Best Practices

Apply multiple Policy Controller bundles #

This section explains how to enable Policy Controller bundles.

For more detailed information about applying and using policy bundles, read the instructions for the bundle that you want to apply using the left navigation menu. For more information about policy bundles, see the Policy Controller bundles overview.

If you installed Policy Controller using the KOSMOS console, the Samsung Security Checklist bundle is installed by default, but you can enable more bundles.

Before you begin #

• Install Policy Controller

Apply policy bundles #

To apply one or more policy bundles on a cluster using the KOSMOS console, complete the following steps:

1. In the KOSMOS console, go to the Policy page under the Fleet section.

2. Under the Settings tab, in the cluster table, select Edit edit in the Edit configuration column.

3. In the Add/Edit policy bundles menu, ensure the template library is toggled on.

4. To enable all policy bundles, toggle Add all policy bundles on.

5. To enable individual policy bundles, toggle on each policy bundle that you want to enable.

6. Optional: To exempt a namespace from enforcement, expand the Show advanced settings menu. In the Exempt namespaces field, provide a list of valid namespaces.

[!TIP] Best practice: Exempt system namespaces to avoid errors in your environment. You can find the instructions to exempt namespaces and a list of common namespaces created by KOSMOS on the Exclude namespaces page .

7. Select Save changes.

You can view additional information about your policy coverage and violations using the Policy Controller dashboard.

Troubleshooting #

You can’t modify policy bundles that are installed directly by using the instructions on this page. If you’re having issues with a policy bundle and need to make edits, install the bundle by using one of the methods on the individual policy bundle’s page. These methods pull the policy bundle from a Git repository, which lets you make changes. For example, if you want to edit the CIS Kubernetes Benchmark 1.5, follow the instructions on Use CIS Kubernetes Benchmark v1.5.1 policy constraints instead of this page.

What’s next #

• Learn more about applying individual constraints .

Use CIS Kubernetes benchmark v1.5.1 policy constraints #

Policy Controller comes with a default library of constraint templates that can be used with the CIS bundle to audit the compliance of your cluster against the CIS Kubernetes Benchmark v1.5.1. This benchmark is a set of recommendations for configuring Kubernetes to support a strong security posture.

This page contains instructions for manually applying a policy bundle. Alternatively, you can apply policy bundles directly .

This page is for IT administrators and Operators who want to ensure that all resources running within the cloud platform meet organizational compliance requirements by providing and maintaining automation to audit or enforce.

This bundle of constraints addresses and enforces policies in the following domains:

• RBAC and service accounts
• Pod Security Policies
• Network policies and CNI
• Secrets management
• General policies

Note: This bundle has not been certified by CIS.

CIS Kubernetes v1.5.1 policy bundle constraints #

Before you begin #

1. Install Policy Controller on your cluster with the default library of constraint templates.

Audit CIS Kubernetes v1.5.1 policy bundle #

Policy Controller lets you enforce policies for your Kubernetes cluster. To help test your workloads and their compliance with regard to the CIS policies outlined in the preceding table, you can deploy these constraints in “audit” mode to reveal violations and more importantly give yourself a chance to fix them before enforcing on your Kubernetes cluster.

You can apply these policies with spec.enforcementAction set to dryrun using kubectl.

1. (Optional) Preview the policy constraints with kubectl:

kubectl kustomize https://github.com/GoogleCloudPlatform/gke-policy-library.git/bundles/cis-k8s-v1.5.1

2. Apply the policy constraints with kubectl:

kubectl apply -k https://github.com/GoogleCloudPlatform/gke-policy-library.git/bundles/cis-k8s-v1.5.1

k8snoenvvarsecrets.constraints.gatekeeper.sh/cis-k8s-v1.5.1-no-secrets-as-env-vars created
k8spspallowprivilegeescalationcontainer.constraints.gatekeeper.sh/cis-k8s-v1.5.1-psp-allow-privilege-escalation created
k8spspallowedusers.constraints.gatekeeper.sh/cis-k8s-v1.5.1-psp-pods-must-run-as-nonroot created
k8spspcapabilities.constraints.gatekeeper.sh/cis-k8s-v1.5.1-psp-capabilities created
k8spsphostnamespace.constraints.gatekeeper.sh/cis-k8s-v1.5.1-psp-host-namespace created
k8spsphostnetworkingports.constraints.gatekeeper.sh/cis-k8s-v1.5.1-psp-host-network-ports created
k8spspprivilegedcontainer.constraints.gatekeeper.sh/cis-k8s-v1.5.1-psp-privileged-container created
k8spspseccomp.constraints.gatekeeper.sh/cis-k8s-v1.5.1-psp-seccomp-default created
k8spodsrequiresecuritycontext.constraints.gatekeeper.sh/cis-k8s-v1.5.1-pods-require-security-context created
k8sprohibitrolewildcardaccess.constraints.gatekeeper.sh/cis-k8s-v1.5.1-prohibit-role-wildcard-access created
k8srequirenamespacenetworkpolicies.constraints.gatekeeper.sh/cis-k8s-v1.5.1-require-namespace-network-policies created
k8srestrictrolebindings.constraints.gatekeeper.sh/cis-k8s-v1.5.1-restrict-clusteradmin-rolebindings created

3. Verify that policy constraints have been installed and check if violations exist across the cluster:

kubectl get -k https://github.com/GoogleCloudPlatform/gke-policy-library.git/bundles/cis-k8s-v1.5.1

NAME                                                                                 ENFORCEMENT-ACTION   TOTAL-VIOLATIONS
k8snoenvvarsecrets.constraints.gatekeeper.sh/cis-k8s-v1.5.1-no-secrets-as-env-vars   dryrun               0

NAME                                                                                                              ENFORCEMENT-ACTION   TOTAL-VIOLATIONS
k8spspallowprivilegeescalationcontainer.constraints.gatekeeper.sh/cis-k8s-v1.5.1-psp-allow-privilege-escalation   dryrun               0

NAME                                                                                       ENFORCEMENT-ACTION   TOTAL-VIOLATIONS
k8spspallowedusers.constraints.gatekeeper.sh/cis-k8s-v1.5.1-psp-pods-must-run-as-nonroot   dryrun               0

NAME                                                                           ENFORCEMENT-ACTION   TOTAL-VIOLATIONS
k8spspcapabilities.constraints.gatekeeper.sh/cis-k8s-v1.5.1-psp-capabilities   dryrun               0

NAME                                                                              ENFORCEMENT-ACTION   TOTAL-VIOLATIONS
k8spsphostnamespace.constraints.gatekeeper.sh/cis-k8s-v1.5.1-psp-host-namespace   dryrun               0

NAME                                                                                        ENFORCEMENT-ACTION   TOTAL-VIOLATIONS
k8spsphostnetworkingports.constraints.gatekeeper.sh/cis-k8s-v1.5.1-psp-host-network-ports   dryrun               0

NAME                                                                                          ENFORCEMENT-ACTION   TOTAL-VIOLATIONS
k8spspprivilegedcontainer.constraints.gatekeeper.sh/cis-k8s-v1.5.1-psp-privileged-container   dryrun               0

NAME                                                                         ENFORCEMENT-ACTION   TOTAL-VIOLATIONS
k8spspseccomp.constraints.gatekeeper.sh/cis-k8s-v1.5.1-psp-seccomp-default   dryrun               0

NAME                                                                                                   ENFORCEMENT-ACTION   TOTAL-VIOLATIONS
k8spodsrequiresecuritycontext.constraints.gatekeeper.sh/cis-k8s-v1.5.1-pods-require-security-context   dryrun               0

NAME                                                                                                   ENFORCEMENT-ACTION   TOTAL-VIOLATIONS
k8sprohibitrolewildcardaccess.constraints.gatekeeper.sh/cis-k8s-v1.5.1-prohibit-role-wildcard-access   dryrun               0

NAME                                                                                                             ENFORCEMENT-ACTION   TOTAL-VIOLATIONS
k8srequirenamespacenetworkpolicies.constraints.gatekeeper.sh/cis-k8s-v1.5.1-require-namespace-network-policies   dryrun               0

NAME                                                                                                  ENFORCEMENT-ACTION   TOTAL-VIOLATIONS
k8srestrictrolebindings.constraints.gatekeeper.sh/cis-k8s-v1.5.1-restrict-clusteradmin-rolebindings   dryrun               0

View policy violations #

Once the policy constraints are installed in audit mode, violations on the cluster can be viewed in the UI using the Policy Controller Dashboard.

You can also use kubectl to view violations on the cluster using the following command:

kubectl get constraint -l bundleName=cis-k8s-v1.5.1 -o json | jq -cC '.items[]| [.metadata.name,.status.totalViolations]'

If violations are present, a listing of the violation messages per constraint can be viewed with:

kubectl get constraint -l bundleName=cis-k8s-v1.5.1 -o json | jq -C '.items[]| select(.status.totalViolations>0)| [.metadata.name,.status.violations[]?]'

Change CIS Kubernetes v1.5.1 policy bundle enforcement action #

Once you’ve reviewed policy violations on your cluster, you can consider changing the enforcement mode so the Admission Controller will either warn on or even deny block non-compliant resource from getting applied to the cluster.

[!WARNING] The deny enforcement action should be used with care as it can potentially block required changes resulting in interruption to critical workloads or the cluster. It is strongly recommended that only the warn or dryrun enforcement actions are used on clusters with production workloads, when testing new constraints, or performing migrations such as upgrading platforms. For more information about enforcement actions, see Auditing using constraints .

1. Use kubectl to set the policies' enforcement action to warn:

kubectl get constraint -l bundleName=cis-k8s-v1.5.1 -o name | xargs -I {} kubectl patch {} --type='json' -p='[{"op":"replace","path":"/spec/enforcementAction","value":"warn"}]'

1. Verify that policy constraints enforcement action have been updated:

kubectl get constraint -l bundleName=cis-k8s-v1.5.1

Test policy enforcement #

Create a non-compliant resource on the cluster using the following command:

cat <<EOF | kubectl apply -f -
apiVersion: v1
kind: Pod
metadata:
  namespace: default
  name: wp-non-compliant
  labels:
    app: wordpress
spec:
  containers:
    - image: wordpress
      name: wordpress
      ports:
      - containerPort: 80
        name: wordpress
EOF

The admission controller should produce a warning listing out the policy violations that this resource violates, as shown in the following example:

Warning: [cis-k8s-v1.5.1-psp-pods-must-run-as-nonroot] Container wordpress is attempting to run without a required securityContext/runAsNonRoot or securityContext/runAsUser != 0
Warning: [cis-k8s-v1.5.1-psp-allow-privilege-escalation] Privilege escalation container is not allowed: wordpress
Warning: [cis-k8s-v1.5.1-psp-seccomp-default] Seccomp profile 'not configured' is not allowed for container 'wordpress'. Found at: no explicit profile found. Allowed profiles: {"RuntimeDefault", "docker/default", "runtime/default"}
Warning: [cis-k8s-v1.5.1-psp-capabilities] container <wordpress> is not dropping all required capabilities. Container must drop all of ["NET_RAW"] or "ALL"
Warning: [cis-k8s-v1.5.1-pods-require-security-context] securityContext must be defined for all Pod containers
pod/wp-non-compliant created

Remove CIS Kubernetes v1.5.1 policy bundle #

If needed, the CIS K8s policy bundle can be removed from the cluster.

