Use Pod Security Standards Restricted policy constraints

Policy Controller comes with a default library of constraint templates that you can use with the Pod Security Standards Restricted bundle. This bundle lets you achieve many of the same protections as the Kubernetes Pod Security Standards (PSS) Restricted policy, with the ability to test your policies before enforcing them and exclude coverage of specific resources.

This page contains instructions for manually applying a policy bundle. Alternatively, you can apply policy bundles directly.

This page is for IT administrators and Operators who want to ensure that all resources running within the cloud platform meet organizational compliance requirements by providing and maintaining automation to audit or enforce. To learn more about common roles and example tasks that we reference in Google Cloud content, see Common GKE Enterprise user roles and tasks.

The bundle includes these constraints which map to the following Kubernetes Pod Security Standards (PSS) Restricted policy controls:

Constraint Name	Constraint Description	Control Name
pss-restricted-v2022-psp-volume-types	Usage of volume types	Volume Types
pss-restricted-v2022-privilege-escalation	Restricting escalation to root privileges	Privilege Escalation
pss-restricted-v2022-running-as-non-root	The `runAsNonRoot` value of the container	Running as Non-root
pss-restricted-v2022-running-as-non-root-user	The user ID of the container	Running as Non-root user
pss-restricted-v2022-seccomp	The seccomp profile used by containers	Seccomp
pss-restricted-v2022-capabilities	Linux capabilities	Capabilities

Before you begin

Install and initialize the Google Cloud CLI, which provides the gcloud and kubectl commands used in these instructions. If you use Cloud Shell, Google Cloud CLI comes pre-installed.
Install Policy Controller v1.11.1 or higher on your cluster with the default library of constraint templates.

Audit Pod Security Standards Restricted policy bundle

Policy Controller lets you enforce policies for your Kubernetes cluster. To help test your workloads and their compliance with regard to the Google recommended best practices outlined in the preceding table, you can deploy these constraints in "audit" mode to reveal violations and more importantly give yourself a chance to fix them before enforcing on your Kubernetes cluster.

You can apply these policies with spec.enforcementAction set to dryrun using kubectl, kpt, or Config Sync.

kubectl

(Optional) Preview the policy constraints with kubectl:

kubectl kustomize https://github.com/GoogleCloudPlatform/gke-policy-library.git/anthos-bundles/pss-restricted-v2022

Apply the policy constraints with kubectl:

kubectl apply -k https://github.com/GoogleCloudPlatform/gke-policy-library.git/anthos-bundles/pss-restricted-v2022

The output is the following:

k8spspallowprivilegeescalationcontainer.constraints.gatekeeper.sh/pss-restricted-v2022-privilege-escalation created
k8spspallowedusers.constraints.gatekeeper.sh/pss-restricted-v2022-running-as-non-root created
k8spspcapabilities.constraints.gatekeeper.sh/pss-restricted-v2022-capabilities created
k8spspseccomp.constraints.gatekeeper.sh/pss-restricted-v2022-seccomp created
k8spspvolumetypes.constraints.gatekeeper.sh/pss-restricted-v2022-psp-volume-types created

Verify that policy constraints have been installed and check if violations exist across the cluster:

kubectl get -k https://github.com/GoogleCloudPlatform/gke-policy-library.git/anthos-bundles/pss-restricted-v2022

The output is similar to the following:

NAME                                                                                                          ENFORCEMENT-ACTION   TOTAL-VIOLATIONS
k8spspallowprivilegeescalationcontainer.constraints.gatekeeper.sh/pss-restricted-v2022-privilege-escalation   dryrun               0

NAME                                                                                    ENFORCEMENT-ACTION   TOTAL-VIOLATIONS
k8spspallowedusers.constraints.gatekeeper.sh/pss-restricted-v2022-running-as-non-root   dryrun               0

NAME                                                                             ENFORCEMENT-ACTION   TOTAL-VIOLATIONS
k8spspcapabilities.constraints.gatekeeper.sh/pss-restricted-v2022-capabilities   dryrun               0

NAME                                                                   ENFORCEMENT-ACTION   TOTAL-VIOLATIONS
k8spspseccomp.constraints.gatekeeper.sh/pss-restricted-v2022-seccomp   dryrun               0

NAME                                                                                ENFORCEMENT-ACTION   TOTAL-VIOLATIONS
k8spspvolumetypes.constraints.gatekeeper.sh/pss-restricted-v2022-psp-volume-types   dryrun               0

kpt

Install and setup kpt. kpt is used in these instructions to customize and deploy Kubernetes resources.

Download the Pod Security Standards (PSS) Restricted v2022 policy bundle from GitHub using kpt:

kpt pkg get https://github.com/GoogleCloudPlatform/gke-policy-library.git/anthos-bundles/pss-restricted-v2022

Run the set-enforcement-action kpt function to set the policies' enforcement action to dryrun:

kpt fn eval pss-restricted-v2022 -i gcr.io/kpt-fn/set-enforcement-action:v0.1 \
  -- enforcementAction=dryrun

Initialize the working directory with kpt, which creates a resource to track changes:
```
cd pss-restricted-v2022
kpt live init
```
Apply the policy constraints with kpt:
```
kpt live apply
```
Verify that policy constraints have been installed and check if violations exist across the cluster:
```
kpt live status --output table --poll-until current
```
A status of CURRENT confirms successful installation of the constraints.

Config Sync

Install and setup kpt. kpt is used in these instructions to customize and deploy Kubernetes resources.

