Stay organized with collections
Save and categorize content based on your preferences.
This page explains what Policy Controller is and how you can use it to help ensure
your Kubernetes clusters and workloads are running in a secure and compliant
manner.
This page is for IT administrators, Operators, and
Security specialists who define IT solutions and system architecture
in accordance with company strategy, and ensure that all resources running
within the cloud platform meet organizational compliance requirements by
providing and maintaining automation to audit or enforce. To learn more about
common roles and example tasks that we reference in Google Cloud content, see
Common GKE user roles and tasks.
Policy Controller enables the application and enforcement of programmable policies
for your Kubernetes clusters. These policies act as guardrails and can help
with best practices, security, and compliance management of your clusters and
fleet. Based on the open source
Open Policy Agent Gatekeeper
project, Policy Controller is fully integrated with Google Cloud,
includes a built-in dashboard,
for observability, and comes with a full library of prebuilt policies for
common security and compliance controls.
Policy Controller benefits
Integrated with Google Cloud: Platform admins can install
Policy Controller by using
the Google Cloud console, by using Terraform, or by using Google Cloud CLI on any
cluster connected to your fleet. Policy Controller works with other
Google Cloud services like
Config Sync, metrics, and Cloud Monitoring.
Prebuilt policy bundles: Policy Controller comes with a full library of
prebuilt policies for common security and compliance controls. These
include both Policy
bundles and the constraint template library.
Supports custom policies: If policy customization is required beyond
what is available using the constraint template library, Policy Controller
additionally supports the development of custom constraint templates.
Built-in observability: Policy Controller includes a Google Cloud console
dashboard, providing an
overview for the state of all the policies applied to your fleet (including
unregistered clusters). From the dashboard, view compliance and enforcement
status to help you troubleshoot, and get opinionated
recommendations to resolve policy violations.
Policy bundles
You can use policy bundles to apply a number of constraints that are grouped
under a specific Kubernetes standard, security, or compliance theme.
For example, you can use the following policy bundles:
Policy Controller enforces your clusters' compliance using objects called
constraints. You can think of constraints as the "building blocks" of policy.
Each constraint defines a specific change to the Kubernetes API that is allowed
or disallowed on the cluster it's applied to. You can set policies to either
actively block non-compliant API requests or
audit the configuration of your
clusters and report violations. In either case, you can view warning messages
with details on what violation occurred on a cluster. With that information, you
can remediate problems. For example, you can use the following individual
constraints:
These are just a few of the constraints provided in the constraint template
library included
with Policy Controller. This library contains numerous policies that you can use
to help enforce best practices and limit risk. If you require more customization
beyond what is available in the constraint template library, you can also create
custom constraint
templates.
Constraints can be applied directly to your clusters using the Kubernetes API,
or distributed to a set of clusters from a centralized source, like a Git repository, by using
Config Sync.
[[["Easy to understand","easyToUnderstand","thumb-up"],["Solved my problem","solvedMyProblem","thumb-up"],["Other","otherUp","thumb-up"]],[["Hard to understand","hardToUnderstand","thumb-down"],["Incorrect information or sample code","incorrectInformationOrSampleCode","thumb-down"],["Missing the information/samples I need","missingTheInformationSamplesINeed","thumb-down"],["Other","otherDown","thumb-down"]],["Last updated 2025-09-04 UTC."],[],[],null,["This page explains what Policy Controller is and how you can use it to help ensure\nyour Kubernetes clusters and workloads are running in a secure and compliant\nmanner.\n\nThis page is for IT administrators, Operators, and\nSecurity specialists who define IT solutions and system architecture\nin accordance with company strategy, and ensure that all resources running\nwithin the cloud platform meet organizational compliance requirements by\nproviding and maintaining automation to audit or enforce. To learn more about\ncommon roles and example tasks that we reference in Google Cloud content, see\n[Common GKE user roles and tasks](/kubernetes-engine/enterprise/docs/concepts/roles-tasks).\n\nPolicy Controller enables the application and enforcement of programmable policies\nfor your Kubernetes clusters. These policies act as **guardrails** and can help\nwith best practices, security, and compliance management of your clusters and\nfleet. Based on the open source\n[Open Policy Agent Gatekeeper](https://open-policy-agent.github.io/gatekeeper/website/docs/)\nproject, Policy Controller is fully integrated with Google Cloud,\nincludes a built-in dashboard,\nfor observability, and comes with a full library of prebuilt policies for\ncommon security and compliance controls.\n\nPolicy Controller benefits\n\n- **Integrated with Google Cloud** : Platform admins can [install\n Policy Controller](/kubernetes-engine/enterprise/policy-controller/docs/how-to/installing-policy-controller) by using the Google Cloud console, by using Terraform, or by using Google Cloud CLI on any cluster connected to your fleet. Policy Controller works with other Google Cloud services like [Config Sync](/kubernetes-engine/enterprise/config-sync/docs/overview), [metrics](/kubernetes-engine/enterprise/policy-controller/docs/how-to/policy-controller-metrics), and Cloud Monitoring.