Policy Controller comes with a default library of constraint templates that can be used with the Pod Security Policy bundle to achieve many of the same protections as Kubernetes Pod Security Policy (PSP), with the added ability to test your policies before enforcing them and exclude coverage of specific resources.
This page contains instructions for manually applying a policy bundle. Alternatively, you can apply policy bundles directly.
This page is for IT administrators and Operators who want to ensure that all resources running within the cloud platform meet organizational compliance requirements by providing and maintaining automation to audit or enforce. To learn more about common roles and example tasks that we reference in Google Cloud content, see Common GKE Enterprise user roles and tasks.
The bundle includes these constraints which provide parameters which map to the following Kubernetes Pod Security Policy (PSP) Field Names (Control IDs):
Constraint Name | Constraint Description | Control ID |
---|---|---|
psp-v2022-psp-allow-privilege-escalation | Restricting escalation to root privileges | allowPrivilegeEscalation |
psp-v2022-psp-apparmor | The AppArmor profile used by containers | annotations |
psp-v2022-psp-capabilities | Linux capabilities | allowedCapabilities, requiredDropCapabilities |
psp-v2022-flexvolume-drivers | Allow specific FlexVolume drivers | allowedFlexVolumes |
psp-v2022-psp-forbidden-sysctls | The sysctl profile used by containers | forbiddenSysctls |
psp-v2022-psp-fsgroup | Allocating an FSGroup that owns the pod's volumes | fsGroup |
psp-v2022-psp-host-filesystem | Usage of the host filesystem | allowedHostPaths |
psp-v2022-psp-host-namespace | Usage of host namespaces | hostPID, hostIPC |
psp-v2022-psp-host-network-ports | Usage of host networking and ports | hostNetwork, hostPorts |
psp-v2022-psp-privileged-container | Running of privileged containers | privileged |
psp-v2022-psp-proc-mount | The Allowed Proc Mount types for the container | allowedProcMountTypes |
psp-v2022-psp-readonlyrootfilesystem | Requiring the use of a read-only root file system | readOnlyRootFilesystem |
psp-v2022-psp-seccomp | The seccomp profile used by containers | annotations |
psp-v2022-psp-selinux-v2 | The SELinux context of the container | seLinux |
psp-v2022-psp-pods-allowed-user-ranges | The user and group IDs of the container | runAsUser, runAsGroup, supplementalGroups, fsGroup |
psp-v2022-psp-volume-types | Usage of volume types | volumes |
Before you begin
- Install and initialize the
Google Cloud CLI,
which provides the
gcloud
andkubectl
commands used in these instructions. If you use Cloud Shell, Google Cloud CLI comes pre-installed. - Install Policy Controller on your cluster with the default library of constraint templates.
Audit Pod Security Policy policy bundle
Policy Controller lets you enforce policies for your Kubernetes cluster. To help test your workloads and their compliance with regard to the Google recommended best practices outlined in the preceding table, you can deploy these constraints in "audit" mode to reveal violations and more importantly give yourself a chance to fix them before enforcing on your Kubernetes cluster.
You can apply these policies with spec.enforcementAction
set to dryrun
using kubectl,
kpt,
or
Config Sync.
