Harden your Kubernetes clusters and monitor workload compliance at scale with new PCI DSS policy bundle
Poonam Lamba
Product Manager, Google
Andrew Peabody
Technical Solutions Consultant, Google Cloud
Try Google Cloud
Start building on Google Cloud with $300 in free credits and 20+ always free products.
Free trialPCI DSS is a set of network security and business best practices guidelines adopted by the PCI Security Standards Council to establish a “minimum security standard” to protect customers’ payment card information. Google Cloud undergoes a third-party audit to certify individual products against the PCI DSS at least annually, and customers can build off of these attestations to measure their applications’ compliance. This blog can help you evaluate your new and existing applications for PCI DSS compliance.
Policy Controller enables the enforcement of fully programmable policies for your clusters. A Policy bundle is an out-of-the-box set of constraints that are created and maintained by Google Cloud. Policy bundles help audit your cluster resources against Kubernetes standards, industry standards, or Google Cloud-recommended best practices. Many policy bundles are available now, and they can be easily used by a new or existing user as-is without writing a single line of code. You can also view the status of Policy bundle coverage and compliance for your fleet of clusters using Policy Controller dashboard.
The PCI DSS v3.2.1 Policy bundle
Security administrators from your organization can view the alignment for your applications with the PCI DSS requirements by viewing the violations for the PCI DSS Policy bundle. Each constraint in the PCI DSS bundle also has the PCI DSS control number listed which can be mapped back to PCI requirements, these mappings may be used during the compliance reporting, as needed. More information on how to view the list of violations is covered in the next section in this blog.
The PCI DSS v3.2.1 Policy bundle includes policies focusing on the following areas:
Secure networks and systems
Ensures requirements for a firewall by requiring all apps to contain a specified audit label.
Ensures requirements for network-controls by requiring all apps to contain a specified annotation.
Requires that every namespace defined in the cluster has a NetworkPolicy.
Requires a valid app.kubernetes.io/managed-by= label on RoleBinding resources.
Restricts the creation of resources using a default service account.
Restricts pods from using the default namespace.
Secure systems and applications
Enforce all PeerAuthentications cannot overwrite strict mTLS.
Requires the presence of an anti-virus daemonset.
Enforce the presence and enablement of Anthos Config Management.
Enforce Cloud Armor configuration on BackendConfig resources.
Strong access control and monitoring
Restricts the use of basic-auth type secrets.
Ensures consistent and correct time on Nodes by ensuring the usage of Container-Optimized OS as the OS image.
Using the PCI DSS v3.2.1 Policy bundle
The PCI DSS v.3.2.1 Policy bundle can be installed on Anthos Cluster(s) with Policy Controller v1.14.0 or higher. The policies included are configured in "audit" mode by default, so they do not impact any of your existing or new workloads. You can apply Policy bundles using kubectl (demonstrated just below), kpt, or Config Sync.
1. Install and initialize the Google Cloud CLI, which provides the gcloud and kubectl commands used in these instructions. If you use Cloud Shell, Google Cloud CLI comes pre-installed.
2. Install Policy Controller on your Anthos cluster with the referential constraints and the Policy Controller Constraint Template Library enabled.
3. Save the following YAML manifest to a file as policycontroller-config.yaml. The manifest configures Policy Controller to watch specific kinds of objects.
Note: If you already have an existing Config in the gatekeeper-system namespace, you must include all previous customization settings to preserve your changes.
4. Apply the policycontroller-config.yaml manifest:
4. Preview the policy constraints with kubectl
5. Apply the policy constraints with kubectl:
The output will be similar to the following:
6. Verify that policy constraints have been installed and check if violations exist across the cluster:
The output is similar to the following:
In order to remediate the violations, we recommend that you update your resource(s) yaml — some guidelines are included here. Each violation will also include steps to fix the violation, which can be viewed both from CLI and the Policy Controller dashboard.
Viewing the PCI DSS Policy bundle violations on Policy Dashboard
Violations on the cluster can also be viewed in the UI using the Policy Controller Dashboard.
Monitoring the cluster(s) for PCI DSS Policy Bundle violations
The PCI DSS policy bundle by default has its enforcement action set to dryrun, which is the configuration for Policy Controller to show you violations without blocking or aborting any resources. This gives you the ability to audit your clusters, share any violations with workload owners and collaborate on fixing critical security issues.
All policy violations are automatically recorded in Cloud Logging and can be found by applying these filters in the Logs Explorer:
You can also set up log based alerts using Cloud Monitoring for whenever policy violations occur to get notified.
Policy Controller includes the metrics related to policy usage such as number of constraints, constraint templates, audit violations detected just to name a few (see list of metrics exposed). These metrics can be exported to cloud monitoring and/or prometheus at install time (blog, docs). You can also set up alerts based on metrics.
Conclusion
Policy Controller enables the enforcement of both Google created and maintained Policy bundles and custom policies for your cluster which prevent changes to the Kubernetes API from violating security, operational, or compliance controls. Optionally, Policy Controller can also be used to analyze configuration for compliance before deployment to your Kubernetes cluster.
Get started today
The easiest way to get started with Anthos Policy Controller is to install Policy Controller and try out some of the other Google created and maintained Policy bundles: