Use NIST SP 800-190 policy constraints

Policy Controller comes with a default library of constraint templates that can be used with the NIST SP 800-190 bundle which implements controls listed in National Institute of Standards and Technology (NIST) Special Publication (SP) 800-190, Application Container Security Guide. The bundle is intended to help organizations with application container security including image security, container runtime security, network security and host system security to name a few.

This page is for IT administrators and Operators who want to ensure that all resources running within the cloud platform meet organizational compliance requirements by providing and maintaining automation to audit or enforce. To learn more about common roles and example tasks that we reference in Google Cloud content, see Common GKE Enterprise user roles and tasks.

This page contains instructions for manually applying a policy bundle. Alternatively, you can apply policy bundles directly.

NIST SP 800-190 policy bundle constraints

Constraint Name Constraint Description Control ID
nist-sp-800-190-restrict-rbac-subjects Restricts the use of names in RBAC subjects to permitted values. AC-2 Account Management
nist-sp-800-190-restrict-rbac-subjects Restricts the use of names in RBAC subjects to permitted values. AC-3 Access Enforcement
nist-sp-800-190-block-secrets-of-type-basic-auth Restricts the use of basic-auth type secrets. AC-4 Information Flow Enforcement
nist-sp-800-190-require-binauthz Requires the Binary Authorization Validating Admission Webhook.
nist-sp-800-190-require-namespace-network-policies Requires that every namespace defined in the cluster has a NetworkPolicy.
nist-sp-800-190-restrict-hostpath-volumes Restricts the use of HostPath volumes.
nist-sp-800-190-require-binauthz Requires the Binary Authorization Validating Admission Webhook. AC-6 Least Privilege
nist-sp-800-190-restrict-clusteradmin-rolebindings Restricts the use of the `cluster-admin` role.
nist-sp-800-190-restrict-repos Restricts container images to an allowed `repos` list.
nist-sp-800-190-restrict-role-wildcards Restricts the use of wildcards in `Roles` and `ClusterRoles`.
nist-sp-800-190-nodes-have-consistent-time Ensures consistent and correct time on Nodes by allowing only Container-Optimized OS(COS) or Ubuntu as the OS image. AU-8 Time Stamps
nist-sp-800-190-require-namespace-network-policies Requires that every namespace defined in the cluster has a NetworkPolicy. CA-9 Internal System Connections
nist-sp-800-190-enforce-config-management Requires Config Sync is running and Drift Prevention enabled with at least one `RootSync` object on the cluster. CM-2 Baseline Configuration
nist-sp-800-190-require-managed-by-label Requires all apps have a valid `app.kubernetes.io/managed-by` label.
nist-sp-800-190-apparmor Restricts AppArmor profiles allowed for Pods. CM-3 Configuration Change Control
nist-sp-800-190-block-secrets-of-type-basic-auth Restricts the use of basic-auth type secrets.
nist-sp-800-190-capabilities Restricts additional Capabilities allowed for Pods.
nist-sp-800-190-enforce-config-management Requires Config Sync is running and Drift Prevention enabled with at least one `RootSync` object on the cluster.
nist-sp-800-190-host-namespaces Restricts containers with `hostPID` or `hostIPC` set to `true`.
nist-sp-800-190-host-network Restricts containers from running with the `hostNetwork` flag set to `true`.
nist-sp-800-190-privileged-containers Restricts containers with `securityContext.privileged` set to `true`.
nist-sp-800-190-proc-mount-type Requires the default `/proc` masks for Pods
nist-sp-800-190-require-managed-by-label Requires all apps have a valid `app.kubernetes.io/managed-by` label.
nist-sp-800-190-restrict-hostpath-volumes Restricts the use of HostPath volumes.
nist-sp-800-190-restrict-volume-types Restricts the mountable volumes types to the allowed list.
nist-sp-800-190-seccomp Seccomp profile must not be explicitly set to `Unconfined`.
nist-sp-800-190-selinux Restricts the SELinux configuration for Pods.
nist-sp-800-190-sysctls Restricts the allowed Sysctls for Pods.
nist-sp-800-190-enforce-config-management Requires Config Sync is running and Drift Prevention enabled with at least one `RootSync` object on the cluster. CM-4 Security Impact Analysis
nist-sp-800-190-require-managed-by-label Requires all apps have a valid `app.kubernetes.io/managed-by` label.
nist-sp-800-190-restrict-clusteradmin-rolebindings Restricts the use of the `cluster-admin` role.
nist-sp-800-190-enforce-config-management Requires Config Sync is running and Drift Prevention enabled with at least one `RootSync` object on the cluster. CM-5 Access Restrictions for Change
