O Cloud Service Mesh com APIs Istio oferece APIs avançadas e flexíveis
que podem ser usadas para configurar a malha. No entanto, sem o gerenciamento adequado
desses recursos, a malha pode expor vulnerabilidades de segurança.
A integração do
Policy Controller
com as restrições da política de segurança do Cloud Service Mesh pode ajudar a aplicar a malha
a práticas recomendadas de segurança e evitar vulnerabilidades.
Ao instalar o Policy Controller,
selecione Instalar biblioteca de modelos padrão. Essa opção implanta
todos os modelos de restrição de política de segurança do Cloud Service Mesh necessários para a
malha. Para conferir uma lista completa dos modelos de restrição de segurança do Cloud Service Mesh, consulte
a biblioteca de modelos de restrição
e procure modelos com o prefixo Asm.
Alguns modelos de restrição são instalados com a biblioteca de modelos padrão,
mas não estão incluídos no pacote de políticas de segurança. Esses modelos
de restrição atendem a casos de uso específicos, e é possível configurar as próprias restrições.
[[["Fácil de entender","easyToUnderstand","thumb-up"],["Meu problema foi resolvido","solvedMyProblem","thumb-up"],["Outro","otherUp","thumb-up"]],[["Difícil de entender","hardToUnderstand","thumb-down"],["Informações incorretas ou exemplo de código","incorrectInformationOrSampleCode","thumb-down"],["Não contém as informações/amostras de que eu preciso","missingTheInformationSamplesINeed","thumb-down"],["Problema na tradução","translationIssue","thumb-down"],["Outro","otherDown","thumb-down"]],["Última atualização 2025-09-04 UTC."],[],[],null,["# Cloud Service Mesh security policy constraints\n==============================================\n\n| **Note:** This guide only supports Cloud Service Mesh with Istio APIs and does not support Google Cloud APIs. For more information see, [Cloud Service Mesh overview](/service-mesh/docs/overview).\n\nThis guide does not support `TRAFFIC_DIRECTOR`\n[control plane implementation](/service-mesh/v1.23/docs/check-control-plane-implementation).\n\nCloud Service Mesh with Istio APIs provides you with powerful and flexible\nAPIs that you can use to configure your mesh. However, without proper management\nover these resources, your mesh might expose security vulnerabilities.\nIntegrating\n[Policy Controller](/anthos-config-management/docs/concepts/policy-controller)\nwith Cloud Service Mesh security policy constraints can help enforce your mesh\nwith security best practices and prevent vulnerabilities.\n\nThis page assumes you are already familiar with\n[policy constraints](/anthos-config-management/docs/how-to/creating-policy-controller-constraints).\n\nConstraints templates\n---------------------\n\nWhen you [install Policy Controller](/anthos-config-management/docs/how-to/installing-policy-controller),\nselect **Install default template library** . This option deploys\nall of the Cloud Service Mesh security policy constraint templates needed for your\nmesh. For a full list of the Cloud Service Mesh security constraint templates, see\nthe [Constraint template library](/anthos-config-management/docs/latest/reference/constraint-template-library)\nand look for templates that are prefixed with `Asm`.\n\nConstraints bundle\n------------------\n\nWe offer an out-of-box constraints bundle for Cloud Service Mesh security policy.\nFor the bundle details and instructions, see\n[Using Cloud Service Mesh security policies](/anthos-config-management/docs/how-to/using-asm-security-policy).\n\nTo follow a tutorial that shows you how to apply this bundle, see\n[Strengthen your app's security with Cloud Service Mesh, Config Sync, and Policy Controller](/service-mesh/v1.23/docs/strengthen-app-security).\n\nAdd-on constraints\n------------------\n\nSome constraint templates are installed with the default template library,\nbut not included in the security policy bundle. These constraint\ntemplates serve specific use cases, and you can configure your own constraints:\n\n- [AsmAuthzPolicyDisallowedPrefix](/anthos-config-management/docs/latest/reference/constraint-template-library#asmauthzpolicydisallowedprefix)\n- [AsmAuthzPolicyEnforceSourcePrincipals](/anthos-config-management/docs/latest/reference/constraint-template-library#asmauthzpolicyenforcesourceprincipals)"]]
