Use Pod Security Standards Baseline policy constraints

Policy Controller comes with a default library of constraint templates that you can use with the Pod Security Standards Baseline bundle. This bundle lets you achieve many of the same protections as the Kubernetes Pod Security Standards (PSS) Baseline policy, with the ability to test your policies before enforcing them and exclude coverage of specific resources.

This page contains instructions for manually applying a policy bundle. Alternatively, you can apply policy bundles directly.

This page is for IT administrators and Operators who want to ensure that all resources running within the cloud platform meet organizational compliance requirements by providing and maintaining automation to audit or enforce. To learn more about common roles and example tasks that we reference in Google Cloud content, see Common GKE user roles and tasks.

Pod Security Standards Baseline policy bundle constraints

Constraint Name	Constraint Description	Control Name
pss-baseline-v2022-hostprocess	Usage of Windows HostProcess	HostProcess
pss-baseline-v2022-host-namespaces-hostnetwork	Use of host networking	Host Namespaces
pss-baseline-v2022-host-namespaces-host-pid-ipc	Usage of host namespaces	Host Namespaces
pss-baseline-v2022-privileged-containers	Running of privileged containers	Privileged Containers
pss-baseline-v2022-capabilities	Linux capabilities	Capabilities
pss-baseline-v2022-hostpath-volumes	Usage of the host filesystem	HostPath Volumes
pss-baseline-v2022-host-ports	Usage of host ports	Host Ports (configurable)
pss-baseline-v2022-apparmor	The AppArmor profile used by containers	AppArmor
pss-baseline-v2022-selinux	The SELinux context of the container	SELinux
pss-baseline-v2022-proc-mount-type	The Allowed Proc Mount types for the container	/proc Mount Type
pss-baseline-v2022-seccomp	The seccomp profile used by containers	Seccomp
pss-baseline-v2022-sysctls	The sysctl profile used by containers	Sysctls

Before you begin

Install and initialize the Google Cloud CLI, which provides the gcloud and kubectl commands used in these instructions. If you use Cloud Shell, Google Cloud CLI comes pre-installed.
Install Policy Controller v.1.14.1 or higher on your cluster with the default library of constraint templates.

Audit Pod Security Standards Baseline policy bundle

Policy Controller lets you enforce policies for your Kubernetes cluster. To help test your workloads and their compliance with regard to the Google recommended best practices outlined in the preceding table, you can deploy these constraints in "audit" mode to reveal violations and more importantly give yourself a chance to fix them before enforcing on your Kubernetes cluster.

You can apply these policies with spec.enforcementAction set to dryrun using kubectl, kpt, or Config Sync.

kubectl

(Optional) Preview the policy constraints with kubectl:

kubectl kustomize https://github.com/GoogleCloudPlatform/gke-policy-library.git/bundles/pss-baseline-v2022

Apply the policy constraints with kubectl:

kubectl apply -k https://github.com/GoogleCloudPlatform/gke-policy-library.git/bundles/pss-baseline-v2022

The output is the following:

k8spspapparmor.constraints.gatekeeper.sh/pss-baseline-v2022-apparmor created
k8spspcapabilities.constraints.gatekeeper.sh/pss-baseline-v2022-capabilities created
k8spsphostfilesystem.constraints.gatekeeper.sh/pss-baseline-v2022-hostpath-volumes created
k8spsphostnamespace.constraints.gatekeeper.sh/pss-baseline-v2022-host-namespaces-host-pid-ipc created
k8spsphostnetworkingports.constraints.gatekeeper.sh/pss-baseline-v2022-host-namespaces-hostnetwork created
k8spsphostnetworkingports.constraints.gatekeeper.sh/pss-baseline-v2022-host-ports created
k8spspprivilegedcontainer.constraints.gatekeeper.sh/pss-baseline-v2022-privileged-containers created
k8spspprocmount.constraints.gatekeeper.sh/pss-baseline-v2022-proc-mount-type created
k8spspselinuxv2.constraints.gatekeeper.sh/pss-baseline-v2022-selinux created
k8spspseccomp.constraints.gatekeeper.sh/pss-baseline-v2022-seccomp created
k8spspforbiddensysctls.constraints.gatekeeper.sh/pss-baseline-v2022-sysctls created