kubectl
(Optional) Preview the policy constraints with kubectl:
kubectl kustomize https://github.com/GoogleCloudPlatform/gke-policy-library.git/bundles/psp-v2022
Apply the policy constraints with kubectl:
kubectl apply -k https://github.com/GoogleCloudPlatform/gke-policy-library.git/bundles/psp-v2022
The output is the following:
k8spspallowprivilegeescalationcontainer.constraints.gatekeeper.sh/psp-v2022-psp-allow-privilege-escalation created k8spspallowedusers.constraints.gatekeeper.sh/psp-v2022-psp-pods-allowed-user-ranges created k8spspapparmor.constraints.gatekeeper.sh/psp-v2022-psp-apparmor created k8spspcapabilities.constraints.gatekeeper.sh/psp-v2022-psp-capabilities created k8spspfsgroup.constraints.gatekeeper.sh/psp-v2022-psp-fsgroup created k8spspflexvolumes.constraints.gatekeeper.sh/psp-v2022-psp-flexvolume-drivers created k8spspforbiddensysctls.constraints.gatekeeper.sh/psp-v2022-psp-forbidden-sysctls created k8spsphostfilesystem.constraints.gatekeeper.sh/psp-v2022-psp-host-filesystem created k8spsphostnamespace.constraints.gatekeeper.sh/psp-v2022-psp-host-namespace created k8spsphostnetworkingports.constraints.gatekeeper.sh/psp-v2022-psp-host-network-ports created k8spspprivilegedcontainer.constraints.gatekeeper.sh/psp-v2022-psp-privileged-container created k8spspprocmount.constraints.gatekeeper.sh/psp-v2022-psp-proc-mount created k8spspreadonlyrootfilesystem.constraints.gatekeeper.sh/psp-v2022-psp-readonlyrootfilesystem created k8spspselinuxv2.constraints.gatekeeper.sh/psp-v2022-psp-selinux-v2 created k8spspseccomp.constraints.gatekeeper.sh/psp-v2022-psp-seccomp created k8spspvolumetypes.constraints.gatekeeper.sh/psp-v2022-psp-volume-types created
Verify that policy constraints have been installed and check if violations exist across the cluster:
kubectl get -k https://github.com/GoogleCloudPlatform/gke-policy-library.git/bundles/psp-v2022
The output is similar to the following:
NAME ENFORCEMENT-ACTION TOTAL-VIOLATIONS k8spspallowprivilegeescalationcontainer.constraints.gatekeeper.sh/psp-v2022-psp-allow-privilege-escalation dryrun 0 NAME ENFORCEMENT-ACTION TOTAL-VIOLATIONS k8spspallowedusers.constraints.gatekeeper.sh/psp-v2022-psp-pods-allowed-user-ranges dryrun 0 NAME ENFORCEMENT-ACTION TOTAL-VIOLATIONS k8spspapparmor.constraints.gatekeeper.sh/psp-v2022-psp-apparmor 0 NAME ENFORCEMENT-ACTION TOTAL-VIOLATIONS k8spspcapabilities.constraints.gatekeeper.sh/psp-v2022-psp-capabilities dryrun 0 NAME ENFORCEMENT-ACTION TOTAL-VIOLATIONS k8spspfsgroup.constraints.gatekeeper.sh/psp-v2022-psp-fsgroup 0 NAME ENFORCEMENT-ACTION TOTAL-VIOLATIONS k8spspflexvolumes.constraints.gatekeeper.sh/psp-v2022-psp-flexvolume-drivers 0 NAME ENFORCEMENT-ACTION TOTAL-VIOLATIONS k8spspforbiddensysctls.constraints.gatekeeper.sh/psp-v2022-psp-forbidden-sysctls 0 NAME ENFORCEMENT-ACTION TOTAL-VIOLATIONS k8spsphostfilesystem.constraints.gatekeeper.sh/psp-v2022-psp-host-filesystem 0 NAME ENFORCEMENT-ACTION TOTAL-VIOLATIONS k8spsphostnamespace.constraints.gatekeeper.sh/psp-v2022-psp-host-namespace dryrun 0 NAME ENFORCEMENT-ACTION TOTAL-VIOLATIONS k8spsphostnetworkingports.constraints.gatekeeper.sh/psp-v2022-psp-host-network-ports dryrun 0 NAME ENFORCEMENT-ACTION TOTAL-VIOLATIONS k8spspprivilegedcontainer.constraints.gatekeeper.sh/psp-v2022-psp-privileged-container dryrun 0 NAME ENFORCEMENT-ACTION TOTAL-VIOLATIONS k8spspprocmount.constraints.gatekeeper.sh/psp-v2022-psp-proc-mount 0 NAME ENFORCEMENT-ACTION TOTAL-VIOLATIONS k8spspreadonlyrootfilesystem.constraints.gatekeeper.sh/psp-v2022-psp-readonlyrootfilesystem 0 NAME ENFORCEMENT-ACTION TOTAL-VIOLATIONS k8spspselinuxv2.constraints.gatekeeper.sh/psp-v2022-psp-selinux-v2 0 NAME ENFORCEMENT-ACTION TOTAL-VIOLATIONS k8spspseccomp.constraints.gatekeeper.sh/psp-v2022-psp-seccomp dryrun 0 NAME ENFORCEMENT-ACTION TOTAL-VIOLATIONS k8spspvolumetypes.constraints.gatekeeper.sh/psp-v2022-psp-volume-types 0
(Optional) Adjust the PSP Field Name
parameters
in the constraint files as required for your cluster environment. For more details check the link for the specific PSP Field Name in the table above. For example inpsp-host-network-ports
:parameters: hostNetwork: true min: 80 max: 9000
kpt
Install and setup kpt. kpt is used in these instructions to customize and deploy Kubernetes resources.