nist-sp-800-190-require-managed-by-label Requires all apps have a valid `app.kubernetes.io/managed-by` label.
nist-sp-800-190-restrict-clusteradmin-rolebindings Restricts the use of the `cluster-admin` role.
nist-sp-800-190-block-secrets-of-type-basic-auth Restricts the use of basic-auth type secrets. CM-6 Configuration Settings
nist-sp-800-190-enforce-config-management Requires Config Sync is running and Drift Prevention enabled with at least one `RootSync` object on the cluster.
nist-sp-800-190-require-binauthz Requires the Binary Authorization Validating Admission Webhook.
nist-sp-800-190-require-managed-by-label Requires all apps have a valid `app.kubernetes.io/managed-by` label.
nist-sp-800-190-restrict-hostpath-volumes Restricts the use of HostPath volumes.
nist-sp-800-190-restrict-volume-types Restricts the mountable volumes types to the allowed list.
nist-sp-800-190-apparmor Restricts AppArmor profiles allowed for Pods. CM-7 Least Functionality
nist-sp-800-190-capabilities Restricts additional Capabilities allowed for Pods.
nist-sp-800-190-host-namespaces Restricts containers with `hostPID` or `hostIPC` set to `true`.
nist-sp-800-190-host-network Restricts containers from running with the `hostNetwork` flag set to `true`.
nist-sp-800-190-privileged-containers Restricts containers with `securityContext.privileged` set to `true`.
nist-sp-800-190-proc-mount-type Requires the default `/proc` masks for Pods
nist-sp-800-190-restrict-clusteradmin-rolebindings Restricts the use of the `cluster-admin` role.
nist-sp-800-190-restrict-hostpath-volumes Restricts the use of HostPath volumes.
nist-sp-800-190-restrict-volume-types Restricts the mountable volumes types to the allowed list.
nist-sp-800-190-seccomp Seccomp profile must not be explicitly set to `Unconfined`.
nist-sp-800-190-selinux Restricts the SELinux configuration for Pods.
nist-sp-800-190-sysctls Restricts the allowed Sysctls for Pods.
nist-sp-800-190-enforce-config-management Requires Config Sync is running and Drift Prevention enabled with at least one `RootSync` object on the cluster. CP-9 System Backup
nist-sp-800-190-require-managed-by-label Requires all apps have a valid `app.kubernetes.io/managed-by` label.
nist-sp-800-190-enforce-config-management Requires Config Sync is running and Drift Prevention enabled with at least one `RootSync` object on the cluster. CP-10 Information System Recovery and Reconstitution
nist-sp-800-190-require-managed-by-label Requires all apps have a valid `app.kubernetes.io/managed-by` label.
nist-sp-800-190-restrict-rbac-subjects Restricts the use of names in RBAC subjects to permitted values. IA-2 Identification and Authentication (Organizational Users)
nist-sp-800-190-block-creation-with-default-serviceaccount Restrict resource creation using a default service account. IA-4 Identifier Management
nist-sp-800-190-restrict-rbac-subjects Restricts the use of names in RBAC subjects to permitted values.
nist-sp-800-190-require-binauthz Requires the Binary Authorization Validating Admission Webhook. IA-5 Authenticator Management
nist-sp-800-190-restrict-rbac-subjects Restricts the use of names in RBAC subjects to permitted values.
nist-sp-800-190-restrict-rbac-subjects Restricts the use of names in RBAC subjects to permitted values. MA-4 Nonlocal Maintenance
nist-sp-800-190-enforce-config-management Requires Config Sync is running and Drift Prevention enabled with at least one `RootSync` object on the cluster. SA-10 Developer Configuration Management
nist-sp-800-190-require-managed-by-label Requires all apps have a valid `app.kubernetes.io/managed-by` label.
nist-sp-800-190-require-namespace-network-policies Requires that every namespace defined in the cluster has a NetworkPolicy. SC-4 Information in Shared Resources
nist-sp-800-190-cpu-and-memory-limits-required Requires Pods specify cpu and memory limits. SC-6 Resource Availability
nist-sp-800-190-asm-peer-authn-strict-mtls Ensures PeerAuthentications cannot overwrite strict mTLS. SC-8 Transmission Confidentiality and Integrity
nist-sp-800-190-block-secrets-of-type-basic-auth Restricts the use of basic-auth type secrets. SI-7 Software, Firmware, and Information Integrity
nist-sp-800-190-enforce-config-management Requires Config Sync is running and Drift Prevention enabled with at least one `RootSync` object on the cluster.
nist-sp-800-190-require-binauthz Requires the Binary Authorization Validating Admission Webhook.
nist-sp-800-190-require-managed-by-label Requires all apps have a valid `app.kubernetes.io/managed-by` label.
nist-sp-800-190-restrict-hostpath-volumes Restricts the use of HostPath volumes.