• Use kubectl to remove the policies:

kubectl delete constraint -l bundleName=cis-k8s-v1.5.1

Use NIST SP 800-190 policy constraints #

Policy Controller comes with a default library of constraint templates that can be used with the NIST SP 800-190 which implements controls listed in National Institute of Standards and Technology (NIST) Special Publication (SP) 800-190 , Application Container Security Guide. The bundle is intended to help organizations with application container security including image security, container runtime security, network security and host system security to name a few.

This page contains instructions for manually applying a policy bundle. Alternatively, you can apply policy bundles directly .

This page is for IT administrators and Operators who want to ensure that all resources running within the cloud platform meet organizational compliance requirements by providing and maintaining automation to audit or enforce.

[!Note] This bundle has not been certified by NIST.

NIST SP 800-190 policy bundle constraints #

Before you begin #

1. Install Policy Controller on your cluster with the default library of constraint templates.

Configure your cluster and workload #

1. Container images are limited to an allowed repos list, which can be customized if required in nist-sp-800-190-restrict-repos.
2. Nodes must use Ubuntu for their image in nist-sp-800-190-nodes-have-consistent-time.

Audit NIST SP 800-190 policy bundle #

Policy Controller lets you enforce policies for your Kubernetes cluster. To help test your workloads and their compliance with regard to the NIST policies outlined in the preceding table, you can deploy these constraints in “audit” mode to reveal violations and more importantly give yourself a chance to fix them before enforcing on your Kubernetes cluster.

You can apply these policies with spec.enforcementAction set to dryrun using kubectl.

1. (Optional) Preview the policy constraints with kubectl:

kubectl kustomize https://github.com/GoogleCloudPlatform/gke-policy-library.git/anthos-bundles/nist-sp-800-190

2. Apply the policy constraints with kubectl:

kubectl apply -k https://github.com/GoogleCloudPlatform/gke-policy-library.git/anthos-bundles/nist-sp-800-190

The output is the following:

asmpeerauthnstrictmtls.constraints.gatekeeper.sh/nist-sp-800-190-asm-peer-authn-strict-mtls created
k8sallowedrepos.constraints.gatekeeper.sh/nist-sp-800-190-restrict-repos created
k8sblockcreationwithdefaultserviceaccount.constraints.gatekeeper.sh/nist-sp-800-190-block-creation-with-default-serviceaccount created
k8sblockobjectsoftype.constraints.gatekeeper.sh/nist-sp-800-190-block-secrets-of-type-basic-auth created
k8spspapparmor.constraints.gatekeeper.sh/nist-sp-800-190-apparmor created
k8spspcapabilities.constraints.gatekeeper.sh/nist-sp-800-190-capabilities created
k8spspforbiddensysctls.constraints.gatekeeper.sh/nist-sp-800-190-sysctls created
k8spsphostfilesystem.constraints.gatekeeper.sh/nist-sp-800-190-restrict-hostpath-volumes created
k8spsphostnamespace.constraints.gatekeeper.sh/nist-sp-800-190-host-namespaces created
k8spsphostnetworkingports.constraints.gatekeeper.sh/nist-sp-800-190-host-network created
k8spspprivilegedcontainer.constraints.gatekeeper.sh/nist-sp-800-190-privileged-containers created
k8spspprocmount.constraints.gatekeeper.sh/nist-sp-800-190-proc-mount-type created
k8spspselinuxv2.constraints.gatekeeper.sh/nist-sp-800-190-selinux created
k8spspseccomp.constraints.gatekeeper.sh/nist-sp-800-190-seccomp created
k8spspvolumetypes.constraints.gatekeeper.sh/nist-sp-800-190-restrict-volume-types created
k8sprohibitrolewildcardaccess.constraints.gatekeeper.sh/nist-sp-800-190-restrict-role-wildcards created
k8srequirecosnodeimage.constraints.gatekeeper.sh/nist-sp-800-190-nodes-have-consistent-time created
k8srequirenamespacenetworkpolicies.constraints.gatekeeper.sh/nist-sp-800-190-require-namespace-network-policies created
k8srequiredlabels.constraints.gatekeeper.sh/nist-sp-800-190-require-managed-by-label created
k8srequiredresources.constraints.gatekeeper.sh/nist-sp-800-190-cpu-and-memory-limits-required created
k8srestrictrbacsubjects.constraints.gatekeeper.sh/nist-sp-800-190-restrict-rbac-subjects created
k8srestrictrolebindings.constraints.gatekeeper.sh/nist-sp-800-190-restrict-clusteradmin-rolebindings created

3. Verify that policy constraints have been installed and check if violations exist across the cluster:

kubectl get constraints -l bundleName=nist-sp-800-190

The output is similar to the following:

NAME                                                            ENFORCEMENT-ACTION   TOTAL-VIOLATIONS
k8spspapparmor.constraints.gatekeeper.sh/nist-sp-800-190-apparmor   dryrun               0

NAME                                                                                   ENFORCEMENT-ACTION   TOTAL-VIOLATIONS
k8srestrictrbacsubjects.constraints.gatekeeper.sh/nist-sp-800-190-restrict-rbac-subjects   dryrun               0

NAME                                                                   ENFORCEMENT-ACTION   TOTAL-VIOLATIONS
k8spspforbiddensysctls.constraints.gatekeeper.sh/nist-sp-800-190-sysctls   dryrun               0

NAME                                                                            ENFORCEMENT-ACTION   TOTAL-VIOLATIONS
k8spspvolumetypes.constraints.gatekeeper.sh/nist-sp-800-190-restrict-volume-types   dryrun               0

NAME                                                                           ENFORCEMENT-ACTION   TOTAL-VIOLATIONS
k8spsphostnetworkingports.constraints.gatekeeper.sh/nist-sp-800-190-host-network   dryrun               0

NAME                                                                        ENFORCEMENT-ACTION   TOTAL-VIOLATIONS
k8spsphostnamespace.constraints.gatekeeper.sh/nist-sp-800-190-host-namespaces   dryrun               0

NAME                                                                                          ENFORCEMENT-ACTION   TOTAL-VIOLATIONS
k8sprohibitrolewildcardaccess.constraints.gatekeeper.sh/nist-sp-800-190-restrict-role-wildcards   dryrun               0

NAME                                                                                                                         ENFORCEMENT-ACTION   TOTAL-VIOLATIONS
k8sblockcreationwithdefaultserviceaccount.constraints.gatekeeper.sh/nist-sp-800-190-block-creation-with-default-serviceaccount   dryrun               0

NAME                                                                                   ENFORCEMENT-ACTION   TOTAL-VIOLATIONS
k8spsphostfilesystem.constraints.gatekeeper.sh/nist-sp-800-190-restrict-hostpath-volumes   dryrun               0

NAME                                                          ENFORCEMENT-ACTION   TOTAL-VIOLATIONS
k8spspseccomp.constraints.gatekeeper.sh/nist-sp-800-190-seccomp   dryrun               0

NAME                                                                                      ENFORCEMENT-ACTION   TOTAL-VIOLATIONS
asmpeerauthnstrictmtls.constraints.gatekeeper.sh/nist-sp-800-190-asm-peer-authn-strict-mtls   dryrun               0

NAME                                                                                        ENFORCEMENT-ACTION   TOTAL-VIOLATIONS
k8srequiredresources.constraints.gatekeeper.sh/nist-sp-800-190-cpu-and-memory-limits-required   dryrun               0

NAME                                                                    ENFORCEMENT-ACTION   TOTAL-VIOLATIONS
k8spspprocmount.constraints.gatekeeper.sh/nist-sp-800-190-proc-mount-type   dryrun               0

NAME                                                                                           ENFORCEMENT-ACTION   TOTAL-VIOLATIONS
k8sblockobjectsoftype.constraints.gatekeeper.sh/nist-sp-800-190-block-secrets-of-type-basic-auth   dryrun               0

NAME                                                                                                          ENFORCEMENT-ACTION   TOTAL-VIOLATIONS
k8srequirenamespacenetworkpolicies.constraints.gatekeeper.sh/nist-sp-800-190-require-namespace-network-policies   dryrun               0

NAME                                                                    ENFORCEMENT-ACTION   TOTAL-VIOLATIONS
k8spspcapabilities.constraints.gatekeeper.sh/nist-sp-800-190-capabilities   dryrun               0

NAME                                                                               ENFORCEMENT-ACTION   TOTAL-VIOLATIONS
k8srequiredlabels.constraints.gatekeeper.sh/nist-sp-800-190-require-managed-by-label   dryrun               0

NAME                                                                                    ENFORCEMENT-ACTION   TOTAL-VIOLATIONS
k8spspprivilegedcontainer.constraints.gatekeeper.sh/nist-sp-800-190-privileged-containers   dryrun               0

NAME                                                                   ENFORCEMENT-ACTION   TOTAL-VIOLATIONS
k8sallowedrepos.constraints.gatekeeper.sh/nist-sp-800-190-restrict-repos   dryrun               0

NAME                                                            ENFORCEMENT-ACTION   TOTAL-VIOLATIONS
k8spspselinuxv2.constraints.gatekeeper.sh/nist-sp-800-190-selinux   dryrun               0

NAME                                                                                               ENFORCEMENT-ACTION   TOTAL-VIOLATIONS
k8srestrictrolebindings.constraints.gatekeeper.sh/nist-sp-800-190-restrict-clusteradmin-rolebindings   dryrun               0

View policy violations #

Once the policy constraints are installed in audit mode, violations on the cluster can be viewed in the UI using the Policy Controller Dashboard.

You can also use kubectl to view violations on the cluster using the following command:

kubectl get constraint -l bundleName=nist-sp-800-190 -o json | jq -cC '.items[]| [.metadata.name,.status.totalViolations]'

If violations are present, a listing of the violation messages per constraint can be viewed with:

kubectl get constraint -l bundleName=nist-sp-800-190 -o json | jq -C '.items[]| select(.status.totalViolations>0)| [.metadata.name,.status.violations[]?]''

