Stay organized with collections
Save and categorize content based on your preferences.
Cloud Service Mesh security policy constraints
Cloud Service Mesh provides you with powerful and flexible APIs that you can use to configure
your mesh. However, without proper management over these resources, your mesh
might expose security vulnerabilities. Integrating
Policy Controller
with Cloud Service Mesh security policy constraints can help enforce your mesh
with security best practices and prevent vulnerabilities.
When you install Policy Controller,
select Install default template library. This option deploys
all of the Cloud Service Mesh security policy constraint templates needed for your
mesh. For a full list of the Cloud Service Mesh security constraint templates, see
the Constraint template library
and look for templates that are prefixed with Asm.
Constraints bundle
We offer an out-of-box constraints bundle for Cloud Service Mesh security policy.
For the bundle details and instructions, see
Using Cloud Service Mesh security policies.
Some constraint templates are installed with the default template library,
but not included in the security policy bundle. These constraint
templates serve specific use cases, and you can configure your own constraints:
[[["Easy to understand","easyToUnderstand","thumb-up"],["Solved my problem","solvedMyProblem","thumb-up"],["Other","otherUp","thumb-up"]],[["Hard to understand","hardToUnderstand","thumb-down"],["Incorrect information or sample code","incorrectInformationOrSampleCode","thumb-down"],["Missing the information/samples I need","missingTheInformationSamplesINeed","thumb-down"],["Other","otherDown","thumb-down"]],["Last updated 2025-09-04 UTC."],[],[],null,["# Cloud Service Mesh security policy constraints\n==============================================\n\nCloud Service Mesh provides you with powerful and flexible APIs that you can use to configure\nyour mesh. However, without proper management over these resources, your mesh\nmight expose security vulnerabilities. Integrating\n[Policy Controller](/anthos-config-management/docs/concepts/policy-controller)\nwith Cloud Service Mesh security policy constraints can help enforce your mesh\nwith security best practices and prevent vulnerabilities.\n\nThis page assumes you are already familiar with\n[policy constraints](/anthos-config-management/docs/how-to/creating-policy-controller-constraints).\n\nConstraints templates\n---------------------\n\nWhen you [install Policy Controller](/anthos-config-management/docs/how-to/installing-policy-controller),\nselect **Install default template library** . This option deploys\nall of the Cloud Service Mesh security policy constraint templates needed for your\nmesh. For a full list of the Cloud Service Mesh security constraint templates, see\nthe [Constraint template library](/anthos-config-management/docs/latest/reference/constraint-template-library)\nand look for templates that are prefixed with `Asm`.\n\nConstraints bundle\n------------------\n\nWe offer an out-of-box constraints bundle for Cloud Service Mesh security policy.\nFor the bundle details and instructions, see\n[Using Cloud Service Mesh security policies](/anthos-config-management/docs/how-to/using-asm-security-policy).\n\nTo follow a tutorial that shows you how to apply this bundle, see\n[Strengthen your app's security with Cloud Service Mesh, Config Sync, and Policy Controller](/service-mesh/v1.19/docs/strengthen-app-security).\n\nAdd-on constraints\n------------------\n\nSome constraint templates are installed with the default template library,\nbut not included in the security policy bundle. These constraint\ntemplates serve specific use cases, and you can configure your own constraints:\n\n- [AsmAuthzPolicyDisallowedPrefix](/anthos-config-management/docs/latest/reference/constraint-template-library#asmauthzpolicydisallowedprefix)\n- [AsmAuthzPolicyEnforceSourcePrincipals](/anthos-config-management/docs/latest/reference/constraint-template-library#asmauthzpolicyenforcesourceprincipals)"]]