Download the Pod Security Policy (PSP) v2022 policy bundle from GitHub using kpt:
kpt pkg get https://github.com/GoogleCloudPlatform/gke-policy-library.git/bundles/psp-v2022
Run the
set-enforcement-action
kpt function to set the policies' enforcement action todryrun
:kpt fn eval psp-v2022 -i gcr.io/kpt-fn/set-enforcement-action:v0.1 \ -- enforcementAction=dryrun
Initialize the working directory with kpt, which creates a resource to track changes:
cd psp-v2022 kpt live init
(Optional) Adjust the PSP Field Name
parameters
in the constraint files as required for your cluster environment. For more details check the link for the specific PSP Field Name in the table above. For example inpsp-host-network-ports
:parameters: hostNetwork: true min: 80 max: 9000
Apply the policy constraints with kpt:
kpt live apply
Verify that policy constraints have been installed and check if violations exist across the cluster:
kpt live status --output table --poll-until current
A status of
CURRENT
confirms successful installation of the constraints.
Config Sync
- Install and setup kpt. kpt is used in these instructions to customize and deploy Kubernetes resources.
Operators using Config Sync to deploy policies to their clusters can use the following instructions:
Change into the sync directory for Config Sync:
cd SYNC_ROOT_DIR
To create or append
.gitignore
withresourcegroup.yaml
:echo resourcegroup.yaml >> .gitignore
Create a dedicated
policies
directory:mkdir -p policies
Download the Pod Security Policy (PSP) v2022 policy bundle from GitHub using kpt:
kpt pkg get https://github.com/GoogleCloudPlatform/gke-policy-library.git/bundles/psp-v2022 policies/psp-v2022
Run the
set-enforcement-action
kpt function to set the policies' enforcement action todryrun
:kpt fn eval policies/psp-v2022 -i gcr.io/kpt-fn/set-enforcement-action:v0.1 -- enforcementAction=dryrun
(Optional) Adjust the PSP Field Name
parameters
in the constraint files as required for your cluster environment. For more details check the link for the specific PSP Field Name in the table above. For example inpsp-host-network-ports
:parameters: hostNetwork: true min: 80 max: 9000
(Optional) Preview the policy constraints to be created:
kpt live init policies/psp-v2022 kpt live apply --dry-run policies/psp-v2022
The output is the following:
Dry-run strategy: client inventory update started inventory update finished apply phase started k8spspallowprivilegeescalationcontainer.constraints.gatekeeper.sh/psp-v2022-psp-allow-privilege-escalation apply skipped: inventory policy prevented actuation (strategy: Apply, status: Empty, policy: MustMatch) k8spspallowedusers.constraints.gatekeeper.sh/psp-v2022-psp-pods-allowed-user-ranges apply skipped: inventory policy prevented actuation (strategy: Apply, status: Empty, policy: MustMatch) k8spspapparmor.constraints.gatekeeper.sh/psp-v2022-psp-apparmor apply skipped: inventory policy prevented actuation (strategy: Apply, status: Empty, policy: MustMatch) k8spspcapabilities.constraints.gatekeeper.sh/psp-v2022-psp-capabilities apply skipped: inventory policy prevented actuation (strategy: Apply, status: Empty, policy: MustMatch) k8spspfsgroup.constraints.gatekeeper.sh/psp-v2022-psp-fsgroup apply skipped: inventory policy prevented actuation (strategy: Apply, status: Empty, policy: MustMatch) k8spspflexvolumes.constraints.gatekeeper.sh/psp-v2022-psp-flexvolume-drivers apply skipped: inventory policy prevented actuation (strategy: Apply, status: Empty, policy: MustMatch) k8spspforbiddensysctls.constraints.gatekeeper.sh/psp-v2022-psp-forbidden-sysctls apply skipped: inventory policy prevented actuation (strategy: Apply, status: Empty, policy: MustMatch) k8spsphostfilesystem.constraints.gatekeeper.sh/psp-v2022-psp-host-filesystem apply skipped: inventory policy prevented actuation (strategy: Apply, status: Empty, policy: MustMatch) k8spsphostnamespace.constraints.gatekeeper.sh/psp-v2022-psp-host-namespace apply skipped: inventory policy prevented actuation (strategy: Apply, status: Empty, policy: MustMatch) k8spsphostnetworkingports.constraints.gatekeeper.sh/psp-v2022-psp-host-network-ports apply skipped: inventory policy prevented actuation (strategy: Apply, status: Empty, policy: MustMatch) k8spspprivilegedcontainer.constraints.gatekeeper.sh/psp-v2022-psp-privileged-container apply skipped: inventory policy prevented actuation (strategy: Apply, status: Empty, policy: MustMatch) k8spspprocmount.constraints.gatekeeper.sh/psp-v2022-psp-proc-mount apply skipped: inventory policy prevented actuation (strategy: Apply, status: Empty, policy: MustMatch) k8spspreadonlyrootfilesystem.constraints.gatekeeper.sh/psp-v2022-psp-readonlyrootfilesystem apply skipped: inventory policy prevented actuation (strategy: Apply, status: Empty, policy: MustMatch) k8spspselinuxv2.constraints.gatekeeper.sh/psp-v2022-psp-selinux-v2 apply skipped: inventory policy prevented actuation (strategy: Apply, status: Empty, policy: MustMatch) k8spspseccomp.constraints.gatekeeper.sh/psp-v2022-psp-seccomp apply skipped: inventory policy prevented actuation (strategy: Apply, status: Empty, policy: MustMatch) k8spspvolumetypes.constraints.gatekeeper.sh/psp-v2022-psp-volume-types apply skipped: inventory policy prevented actuation (strategy: Apply, status: Empty, policy: MustMatch) apply phase finished inventory update started inventory update finished apply result: 16 attempted, 0 successful, 16 skipped, 0 failed
If your sync directory for Config Sync uses Kustomize, add
policies/psp-v2022
to your rootkustomization.yaml
. Otherwise remove thepolicies/psp-v2022/kustomization.yaml
file:rm SYNC_ROOT_DIR/policies/psp-v2022/kustomization.yaml
Push changes to the Config Sync repo:
git add SYNC_ROOT_DIR/policies/psp-v2022 git commit -m 'Adding Pod Security Policy audit enforcement' git push
Verify the status of the installation:
watch gcloud beta container fleet config-management status --project PROJECT_ID
A status of
SYNCED
confirms the installation of the policies.
View policy violations
Once the policy constraints are installed in audit mode, violations on the cluster can be viewed in the UI using the Policy Controller Dashboard.
You can also use kubectl
to view violations on the cluster using the following command:
kubectl get constraint -l policycontroller.gke.io/bundleName=psp-v2022 -o json | jq -cC '.items[]| [.metadata.name,.status.totalViolations]'
If violations are present, a listing of the violation messages per constraint can be viewed with:
kubectl get constraint -l policycontroller.gke.io/bundleName=psp-v2022 -o json | jq -C '.items[]| select(.status.totalViolations>0)| [.metadata.name,.status.violations[]?]'
