Policy Controller bundles
This page describes what Policy Controller bundles are and provides an overview of the available policy bundles.
You can use Policy Controller to apply individual constraints to your cluster or write your own custom policies. You can also use policy bundles, which let you audit your clusters without writing any constraints. Policy bundles are a group of constraints that can help apply best practices, meet industry standards, or solve regulatory problems across your cluster resources.
You can apply policy bundles to your existing clusters to check if your workloads
are compliant. When you apply a policy bundle, it audits your cluster by applying
constraints with the dryrun enforcement type. The dryrun enforcement type
lets you see violations without blocking your workloads. It's also recommended
that only the warn or dryrun enforcement actions are used on clusters with
production workloads, when testing new constraints, or performing migrations
such as upgrading platforms. For more information about enforcement actions, see
Auditing using constraints.
For example, one type of policy bundle is the CIS Kubernetes Benchmark bundle, which can help audit your cluster resources against the CIS Kubernetes Benchmark. This benchmark is a set of recommendations for configuring Kubernetes resources to support a strong security posture.
Policy bundles are created and maintained by Google. You can view more details about your policy coverage, including coverage per bundle, in the Policy Controller dashboard.
Policy bundles are included with a Google Kubernetes Engine (GKE) Enterprise edition license.
Available Policy Controller bundles
The following table lists the available policy bundles. Select the name of the policy bundle to read documentation on how to apply the bundle, audit resources, and enforce policies.
The bundle alias column lists the single-token name of the bundle. This value is needed to apply a bundle with Google Cloud CLI commands.
The earliest included version column lists the earliest version that the bundle is available with Policy Controller. This means you can install those bundles directly. In any version of Policy Controller, you can still install any available bundle by following the instructions linked in the table.
| Name and description | Bundle alias | Earliest included version | Type | Includes referential constraints |
|---|---|---|---|---|
| CIS GKE Benchmark: Audit compliance of your clusters against the CIS GKE Benchmark v1.5, a set of recommended security controls for configuring Google Kubernetes Engine (GKE). | cis-gke-v1.5.0 |
not available | Kubernetes standard | Yes |
| CIS Kubernetes Benchmark: Audit compliance of your clusters against the CIS Kubernetes Benchmark v1.5, a set of recommendations for configuring Kubernetes to support a strong security posture. | cis-k8s-v1.5.1 |
1.15.2 | Kubernetes standard | Yes |
| CIS Kubernetes Benchmark (Preview): Audit compliance of your clusters against the CIS Kubernetes Benchmark v1.7, a set of recommendations for configuring Kubernetes to support a strong security posture. | cis-k8s-v1.7.1 |
not available | Kubernetes standard | Yes |
| Cost and Reliability: The Cost and Reliability bundle helps adopt best practices for running cost-efficient GKE clusters without compromising the performance or reliability of workloads. | cost-reliability-v2023 |
1.16.1 | Best practices | Yes |
| MITRE (Preview): The MITRE policy bundle helps evaluate the compliance of your cluster resources against some aspects of the MITRE knowledge base of adversary tactics and techniques based on real-world observations. | mitre-v2024 |
not available | Industry standard | Yes |
| Pod Security Policy: Apply protections based on the Kubernetes Pod Security Policy (PSP). | psp-v2022 |
1.15.2 | Kubernetes standard | No |
| Pod Security Standards Baseline: Apply protections based on the Kubernetes Pod Security Standards (PSS) Baseline policy. | pss-baseline-v2022 |
1.15.2 | Kubernetes standard | No |
| Pod Security Standards Restricted: Apply protections based on the Kubernetes Pod Security Standards (PSS) Restricted policy. | pss-restricted-v2022 |
1.15.2 | Kubernetes standard | No |
| Anthos Service Mesh security: Audit the compliance of your Anthos Service Mesh security vulnerabilities and best practices. | asm-policy-v0.0.1 |
1.15.2 | Best practices | Yes |
| Policy Essentials: Apply best practices to your cluster resources. | policy-essentials-v2022 |
1.14.1 | Best practices | No |
| NIST SP 800-53 Rev. 5: The NIST SP 800-53 Rev. 5 bundle implements controls listed in NIST Special Publication (SP) 800-53, Revision 5. The bundle may help organizations protect their systems and data from a variety of threats by implementing out-of-the-box security and privacy policies. | nist-sp-800-53-r5 |
1.16.0 | Industry standard | Yes |
| NIST SP 800-190: The NIST SP 800-190 bundle implements controls listed in NIST Special Publication (SP) 800-190, Application Container Security Guide. The bundle is intended to help organizations with application container security including image security, container runtime security, network security and host system security to name a few. | nist-sp-800-190 |
1.16.0 | Industry standard | Yes |
| NSA CISA Kubernetes Hardening Guide v1.2: Apply protections based on the NSA CISA Kubernetes Hardening Guide v1.2. | nsa-cisa-k8s-v1.2 |
1.16.0 | Industry standard | Yes |
| PCI-DSS v3.2.1: Apply protections based on the Payment Card Industry Data Security Standard (PCI-DSS) v3.2.1. | pci-dss-v3.2.1 or pci-dss-v3.2.1-extended |
1.15.2 | Industry standard | Yes |
| PCI-DSS v4.0 (Preview): Apply protections based on the Payment Card Industry Data Security Standard (PCI-DSS) v4.0. | pci-dss-v4.0 |
not available | Industry standard | Yes |
What's next
- Try Policy Controller at no charge.
- Learn more about applying individual constraints.
- Apply best practices to your clusters.
- Take a tutorial on using policy bundles in your CI/CD pipeline to shift left.