Change NIST SP 800-190 policy bundle enforcement action #

Once you’ve reviewed policy violations on your cluster, you can consider changing the enforcement mode so the Admission Controller will either warn on or even deny block non-compliant resource from getting applied to the cluster.

[!WARNING] The deny enforcement action should be used with care as it can potentially block required changes resulting in interruption to critical workloads or the cluster. It is strongly recommended that only the warn or dryrun enforcement actions are used on clusters with production workloads, when testing new constraints, or performing migrations such as upgrading platforms. For more information about enforcement actions, see Auditing using constraints .

1. Use kubectl to set the policies' enforcement action to warn:

kubectl get constraints -l bundleName=nist-sp-800-190 -o name | xargs -I {} kubectl patch {} --type='json' -p='[{"op":"replace","path":"/spec/enforcementAction","value":"warn"}]'

1. Verify that policy constraints enforcement action have been updated:

kubectl get constraints -l bundleName=nist-sp-800-190

Test policy enforcement #

Create a non-compliant resource on the cluster using the following command:

cat <<EOF | kubectl apply -f -
apiVersion: v1
kind: Pod
metadata:
  name: wp-non-compliant
spec:
  containers:
    ‐ image: wordpress
      name: wordpress
EOF

The admission controller should produce a warning listing out the policy violations that this resource violates, as shown in the following example:

Warning: [nist-sp-800-190-cpu-and-memory-limits-required] container <wordpress> does not have <{"cpu", "memory"}> limits defined
Warning: [nist-sp-800-190-restrict-repos] container <wordpress> has an invalid image repo <wordpress>, allowed repos are ["gcr.io/gke-release/", "gcr.io/anthos-baremetal-release/", "gcr.io/config-management-release/", "gcr.io/kubebuilder/", "gcr.io/gkeconnect/", "gke.gcr.io/"]
pod/wp-non-compliant created

Remove NIST SP 800-190 policy bundle #

If needed, the NIST SP 800-190 policy bundle can be removed from the cluster.

• Use kubectl to remove the policies:

kubectl delete constraint -l bundleName=nist-sp-800-190

Use NIST SP 800-53 Rev. 5 policy constraints #

Policy Controller comes with a default library of constraint templates that can be used with the NIST SP 800-53 Rev. 5 bundle which implements controls listed in National Institute of Standards and Technology (NIST) Special Publication (SP) 800-53 Rev. 5 . The bundle may help organizations protect their systems and data from a variety of threats by implementing out-of-the-box security and privacy policies.

This page contains instructions for manually applying a policy bundle. Alternatively, you can apply policy bundles directly .

Important: This page is for IT administrators and Operators who want to ensure that all resources running within the cloud platform meet organizational compliance requirements by providing and maintaining automation to audit or enforce.

Note: This bundle has not been certified by NIST.

NIST SP 800-53 Rev. 5 policy bundle constraints #

Before you begin #

1. Install Policy Controller on your cluster with the default library of constraint templates.

Configure your cluster and workload #

1. An antivirus solution is required. The default is the presence of a daemonset named clamav in the clamav namespace, however the daemonset’s name and namespace can be customized to your implementation in the nist-sp-800-53-r5-require-av-daemonset constraint.
2. Container images are limited to an allowed repos list, which can be customized if required in nist-sp-800-53-r5-restrict-repos.
3. Nodes must use Ubuntu for their image in nist-sp-800-53-r5-nodes-have-consistent-time.
4. Use of storage classes is limited to an allowed list, which can be customized to add additional classes with default encryption in nist-sp-800-53-r5-restrict-storageclass.

Audit NIST SP 800-53 Rev. 5 policy bundle #

Policy Controller lets you enforce policies for your Kubernetes cluster. To help test your workloads and their compliance with regard to the NIST policies outlined in the preceding table, you can deploy these constraints in “audit” mode to reveal violations and more importantly give yourself a chance to fix them before enforcing on your Kubernetes cluster.

You can apply these policies with spec.enforcementAction set to dryrun using kubectl.

1. (Optional) Preview the policy constraints with kubectl:

kubectl kustomize https://github.com/GoogleCloudPlatform/gke-policy-library.git/anthos-bundles/nist-sp-800-53-r5

2. Apply the policy constraints with kubectl:

kubectl apply -k https://github.com/GoogleCloudPlatform/gke-policy-library.git/anthos-bundles/nist-sp-800-53-r5

asmpeerauthnstrictmtls.constraints.gatekeeper.sh/nist-sp-800-53-r5-asm-peer-authn-strict-mtls created
k8sallowedrepos.constraints.gatekeeper.sh/nist-sp-800-53-r5-restrict-repos created
k8sblockcreationwithdefaultserviceaccount.constraints.gatekeeper.sh/nist-sp-800-53-r5-block-creation-with-default-serviceaccount created
k8sblockobjectsoftype.constraints.gatekeeper.sh/nist-sp-800-53-r5-block-secrets-of-type-basic-auth created
k8spspapparmor.constraints.gatekeeper.sh/nist-sp-800-53-r5-apparmor created
k8spspcapabilities.constraints.gatekeeper.sh/nist-sp-800-53-r5-capabilities created
k8spspforbiddensysctls.constraints.gatekeeper.sh/nist-sp-800-53-r5-sysctls created
k8spsphostfilesystem.constraints.gatekeeper.sh/nist-sp-800-53-r5-restrict-hostpath-volumes created
k8spsphostnamespace.constraints.gatekeeper.sh/nist-sp-800-53-r5-host-namespaces created
k8spsphostnetworkingports.constraints.gatekeeper.sh/nist-sp-800-53-r5-host-network created
k8spspprivilegedcontainer.constraints.gatekeeper.sh/nist-sp-800-53-r5-privileged-containers created
k8spspprocmount.constraints.gatekeeper.sh/nist-sp-800-53-r5-proc-mount-type created
k8spspselinuxv2.constraints.gatekeeper.sh/nist-sp-800-53-r5-selinux created
k8spspseccomp.constraints.gatekeeper.sh/nist-sp-800-53-r5-seccomp created
k8spspvolumetypes.constraints.gatekeeper.sh/nist-sp-800-53-r5-restrict-volume-types created
k8sprohibitrolewildcardaccess.constraints.gatekeeper.sh/nist-sp-800-53-r5-restrict-role-wildcards created
k8srequirecosnodeimage.constraints.gatekeeper.sh/nist-sp-800-53-r5-nodes-have-consistent-time created
k8srequiredaemonsets.constraints.gatekeeper.sh/nist-sp-800-53-r5-require-av-daemonset created
k8srequirenamespacenetworkpolicies.constraints.gatekeeper.sh/nist-sp-800-53-r5-require-namespace-network-policies created
k8srequiredlabels.constraints.gatekeeper.sh/nist-sp-800-53-r5-require-managed-by-label created
k8srequiredresources.constraints.gatekeeper.sh/nist-sp-800-53-r5-cpu-and-memory-limits-required created
k8srestrictrbacsubjects.constraints.gatekeeper.sh/nist-sp-800-53-r5-restrict-rbac-subjects created
k8srestrictrolebindings.constraints.gatekeeper.sh/nist-sp-800-53-r5-restrict-clusteradmin-rolebindings created
k8sstorageclass.constraints.gatekeeper.sh/nist-sp-800-53-r5-restrict-storageclass created

3. Verify that policy constraints have been installed and check if violations exist across the cluster:

kubectl get constraints -l bundleName=nist-sp-800-53-r5

NAME                                                            ENFORCEMENT-ACTION   TOTAL-VIOLATIONS
k8spspapparmor.constraints.gatekeeper.sh/nist-sp-800-53-r5-apparmor   dryrun               0

NAME                                                                                   ENFORCEMENT-ACTION   TOTAL-VIOLATIONS
k8srestrictrbacsubjects.constraints.gatekeeper.sh/nist-sp-800-53-r5-restrict-rbac-subjects   dryrun               0

NAME                                                                   ENFORCEMENT-ACTION   TOTAL-VIOLATIONS
k8spspforbiddensysctls.constraints.gatekeeper.sh/nist-sp-800-53-r5-sysctls   dryrun               0

NAME                                                                            ENFORCEMENT-ACTION   TOTAL-VIOLATIONS
k8spspvolumetypes.constraints.gatekeeper.sh/nist-sp-800-53-r5-restrict-volume-types   dryrun               0

NAME                                                                           ENFORCEMENT-ACTION   TOTAL-VIOLATIONS
k8spsphostnetworkingports.constraints.gatekeeper.sh/nist-sp-800-53-r5-host-network   dryrun               0

NAME                                                                        ENFORCEMENT-ACTION   TOTAL-VIOLATIONS
k8spsphostnamespace.constraints.gatekeeper.sh/nist-sp-800-53-r5-host-namespaces   dryrun               0

NAME                                                                              ENFORCEMENT-ACTION   TOTAL-VIOLATIONS
k8srequiredaemonsets.constraints.gatekeeper.sh/nist-sp-800-53-r5-require-av-daemonset   dryrun               0

NAME                                                                                          ENFORCEMENT-ACTION   TOTAL-VIOLATIONS
k8sprohibitrolewildcardaccess.constraints.gatekeeper.sh/nist-sp-800-53-r5-restrict-role-wildcards   dryrun               0

NAME                                                                                                                         ENFORCEMENT-ACTION   TOTAL-VIOLATIONS
k8sblockcreationwithdefaultserviceaccount.constraints.gatekeeper.sh/nist-sp-800-53-r5-block-creation-with-default-serviceaccount   dryrun               0

NAME                                                                                   ENFORCEMENT-ACTION   TOTAL-VIOLATIONS
k8spsphostfilesystem.constraints.gatekeeper.sh/nist-sp-800-53-r5-restrict-hostpath-volumes   dryrun               0

NAME                                                          ENFORCEMENT-ACTION   TOTAL-VIOLATIONS
k8spspseccomp.constraints.gatekeeper.sh/nist-sp-800-53-r5-seccomp   dryrun               0

NAME                                                                                      ENFORCEMENT-ACTION   TOTAL-VIOLATIONS
asmpeerauthnstrictmtls.constraints.gatekeeper.sh/nist-sp-800-53-r5-asm-peer-authn-strict-mtls   dryrun               0

NAME                                                                                        ENFORCEMENT-ACTION   TOTAL-VIOLATIONS
k8srequiredresources.constraints.gatekeeper.sh/nist-sp-800-53-r5-cpu-and-memory-limits-required   dryrun               0

NAME                                                                    ENFORCEMENT-ACTION   TOTAL-VIOLATIONS
k8spspprocmount.constraints.gatekeeper.sh/nist-sp-800-53-r5-proc-mount-type   dryrun               0

