Stay organized with collections Save and categorize content based on your preferences.

Use Policy Essentials v2022 policy constraints

Policy Controller comes with a default library of constraint templates that can be used with the Policy Essentials v2022 bundle to apply Google recommended best practices to your cluster resources.

This bundle of constraints addresses and enforces policies in the following domains:

  • RBAC and service accounts
  • Pod Security Policies
  • Container Network Interface (CNI)
  • Secrets management
  • General policies

The bundle includes these constraints:

Constraint Control description
no-secrets-as-env-vars Prefer using Secrets as files over Secrets as environment variables
pods-require-security-context Apply Security Context to your Pods and containers
prohibit-role-wildcard-access Minimize the use of wildcards in Roles and ClusterRoles.
psp-allow-privilege-escalation-container Minimize the admission of containers with allowPrivilegeEscalation
psp-capabilities Minimize the admission of containers with the NET_RAW capability, added capabilities, and/or capabilities assigned.
psp-host-namespace Minimize the admission of containers wanting to share the host process ID namespace and/or host IPC namespace
psp-host-network-ports Minimize the admission of containers wanting to share the host network namespace
psp-privileged-container Minimize the admission of privileged containers
psp-pods-must-run-as-nonroot Minimize the admission of root containers
psp-seccomp-default Ensure that the seccomp profile is set to runtime/default or docker/default in your Pod definitions
restrict-clusteradmin-rolebindings Minimize the use of the cluster-admin role.

Before you begin

  1. Install and initialize the Google Cloud CLI, which provides the gcloud and kubectl commands used in these instructions. If you use Cloud Shell, Google Cloud CLI comes pre-installed.
  2. Install and setup kpt. kpt is used in these instructions to customize and deploy Kubernetes resources.
  3. If you are using Anthos Config Management for the first time, enable Anthos Config Management.
  4. Install Policy Controller on your cluster with the default library of constraint templates.

Audit with Policy Controller

Policy Controller lets you enforce policies for your Kubernetes cluster. To help test your workloads and their compliance with regard to the Google recommended best practices outlined in the preceding table, you can deploy these constraints in "audit" mode to reveal violations and more importantly give yourself a chance to fix them before enforcing on your Kubernetes cluster.

You can apply these policies with spec.enforcementAction set to dryrun using kpt or Config Sync.

kpt

  1. Download the Policy Essentials v2022 policy bundle from GitHub using kpt:

    kpt pkg get https://github.com/GoogleCloudPlatform/acm-policy-controller-library.git/bundles/policy-essentials-v2022
    
  2. Run the set-enforcement-action kpt function to set the policies' enforcement action to dryrun:

    kpt fn eval policy-essentials-v2022 -i gcr.io/kpt-fn/set-enforcement-action:v0.1 \
      -- enforcementAction=dryrun
    
  3. Initialize the working directory with kpt, which creates a resource to track changes:

    cd policy-essentials-v2022
    kpt live init
    
  4. Apply the policy constraints with kpt:

    kpt live apply
    

    The output is the following:

    k8spspseccomp.constraints.gatekeeper.sh/policy-essentials-v2022-psp-seccomp-docker-default created
    k8spodsrequiresecuritycontext.constraints.gatekeeper.sh/policy-essentials-v2022-pods-require-security-context created
    k8sprohibitrolewildcardaccess.constraints.gatekeeper.sh/policy-essentials-v2022-prohibit-role-wildcard-access created
    k8snoenvvarsecrets.constraints.gatekeeper.sh/policy-essentials-v2022-no-secrets-as-env-vars created
    k8spspallowprivilegeescalationcontainer.constraints.gatekeeper.sh/policy-essentials-v2022-psp-allow-privilege-escalation-container created
    k8spspallowedusers.constraints.gatekeeper.sh/policy-essentials-v2022-psp-pods-must-run-as-nonroot created
    k8spsphostnetworkingports.constraints.gatekeeper.sh/policy-essentials-v2022-psp-host-network-ports created
    k8srestrictrolebindings.constraints.gatekeeper.sh/policy-essentials-v2022-restrict-clusteradmin-rolebindings created
    k8spspcapabilities.constraints.gatekeeper.sh/policy-essentials-v2022-psp-capabilities created
    k8spsphostnamespace.constraints.gatekeeper.sh/policy-essentials-v2022-psp-host-namespace created
    k8spspprivilegedcontainer.constraints.gatekeeper.sh/policy-essentials-v2022-psp-privileged-container created
    11 resource(s) applied. 11 created, 0 unchanged, 0 configured, 0 failed
    
  5. Verify that policy constraints have been installed and check if violations exist across the cluster:

    kpt live status --output table --poll-until current
    

    A status of CURRENT confirms successful installation of the constraints.