Change Pod Security Policy policy bundle enforcement action
Once you've reviewed policy violations on your cluster, you can consider
changing the enforcement mode so the Admission Controller will either warn
on
or even deny
block non-compliant resource from getting applied to the cluster.
kubectl
Use kubectl to set the policies' enforcement action to
warn
:kubectl get constraint -l policycontroller.gke.io/bundleName=psp-v2022 -o name | xargs -I {} kubectl patch {} --type='json' -p='[{"op":"replace","path":"/spec/enforcementAction","value":"warn"}]'
Verify that policy constraints enforcement action have been updated:
kubectl get constraint -l policycontroller.gke.io/bundleName=psp-v2022
kpt
Run the
set-enforcement-action
kpt function to set the policies' enforcement action towarn
:kpt fn eval -i gcr.io/kpt-fn/set-enforcement-action:v0.1 -- enforcementAction=warn
Apply the policy constraints:
kpt live apply
Config Sync
Operators using Config Sync to deploy policies to their clusters can use the following instructions:
Change into the sync directory for Config Sync:
cd SYNC_ROOT_DIR
Run the
set-enforcement-action
kpt function to set the policies' enforcement action towarn
:kpt fn eval policies/psp-v2022 -i gcr.io/kpt-fn/set-enforcement-action:v0.1 -- enforcementAction=warn
Push changes to the Config Sync repo:
git add SYNC_ROOT_DIR/policies/psp-v2022 git commit -m 'Adding Pod Security Policy policy bundle warn enforcement' git push
Verify the status of the installation:
gcloud alpha anthos config sync repo list --project PROJECT_ID
Your repo showing up in the
SYNCED
column confirms the installation of the policies.
Test policy enforcement
Create a non-compliant resource on the cluster using the following command:
cat <<EOF | kubectl apply -f -
apiVersion: v1
kind: Pod
metadata:
namespace: default
name: wp-non-compliant
labels:
app: wordpress
spec:
containers:
- image: wordpress
name: wordpress
ports:
- containerPort: 80
name: wordpress
EOF
The admission controller should produce a warning listing out the policy violations that this resource violates, as shown in the following example:
Warning: [psp-v2022-psp-pods-allowed-user-ranges] Container wordpress is attempting to run without a required securityContext/fsGroup. Allowed fsGroup: {"ranges": [{"max": 200, "min": 100}], "rule": "MustRunAs"} Warning: [psp-v2022-psp-pods-allowed-user-ranges] Container wordpress is attempting to run without a required securityContext/runAsGroup. Allowed runAsGroup: {"ranges": [{"max": 200, "min": 100}], "rule": "MustRunAs"} Warning: [psp-v2022-psp-pods-allowed-user-ranges] Container wordpress is attempting to run without a required securityContext/runAsUser Warning: [psp-v2022-psp-pods-allowed-user-ranges] Container wordpress is attempting to run without a required securityContext/supplementalGroups. Allowed supplementalGroups: {"ranges": [{"max": 200, "min": 100}], "rule": "MustRunAs"} Warning: [psp-v2022-psp-allow-privilege-escalation] Privilege escalation container is not allowed: wordpress Warning: [psp-v2022-psp-seccomp] Seccomp profile 'not configured' is not allowed for container 'wordpress'. Found at: no explicit profile found. Allowed profiles: {"RuntimeDefault", "docker/default", "runtime/default"} Warning: [psp-v2022-psp-capabilities] container <wordpress> is not dropping all required capabilities. Container must drop all of ["must_drop"] or "ALL" Warning: [psp-v2022-psp-readonlyrootfilesystem] only read-only root filesystem container is allowed: wordpress pod/wp-non-compliant created
Remove Pod Security Policy policy bundle
If needed, the Pod Security Policy policy bundle can be removed from the cluster.
kubectl
Use kubectl to remove the policies:
kubectl delete constraint -l policycontroller.gke.io/bundleName=psp-v2022
kpt
Remove the policies:
kpt live destroy
Config Sync
Operators using Config Sync to deploy policies to their clusters can use the following instructions:
Push changes to the Config Sync repo:
git rm -r SYNC_ROOT_DIR/policies/psp-v2022 git commit -m 'Removing PSP policies' git push
Verify the status:
gcloud alpha anthos config sync repo list --project PROJECT_ID
Your repo showing up in the
SYNCED
column confirms the removal of the policies.