Verify that policy constraints have been installed and check if violations exist across the cluster:

kubectl get -k https://github.com/GoogleCloudPlatform/gke-policy-library.git/bundles/pss-baseline-v2022

The output is similar to the following:

NAME                                                                   ENFORCEMENT-ACTION   TOTAL-VIOLATIONS
k8spspapparmor.constraints.gatekeeper.sh/pss-baseline-v2022-apparmor                        0

NAME                                                                           ENFORCEMENT-ACTION   TOTAL-VIOLATIONS
k8spspcapabilities.constraints.gatekeeper.sh/pss-baseline-v2022-capabilities   dryrun               0

NAME                                                                                 ENFORCEMENT-ACTION   TOTAL-VIOLATIONS
k8spsphostfilesystem.constraints.gatekeeper.sh/pss-baseline-v2022-hostpath-volumes                        0

NAME                                                                                            ENFORCEMENT-ACTION   TOTAL-VIOLATIONS
k8spsphostnamespace.constraints.gatekeeper.sh/pss-baseline-v2022-host-namespaces-host-pid-ipc   dryrun               0

NAME                                                                                                 ENFORCEMENT-ACTION   TOTAL-VIOLATIONS
k8spsphostnetworkingports.constraints.gatekeeper.sh/pss-baseline-v2022-host-namespaces-hostnetwork   dryrun               0
k8spsphostnetworkingports.constraints.gatekeeper.sh/pss-baseline-v2022-host-ports                    dryrun               0

NAME                                                                                           ENFORCEMENT-ACTION   TOTAL-VIOLATIONS
k8spspprivilegedcontainer.constraints.gatekeeper.sh/pss-baseline-v2022-privileged-containers   dryrun               0

NAME                                                                           ENFORCEMENT-ACTION   TOTAL-VIOLATIONS
k8spspprocmount.constraints.gatekeeper.sh/pss-baseline-v2022-proc-mount-type                        0

NAME                                                                   ENFORCEMENT-ACTION   TOTAL-VIOLATIONS
k8spspselinuxv2.constraints.gatekeeper.sh/pss-baseline-v2022-selinux                        0

NAME                                                                 ENFORCEMENT-ACTION   TOTAL-VIOLATIONS
k8spspseccomp.constraints.gatekeeper.sh/pss-baseline-v2022-seccomp   dryrun               0

NAME                                                                          ENFORCEMENT-ACTION   TOTAL-VIOLATIONS
k8spspforbiddensysctls.constraints.gatekeeper.sh/pss-baseline-v2022-sysctls   dryrun               0

(Optional) Adjust the pss-baseline-v2022-host-ports constraint to include a minimum restricted known list of ports for your cluster environment:
```
parameters:
  # A minimum restricted known list can be implemented here.
  min: 0
  max: 0
```

kpt

Install and setup kpt. kpt is used in these instructions to customize and deploy Kubernetes resources.

Download the Pod Security Standards (PSS) Baseline v2022 policy bundle from GitHub using kpt:

kpt pkg get https://github.com/GoogleCloudPlatform/gke-policy-library.git/bundles/pss-baseline-v2022

Run the set-enforcement-action kpt function to set the policies' enforcement action to dryrun:

kpt fn eval pss-baseline-v2022 -i gcr.io/kpt-fn/set-enforcement-action:v0.1 \
  -- enforcementAction=dryrun

Initialize the working directory with kpt, which creates a resource to track changes:
```
cd pss-baseline-v2022
kpt live init
```
(Optional) Adjust the pss-baseline-v2022-host-ports constraint file to include a minimum restricted known list of ports for your cluster environment:
```
parameters:
  # A minimum restricted known list can be implemented here.
  min: 0
  max: 0
```
Apply the policy constraints with kpt:
```
kpt live apply
```
Verify that policy constraints have been installed and check if violations exist across the cluster:
```
kpt live status --output table --poll-until current
```
A status of CURRENT confirms successful installation of the constraints.

