
Apply policy bundles and monitor policy compliance at scale for Kubernetes clusters

January 23, 2023
Poonam Lamba

Product Manager, Google Cloud


As more enterprise customers adopt a hybrid and multi-cloud strategy, centralized security and governance become increasingly important as workloads are distributed across environments. Anthos is our cloud-centric container platform for running modern applications anywhere, consistently and at scale. Anthos Config Management (ACM) automates policy and security for Kubernetes clusters and comprises Config Sync, Config Controller, and Policy Controller. Config Sync reconciles the state of clusters with one or more Git repositories. Config Controller is a hosted service that allows administrators to manage Google Cloud Platform (GCP) resources in a declarative fashion. This blog covers the enhancements we have brought to the Policy Controller component.

As a key component of ACM, Policy Controller enables the enforcement of fully programmable policies for your clusters. These policies act as "guardrails" and prevent any changes from violating security, operational, or compliance controls. Policy Controller can help accelerate your application modernization efforts by helping developers release code quickly and safely. 

We are thrilled to announce the launch of our new built-in Policy Controller Dashboard, a powerful tool that makes it easy to manage and monitor the policy guardrails applied to your Fleet of clusters. 

With Policy Controller Dashboard, Platform and Security Admins can:

  • Get an at-a-glance view of the state of all policies applied to the fleet of clusters, including the enforcement status of each (dryrun or enforced)

  • Easily troubleshoot and resolve policy violations by referring to opinionated recommendations for each violation

  • Get visibility into the compliance status of cluster resources

Policy Controller Dashboard is designed to be user friendly and intuitive, making it easy for users of all skill levels to manage and monitor violations across their fleet of clusters. It gives you a centralized view of policy violations and lets you take action where necessary.

[Figure: The Anthos Policy Controller dashboard]

The dashboard can also show you which of your resources are affected by a specific policy, and can make opinionated suggestions on how to fix the problem.

[Figure: Identifying resources affected by vulnerabilities]

Introducing Policy Bundles

A policy bundle is an out-of-the-box set of constraints that is created and maintained by Google. The bundles help you audit your cluster resources against Kubernetes standards, industry standards, or Google-recommended best practices.

Policy bundles are available now and can be used as-is by new or existing users, i.e. without writing a single line of code. Users can view the status of policy bundle coverage for the fleet from the Policy Controller dashboard: for example, if you have 4 clusters in your fleet and you have applied the PCI DSS 3.2.1 bundle on all 4 clusters, the dashboard will show 100% coverage for your fleet. In addition to coverage, the dashboard also shows the overall state of compliance for each bundle across the entire fleet of clusters.
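To make the coverage and compliance rollup described above concrete, here is an added Python example (not Google's or Policy Controller's own code) that computes both from Gatekeeper-style Constraint objects, in the shape `kubectl get constraints -o json` returns them, for a constructed four-cluster fleet. The bundle annotation key, the constraint names and every sample value are assumptions made for the example.

```python
"""Fleet-wide policy bundle coverage and compliance rollup (added example).

Models the two numbers the dashboard reports per bundle: the percentage of
clusters on which the whole bundle is installed, and the violation totals
split by enforcement mode (dryrun vs. enforced). Uses the Gatekeeper fields
`spec.enforcementAction` and `status.totalViolations`; the annotation key and
the fleet data below are constructed assumptions, not values from the post.
"""
from collections import defaultdict

BUNDLE_ANNOTATION = "policycontroller.gke.io/bundleName"  # assumed key


def constraint(name, bundle, action="deny", violations=0):
    """Build a minimal Constraint object as Gatekeeper's audit would populate it."""
    return {"metadata": {"name": name, "annotations": {BUNDLE_ANNOTATION: bundle}},
            "spec": {"enforcementAction": action},
            "status": {"totalViolations": violations}}


PCI = "pci-dss-v3.2.1"  # assumed bundle identifier
# Constructed sample fleet: cluster name -> constraints present on that cluster.
FLEET = {
    "prod-us": [constraint("pci-no-privileged", PCI), constraint("pci-read-only-fs", PCI, "dryrun", 2)],
    "prod-eu": [constraint("pci-no-privileged", PCI), constraint("pci-read-only-fs", PCI, "dryrun")],
    "staging": [constraint("pci-no-privileged", PCI, "dryrun", 1), constraint("pci-read-only-fs", PCI, "dryrun", 3)],
    "dev": [constraint("pci-no-privileged", PCI, "dryrun")],  # bundle only partially installed
}


def bundle_constraints(cluster, bundle):
    return [c for c in cluster if c["metadata"].get("annotations", {}).get(BUNDLE_ANNOTATION) == bundle]


def coverage(fleet, bundle):
    """Percent of clusters on which every constraint of the bundle (as seen anywhere in the fleet) is installed."""
    expected = {c["metadata"]["name"] for cl in fleet.values() for c in bundle_constraints(cl, bundle)}
    if not expected:
        return 0.0
    covered = sum(1 for cl in fleet.values()
                  if {c["metadata"]["name"] for c in bundle_constraints(cl, bundle)} >= expected)
    return 100.0 * covered / len(fleet)


def compliance(fleet, bundle):
    """Per-cluster violation totals for the bundle, keyed by enforcement mode.
    A Constraint with no enforcementAction is treated as deny, matching Gatekeeper's default."""
    report = {}
    for name, cl in fleet.items():
        counts = defaultdict(int)
        for c in bundle_constraints(cl, bundle):
            counts[c["spec"].get("enforcementAction", "deny")] += c["status"].get("totalViolations", 0)
        report[name] = dict(counts)
    return report


def fleet_compliant(fleet, bundle):
    """Fully compliant only when the bundle is everywhere and nothing violates it, dryrun findings included."""
    return coverage(fleet, bundle) == 100.0 and all(sum(v.values()) == 0 for v in compliance(fleet, bundle).values())
```

With the sample fleet, coverage is 75% because `dev` lacks one of the two bundle constraints, and the dryrun findings on `prod-us` and `staging` keep the fleet non-compliant even though nothing is being blocked yet.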

The following policy bundles are available now with Anthos:

Get started today

The easiest way to get started with Anthos Policy Controller is to install Policy Controller and try applying a policy bundle to audit your fleet of clusters against a standard such as the CIS benchmark.

You can also try Policy Controller to audit your cluster against the Policy Essentials bundle.
