl to set the policies' enforcement action to
warn:kubectl get constraint -l policycontroller.gke.io/bundleName=pci-dss-v4.0 -o name | xargs -I {} kubectl patch {} --type='json' -p='[{"op":"replace","path":"/spec/enforcementAction","value":"warn"}]'Verify that policy constraints enforcement action have been updated:
kubectl get constraint -l policycontroller.gke.io/bundleName=pci-dss-v4.0
kpt
Run the
set-enforcement-actionkpt function to set the policies' enforcement action towarn:kpt fn eval -i gcr.io/kpt-fn/set-enforcement-action:v0.1 -- enforcementAction=warn
Apply the policy constraints:
kpt live apply
Config Sync
Operators using Config Sync to deploy policies to their clusters can use the following instructions:
Change into the sync directory for Config Sync:
cd SYNC_ROOT_DIR
Run the
set-enforcement-actionkpt function to set the policies' enforcement action towarn:kpt fn eval policies/pci-dss-v4.0 -i gcr.io/kpt-fn/set-enforcement-action:v0.1 -- enforcementAction=warn
Push changes to the Config Sync repository:
git add SYNC_ROOT_DIR/policies/pci-dss-v4.0 git commit -m 'Adding PCI-DSS v4.0 policy bundle warn enforcement' git push
Verify the status of the installation:
gcloud alpha anthos config sync repo list --project PROJECT_ID
Your repository showing up in the
SYNCEDcolumn confirms the installation of the policies.
Test policy enforcement
Create a non-compliant resource on the cluster using the following command:
cat <<EOF | kubectl apply -f -
apiVersion: v1
kind: Pod
metadata:
namespace: default
name: wp-non-compliant
labels:
app: wordpress
spec:
containers:
- image: wordpress
name: wordpress
ports:
- containerPort: 80
name: wordpress
EOF
The admission controller should produce a warning listing out the policy violations that this resource violates, as shown in the following example:
Warning: [pci-dss-v4.0-restrict-default-namespace] <default> namespace is restricted pod/wp-non-compliant created
Remove PCI-DSS v4.0 policy bundle
If needed, the PCI-DSS v4.0 policy bundle can be removed from the cluster.
kubectl
Use kubectl to remove the policies:
kubectl delete constraint -l policycontroller.gke.io/bundleName=pci-dss-v4.0
kpt
Remove the policies:
kpt live destroy
Config Sync
Operators using Config Sync to deploy policies to their clusters can use the following instructions:
Push changes to the Config Sync repository:
git rm -r SYNC_ROOT_DIR/policies/pci-dss-v4.0 git commit -m 'Removing PCI-DSS v4.0 policies' git push
Verify the status:
gcloud alpha anthos config sync repo list --project PROJECT_ID
Your repository showing up in the
SYNCEDcolumn confirms the removal of the policies.