NAME                                                                                           ENFORCEMENT-ACTION   TOTAL-VIOLATIONS
k8sblockobjectsoftype.constraints.gatekeeper.sh/nist-sp-800-53-r5-block-secrets-of-type-basic-auth   dryrun               0

NAME                                                                                                          ENFORCEMENT-ACTION   TOTAL-VIOLATIONS
k8srequirenamespacenetworkpolicies.constraints.gatekeeper.sh/nist-sp-800-53-r5-require-namespace-network-policies   dryrun               0

NAME                                                                    ENFORCEMENT-ACTION   TOTAL-VIOLATIONS
k8spspcapabilities.constraints.gatekeeper.sh/nist-sp-800-53-r5-capabilities   dryrun               0

NAME                                                                          ENFORCEMENT-ACTION   TOTAL-VIOLATIONS
k8sstorageclass.constraints.gatekeeper.sh/nist-sp-800-53-r5-restrict-storageclass   dryrun               0

NAME                                                                               ENFORCEMENT-ACTION   TOTAL-VIOLATIONS
k8srequiredlabels.constraints.gatekeeper.sh/nist-sp-800-53-r5-require-managed-by-label   dryrun               0

NAME                                                                                    ENFORCEMENT-ACTION   TOTAL-VIOLATIONS
k8spspprivilegedcontainer.constraints.gatekeeper.sh/nist-sp-800-53-r5-privileged-containers   dryrun               0

NAME                                                                   ENFORCEMENT-ACTION   TOTAL-VIOLATIONS
k8sallowedrepos.constraints.gatekeeper.sh/nist-sp-800-53-r5-restrict-repos   dryrun               0

NAME                                                            ENFORCEMENT-ACTION   TOTAL-VIOLATIONS
k8spspselinuxv2.constraints.gatekeeper.sh/nist-sp-800-53-r5-selinux   dryrun               0

NAME                                                                                               ENFORCEMENT-ACTION   TOTAL-VIOLATIONS
k8srestrictrolebindings.constraints.gatekeeper.sh/nist-sp-800-53-r5-restrict-clusteradmin-rolebindings   dryrun               0

NAME                                                                                      ENFORCEMENT-ACTION   TOTAL-VIOLATIONS
k8srequirecosnodeimage.constraints.gatekeeper.sh/nist-sp-800-53-r5-nodes-have-consistent-time   dryrun               0

View policy violations #

Once the policy constraints are installed in audit mode, violations on the cluster can be viewed in the UI using the Policy Controller Dashboard.

You can also use kubectl to view violations on the cluster using the following command:

kubectl get constraint -l bundleName=nist-sp-800-53-r5 -o json | jq -cC '.items[]| [.metadata.name,.status.totalViolations]'

If violations are present, a listing of the violation messages per constraint can be viewed with:

kubectl get constraint -l bundleName=nist-sp-800-53-r5 -o json | jq -C '.items[]| select(.status.totalViolations>0)| [.metadata.name,.status.violations[]?]'

Change NIST SP 800-53 Rev. 5 policy bundle enforcement action #

Once you’ve reviewed policy violations on your cluster, you can consider changing the enforcement mode so the Admission Controller will either warn on or even deny block non-compliant resource from getting applied to the cluster.

[!WARNING] The deny enforcement action should be used with care as it can potentially block required changes resulting in interruption to critical workloads or the cluster. It is strongly recommended that only the warn or dryrun enforcement actions are used on clusters with production workloads, when testing new constraints, or performing migrations such as upgrading platforms. For more information about enforcement actions, see Auditing using constraints .

1. Use kubectl to set the policies' enforcement action to warn:

kubectl get constraints -l bundleName=nist-sp-800-53-r5 -o name | xargs -I {} kubectl patch {} --type='json' -p='[{"op":"replace","path":"/spec/enforcementAction","value":"warn"}]'

1. Verify that policy constraints enforcement action have been updated:

kubectl get constraints -l bundleName=nist-sp-800-53-r5

Test policy enforcement #

Create a non-compliant resource on the cluster using the following command:

cat <<EOF | kubectl apply -f -
apiVersion: v1
kind: Pod
metadata:
  name: wp-non-compliant
spec:
  containers:
    ‐ image: wordpress
      name: wordpress
EOF

The admission controller should produce a warning listing out the policy violations that this resource violates, as shown in the following example:

Warning: [nist-sp-800-53-r5-cpu-and-memory-limits-required] container <wordpress> does not have <{"cpu", "memory"}> limits defined
Warning: [nist-sp-800-53-r5-restrict-repos] container <wordpress> has an invalid image repo <wordpress>, allowed repos are ["gcr.io/gke-release/", "gcr.io/anthos-baremetal-release/", "gcr.io/config-management-release/", "gcr.io/kubebuilder/", "gcr.io/gkeconnect/", "gke.gcr.io/"]
pod/wp-non-compliant created

Remove NIST SP 800-53 Rev. 5 policy bundle #

If needed, the NIST SP 800-53 Rev. 5 policy bundle can be removed from the cluster.

• Use kubectl to remove the policies:

kubectl delete constraint -l bundleName=nist-sp-800-53-r5

Use NSA CISA Kubernetes Hardening policy constraints #

Policy Controller comes with a default library of constraint templates that can be used with the National Security Agency (NSA) Cybersecurity and Infrastructure Security Agency (CISA) Kubernetes Hardening Guide v1.2 Policy bundle to evaluate the compliance of your cluster resources against some aspects of the NSA CISA Kubernetes Hardening Guide v1.2 .

This page contains instructions for manually applying a policy bundle. Alternatively, you can apply policy bundles directly .

This page is for IT administrators and Operators who want to ensure that all resources running within the cloud platform meet organizational compliance requirements by providing and maintaining automation to audit or enforce.

[!Note] This bundle has not been certified by NSA and CISA.

NSA CISA Kubernetes Hardening policy bundle constraints #

Before you begin #

1. Install Policy Controller on your cluster with the default library of constraint templates.

Audit NSA CISA Kubernetes Hardening v1.2 policy bundle #

Policy Controller lets you enforce policies for your Kubernetes cluster. To help test your workloads and their compliance with regard to the NSA CISA Kubernetes Hardening Guide v1.2 policies outlined in the preceding table, you can deploy these constraints in “audit” mode to reveal violations and more importantly give yourself a chance to fix them before optionally enforcing on your Kubernetes cluster.

You can apply these policies with spec.enforcementAction set to dryrun using kubectl.

1. (Optional) Preview the policy constraints with kubectl:

kubectl kustomize https://github.com/GoogleCloudPlatform/gke-policy-library.git/anthos-bundles/nsa-cisa-k8s-v1.2

2. Apply the policy constraints with kubectl:

kubectl apply -k https://github.com/GoogleCloudPlatform/gke-policy-library.git/anthos-bundles/nsa-cisa-k8s-v1.2

The output is the following:

k8sblockallingress.constraints.gatekeeper.sh/nsa-cisa-k8s-v1.2-block-all-ingress created
k8sblockobjectsoftype.constraints.gatekeeper.sh/nsa-cisa-k8s-v1.2-block-secrets-of-type-basic-auth created
k8spspallowprivilegeescalationcontainer.constraints.gatekeeper.sh/nsa-cisa-k8s-v1.2-privilege-escalation created
k8spspallowedusers.constraints.gatekeeper.sh/nsa-cisa-k8s-v1.2-running-as-non-root created
k8spspapparmor.constraints.gatekeeper.sh/nsa-cisa-k8s-v1.2-apparmor created
k8spspautomountserviceaccounttokenpod.constraints.gatekeeper.sh/nsa-cisa-k8s-v1.2-automount-serviceaccount-token-pod created
k8spspcapabilities.constraints.gatekeeper.sh/nsa-cisa-k8s-v1.2-capabilities created
k8spsphostfilesystem.constraints.gatekeeper.sh/nsa-cisa-k8s-v1.2-restrict-hostpath-volumes created
k8spsphostnamespace.constraints.gatekeeper.sh/nsa-cisa-k8s-v1.2-host-namespaces created
k8spsphostnetworkingports.constraints.gatekeeper.sh/nsa-cisa-k8s-v1.2-host-network created
k8spsphostnetworkingports.constraints.gatekeeper.sh/nsa-cisa-k8s-v1.2-hostport created
k8spspprivilegedcontainer.constraints.gatekeeper.sh/nsa-cisa-k8s-v1.2-privileged-containers created
k8spspreadonlyrootfilesystem.constraints.gatekeeper.sh/nsa-cisa-k8s-v1.2-readonlyrootfilesystem created
k8spspselinuxv2.constraints.gatekeeper.sh/nsa-cisa-k8s-v1.2-selinux created
k8spspseccomp.constraints.gatekeeper.sh/nsa-cisa-k8s-v1.2-seccomp created
k8srequirenamespacenetworkpolicies.constraints.gatekeeper.sh/nsa-cisa-k8s-v1.2-require-namespace-network-policies created
k8srequiredresources.constraints.gatekeeper.sh/nsa-cisa-k8s-v1.2-cpu-and-memory-limits-required created
k8srestrictrolebindings.constraints.gatekeeper.sh/nsa-cisa-k8s-v1.2-restrict-clusteradmin-rolebindings created
k8srestrictrolebindings.constraints.gatekeeper.sh/nsa-cisa-k8s-v1.2-restrict-edit-rolebindings created
k8srestrictrolerules.constraints.gatekeeper.sh/nsa-cisa-k8s-v1.2-restrict-pods-exec created

3. Verify that policy constraints have been installed and check if violations exist across the cluster:

kubectl get constraints -l bundleName=nsa-cisa-k8s-v1.2

The output is similar to the following:

NAME                                                                               ENFORCEMENT-ACTION   TOTAL-VIOLATIONS
k8sblockallingress.constraints.gatekeeper.sh/nsa-cisa-k8s-v1.2-block-all-ingress   dryrun               0

NAME                                                                                                 ENFORCEMENT-ACTION   TOTAL-VIOLATIONS
k8sblockobjectsoftype.constraints.gatekeeper.sh/nsa-cisa-k8s-v1.2-block-secrets-of-type-basic-auth   dryrun               0

NAME                                                                                 ENFORCEMENT-ACTION   TOTAL-VIOLATIONS
k8spspallowedusers.constraints.gatekeeper.sh/nsa-cisa-k8s-v1.2-running-as-non-root   dryrun               0

NAME                                                                                                       ENFORCEMENT-ACTION   TOTAL-VIOLATIONS
k8spspallowprivilegeescalationcontainer.constraints.gatekeeper.sh/nsa-cisa-k8s-v1.2-privilege-escalation   dryrun               0