Config Sync

Install and setup kpt. kpt is used in these instructions to customize and deploy Kubernetes resources.

Operators using Config Sync to deploy policies to their clusters can use the following instructions:

Change into the sync directory for Config Sync:
```
cd SYNC_ROOT_DIR
```
Note: Kpt v1.0.0-beta.17 and later automatically create a resourcegroup.yaml file during live init which shouldn't be checked into your Config Sync repo. If not already present, add resourcegroup.yaml to your repo's .gitignore file.

To create or append .gitignore with resourcegroup.yaml:
```
echo resourcegroup.yaml >> .gitignore
```
Create a dedicated policies directory:
```
mkdir -p policies
```

Download the Pod Security Standards (PSS) Baseline v2022 policy bundle from GitHub using kpt:

kpt pkg get https://github.com/GoogleCloudPlatform/gke-policy-library.git/bundles/pss-baseline-v2022 policies/pss-baseline-v2022

Run the set-enforcement-action kpt function to set the policies' enforcement action to dryrun:

kpt fn eval policies/pss-baseline-v2022 -i gcr.io/kpt-fn/set-enforcement-action:v0.1 -- enforcementAction=dryrun

(Optional) Adjust the pss-baseline-v2022-host-ports constraint file to include a minimum restricted known list of ports for your cluster environment:
```
parameters:
  # A minimum restricted known list can be implemented here.
  min: 0
  max: 0
```

(Optional) Preview the policy constraints to be created:

kpt live init policies/pss-baseline-v2022
kpt live apply --dry-run policies/pss-baseline-v2022

The output is the following:

Dry-run strategy: client
inventory update started
inventory update finished
apply phase started
k8spspapparmor.constraints.gatekeeper.sh/pss-baseline-v2022-apparmor apply successful
k8spspcapabilities.constraints.gatekeeper.sh/pss-baseline-v2022-capabilities apply successful
k8spsphostfilesystem.constraints.gatekeeper.sh/pss-baseline-v2022-hostpath-volumes apply successful
k8spsphostnamespace.constraints.gatekeeper.sh/pss-baseline-v2022-host-namespaces-host-pid-ipc apply successful
k8spsphostnetworkingports.constraints.gatekeeper.sh/pss-baseline-v2022-host-namespaces-hostnetwork apply successful
k8spsphostnetworkingports.constraints.gatekeeper.sh/pss-baseline-v2022-host-ports apply successful
k8spspprivilegedcontainer.constraints.gatekeeper.sh/pss-baseline-v2022-privileged-containers apply successful
k8spspprocmount.constraints.gatekeeper.sh/pss-baseline-v2022-proc-mount-type apply successful
k8spspselinuxv2.constraints.gatekeeper.sh/pss-baseline-v2022-selinux apply successful
k8spspseccomp.constraints.gatekeeper.sh/pss-baseline-v2022-seccomp apply successful
apply phase finished
inventory update started
inventory update finished
apply result: 10 attempted, 10 successful, 0 skipped, 0 failed

If your sync directory for Config Sync uses Kustomize, add policies/pss-baseline-v2022 to your root kustomization.yaml. Otherwise remove the policies/pss-baseline-v2022/kustomization.yaml file:
```
rm SYNC_ROOT_DIR/policies/pss-baseline-v2022/kustomization.yaml
```

Push changes to the Config Sync repo:

git add SYNC_ROOT_DIR/pss-baseline-v2022
git commit -m 'Adding Pod Security Standards Baseline audit enforcement'
git push

Verify the status of the installation:
```
watch gcloud beta container fleet config-management status --project PROJECT_ID
```
A status of SYNCED confirms the installation of the policies.