\n- **Supports multiple enforcement points** : In addition to both audit and admission control for your cluster, Policy Controller can optionally enable a [shift-left\n approach](/architecture/devops/devops-tech-shifting-left-on-security) to [analyse and catch non-compliant changes](/kubernetes-engine/enterprise/policy-controller/docs/tutorials/app-policy-validation-ci-pipeline) prior to application.\n- **Prebuilt policy bundles** : Policy Controller comes with a full library of prebuilt policies for common security and compliance controls. These include both [Policy\n bundles](/kubernetes-engine/enterprise/policy-controller/docs/concepts/policy-controller-bundles) and the [constraint template library](/kubernetes-engine/enterprise/policy-controller/docs/latest/reference/constraint-template-library).\n- **Supports custom policies** : If policy customization is required beyond what is available using the [constraint template library](/kubernetes-engine/enterprise/policy-controller/docs/latest/reference/constraint-template-library), Policy Controller additionally supports the development of custom [*constraint templates*](/kubernetes-engine/enterprise/policy-controller/docs/how-to/write-custom-constraint-templates).\n- **Built-in observability** : Policy Controller includes a Google Cloud console [dashboard](/kubernetes-engine/enterprise/policy-controller/docs/how-to/policy-controller-status), providing an overview for the state of all the policies applied to your fleet (including unregistered clusters). From the dashboard, view compliance and enforcement status to help you troubleshoot, and get opinionated recommendations to resolve policy violations.\n\nPolicy bundles\n\nYou can use policy bundles to apply a number of constraints that are grouped\nunder a specific Kubernetes standard, security, or compliance theme.\nFor example, you can use the following policy bundles:\n\n- [Enforce many of the same requirements as\n PodSecurityPolicies](/kubernetes-engine/enterprise/policy-controller/docs/how-to/using-constraints-to-enforce-pod-security), but with the added ability to audit your configuration before enforcing it, ensuring any policy changes aren't disruptive to running workloads.\n- [Use constraints compatible with\n Cloud Service Mesh](/kubernetes-engine/enterprise/policy-controller/docs/how-to/using-asm-security-policy) to audit the compliance of your mesh security vulnerabilities and best practices.\n- [Apply general best practices to your cluster resources](/kubernetes-engine/enterprise/policy-controller/docs/how-to/using-policy-essentials-v2022) to help strengthen your security posture.\n\n[Policy Controller bundles overview](/kubernetes-engine/enterprise/policy-controller/docs/concepts/policy-controller-bundles)\nprovides more details and a list of currently available policy bundles.\n\nConstraints\n\nPolicy Controller enforces your clusters' compliance using objects called\n*constraints* . You can think of constraints as the \"building blocks\" of policy.\nEach constraint defines a specific change to the Kubernetes API that is allowed\nor disallowed on the cluster it's applied to. You can set policies to either\nactively block non-compliant API requests or\n[audit](/kubernetes-engine/enterprise/policy-controller/docs/how-to/auditing-constraints) the configuration of your\nclusters and report violations. In either case, you can view warning messages\nwith details on what violation occurred on a cluster. With that information, you\ncan remediate problems. For example, you can use the following individual\nconstraints:\n\n- [Require each namespace to have at least one\n label](/kubernetes-engine/enterprise/policy-controller/docs/latest/reference/constraint-template-library#k8srequiredlabels). This constraint can be used to ensure accurate tracking of resource consumption when using GKE Usage Metering, for example.\n- [Restrict the repositories a given container image can be pulled from](/kubernetes-engine/enterprise/policy-controller/docs/latest/reference/constraint-template-library#k8sallowedrepos). This constraint ensures any attempt to pull containers from unknown sources is denied, protecting your clusters from running potentially malicious software.\n- [Control whether or not a container can run in privileged mode](/kubernetes-engine/enterprise/policy-controller/docs/latest/reference/constraint-template-library#k8spspprivilegedcontainer). This constraint controls the ability of any container to enable privileged mode, which gives you control over which containers (if any) can run with unrestricted policy.\n\nThese are just a few of the constraints provided in the [constraint template\nlibrary](/kubernetes-engine/enterprise/policy-controller/docs/latest/reference/constraint-template-library) included\nwith Policy Controller. This library contains numerous policies that you can use\nto help enforce best practices and limit risk. If you require more customization\nbeyond what is available in the constraint template library, you can also create\ncustom [constraint\ntemplates](/kubernetes-engine/enterprise/policy-controller/docs/how-to/write-custom-constraint-templates).\n\nConstraints can be applied directly to your clusters using the Kubernetes API,\nor distributed to a set of clusters from a centralized source, like a Git repository, by using [Config Sync](/kubernetes-engine/enterprise/config-sync/docs/config-sync-overview).\n\nWhat's next\n\n- [Install Policy Controller](/kubernetes-engine/enterprise/policy-controller/docs/how-to/installing-policy-controller).\n- [Learn about policy bundles](/kubernetes-engine/enterprise/policy-controller/docs/concepts/policy-controller-bundles).\n- [Apply policy bundles](/kubernetes-engine/enterprise/policy-controller/docs/how-to/apply-policy-bundles)"]]