NAME                                                                  ENFORCEMENT-ACTION   TOTAL-VIOLATIONS
k8spspapparmor.constraints.gatekeeper.sh/nsa-cisa-k8s-v1.2-apparmor   dryrun               0

NAME                                                                                                                   ENFORCEMENT-ACTION   TOTAL-VIOLATIONS
k8spspautomountserviceaccounttokenpod.constraints.gatekeeper.sh/nsa-cisa-k8s-v1.2-automount-serviceaccount-token-pod   dryrun               0

NAME                                                                          ENFORCEMENT-ACTION   TOTAL-VIOLATIONS
k8spspcapabilities.constraints.gatekeeper.sh/nsa-cisa-k8s-v1.2-capabilities   dryrun               0

NAME                                                                                         ENFORCEMENT-ACTION   TOTAL-VIOLATIONS
k8spsphostfilesystem.constraints.gatekeeper.sh/nsa-cisa-k8s-v1.2-restrict-hostpath-volumes   dryrun               0

NAME                                                                              ENFORCEMENT-ACTION   TOTAL-VIOLATIONS
k8spsphostnamespace.constraints.gatekeeper.sh/nsa-cisa-k8s-v1.2-host-namespaces   dryrun               0

NAME                                                                                 ENFORCEMENT-ACTION   TOTAL-VIOLATIONS
k8spsphostnetworkingports.constraints.gatekeeper.sh/nsa-cisa-k8s-v1.2-host-network   dryrun               0
k8spsphostnetworkingports.constraints.gatekeeper.sh/nsa-cisa-k8s-v1.2-hostport       dryrun               0

NAME                                                                                          ENFORCEMENT-ACTION   TOTAL-VIOLATIONS
k8spspprivilegedcontainer.constraints.gatekeeper.sh/nsa-cisa-k8s-v1.2-privileged-containers   dryrun               0

NAME                                                                                              ENFORCEMENT-ACTION   TOTAL-VIOLATIONS
k8spspreadonlyrootfilesystem.constraints.gatekeeper.sh/nsa-cisa-k8s-v1.2-readonlyrootfilesystem   dryrun               0

NAME                                                                ENFORCEMENT-ACTION   TOTAL-VIOLATIONS
k8spspseccomp.constraints.gatekeeper.sh/nsa-cisa-k8s-v1.2-seccomp   dryrun               0

NAME                                                                  ENFORCEMENT-ACTION   TOTAL-VIOLATIONS
k8spspselinuxv2.constraints.gatekeeper.sh/nsa-cisa-k8s-v1.2-selinux   dryrun               0

NAME                                                                                              ENFORCEMENT-ACTION   TOTAL-VIOLATIONS
k8srequiredresources.constraints.gatekeeper.sh/nsa-cisa-k8s-v1.2-cpu-and-memory-limits-required   dryrun               0

NAME                                                                                                                ENFORCEMENT-ACTION   TOTAL-VIOLATIONS
k8srequirenamespacenetworkpolicies.constraints.gatekeeper.sh/nsa-cisa-k8s-v1.2-require-namespace-network-policies   dryrun               0

NAME                                                                                                     ENFORCEMENT-ACTION   TOTAL-VIOLATIONS
k8srestrictrolebindings.constraints.gatekeeper.sh/nsa-cisa-k8s-v1.2-restrict-clusteradmin-rolebindings   dryrun               0
k8srestrictrolebindings.constraints.gatekeeper.sh/nsa-cisa-k8s-v1.2-restrict-edit-rolebindings           dryrun               0

NAME                                                                                  ENFORCEMENT-ACTION   TOTAL-VIOLATIONS
k8srestrictrolerules.constraints.gatekeeper.sh/nsa-cisa-k8s-v1.2-restrict-pods-exec   dryrun               0

View policy violations #

Once the policy constraints are installed in audit mode, violations on the cluster can be viewed in the UI using the Policy Controller Dashboard.

You can also use kubectl to view violations on the cluster using the following command:

  kubectl get constraint -l bundleName=nsa-cisa-k8s-v1.2 -o json | jq -cC '.items[]| [.metadata.name,.status.totalViolations]'

If violations are present, a listing of the violation messages per constraint can be viewed with:

  kubectl get constraint -l bundleName=nsa-cisa-k8s-v1.2 -o json | jq -C '.items[]| select(.status.totalViolations>0)| [.metadata.name,.status.violations[]?]'

Change NSA CISA Kubernetes Hardening v1.2 policy bundle enforcement action #

Once you’ve reviewed policy violations on your cluster, you can consider changing the enforcement mode so the Admission Controller will either warn on or even deny block non-compliant resource from getting applied to the cluster.

[!WARNING] The deny enforcement action should be used with care as it can potentially block required changes resulting in interruption to critical workloads or the cluster. It is strongly recommended that only the warn or dryrun enforcement actions are used on clusters with production workloads, when testing new constraints, or performing migrations such as upgrading platforms. For more information about enforcement actions, see Auditing using constraints .

1. Use kubectl to set the policies' enforcement action to warn:

kubectl get constraints -l bundleName=nsa-cisa-k8s-v1.2 -o name | xargs -I {} kubectl patch {} --type='json' -p='[{"op":"replace","path":"/spec/enforcementAction","value":"warn"}]'

1. Verify that policy constraints enforcement action have been updated:

kubectl get constraints -l bundleName=nsa-cisa-k8s-v1.2

Test policy enforcement #

Create a non-compliant resource on the cluster using the following command:

cat <<EOF | kubectl apply -f -
apiVersion: v1
kind: Pod
metadata:
  namespace: default
  name: wp-non-compliant
  labels:
    app: wordpress
spec:
  containers:
    - image: wordpress
      name: wordpress
      ports:
      - containerPort: 80
        name: wordpress
EOF

The admission controller should produce a warning listing out the policy violations that this resource violates, as shown in the following example:

Warning: [nsa-cisa-k8s-v1.2-automount-serviceaccount-token-pod] Automounting service account token is disallowed, pod: wp-non-compliant
Warning: [nsa-cisa-k8s-v1.2-running-as-non-root] Container wordpress is attempting to run without a required securityContext/runAsGroup. Allowed runAsGroup: {"ranges": [{"max": 65536, "min": 1000}], "rule": "MustRunAs"}
Warning: [nsa-cisa-k8s-v1.2-running-as-non-root] Container wordpress is attempting to run without a required securityContext/runAsUser
Warning: [nsa-cisa-k8s-v1.2-privilege-escalation] Privilege escalation container is not allowed: wordpress
Warning: [nsa-cisa-k8s-v1.2-cpu-and-memory-limits-required] container <wordpress> does not have <{"cpu", "memory"}> limits defined
Warning: [nsa-cisa-k8s-v1.2-capabilities] container <wordpress> is not dropping all required capabilities. Container must drop all of ["ALL"] or "ALL"
Warning: [nsa-cisa-k8s-v1.2-readonlyrootfilesystem] only read-only root filesystem container is allowed: wordpress
pod/wp-non-compliant created

Remove NSA CISA Kubernetes Hardening v1.2 policy bundle #

If needed, the NSA CISA Kubernetes Hardening v1.2 policy bundle can be removed from the cluster.

• Use kubectl to remove the policies:

kubectl delete constraint -l bundleName=nsa-cisa-k8s-v1.2

Use PCI-DSS v4.0 policy constraints #

Policy Controller comes with a default library of constraint templates that can be used with the PCI-DSS v4.0 bundle to evaluate the compliance of your cluster resources against some aspects of the Payment Card Industry Data Security Standard (PCI-DSS) v4.0 .

This page contains instructions for manually applying a policy bundle. Alternatively, you can apply policy bundles directly .

This page is for IT administrators and Operators who want to ensure that all resources running within the cloud platform meet organizational compliance requirements by providing and maintaining automation to audit or enforce.

Note: This bundle has not been certified by PCI.

PCI-DSS v4.0 policy bundle constraints #

Before you begin #

1. Install Policy Controller on your cluster with the default library of constraint templates.

Configure your cluster’s workload for PCI-DSS v4.0 #

1. All apps (ReplicaSet, Deployment, StatefulSet, DaemonSet) must include a network-controls/date annotation with the schema of YYYY-MM-DD.
2. An antivirus solution is required. The default is the presence of a daemonset named clamav in the clamav Namespace, however the daemonset’s name and namespace can be customized to your implementation in the pci-dss-v4.0-require-av-daemonset constraint.
3. Every Namespace defined in the cluster have a default deny NetworkPolicy for egress, permitted exceptions can be specific in pci-dss-v4.0-require-namespace-network-policies.
4. Every Namespace defined in the cluster must have a NetworkPolicy.
5. If using Cloud Service Mesh, ASM PeerAuthentication must use strict mTLS spec.mtls.mode: STRICT.
6. Only permitted IP ranges can be used for Ingress and Express, these can be specified in pci-dss-v4.0-require-valid-network-ranges.
7. All apps (ReplicaSet, Deployment, StatefulSet, and DaemonSet) must include a pci-dss-firewall-audit label with the schema of pci-dss-[0-9]{4}q[1-4].
8. The use of the cluster-admin ClusterRole is not permitted.
9. Resources cannot be created using the default service account.
10. The default Namespace cannot be used for pods.
11. Only permitted Ingress objects (Ingress, Gateway, and Service types of NodePort and LoadBalancer) can be created, these can be specified in pci-dss-v4.0-restrict-ingress.
12. All nodes must use Ubuntu for their image for consistent time.
13. The use of the wildcard character or the pods/exec permission in Roles and ClusterRoles is not permitted.
14. Only permitted subjects can be used in RBAC bindings, your domain name(s) can be specified in pci-dss-v4.0-restrict-rbac-subjects.
15. The use of encrypt by default StorageClass is required in pci-dss-v4.0-restrict-storageclass.

Audit PCI-DSS v4.0 policy bundle #

Policy Controller lets you enforce policies for your Kubernetes cluster. To help test your workloads and their compliance with regard to the PCI-DSS v4.0 policies outlined in the preceding table, you can deploy these constraints in “audit” mode to reveal violations and more importantly give yourself a chance to fix them before enforcing on your Kubernetes cluster.

You can apply these policies with spec.enforcementAction set to dryrun using kubectl.