Before you begin

  1. Install and initialize the Google Cloud CLI , which provides the gcloud and kubectl commands used in these instructions. If you use Cloud Shell, Google Cloud CLI comes pre-installed.
  2. Install Policy Controller on your cluster with the default library of constraint templates. You must also enable support for referential constraints as this bundle contains referential constraints.

Configure Policy Controller for referential constraints

  1. Save the following YAML manifest to a file as policycontroller-config.yaml. The manifest configures Policy Controller to watch specific kinds of objects.

    apiVersion: config.gatekeeper.sh/v1alpha1
    kind: Config
    metadata:
      name: config
      namespace: "gatekeeper-system"
    spec:
      sync:
        syncOnly:
          - group: "networking.k8s.io"
            version: "v1"
            kind: "NetworkPolicy"
          - group: "configsync.gke.io"
            version: "v1beta1"
            kind: "RootSync"
          - group: "admissionregistration.k8s.io"
            version: "v1"
            kind: "ValidatingWebhookConfiguration"
    
  2. Apply the policycontroller-config.yaml manifest:

    kubectl apply -f policycontroller-config.yaml
    

Configure your cluster and workload

  1. Enablement and configuration of Config Sync including Drift Prevention admission webhook is required in nist-sp-800-190-enforce-config-management.
  2. Container images are limited to an allowed repos list, which can be customized if required in nist-sp-800-190-restrict-repos.
  3. Nodes must use Container-Optimized OS or Ubuntu for their image in nist-sp-800-190-nodes-have-consistent-time.
  4. Enablement and configuration of Binary Authorization is required in nist-sp-800-190-require-binauthz.

Audit NIST SP 800-190 policy bundle

Policy Controller lets you enforce policies for your Kubernetes cluster. To help test your workloads and their compliance with regard to the NIST policies outlined in the preceding table, you can deploy these constraints in "audit" mode to reveal violations and more importantly give yourself a chance to fix them before enforcing on your Kubernetes cluster.

