This page explains what Policy Controller is and how you can use it to help ensure your Kubernetes clusters and workloads are running in a secure and compliant manner.
This page is for IT administrators, Operators, and Security specialists who define IT solutions and system architecture in accordance with company strategy, and ensure that all resources running within the cloud platform meet organizational compliance requirements by providing and maintaining automation to audit or enforce. To learn more about common roles and example tasks that we reference in Google Cloud content, see Common GKE user roles and tasks.
Policy Controller enables the application and enforcement of programmable policies for your Kubernetes clusters. These policies act as guardrails and can help with best practices, security, and compliance management of your clusters and fleet. Based on the open source Open Policy Agent Gatekeeper project, Policy Controller is fully integrated with Google Cloud, includes a built-in dashboard, for observability, and comes with a full library of prebuilt policies for common security and compliance controls.
Policy Controller benefits
- Integrated with Google Cloud: Platform admins can install Policy Controller by using the Google Cloud console, by using Terraform, or by using Google Cloud CLI on any cluster connected to your fleet. Policy Controller works with other Google Cloud services like Config Sync, metrics, and Cloud Monitoring.
- Supports multiple enforcement points: In addition to both audit and admission control for your cluster, Policy Controller can optionally enable a shift-left approach to analyse and catch non-compliant changes prior to application.
- Prebuilt policy bundles: Policy Controller comes with a full library of prebuilt policies for common security and compliance controls. These include both Policy bundles and the constraint template library.
- Supports custom policies: If policy customization is required beyond what is available using the constraint template library, Policy Controller additionally supports the development of custom constraint templates.
- Built-in observability: Policy Controller includes a Google Cloud console dashboard, providing an overview for the state of all the policies applied to your fleet (including unregistered clusters). From the dashboard, view compliance and enforcement status to help you troubleshoot, and get opinionated recommendations to resolve policy violations.
Policy bundles
You can use policy bundles to apply a number of constraints that are grouped under a specific Kubernetes standard, security, or compliance theme. For example, you can use the following policy bundles:
- Enforce many of the same requirements as PodSecurityPolicies, but with the added ability to audit your configuration before enforcing it, ensuring any policy changes aren't disruptive to running workloads.
- Use constraints compatible with Cloud Service Mesh to audit the compliance of your mesh security vulnerabilities and best practices.
- Apply general best practices to your cluster resources to help strengthen your security posture.
Policy Controller bundles overview provides more details and a list of currently available policy bundles.
Constraints
Policy Controller enforces your clusters' compliance using objects called constraints. You can think of constraints as the "building blocks" of policy. Each constraint defines a specific change to the Kubernetes API that is allowed or disallowed on the cluster it's applied to. You can set policies to either actively block non-compliant API requests or audit the configuration of your clusters and report violations. In either case, you can view warning messages with details on what violation occurred on a cluster. With that information, you can remediate problems. For example, you can use the following individual constraints:
- Require each namespace to have at least one label. This constraint can be used to ensure accurate tracking of resource consumption when using GKE Usage Metering, for example.
- Restrict the repositories a given container image can be pulled from. This constraint ensures any attempt to pull containers from unknown sources is denied, protecting your clusters from running potentially malicious software.
- Control whether or not a container can run in privileged mode. This constraint controls the ability of any container to enable privileged mode, which gives you control over which containers (if any) can run with unrestricted policy.
These are just a few of the constraints provided in the constraint template library included with Policy Controller. This library contains numerous policies that you can use to help enforce best practices and limit risk. If you require more customization beyond what is available in the constraint template library, you can also create custom constraint templates.
Constraints can be applied directly to your clusters using the Kubernetes API, or distributed to a set of clusters from a centralized source, like a Git repository, by using Config Sync.