1. (Optional) Preview the policy constraints with kubectl:

kubectl kustomize https://github.com/GoogleCloudPlatform/gke-policy-library.git/anthos-bundles/pci-dss-v4.0

2. Apply the policy constraints with kubectl:

kubectl apply -k https://github.com/GoogleCloudPlatform/gke-policy-library.git/anthos-bundles/pci-dss-v4.0

asmpeerauthnstrictmtls.constraints.gatekeeper.sh/pci-dss-v4.0-require-peer-authentication-strict-mtls created
k8sblockallingress.constraints.gatekeeper.sh/pci-dss-v4.0-restrict-ingress created
k8sblockcreationwithdefaultserviceaccount.constraints.gatekeeper.sh/pci-dss-v4.0-restrict-creation-with-default-serviceaccount created
k8sprohibitrolewildcardaccess.constraints.gatekeeper.sh/pci-dss-v4.0-restrict-role-wildcards created
k8srequirecosnodeimage.constraints.gatekeeper.sh/pci-dss-v4.0-restrict-node-image created
k8srequiredaemonsets.constraints.gatekeeper.sh/pci-dss-v4.0-require-av-daemonset created
k8srequiredefaultdenyegresspolicy.constraints.gatekeeper.sh/pci-dss-v4.0-require-default-deny-network-policies created
k8srequirenamespacenetworkpolicies.constraints.gatekeeper.sh/pci-dss-v4.0-require-namespace-network-policies created
k8srequirevalidrangesfornetworks.constraints.gatekeeper.sh/pci-dss-v4.0-require-valid-network-ranges created
k8srequiredannotations.constraints.gatekeeper.sh/pci-dss-v4.0-require-apps-annotations created
k8srequiredlabels.constraints.gatekeeper.sh/pci-dss-v4.0-require-managed-by-label created
k8srequiredlabels.constraints.gatekeeper.sh/pci-dss-v4.0-resources-have-required-labels created
k8srestrictnamespaces.constraints.gatekeeper.sh/pci-dss-v4.0-restrict-default-namespace created
k8srestrictrbacsubjects.constraints.gatekeeper.sh/pci-dss-v4.0-restrict-rbac-subjects created
k8srestrictrolebindings.constraints.gatekeeper.sh/pci-dss-v4.0-restrict-cluster-admin-role created
k8srestrictrolerules.constraints.gatekeeper.sh/pci-dss-v4.0-restrict-pods-exec created
k8sstorageclass.constraints.gatekeeper.sh/pci-dss-v4.0-restrict-storageclass created

3. Verify that policy constraints have been installed and check if violations exist across the cluster:

kubectl get constraints -l bundleName=pci-dss-v4.0

NAME                                                                                                    ENFORCEMENT-ACTION   TOTAL-VIOLATIONS
asmpeerauthnstrictmtls.constraints.gatekeeper.sh/pci-dss-v4.0-require-peer-authentication-strict-mtls   dryrun               0

NAME                                                                         ENFORCEMENT-ACTION   TOTAL-VIOLATIONS
k8sblockallingress.constraints.gatekeeper.sh/pci-dss-v4.0-restrict-ingress   dryrun               0

NAME                                                                                                                             ENFORCEMENT-ACTION   TOTAL-VIOLATIONS
k8sblockcreationwithdefaultserviceaccount.constraints.gatekeeper.sh/pci-dss-v4.0-restrict-creation-with-default-serviceaccount   dryrun               0

NAME                                                                                           ENFORCEMENT-ACTION   TOTAL-VIOLATIONS
k8sprohibitrolewildcardaccess.constraints.gatekeeper.sh/pci-dss-v4.0-restrict-role-wildcards   dryrun               0

NAME                                                                                ENFORCEMENT-ACTION   TOTAL-VIOLATIONS
k8srequirecosnodeimage.constraints.gatekeeper.sh/pci-dss-v4.0-restrict-node-image   dryrun               0

NAME                                                                               ENFORCEMENT-ACTION   TOTAL-VIOLATIONS
k8srequiredaemonsets.constraints.gatekeeper.sh/pci-dss-v4.0-require-av-daemonset   dryrun               0

NAME                                                                                     ENFORCEMENT-ACTION   TOTAL-VIOLATIONS
k8srequiredannotations.constraints.gatekeeper.sh/pci-dss-v4.0-require-apps-annotations   dryrun               0

NAME                                                                                                             ENFORCEMENT-ACTION   TOTAL-VIOLATIONS
k8srequiredefaultdenyegresspolicy.constraints.gatekeeper.sh/pci-dss-v4.0-require-default-deny-network-policies   dryrun               0

NAME                                                                                      ENFORCEMENT-ACTION   TOTAL-VIOLATIONS
k8srequiredlabels.constraints.gatekeeper.sh/pci-dss-v4.0-require-managed-by-label         dryrun               0
k8srequiredlabels.constraints.gatekeeper.sh/pci-dss-v4.0-resources-have-required-labels   dryrun               0

NAME                                                                                                           ENFORCEMENT-ACTION   TOTAL-VIOLATIONS
k8srequirenamespacenetworkpolicies.constraints.gatekeeper.sh/pci-dss-v4.0-require-namespace-network-policies   dryrun               0

NAME                                                                                                   ENFORCEMENT-ACTION   TOTAL-VIOLATIONS
k8srequirevalidrangesfornetworks.constraints.gatekeeper.sh/pci-dss-v4.0-require-valid-network-ranges   dryrun               0

NAME                                                                                      ENFORCEMENT-ACTION   TOTAL-VIOLATIONS
k8srestrictnamespaces.constraints.gatekeeper.sh/pci-dss-v4.0-restrict-default-namespace   dryrun               0

NAME                                                                                    ENFORCEMENT-ACTION   TOTAL-VIOLATIONS
k8srestrictrbacsubjects.constraints.gatekeeper.sh/pci-dss-v4.0-restrict-rbac-subjects   dryrun               0

NAME                                                                                         ENFORCEMENT-ACTION   TOTAL-VIOLATIONS
k8srestrictrolebindings.constraints.gatekeeper.sh/pci-dss-v4.0-restrict-cluster-admin-role   dryrun               0

NAME                                                                             ENFORCEMENT-ACTION   TOTAL-VIOLATIONS
k8srestrictrolerules.constraints.gatekeeper.sh/pci-dss-v4.0-restrict-pods-exec   dryrun               0

NAME                                                                           ENFORCEMENT-ACTION   TOTAL-VIOLATIONS
k8sstorageclass.constraints.gatekeeper.sh/pci-dss-v4.0-restrict-storageclass   dryrun               0

View policy violations #

Once the policy constraints are installed in audit mode, violations on the cluster can be viewed in the UI using the Policy Controller Dashboard.

You can also use kubectl to view violations on the cluster using the following command:

  kubectl get constraint -l bundleName=pci-dss-v4.0 -o json | jq -cC '.items[]| [.metadata.name,.status.totalViolations]'

If violations are present, a listing of the violation messages per constraint can be viewed with:

  kubectl get constraint -l bundleName=pci-dss-v4.0 -o json | jq -C '.items[]| select(.status.totalViolations>0)| [.metadata.name,.status.violations[]?]'

Change PCI-DSS v4.0 policy bundle enforcement action #

Once you’ve reviewed policy violations on your cluster, you can consider changing the enforcement mode so the Admission Controller will either warn on or even deny block non-compliant resource from getting applied to the cluster.

[!WARNING] The deny enforcement action should be used with care as it can potentially block required changes resulting in interruption to critical workloads or the cluster. It is strongly recommended that only the warn or dryrun enforcement actions are used on clusters with production workloads, when testing new constraints, or performing migrations such as upgrading platforms. For more information about enforcement actions, see Auditing using constraints .

1. Use kubectl to set the policies' enforcement action to warn:

kubectl get constraint -l bundleName=pci-dss-v4.0 -o name | xargs -I {} kubectl patch {} --type='json' -p='[{"op":"replace","path":"/spec/enforcementAction","value":"warn"}]'

1. Verify that policy constraints enforcement action have been updated:

kubectl get constraint -l bundleName=pci-dss-v4.0

Test policy enforcement #

Create a non-compliant resource on the cluster using the following command:

cat <<EOF | kubectl apply -f -
apiVersion: v1
kind: Pod
metadata:
  namespace: default
  name: wp-non-compliant
  labels:
    app: wordpress
spec:
  containers:
    - image: wordpress
      name: wordpress
      ports:
      - containerPort: 80
        name: wordpress
EOF

The admission controller should produce a warning listing out the policy violations that this resource violates, as shown in the following example:

Warning: [pci-dss-v4.0-restrict-default-namespace] <default> namespace is restricted
pod/wp-non-compliant created

Remove PCI-DSS v4.0 policy bundle #

If needed, the PCI-DSS v4.0 policy bundle can be removed from the cluster.

• Use kubectl to remove the policies:

kubectl delete constraint -l bundleName=pci-dss-v4.0

Use Pod Security Policy constraints #

Policy Controller comes with a default library of constraint templates that can be used with the Pod Security Policy bundle to achieve many of the same protections as Kubernetes Pod Security Policy (PSP) , with the added ability to test your policies before enforcing them and exclude coverage of specific resources.

This page contains instructions for manually applying a policy bundle. Alternatively, you can apply policy bundles directly .

This page is for IT administrators and Operators who want to ensure that all resources running within the cloud platform meet organizational compliance requirements by providing and maintaining automation to audit or enforce.

The bundle includes these constraints which provide parameters which map to the following Kubernetes Pod Security Policy (PSP) Field Names (Control IDs):

Before you begin #

1. Install Policy Controller on your cluster with the default library of constraint templates.

Audit Pod Security Policy policy bundle #

Policy Controller lets you enforce policies for your Kubernetes cluster. To help test your workloads and their compliance with regard to the KOSMOS recommended best practices outlined in the preceding table, you can deploy these constraints in “audit” mode to reveal violations and more importantly give yourself a chance to fix them before enforcing on your Kubernetes cluster.

You can apply these policies with spec.enforcementAction set to dryrun using kubectl.