You can apply these policies with spec.enforcementAction set to dryrun using kubectl, kpt , or Config Sync .

kubectl

  1. (Optional) Preview the policy constraints with kubectl:

    kubectl kustomize https://github.com/GoogleCloudPlatform/gke-policy-library.git/anthos-bundles/nist-sp-800-190
    
  2. Apply the policy constraints with kubectl:

    kubectl apply -k https://github.com/GoogleCloudPlatform/gke-policy-library.git/anthos-bundles/nist-sp-800-190
    

    The output is the following:

    asmpeerauthnstrictmtls.constraints.gatekeeper.sh/nist-sp-800-190-asm-peer-authn-strict-mtls created
    k8sallowedrepos.constraints.gatekeeper.sh/nist-sp-800-190-restrict-repos created
    k8sblockcreationwithdefaultserviceaccount.constraints.gatekeeper.sh/nist-sp-800-190-block-creation-with-default-serviceaccount created
    k8sblockobjectsoftype.constraints.gatekeeper.sh/nist-sp-800-190-block-secrets-of-type-basic-auth created
    k8senforceconfigmanagement.constraints.gatekeeper.sh/nist-sp-800-190-enforce-config-management created
    k8spspapparmor.constraints.gatekeeper.sh/nist-sp-800-190-apparmor created
    k8spspcapabilities.constraints.gatekeeper.sh/nist-sp-800-190-capabilities created
    k8spspforbiddensysctls.constraints.gatekeeper.sh/nist-sp-800-190-sysctls created
    k8spsphostfilesystem.constraints.gatekeeper.sh/nist-sp-800-190-restrict-hostpath-volumes created
    k8spsphostnamespace.constraints.gatekeeper.sh/nist-sp-800-190-host-namespaces created
    k8spsphostnetworkingports.constraints.gatekeeper.sh/nist-sp-800-190-host-network created
    k8spspprivilegedcontainer.constraints.gatekeeper.sh/nist-sp-800-190-privileged-containers created
    k8spspprocmount.constraints.gatekeeper.sh/nist-sp-800-190-proc-mount-type created
    k8spspselinuxv2.constraints.gatekeeper.sh/nist-sp-800-190-selinux created
    k8spspseccomp.constraints.gatekeeper.sh/nist-sp-800-190-seccomp created
    k8spspvolumetypes.constraints.gatekeeper.sh/nist-sp-800-190-restrict-volume-types created
    k8sprohibitrolewildcardaccess.constraints.gatekeeper.sh/nist-sp-800-190-restrict-role-wildcards created
    k8srequirebinauthz.constraints.gatekeeper.sh/nist-sp-800-190-require-binauthz created
    k8srequirecosnodeimage.constraints.gatekeeper.sh/nist-sp-800-190-nodes-have-consistent-time created
    k8srequirenamespacenetworkpolicies.constraints.gatekeeper.sh/nist-sp-800-190-require-namespace-network-policies created
    k8srequiredlabels.constraints.gatekeeper.sh/nist-sp-800-190-require-managed-by-label created
    k8srequiredresources.constraints.gatekeeper.sh/nist-sp-800-190-cpu-and-memory-limits-required created
    k8srestrictrbacsubjects.constraints.gatekeeper.sh/nist-sp-800-190-restrict-rbac-subjects created
    k8srestrictrolebindings.constraints.gatekeeper.sh/nist-sp-800-190-restrict-clusteradmin-rolebindings created
    
  3. Verify that policy constraints have been installed and check if violations exist across the cluster:

    kubectl get constraints -l policycontroller.gke.io/bundleName=nist-sp-800-190
    

    The output is similar to the following:

    NAME                                                            ENFORCEMENT-ACTION   TOTAL-VIOLATIONS
    k8spspapparmor.constraints.gatekeeper.sh/nist-sp-800-190-apparmor   dryrun               0
    
    NAME                                                                        ENFORCEMENT-ACTION   TOTAL-VIOLATIONS
    k8srequirebinauthz.constraints.gatekeeper.sh/nist-sp-800-190-require-binauthz   dryrun               0
    
    NAME                                                                                   ENFORCEMENT-ACTION   TOTAL-VIOLATIONS
    k8srestrictrbacsubjects.constraints.gatekeeper.sh/nist-sp-800-190-restrict-rbac-subjects   dryrun               0
    