View policy violations

Once the policy constraints are installed in audit mode, violations on the cluster can be viewed in the UI using the Policy Controller Dashboard.

You can also use kubectl to view violations on the cluster using the following command:

kubectl get constraint -l policycontroller.gke.io/bundleName=pss-baseline-v2022 -o json | jq -cC '.items[]| [.metadata.name,.status.totalViolations]'

If violations are present, a listing of the violation messages per constraint can be viewed with:

kubectl get constraint -l policycontroller.gke.io/bundleName=pss-baseline-v2022 -o json | jq -C '.items[]| select(.status.totalViolations>0)| [.metadata.name,.status.violations[]?]'

Change Pod Security Standards Baseline policy bundle enforcement action

Once you've reviewed policy violations on your cluster, you can consider changing the enforcement mode so the Admission Controller will either warn on or even deny block non-compliant resource from getting applied to the cluster.

kubectl

Use kubectl to set the policies' enforcement action to warn:

kubectl get constraint -l policycontroller.gke.io/bundleName=pss-baseline-v2022 -o name | xargs -I {} kubectl patch {} --type='json' -p='[{"op":"replace","path":"/spec/enforcementAction","value":"warn"}]'

Verify that policy constraints enforcement action have been updated:

kubectl get constraint -l policycontroller.gke.io/bundleName=pss-baseline-v2022

kpt

Run the set-enforcement-action kpt function to set the policies' enforcement action to warn:
```
kpt fn eval -i gcr.io/kpt-fn/set-enforcement-action:v0.1 -- enforcementAction=warn
```
Apply the policy constraints:
```
kpt live apply
```

Config Sync

Operators using Config Sync to deploy policies to their clusters can use the following instructions:

Change into the sync directory for Config Sync:
```
cd SYNC_ROOT_DIR
```

Run the set-enforcement-action kpt function to set the policies' enforcement action to warn:

kpt fn eval policies/pss-baseline-v2022 -i gcr.io/kpt-fn/set-enforcement-action:v0.1 -- enforcementAction=warn

Push changes to the Config Sync repo:

git add SYNC_ROOT_DIR/policies/pss-baseline-v2022
git commit -m 'Adding Pod Security Standards Baseline policy bundle warn enforcement'
git push

Verify the status of the installation:
```
nomos status
```
The cluster should display a status of SYNCED with the installed policies.

Test policy enforcement

Create a non-compliant resource on the cluster using the following command:

cat <<EOF | kubectl apply -f -
apiVersion: v1
kind: Pod
metadata:
  namespace: default
  name: wp-non-compliant
  labels:
    app: wordpress
spec:
  containers:
    - image: wordpress
      name: wordpress
      ports:
      - containerPort: 80
        hostPort: 80
        name: wordpress
EOF

The admission controller should produce a warning listing out the policy violations that this resource violates, as shown in the following example:

Warning:  [pss-baseline-v2022-host-ports] The specified hostNetwork and hostPort are not allowed, pod: wp-non-compliant. Allowed values: {"max": 0, "min": 0}
pod/wp-non-compliant created

Remove Pod Security Standards Baseline policy bundle

If needed, the Pod Security Standards Baseline policy bundle can be removed from the cluster.

kubectl

Use kubectl to remove the policies:

kubectl delete constraint -l policycontroller.gke.io/bundleName=pss-baseline-v2022

kpt

Remove the policies:
```
kpt live destroy
```

Config Sync

Operators using Config Sync to deploy policies to their clusters can use the following instructions:

Push changes to the Config Sync repo:

git rm -r SYNC_ROOT_DIR/policies/pss-baseline-v2022
git commit -m 'Removing Pod Security Standards Baseline policies'
git push

Verify the status:
```
nomos status
```
The cluster should display a status of SYNCED with the resources removed.