Operators using Config Sync to deploy policies to their clusters can use the following instructions:

Change into the sync directory for Config Sync:
```
cd SYNC_ROOT_DIR
```
Note: Kpt v1.0.0-beta.17 and later automatically create a resourcegroup.yaml file during live init which shouldn't be checked into your Config Sync repo. If not already present, add resourcegroup.yaml to your repo's .gitignore file.

To create or append .gitignore with resourcegroup.yaml:
```
echo resourcegroup.yaml >> .gitignore
```
Create a dedicated policies directory:
```
mkdir -p policies
```

Download the Pod Security Standards (PSS) Restricted v2022 policy bundle from GitHub using kpt:

kpt pkg get https://github.com/GoogleCloudPlatform/gke-policy-library.git/anthos-bundles/pss-restricted-v2022 policies/pss-restricted-v2022

Run the set-enforcement-action kpt function to set the policies' enforcement action to dryrun:

kpt fn eval policies/pss-restricted-v2022 -i gcr.io/kpt-fn/set-enforcement-action:v0.1 -- enforcementAction=dryrun

(Optional) Preview the policy constraints to be created:

kpt live init policies/pss-restricted-v2022
kpt live apply --dry-run policies/pss-restricted-v2022

If your sync directory for Config Sync uses Kustomize, add policies/pss-baseline-v2022 to your root kustomization.yaml. Otherwise remove the policies/pss-baseline-v2022/kustomization.yaml file:
```
rm SYNC_ROOT_DIR/policies/pss-baseline-v2022/kustomization.yaml
```

Push changes to the Config Sync repo:

git add SYNC_ROOT_DIR/policies/pss-restricted-v2022
git commit -m 'Adding Pod Security Standards Restricted audit enforcement'
git push

Verify the status of the installation:
```
watch gcloud beta container fleet config-management status --project PROJECT_ID
```
A status of SYNCED confirms the installation of the policies.

View policy violations

Once the policy constraints are installed in audit mode, violations on the cluster can be viewed in the UI using the Policy Controller Dashboard.

You can also use kubectl to view violations on the cluster using the following command:

kubectl get constraint -l policycontroller.gke.io/bundleName=pss-restricted-v2022 -o json | jq -cC '.items[]| [.metadata.name,.status.totalViolations]'

If violations are present, a listing of the violation messages per constraint can be viewed with:

kubectl get constraint -l policycontroller.gke.io/bundleName=pss-restricted-v2022 -o json | jq -C '.items[]| select(.status.totalViolations>0)| [.metadata.name,.status.violations[]?]'

Change Pod Security Standards Restricted policy bundle enforcement action

Once you've reviewed policy violations on your cluster, you can consider changing the enforcement mode so the Admission Controller will either warn on or even deny block non-compliant resource from getting applied to the cluster.

kubectl

Use kubectl to set the policies' enforcement action to warn:

kubectl get constraint -l policycontroller.gke.io/bundleName=pss-restricted-v2022 -o name | xargs -I {} kubectl patch {} --type='json' -p='[{"op":"replace","path":"/spec/enforcementAction","value":"warn"}]'

Verify that policy constraints enforcement action have been updated:

kubectl get constraint -l policycontroller.gke.io/bundleName=pss-restricted-v2022

kpt

Run the set-enforcement-action kpt function to set the policies' enforcement action to warn:
```
kpt fn eval -i gcr.io/kpt-fn/set-enforcement-action:v0.1 -- enforcementAction=warn
```
Apply the policy constraints:
```
kpt live apply
```

Config Sync

Operators using Config Sync to deploy policies to their clusters can use the following instructions:

Change into the sync directory for Config Sync:
```
cd SYNC_ROOT_DIR
```

Run the set-enforcement-action kpt function to set the policies' enforcement action to warn:

kpt fn eval policies/pss-restricted-v2022 -i gcr.io/kpt-fn/set-enforcement-action:v0.1 -- enforcementAction=warn

Push changes to the Config Sync repo:

git add SYNC_ROOT_DIR/pss-restricted-v2022
git commit -m 'Adding Pod Security Standards Restricted policy bundle warn enforcement'
git push

Verify the status of the installation:
```
gcloud alpha anthos config sync repo list --project PROJECT_ID
```
Your repo showing up in the SYNCED column confirms the installation of the policies.

Test policy enforcement

Create a non-compliant resource on the cluster using the following command:

cat <<EOF | kubectl apply -f -
apiVersion: v1
kind: Pod
metadata:
  namespace: default
  name: wp-non-compliant
  labels:
    app: wordpress
spec:
  containers:
    - image: wordpress
      name: wordpress
      ports:
      - containerPort: 80
        hostPort: 80
        name: wordpress
EOF

The admission controller should produce a warning listing out the policy violations that this resource violates, as shown in the following example:

Warning: [pss-baseline-v2022-host-ports] The specified hostNetwork and hostPort are not allowed, pod: wp-non-compliant. Allowed values: {"max": 0, "min": 0}
pod/wp-non-compliant created

Remove Pod Security Standards Restricted policy bundle

If needed, the Pod Security Standards Restricted policy bundle can be removed from the cluster.

kubectl

Use kubectl to remove the policies:

kubectl delete constraint -l policycontroller.gke.io/bundleName=pss-restricted-v2022

kpt

Remove the policies:
```
kpt live destroy
```

Config Sync

Operators using Config Sync to deploy policies to their clusters can use the following instructions:

Push changes to the Config Sync repo:

git rm -r SYNC_ROOT_DIR/policies/pss-restricted-v2022
git commit -m 'Removing Pod Security Standards Restricted policies'
git push

Verify the status:
```
gcloud alpha anthos config sync repo list --project PROJECT_ID
```
Your repo showing up in the SYNCED column confirms the removal of the policies.