    NAME                                                                   ENFORCEMENT-ACTION   TOTAL-VIOLATIONS
    k8spspforbiddensysctls.constraints.gatekeeper.sh/nist-sp-800-190-sysctls   dryrun               0
    
    NAME                                                                            ENFORCEMENT-ACTION   TOTAL-VIOLATIONS
    k8spspvolumetypes.constraints.gatekeeper.sh/nist-sp-800-190-restrict-volume-types   dryrun               0
    
    NAME                                                                           ENFORCEMENT-ACTION   TOTAL-VIOLATIONS
    k8spsphostnetworkingports.constraints.gatekeeper.sh/nist-sp-800-190-host-network   dryrun               0
    
    NAME                                                                        ENFORCEMENT-ACTION   TOTAL-VIOLATIONS
    k8spsphostnamespace.constraints.gatekeeper.sh/nist-sp-800-190-host-namespaces   dryrun               0
    
    NAME                                                                                          ENFORCEMENT-ACTION   TOTAL-VIOLATIONS
    k8sprohibitrolewildcardaccess.constraints.gatekeeper.sh/nist-sp-800-190-restrict-role-wildcards   dryrun               0
    
    NAME                                                                                                                         ENFORCEMENT-ACTION   TOTAL-VIOLATIONS
    k8sblockcreationwithdefaultserviceaccount.constraints.gatekeeper.sh/nist-sp-800-190-block-creation-with-default-serviceaccount   dryrun               0
    
    NAME                                                                                   ENFORCEMENT-ACTION   TOTAL-VIOLATIONS
    k8spsphostfilesystem.constraints.gatekeeper.sh/nist-sp-800-190-restrict-hostpath-volumes   dryrun               0
    
    NAME                                                          ENFORCEMENT-ACTION   TOTAL-VIOLATIONS
    k8spspseccomp.constraints.gatekeeper.sh/nist-sp-800-190-seccomp   dryrun               0
    
    NAME                                                                                      ENFORCEMENT-ACTION   TOTAL-VIOLATIONS
    asmpeerauthnstrictmtls.constraints.gatekeeper.sh/nist-sp-800-190-asm-peer-authn-strict-mtls   dryrun               0
    
    NAME                                                                                        ENFORCEMENT-ACTION   TOTAL-VIOLATIONS
    k8srequiredresources.constraints.gatekeeper.sh/nist-sp-800-190-cpu-and-memory-limits-required   dryrun               0
    
    NAME                                                                    ENFORCEMENT-ACTION   TOTAL-VIOLATIONS
    k8spspprocmount.constraints.gatekeeper.sh/nist-sp-800-190-proc-mount-type   dryrun               0
    
    NAME                                                                                           ENFORCEMENT-ACTION   TOTAL-VIOLATIONS
    k8sblockobjectsoftype.constraints.gatekeeper.sh/nist-sp-800-190-block-secrets-of-type-basic-auth   dryrun               0
    
    NAME                                                                                                          ENFORCEMENT-ACTION   TOTAL-VIOLATIONS
    k8srequirenamespacenetworkpolicies.constraints.gatekeeper.sh/nist-sp-800-190-require-namespace-network-policies   dryrun               0
    
    NAME                                                                    ENFORCEMENT-ACTION   TOTAL-VIOLATIONS
    k8spspcapabilities.constraints.gatekeeper.sh/nist-sp-800-190-capabilities   dryrun               0
    
    NAME                                                                               ENFORCEMENT-ACTION   TOTAL-VIOLATIONS
    k8srequiredlabels.constraints.gatekeeper.sh/nist-sp-800-190-require-managed-by-label   dryrun               0
    
    NAME                                                                                    ENFORCEMENT-ACTION   TOTAL-VIOLATIONS
    k8spspprivilegedcontainer.constraints.gatekeeper.sh/nist-sp-800-190-privileged-containers   dryrun               0
    
