Apply policy bundles and monitor policy compliance at scale for Kubernetes clusters
Poonam Lamba
Product Manager, Google
As more enterprise customers adopt a hybrid and multi-cloud strategy, centralized security and governance become increasingly important as workloads are distributed across environments. Anthos is our cloud-centric container platform for running modern applications anywhere, consistently and at scale. Anthos Config Management (ACM) automates policy and security for Kubernetes clusters and consists of Config Sync, Config Controller, and Policy Controller. Config Sync reconciles the state of clusters with one or more Git repositories. Config Controller is a hosted service that allows administrators to manage Google Cloud Platform (GCP) resources declaratively. This blog covers the enhancements we have brought to the Policy Controller component.
As a key component of ACM, Policy Controller enables the enforcement of fully programmable policies for your clusters. These policies act as "guardrails" and prevent any changes from violating security, operational, or compliance controls. Policy Controller can help accelerate your application modernization efforts by helping developers release code quickly and safely.
We are thrilled to announce the launch of our new built-in Policy Controller Dashboard, a powerful tool that makes it easy to manage and monitor the policy guardrails applied to your fleet of clusters.
With Policy Controller Dashboard, Platform and Security Admins can:
Get an at-a-glance view of the state of all policies applied to the fleet of clusters, including the enforcement status of each (dryrun or enforced)
Easily troubleshoot and resolve policy violations by referring to opinionated recommendations for each violation
Get visibility into the compliance status of cluster resources
Policy Controller Dashboard is designed to be user-friendly and intuitive, making it easy for users of all skill levels to manage and monitor violations across their fleet of clusters. It gives you a centralized view of policy violations so you can take action where necessary.
The dashboard can also show you which of your resources are affected by a specific policy, and can make opinionated suggestions on how to fix the problem.
Introducing Policy Bundles
A policy bundle is an out-of-the-box set of constraints created and maintained by Google. The bundles audit your cluster resources against Kubernetes standards, industry standards, or Google-recommended best practices.
Policy bundles are available now and can be used as-is by new or existing users, without writing a single line of code. The Policy Controller dashboard shows the status of policy bundle coverage for the fleet: if you have 4 clusters in your fleet and have applied the PCI DSS 3.2.1 bundle to all 4, the dashboard shows 100% coverage for your fleet. In addition to coverage, the dashboard also shows the overall compliance state of each bundle across the entire fleet of clusters.
The following policy bundles are available now with Anthos:
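To make the coverage and compliance figures concrete, here is an added example (not code from the post or from Policy Controller itself) that aggregates per-cluster constraint objects, shaped like the Gatekeeper constraints you would collect from each cluster, into the fleet-level view described above. The bundle label key is an assumption, and the four-cluster fleet is constructed sample data.

```python
from collections import defaultdict
# Assumed label key that bundle constraints carry (not stated on the page).
BUNDLE_LABEL = "policycontroller.gke.io/bundleName"

def _bundle_of(c):
    return c.get("metadata", {}).get("labels", {}).get(BUNDLE_LABEL)

def bundle_coverage(fleet):
    """{bundle: % of fleet clusters with at least one constraint from that bundle}."""
    covered = defaultdict(set)
    for cluster, constraints in fleet.items():
        for c in constraints:
            if _bundle_of(c):
                covered[_bundle_of(c)].add(cluster)
    total = len(fleet) or 1  # guard against an empty fleet
    return {b: 100 * len(cs) // total for b, cs in covered.items()}

def bundle_compliance(fleet):
    """{bundle: enforced/dryrun constraint counts, violation total, compliant flag}."""
    out = defaultdict(lambda: {"enforced": 0, "dryrun": 0, "violations": 0})
    for constraints in fleet.values():
        for c in constraints:
            bundle = _bundle_of(c)
            if not bundle:
                continue  # locally authored constraint, not part of a bundle
            # Gatekeeper treats a missing enforcementAction as "deny" (enforced).
            action = c.get("spec", {}).get("enforcementAction", "deny")
            out[bundle]["dryrun" if action == "dryrun" else "enforced"] += 1
            out[bundle]["violations"] += len(c.get("status", {}).get("violations", []))
    for s in out.values():
        s["compliant"] = s["violations"] == 0
    return dict(out)

def constraint(name, bundle, action="dryrun", violations=()):
    """Constructed sample with the metadata/spec/status shape of a Gatekeeper constraint."""
    return {"metadata": {"name": name, "labels": {BUNDLE_LABEL: bundle}},
            "spec": {"enforcementAction": action},
            "status": {"violations": [{"name": v} for v in violations]}}

# Constructed fleet: PCI bundle on all four clusters (one enforced, one with a violation), PSS Baseline on two.
SAMPLE_FLEET = {
    "cluster-a": [constraint("pci-no-privileged", "pci-dss-v3.2.1", violations=["pod/debug"]),
                  constraint("pss-no-host-network", "pss-baseline")],
    "cluster-b": [constraint("pci-no-privileged", "pci-dss-v3.2.1", action="deny")],
    "cluster-c": [constraint("pci-no-privileged", "pci-dss-v3.2.1"),
                  constraint("pss-no-host-network", "pss-baseline")],
    "cluster-d": [constraint("pci-no-privileged", "pci-dss-v3.2.1")],
}
```

With this fleet, `bundle_coverage` reports 100% for the PCI bundle and 50% for PSS Baseline, and `bundle_compliance` flags the PCI bundle as non-compliant because one dryrun constraint is still reporting a violation.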
PCI DSS 3.2.1: Helps audit your cluster resources against the PCI-DSS 3.2.1 industry standard
CIS Kubernetes Benchmark 1.5.1: Helps audit your cluster resources against the CIS Kubernetes Benchmark, a set of recommendations for configuring Kubernetes to support a robust security posture.
PSS Baseline: Helps audit your cluster resources against the Pod Security Standards (PSS) Baseline profile
PSS Restricted: Helps audit your cluster resources against the Pod Security Standards (PSS) Restricted profile
PSP: Helps audit your cluster resources against Pod Security Policies
Policy Essentials: Helps audit your cluster resources against Google-recommended best practices for containerized workloads
Anthos Service Mesh Security: Helps audit your cluster against recommended Anthos Service Mesh best practices
Get started today
The easiest way to get started with Anthos Policy Controller is to install Policy Controller and apply a policy bundle to audit your fleet of clusters against a standard such as the CIS Kubernetes Benchmark.
You can also try Policy Controller to audit your cluster against the Policy Essentials bundle.