1. (Optional) Preview the policy constraints with kubectl:

kubectl kustomize https://github.com/GoogleCloudPlatform/gke-policy-library.git/bundles/psp-v2022

2. Apply the policy constraints with kubectl:

kubectl apply -k https://github.com/GoogleCloudPlatform/gke-policy-library.git/bundles/psp-v2022

k8spspallowprivilegeescalationcontainer.constraints.gatekeeper.sh/psp-v2022-psp-allow-privilege-escalation created
k8spspallowedusers.constraints.gatekeeper.sh/psp-v2022-psp-pods-allowed-user-ranges created
k8spspapparmor.constraints.gatekeeper.sh/psp-v2022-psp-apparmor created
k8spspcapabilities.constraints.gatekeeper.sh/psp-v2022-psp-capabilities created
k8spspfsgroup.constraints.gatekeeper.sh/psp-v2022-psp-fsgroup created
k8spspflexvolumes.constraints.gatekeeper.sh/psp-v2022-psp-flexvolume-drivers created
k8spspforbiddensysctls.constraints.gatekeeper.sh/psp-v2022-psp-forbidden-sysctls created
k8spsphostfilesystem.constraints.gatekeeper.sh/psp-v2022-psp-host-filesystem created
k8spsphostnamespace.constraints.gatekeeper.sh/psp-v2022-psp-host-namespace created
k8spsphostnetworkingports.constraints.gatekeeper.sh/psp-v2022-psp-host-network-ports created
k8spspprivilegedcontainer.constraints.gatekeeper.sh/psp-v2022-psp-privileged-container created
k8spspprocmount.constraints.gatekeeper.sh/psp-v2022-psp-proc-mount created
k8spspreadonlyrootfilesystem.constraints.gatekeeper.sh/psp-v2022-psp-readonlyrootfilesystem created
k8spspselinuxv2.constraints.gatekeeper.sh/psp-v2022-psp-selinux-v2 created
k8spspseccomp.constraints.gatekeeper.sh/psp-v2022-psp-seccomp created
k8spspvolumetypes.constraints.gatekeeper.sh/psp-v2022-psp-volume-types created

3. Verify that policy constraints have been installed and check if violations exist across the cluster:

kubectl get -k https://github.com/GoogleCloudPlatform/gke-policy-library.git/bundles/psp-v2022

NAME                                                                                                         ENFORCEMENT-ACTION   TOTAL-VIOLATIONS
k8spspallowprivilegeescalationcontainer.constraints.gatekeeper.sh/psp-v2022-psp-allow-privilege-escalation   dryrun               0

NAME                                                                                  ENFORCEMENT-ACTION   TOTAL-VIOLATIONS
k8spspallowedusers.constraints.gatekeeper.sh/psp-v2022-psp-pods-allowed-user-ranges   dryrun               0

NAME                                                              ENFORCEMENT-ACTION   TOTAL-VIOLATIONS
k8spspapparmor.constraints.gatekeeper.sh/psp-v2022-psp-apparmor                        0

NAME                                                                      ENFORCEMENT-ACTION   TOTAL-VIOLATIONS
k8spspcapabilities.constraints.gatekeeper.sh/psp-v2022-psp-capabilities   dryrun               0

NAME                                                            ENFORCEMENT-ACTION   TOTAL-VIOLATIONS
k8spspfsgroup.constraints.gatekeeper.sh/psp-v2022-psp-fsgroup                        0

NAME                                                                           ENFORCEMENT-ACTION   TOTAL-VIOLATIONS
k8spspflexvolumes.constraints.gatekeeper.sh/psp-v2022-psp-flexvolume-drivers                        0

NAME                                                                               ENFORCEMENT-ACTION   TOTAL-VIOLATIONS
k8spspforbiddensysctls.constraints.gatekeeper.sh/psp-v2022-psp-forbidden-sysctls                        0

NAME                                                                           ENFORCEMENT-ACTION   TOTAL-VIOLATIONS
k8spsphostfilesystem.constraints.gatekeeper.sh/psp-v2022-psp-host-filesystem                        0

NAME                                                                         ENFORCEMENT-ACTION   TOTAL-VIOLATIONS
k8spsphostnamespace.constraints.gatekeeper.sh/psp-v2022-psp-host-namespace   dryrun               0

NAME                                                                                   ENFORCEMENT-ACTION   TOTAL-VIOLATIONS
k8spsphostnetworkingports.constraints.gatekeeper.sh/psp-v2022-psp-host-network-ports   dryrun               0

NAME                                                                                     ENFORCEMENT-ACTION   TOTAL-VIOLATIONS
k8spspprivilegedcontainer.constraints.gatekeeper.sh/psp-v2022-psp-privileged-container   dryrun               0

NAME                                                                 ENFORCEMENT-ACTION   TOTAL-VIOLATIONS
k8spspprocmount.constraints.gatekeeper.sh/psp-v2022-psp-proc-mount                        0

NAME                                                                                          ENFORCEMENT-ACTION   TOTAL-VIOLATIONS
k8spspreadonlyrootfilesystem.constraints.gatekeeper.sh/psp-v2022-psp-readonlyrootfilesystem                        0

NAME                                                                 ENFORCEMENT-ACTION   TOTAL-VIOLATIONS
k8spspselinuxv2.constraints.gatekeeper.sh/psp-v2022-psp-selinux-v2                        0

NAME                                                            ENFORCEMENT-ACTION   TOTAL-VIOLATIONS
k8spspseccomp.constraints.gatekeeper.sh/psp-v2022-psp-seccomp   dryrun               0

NAME                                                                     ENFORCEMENT-ACTION   TOTAL-VIOLATIONS
k8spspvolumetypes.constraints.gatekeeper.sh/psp-v2022-psp-volume-types                        0

4. (Optional) Adjust the PSP Field Name parameters in the constraint files as required for your cluster environment. For more details check the link for the specific PSP Field Name in the table above. For example in psp-host-network-ports:

parameters:
  hostNetwork: true
  min: 80
  max: 9000

View policy violations #

Once the policy constraints are installed in audit mode, violations on the cluster can be viewed in the UI using the Policy Controller Dashboard.

You can also use kubectl to view violations on the cluster using the following command:

kubectl get constraint -l policycontroller.gke.io/bundleName=psp-v2022 -o json | jq -cC '.items[]| [.metadata.name,.status.totalViolations]'

If violations are present, a listing of the violation messages per constraint can be viewed with:

kubectl get constraint -l policycontroller.gke.io/bundleName=psp-v2022 -o json | jq -C '.items[]| select(.status.totalViolations>0)| [.metadata.name,.status.violations[]?]'

Change Pod Security Policy policy bundle enforcement action #

Once you’ve reviewed policy violations on your cluster, you can consider changing the enforcement mode so the Admission Controller will either warn on or even deny block non-compliant resource from getting applied to the cluster.

[!WARNING] The deny enforcement action should be used with care as it can potentially block required changes resulting in interruption to critical workloads or the cluster. It is strongly recommended that only the warn or dryrun enforcement actions are used on clusters with production workloads, when testing new constraints, or performing migrations such as upgrading platforms. For more information about enforcement actions, see Auditing using constraints .

1. Use kubectl to set the policies' enforcement action to warn:

kubectl get constraint -l bundleName=psp-v2022 -o name | xargs -I {} kubectl patch {} --type='json' -p='[{"op":"replace","path":"/spec/enforcementAction","value":"warn"}]'

1. Verify that policy constraints enforcement action have been updated:

kubectl get constraint -l bundleName=psp-v2022

Test policy enforcement #

Create a non-compliant resource on the cluster using the following command:

cat <<EOF | kubectl apply -f -
apiVersion: v1
kind: Pod
metadata:
  namespace: default
  name: wp-non-compliant
  labels:
    app: wordpress
spec:
  containers:
    - image: wordpress
      name: wordpress
      ports:
      - containerPort: 80
        name: wordpress
EOF

The admission controller should produce a warning listing out the policy violations that this resource violates, as shown in the following example:

Warning: [psp-v2022-psp-pods-allowed-user-ranges] Container wordpress is attempting to run without a required securityContext/fsGroup. Allowed fsGroup: {"ranges": [{"max": 200, "min": 100}], "rule": "MustRunAs"}
Warning: [psp-v2022-psp-pods-allowed-user-ranges] Container wordpress is attempting to run without a required securityContext/runAsGroup. Allowed runAsGroup: {"ranges": [{"max": 200, "min": 100}], "rule": "MustRunAs"}
Warning: [psp-v2022-psp-pods-allowed-user-ranges] Container wordpress is attempting to run without a required securityContext/runAsUser
Warning: [psp-v2022-psp-pods-allowed-user-ranges] Container wordpress is attempting to run without a required securityContext/supplementalGroups. Allowed supplementalGroups: {"ranges": [{"max": 200, "min": 100}], "rule": "MustRunAs"}
Warning: [psp-v2022-psp-allow-privilege-escalation] Privilege escalation container is not allowed: wordpress
Warning: [psp-v2022-psp-seccomp] Seccomp profile 'not configured' is not allowed for container 'wordpress'. Found at: no explicit profile found. Allowed profiles: {"RuntimeDefault", "docker/default", "runtime/default"}
Warning: [psp-v2022-psp-capabilities] container <wordpress> is not dropping all required capabilities. Container must drop all of ["must_drop"] or "ALL"
Warning: [psp-v2022-psp-readonlyrootfilesystem] only read-only root filesystem container is allowed: wordpress
pod/wp-non-compliant created

Remove Pod Security Policy policy bundle #

If needed, the Pod Security Policy policy bundle can be removed from the cluster.

• Use kubectl to remove the policies:

kubectl delete constraint -l bundleName=psp-v2022

Use Pod Security Standards Baseline policy constraints #

Policy Controller comes with a default library of constraint templates that can be used with the Pod Security Standards Baseline bundle to achieve many of the same protections as Kubernetes Pod Security Standards (PSS) Baseline policy , with the added ability to test your policies before enforcing them and exclude coverage of specific resources.

This page contains instructions for manually applying a policy bundle. Alternatively, you can apply policy bundles directly .

This page is for IT administrators and Operators who want to ensure that all resources running within the cloud platform meet organizational compliance requirements by providing and maintaining automation to audit or enforce.

Pod Security Standards Baseline policy bundle constraints #

Before you begin #

1. Install Policy Controller on your cluster with the default library of constraint templates.

Audit Pod Security Standards Baseline policy bundle #

Policy Controller lets you enforce policies for your Kubernetes cluster. To help test your workloads and their compliance with regard to the KOSMOS recommended best practices outlined in the preceding table, you can deploy these constraints in “audit” mode to reveal violations and more importantly give yourself a chance to fix them before enforcing on your Kubernetes cluster.

You can apply these policies with spec.enforcementAction set to dryrun using kubectl.