    NAME                                                                   ENFORCEMENT-ACTION   TOTAL-VIOLATIONS
    k8sallowedrepos.constraints.gatekeeper.sh/nist-sp-800-190-restrict-repos   dryrun               0
    
    NAME                                                            ENFORCEMENT-ACTION   TOTAL-VIOLATIONS
    k8spspselinuxv2.constraints.gatekeeper.sh/nist-sp-800-190-selinux   dryrun               0
    
    NAME                                                                                         ENFORCEMENT-ACTION   TOTAL-VIOLATIONS
    k8senforceconfigmanagement.constraints.gatekeeper.sh/nist-sp-800-190-enforce-config-management   dryrun               0
    
    NAME                                                                                               ENFORCEMENT-ACTION   TOTAL-VIOLATIONS
    k8srestrictrolebindings.constraints.gatekeeper.sh/nist-sp-800-190-restrict-clusteradmin-rolebindings   dryrun               0
    

kpt

  1. Install and setup kpt.

    kpt is used in these instructions to customize and deploy Kubernetes resources.

  2. Download the NIST SP 800-190 policy bundle from GitHub using kpt:

    kpt pkg get https://github.com/GoogleCloudPlatform/gke-policy-library.git/anthos-bundles/nist-sp-800-190
    
  3. Run the set-enforcement-action kpt function to set the policies' enforcement action to dryrun:

    kpt fn eval nist-sp-800-190 -i gcr.io/kpt-fn/set-enforcement-action:v0.1 \
    -- enforcementAction=dryrun
    
  4. Initialize the working directory with kpt, which creates a resource to track changes:

    cd nist-sp-800-190 kpt live init
    
  5. Apply the policy constraints with kpt:

    kpt live apply
    
  6. Verify that policy constraints have been installed and check if violations exist across the cluster:

    kpt live status --output table --poll-until current
    

    A status of CURRENT confirms successful installation of the constraints.

Config Sync

  1. Install and setup kpt.

    kpt is used in these instructions to customize and deploy Kubernetes resources.

    Operators using Config Sync to deploy policies to their clusters can use the following instructions:

  2. Change into the sync directory for Config Sync:

    cd SYNC_ROOT_DIR
    

    To create or append .gitignore with resourcegroup.yaml:

    echo resourcegroup.yaml >> .gitignore
    
  3. Create a dedicated policies directory:

    mkdir -p policies
    
  4. Download the NIST SP 800-190 policy bundle from GitHub using kpt:

    kpt pkg get https://github.com/GoogleCloudPlatform/gke-policy-library.git/anthos-bundles/nist-sp-800-190 policies/nist-sp-800-190
    
  5. Run the set-enforcement-action kpt function to set the policies' enforcement action to dryrun:

    kpt fn eval policies/nist-sp-800-190 -i gcr.io/kpt-fn/set-enforcement-action:v0.1 -- enforcementAction=dryrun
    
  6. (Optional) Preview the policy constraints to be created:

    kpt live init policies/nist-sp-800-190 kpt live apply --dry-run policies/nist-sp-800-190
    
  7. If your sync directory for Config Sync uses Kustomize, add policies/nist-sp-800-190 to your root kustomization.yaml. Otherwise remove the policies/nist-sp-800-190/kustomization.yaml file:

    rm SYNC_ROOT_DIR/policies/nist-sp-800-190/kustomization.yaml
    
  8. Push changes to the Config Sync repo:

    git add SYNC_ROOT_DIR/policies/nist-sp-800-190 git commit -m 'Adding NIST SP 800-190 policy audit enforcement'
    git push
    
  9. Verify the status of the installation:

    watch gcloud beta container fleet config-management status --project PROJECT_ID
    

    A status of SYNCED confirms the installation of the policies.

View policy violations

Once the policy constraints are installed in audit mode, violations on the cluster can be viewed in the UI using the Policy Controller Dashboard.