Config Sync

Operators using Config Sync to deploy policies to their clusters can use the following instructions:

  1. Change into the sync directory for Config Sync:

    cd SYNC_ROOT_DIR
    
  2. Create a dedicated policies directory:

    mkdir -p policies
    
  3. Download the Policy Essentials v2022 policy bundle from GitHub using kpt:

    kpt pkg get https://github.com/GoogleCloudPlatform/acm-policy-controller-library.git/bundles/policy-essentials-v2022 policies/policy-essentials
    
  4. Run the set-enforcement-action kpt function to set the policies' enforcement action to dryrun:

    kpt fn eval policies/policy-essentials/policy-essentials-v2022 -i gcr.io/kpt-fn/set-enforcement-action:v0.1 -- enforcementAction=dryrun
    
  5. (Optional) Preview the policy constraints that will be created:

    kpt live init policies/policy-essentials/policy-essentials-v2022
    kpt live apply --dry-run policies/policy-essentials/policy-essentials-v2022
    

    The output is the following:

    k8spsphostnamespace.constraints.gatekeeper.sh/policy-essentials-v2022-psp-host-namespace created (dry-run)
    k8spodsrequiresecuritycontext.constraints.gatekeeper.sh/policy-essentials-v2022-pods-require-security-context created (dry-run)
    k8srestrictnamespaces.constraints.gatekeeper.sh/policy-essentials-v2022-restrict-default-namespace created (dry-run)
    k8srestrictrolebindings.constraints.gatekeeper.sh/policy-essentials-v2022-restrict-clusteradmin-rolebindings created (dry-run)
    k8snoenvvarsecrets.constraints.gatekeeper.sh/policy-essentials-v2022-no-secrets-as-env-vars created (dry-run)
    k8spspallowedusers.constraints.gatekeeper.sh/policy-essentials-v2022-psp-pods-must-run-as-nonroot created (dry-run)
    k8spsphostnetworkingports.constraints.gatekeeper.sh/policy-essentials-v2022-psp-host-network-ports created (dry-run)
    k8spspprivilegedcontainer.constraints.gatekeeper.sh/policy-essentials-v2022-psp-privileged-container created (dry-run)
    k8spspseccomp.constraints.gatekeeper.sh/policy-essentials-v2022-psp-seccomp-docker-default created (dry-run)
    k8sprohibitrolewildcardaccess.constraints.gatekeeper.sh/policy-essentials-v2022-prohibit-role-wildcard-access created (dry-run)
    k8spspallowprivilegeescalationcontainer.constraints.gatekeeper.sh/policy-essentials-v2022-psp-allow-privilege-escalation-container created (dry-run)
    k8spspcapabilities.constraints.gatekeeper.sh/policy-essentials-v2022-psp-capabilities created (dry-run)
    11 resource(s) applied. 11 created, 0 unchanged, 0 configured, 0 failed (dry-run)
    
  6. Push changes to the Config Sync repo:

    git add SYNC_ROOT_DIR/policies/policy-essentials
    git commit -m 'Adding Policy Essentials v2022 policy audit enforcement'
    git push
    
  7. Verify the status of the installation:

    watch gcloud beta container fleet config-management status --project PROJECT_ID
    

    A status of SYNCED confirms the installation of the policies.

View policy violations

Once the policy constraints are installed in audit mode, violations on the cluster can be viewed using the following command:

kubectl get constraint -o json | jq -cC '.items[]| [.kind,.status.totalViolations]'

If you prefer to view the violations in Cloud Logging, go to the Logs Explorer page.

Go to Logs Explorer

Use the following filters in the Query editor to monitor the violations logs:

resource.type="k8s_container"
resource.labels.location=CLUSTER_LOCATION
resource.labels.namespace_name="gatekeeper-system"
resource.labels.pod_name:"gatekeeper-audit-"
jsonPayload.process: "audit"
jsonPayload.event_type: "violation_audited"
jsonPayload.constraint_name:*
jsonPayload.constraint_namespace:*

Enforce Policy Essentials v2022 policies

Once you've reviewed policy violations on your cluster, the next step is to enforce these policies so that the Admission Controller blocks any non-compliant resource from getting applied to the cluster.

kpt

  1. Run the set-enforcement-action kpt function to set the policies' enforcement action to deny:

    kpt fn eval -i gcr.io/kpt-fn/set-enforcement-action:v0.1 -- enforcementAction=deny
    
  2. Apply the policy constraints:

    kpt live apply
    

Config Sync

Operators using Config Sync to deploy policies to their clusters can use the following instructions:

  1. Change into the sync directory for Config Sync:

    cd SYNC_ROOT_DIR
    
  2. Run the set-enforcement-action kpt function to set the policies' enforcement action to deny:

    kpt fn eval policies/policy-essentials/policy-essentials-v2022 -i gcr.io/kpt-fn/set-enforcement-action:v0.1 -- enforcementAction=deny
    
  3. Push changes to the Config Sync repo:

    git add SYNC_ROOT_DIR/policies/policy-essentials
    git commit -m 'Enforcing Policy Essentials v2022 policies for GKE'
    git push
    
  4. Verify the status of the installation:

    gcloud alpha anthos config sync repo list --project PROJECT_ID
    

    Your repo showing up in the SYNCED column confirms the installation of the policies.

Test policy enforcement

Perform a quick test to confirm the policy enforcement and blocking of non-compliant resources on the cluster.

Create a non-compliant resource on the cluster using the following command:

cat <<EOF | kubectl apply -f -
apiVersion: v1
kind: Pod
metadata:
  namespace: default
  name: wp-non-compliant
  labels:
    app: wordpress
spec:
  containers:
    - image: wordpress
      name: wordpress
      ports:
      - containerPort: 80
        name: wordpress
EOF

The admission controller should produce an error listing out the policy violations that this resource violates. For example:

Error from server (Forbidden): error when creating "STDIN":
admission webhook "validation.gatekeeper.sh" denied the request:
[policy-essentials-v2022-psp-capabilities] container <wordpress> is not dropping all required capabilities. Container must drop all of ["NET_RAW"] or "ALL"