Introducing Custom Organization Policy for GKE to harden security
Daniel L’Hommedieu
Product Manager
Compliance officers and platform engineering teams often find it challenging to ensure security, manage consistency, and oversee governance across multiple products, environments, and teams. Google Cloud's Organization Policy Service can help tackle this challenge with a policy-based approach that simplifies policy administration across Google Cloud resources and projects.
We’re excited to announce the Preview release of Custom Organization Policy, and to showcase the integration with Google Kubernetes Engine (GKE). Custom organization policy for GKE can improve security and efficiency using guardrails you define tailored to your organization's needs, and it’s offered to Google Cloud customers at no additional cost.
A policy is a statement of intent, such as “all clusters must be configured for auto-upgrade,” that gets implemented by the system. In our Organization Policy Service, a policy constraint is used to define the intent (auto-upgrade is enabled), and a policy is used to apply the constraint to a specific resource like a project or folder. Custom organization policy can extend the capability of our Organization Policy Service by helping you author your own custom constraints.
Let’s break down five ways Custom Organization Policy can help engineering organizations improve security and efficiency.
1. Consolidate and customize policy administration
Establishing and maintaining consistent configuration and security standards across multiple services, products, and teams can be challenging. Cloud solutions are the sum of many parts and securing them often requires deep collaboration across multiple teams and stakeholders.
Our Organization Policy Service helps consolidate and simplify policy administration, providing a single framework to efficiently manage policy enforcement across your organizational hierarchy. Organization Policy supports integration with GKE and other Google Cloud services using built-in policy constraints.
With the Preview of Custom Organization Policy for GKE, we’re excited to provide you the flexibility to define and enforce policies customized to your business and team needs. Built-in and custom policy constraints are designed to be used together. Custom organization policies behave just like built-in organization policies and can be integrated into CI/CD workflows to deliver policy changes as code.
2. Grow beyond out-of-the-box security defaults
GKE can provide security “out of the box” by implementing security best practices as default values. For example, GKE uses shielded nodes, enables Cloud Logging, and disables the Kubernetes web dashboard by default. While our defaults are a solid baseline, compliance officers might have specific requirements when they attest security during audits. Your platform teams might also want to put guardrails in place to ensure these defaults and your organization's own best practices are followed. Custom organization policy for GKE helps with both of these requirements.
At Google Cloud, we recommend managing security governance and compliance through policy. Policy establishes clear definitions and contracts across the multiple systems, processes, and teams involved. With a policy-based approach, you have additional opportunities to automate and integrate with other tools and processes to help reduce overhead and friction when tackling continuous compliance and security posture management.
The addition of Custom Organization Policy for GKE provides you with additional flexibility to define your security goals and engineering standards as policy, and to implement guardrails and enforcement at scale.
3. Powerful policy without add-ons
Custom Organization Policy for GKE comes ready-to-use for customers at no additional cost, and doesn't require installation of additional cluster components. You simply define your custom policy constraints in a YAML file and then apply them to your Google Cloud resources using Cloud Shell or API.
Because Organization Policy Service is built into GKE, it can reduce the burden on platform and security teams of managing the lifecycle of another add-on, and allow administrators to easily author new policy constraints.
You can also use Custom Organization Policy alongside popular third-party policy solutions such as Gatekeeper OPA or Kyverno. Custom Organization Policy enforces constraints on the GKE API (your clusters and node pools), while the other solutions can cover resources inside your Kubernetes clusters, such as your Deployments.
4. Cover niche exemptions to your rules
Wouldn’t it be nice if cloud security and governance was “all or nothing”? But like the saying goes, “every rule has an exception”. Security and platform teams often face the challenge of defining and implementing org-wide best practices while also supporting an exemption process for scenarios where those standards cannot be met.
Organization Policy provides tools for administrators to manage policy across different projects and resources using policy inheritance and the Organization Policy resource hierarchy. Admins can use the same framework to manage exemptions; it’s as easy as modifying a policy to include a new condition that exempts a specific resource. For example, to make an exemption for a specific GKE cluster, a new condition that identifies that cluster by tag can be added to the organization policy.
5. Drive efficiency through consistency
Engineering organizations are increasingly looking to policy solutions to codify engineering standards, implement guardrails for developers, and integrate continuous compliance and security upstream in the development process using automation.
Custom Organization Policy for GKE provides your organization a simple way to help define and enforce engineering standards for GKE clusters and node pools. The structured, policy-focused approach means that each constraint and policy can be consistent in syntax and readability. This feature can drastically reduce developer onboarding and learning times, and can minimize the need to maintain documentation that defines engineering guidelines and how to audit and enforce them.
Engineering standards and guardrails are integral to establishing security culture, driving development efficiency, and reducing friction in cross-team collaboration. Policy provides a clear and consistent representation of these standards, and the ability to audit and enforce them.
Get started today
The preview of Custom Organization Policy for GKE is a simple way to introduce flexible and powerful policy into your organization's toolkit, and is built-in and ready to use at no additional cost. Whether it’s improving security, ensuring compliance, or implementing engineering standards, Custom Organization Policy can help.
Looking for a few examples to get started? Check out the examples on the Custom Organization Policy for GKE documentation. Want to know more about building security guardrails for developers on Google Cloud? Give this blog post a read.