  1. You can also use kubectl to view violations on the cluster using the following command:

    kubectl get constraint -l policycontroller.gke.io/bundleName=nist-sp-800-190 -o json | jq -cC '.items[]| [.metadata.name,.status.totalViolations]'
    
  2. If violations are present, a listing of the violation messages per constraint can be viewed with:

    kubectl get constraint -l policycontroller.gke.io/bundleName=nist-sp-800-190 -o json | jq -C '.items[]| select(.status.totalViolations>0)| [.metadata.name,.status.violations[]?]'
    

Change NIST SP 800-190 policy bundle enforcement action

Once you've reviewed policy violations on your cluster, you can consider changing the enforcement mode so the Admission Controller will either warn on or even deny block non-compliant resource from getting applied to the cluster.

kubectl

  1. Use kubectl to set the policies' enforcement action to deny:

    kubectl get constraints -l policycontroller.gke.io/bundleName=nist-sp-800-190 -o name | xargs -I {} kubectl patch {} --type='json' -p='[{"op":"replace","path":"/spec/enforcementAction","value":"warn"}]'
    
  2. Verify that policy constraints enforcement action have been updated:

    kubectl get constraints -l policycontroller.gke.io/bundleName=nist-sp-800-190
    

kpt

  1. Run the set-enforcement-action kpt function to set the policies' enforcement action to deny:

    kpt fn eval -i gcr.io/kpt-fn/set-enforcement-action:v0.1 -- enforcementAction=deny
    
  2. Apply the policy constraints:

    kpt live apply
    

Config Sync

Operators using Config Sync to deploy policies to their clusters can use the following instructions:

  1. Change into the sync directory for Config Sync:

    cd SYNC_ROOT_DIR
    
  2. Run the set-enforcement-action kpt function to set the policies' enforcement action to deny:

    kpt fn eval policies/nist-sp-800-190 -i gcr.io/kpt-fn/set-enforcement-action:v0.1 -- enforcementAction=deny
    
  3. Push changes to the Config Sync repo:

    git add SYNC_ROOT_DIR/policies/nist-sp-800-190
    git commit -m 'Adding NIST SP 800-190 policy warn enforcement'
    git push
    
  4. Verify the status of the installation:

    gcloud alpha anthos config sync repo list --project PROJECT_ID
    

    Your repo showing up in the SYNCED column confirms the installation of the policies.

Test policy enforcement

Create a non-compliant resource on the cluster using the following command:

cat <<EOF | kubectl apply -f -
apiVersion: v1
kind: Pod
metadata:
  name: wp-non-compliant
spec:
  containers:
    ‐ image: wordpress
      name: wordpress
EOF

The admission controller should produce a warning listing out the policy violations that this resource violates, as shown in the following example:

Warning: [nist-sp-800-190-cpu-and-memory-limits-required] container <wordpress> does not have <{"cpu", "memory"}> limits defined
Warning: [nist-sp-800-190-restrict-repos] container <wordpress> has an invalid image repo <wordpress>, allowed repos are ["gcr.io/gke-release/", "gcr.io/anthos-baremetal-release/", "gcr.io/config-management-release/", "gcr.io/kubebuilder/", "gcr.io/gkeconnect/", "gke.gcr.io/"]
pod/wp-non-compliant created

Remove NIST SP 800-190 policy bundle

If needed, the NIST SP 800-190 policy bundle can be removed from the cluster.

kubectl

  • Use kubectl to remove the policies:

    kubectl delete constraint -l policycontroller.gke.io/bundleName=nist-sp-800-190
    

kpt

  • Remove the policies:

    kpt live destroy
    

Config Sync

Operators using Config Sync to deploy policies to their clusters can use the following instructions:

  1. Push changes to the Config Sync repo:

    git rm -r SYNC_ROOT_DIR/policies/nist-sp-800-190
    git commit -m 'Removing NIST SP 800-190 policies'
    git push
    
  2. Verify the status:

    gcloud alpha anthos config sync repo list --project PROJECT_ID
    

    Your repo showing up in the SYNCED column confirms the removal of the policies.