1. (Optional) Preview the policy constraints with kubectl:

kubectl kustomize https://github.com/GoogleCloudPlatform/gke-policy-library.git/bundles/pss-baseline-v2022

2. Apply the policy constraints with kubectl:

kubectl apply -k https://github.com/GoogleCloudPlatform/gke-policy-library.git/bundles/pss-baseline-v2022

k8spspapparmor.constraints.gatekeeper.sh/pss-baseline-v2022-apparmor created
k8spspcapabilities.constraints.gatekeeper.sh/pss-baseline-v2022-capabilities created
k8spsphostfilesystem.constraints.gatekeeper.sh/pss-baseline-v2022-hostpath-volumes created
k8spsphostnamespace.constraints.gatekeeper.sh/pss-baseline-v2022-host-namespaces-host-pid-ipc created
k8spsphostnetworkingports.constraints.gatekeeper.sh/pss-baseline-v2022-host-namespaces-hostnetwork created
k8spsphostnetworkingports.constraints.gatekeeper.sh/pss-baseline-v2022-host-ports created
k8spspprivilegedcontainer.constraints.gatekeeper.sh/pss-baseline-v2022-privileged-containers created
k8spspprocmount.constraints.gatekeeper.sh/pss-baseline-v2022-proc-mount-type created
k8spspselinuxv2.constraints.gatekeeper.sh/pss-baseline-v2022-selinux created
k8spspseccomp.constraints.gatekeeper.sh/pss-baseline-v2022-seccomp created
k8spspforbiddensysctls.constraints.gatekeeper.sh/pss-baseline-v2022-sysctls created

3. Verify that policy constraints have been installed and check if violations exist across the cluster:

kubectl get -k https://github.com/GoogleCloudPlatform/gke-policy-library.git/bundles/pss-baseline-v2022

NAME                                                                   ENFORCEMENT-ACTION   TOTAL-VIOLATIONS
k8spspapparmor.constraints.gatekeeper.sh/pss-baseline-v2022-apparmor                        0

NAME                                                                           ENFORCEMENT-ACTION   TOTAL-VIOLATIONS
k8spspcapabilities.constraints.gatekeeper.sh/pss-baseline-v2022-capabilities   dryrun               0

NAME                                                                                 ENFORCEMENT-ACTION   TOTAL-VIOLATIONS
k8spsphostfilesystem.constraints.gatekeeper.sh/pss-baseline-v2022-hostpath-volumes                        0

NAME                                                                                            ENFORCEMENT-ACTION   TOTAL-VIOLATIONS
k8spsphostnamespace.constraints.gatekeeper.sh/pss-baseline-v2022-host-namespaces-host-pid-ipc   dryrun               0

NAME                                                                                                 ENFORCEMENT-ACTION   TOTAL-VIOLATIONS
k8spsphostnetworkingports.constraints.gatekeeper.sh/pss-baseline-v2022-host-namespaces-hostnetwork   dryrun               0
k8spsphostnetworkingports.constraints.gatekeeper.sh/pss-baseline-v2022-host-ports                    dryrun               0

NAME                                                                                           ENFORCEMENT-ACTION   TOTAL-VIOLATIONS
k8spspprivilegedcontainer.constraints.gatekeeper.sh/pss-baseline-v2022-privileged-containers   dryrun               0

NAME                                                                           ENFORCEMENT-ACTION   TOTAL-VIOLATIONS
k8spspprocmount.constraints.gatekeeper.sh/pss-baseline-v2022-proc-mount-type                        0

NAME                                                                   ENFORCEMENT-ACTION   TOTAL-VIOLATIONS
k8spspselinuxv2.constraints.gatekeeper.sh/pss-baseline-v2022-selinux                        0

NAME                                                                 ENFORCEMENT-ACTION   TOTAL-VIOLATIONS
k8spspseccomp.constraints.gatekeeper.sh/pss-baseline-v2022-seccomp   dryrun               0

NAME                                                                          ENFORCEMENT-ACTION   TOTAL-VIOLATIONS
k8spspforbiddensysctls.constraints.gatekeeper.sh/pss-baseline-v2022-sysctls   dryrun               0

4. (Optional) Adjust the PSP Field Name parameters in the constraint files as required for your cluster environment. For more details check the link for the specific PSP Field Name in the table above. For example in psp-host-network-ports:

parameters:
  # A minimum restricted known list can be implemented here.
  min: 0
  max: 0

View policy violations #

Once the policy constraints are installed in audit mode, violations on the cluster can be viewed in the UI using the Policy Controller Dashboard.

You can also use kubectl to view violations on the cluster using the following command:

kubectl get constraint -l bundleName=pss-baseline-v2022 -o json | jq -cC '.items[]| [.metadata.name,.status.totalViolations]'

If violations are present, a listing of the violation messages per constraint can be viewed with:

kubectl get constraint -l bundleName=pss-baseline-v2022 -o json | jq -C '.items[]| select(.status.totalViolations>0)| [.metadata.name,.status.violations[]?]'

Change Pod Security Standards Baseline policy bundle enforcement action #

Once you’ve reviewed policy violations on your cluster, you can consider changing the enforcement mode so the Admission Controller will either warn on or even deny block non-compliant resource from getting applied to the cluster.

[!WARNING] The deny enforcement action should be used with care as it can potentially block required changes resulting in interruption to critical workloads or the cluster. It is strongly recommended that only the warn or dryrun enforcement actions are used on clusters with production workloads, when testing new constraints, or performing migrations such as upgrading platforms. For more information about enforcement actions, see Auditing using constraints .

1. Use kubectl to set the policies' enforcement action to warn:

kubectl get constraint -l bundleName=pss-baseline-v2022 -o name | xargs -I {} kubectl patch {} --type='json' -p='[{"op":"replace","path":"/spec/enforcementAction","value":"warn"}]'

1. Verify that policy constraints enforcement action have been updated:

kubectl get constraint -l bundleName=pss-baseline-v2022

Test policy enforcement #

Create a non-compliant resource on the cluster using the following command:

cat <<EOF | kubectl apply -f -
apiVersion: v1
kind: Pod
metadata:
  namespace: default
  name: wp-non-compliant
  labels:
    app: wordpress
spec:
  containers:
    - image: wordpress
      name: wordpress
      ports:
      - containerPort: 80
        hostPort: 80
        name: wordpress
EOF

The admission controller should produce a warning listing out the policy violations that this resource violates, as shown in the following example:

Warning:  [pss-baseline-v2022-host-ports] The specified hostNetwork and hostPort are not allowed, pod: wp-non-compliant. Allowed values: {"max": 0, "min": 0}
pod/wp-non-compliant created

Remove Pod Security Standards Baseline policy bundle #

If needed, the Pod Security Standards Baseline policy bundle can be removed from the cluster.

• Use kubectl to remove the policies:

kubectl delete constraint -l bundleName=pss-baseline-v2022

Use Pod Security Standards Restricted policy constraints #

Policy Controller comes with a default library of constraint templates that can be used with the Pod Security Standards Restricted bundle to achieve many of the same protections as Kubernetes Pod Security Standards (PSS) Restricted policy , with the added ability to test your policies before enforcing them and exclude coverage of specific resources.

This page contains instructions for manually applying a policy bundle. Alternatively, you can apply policy bundles directly .

This page is for IT administrators and Operators who want to ensure that all resources running within the cloud platform meet organizational compliance requirements by providing and maintaining automation to audit or enforce.

The bundle includes these constraints which map to the following Kubernetes Pod Security Standards (PSS) Restricted policy controls:

Before you begin #

1. Install Policy Controller on your cluster with the default library of constraint templates.

Audit Pod Security Standards Restricted policy bundle #

Policy Controller lets you enforce policies for your Kubernetes cluster. To help test your workloads and their compliance with regard to the KOSMOS recommended best practices outlined in the preceding table, you can deploy these constraints in “audit” mode to reveal violations and more importantly give yourself a chance to fix them before enforcing on your Kubernetes cluster.

You can apply these policies with spec.enforcementAction set to dryrun using kubectl.

1. (Optional) Preview the policy constraints with kubectl:

kubectl kustomize https://github.com/GoogleCloudPlatform/gke-policy-library.git/anthos-bundles/pss-restricted-v2022

2. Apply the policy constraints with kubectl:

kubectl apply -k https://github.com/GoogleCloudPlatform/gke-policy-library.git/anthos-bundles/pss-restricted-v2022

k8spspallowprivilegeescalationcontainer.constraints.gatekeeper.sh/pss-restricted-v2022-privilege-escalation created
k8spspallowedusers.constraints.gatekeeper.sh/pss-restricted-v2022-running-as-non-root created
k8spspcapabilities.constraints.gatekeeper.sh/pss-restricted-v2022-capabilities created
k8spspseccomp.constraints.gatekeeper.sh/pss-restricted-v2022-seccomp created
k8spspvolumetypes.constraints.gatekeeper.sh/pss-restricted-v2022-psp-volume-types created

3. Verify that policy constraints have been installed and check if violations exist across the cluster:

kubectl get -k https://github.com/GoogleCloudPlatform/gke-policy-library.git/anthos-bundles/pss-restricted-v2022

NAME                                                                                                          ENFORCEMENT-ACTION   TOTAL-VIOLATIONS
k8spspallowprivilegeescalationcontainer.constraints.gatekeeper.sh/pss-restricted-v2022-privilege-escalation   dryrun               0

NAME                                                                                    ENFORCEMENT-ACTION   TOTAL-VIOLATIONS
k8spspallowedusers.constraints.gatekeeper.sh/pss-restricted-v2022-running-as-non-root   dryrun               0

NAME                                                                             ENFORCEMENT-ACTION   TOTAL-VIOLATIONS
k8spspcapabilities.constraints.gatekeeper.sh/pss-restricted-v2022-capabilities   dryrun               0

NAME                                                                   ENFORCEMENT-ACTION   TOTAL-VIOLATIONS
k8spspseccomp.constraints.gatekeeper.sh/pss-restricted-v2022-seccomp   dryrun               0

NAME                                                                                ENFORCEMENT-ACTION   TOTAL-VIOLATIONS
k8spspvolumetypes.constraints.gatekeeper.sh/pss-restricted-v2022-psp-volume-types   dryrun               0

View policy violations #

Once the policy constraints are installed in audit mode, violations on the cluster can be viewed in the UI using the Policy Controller Dashboard.

You can also use kubectl to view violations on the cluster using the following command:

kubectl get constraint -l bundleName=pss-restricted-v2022 -o json | jq -cC '.items[]| [.metadata.name,.status.totalViolations]'

If violations are present, a listing of the violation messages per constraint can be viewed with:

kubectl get constraint -l bundleName=pss-restricted-v2022 -o json | jq -C '.items[]| select(.status.totalViolations>0)| [.metadata.name,.status.violations[]?]'

Change Pod Security Standards Restricted policy bundle enforcement action #

Once you’ve reviewed policy violations on your cluster, you can consider changing the enforcement mode so the Admission Controller will either warn on or even deny block non-compliant resource from getting applied to the cluster.

[!WARNING] The deny enforcement action should be used with care as it can potentially block required changes resulting in interruption to critical workloads or the cluster. It is strongly recommended that only the warn or dryrun enforcement actions are used on clusters with production workloads, when testing new constraints, or performing migrations such as upgrading platforms. For more information about enforcement actions, see Auditing using constraints .

1. Use kubectl to set the policies' enforcement action to warn:

kubectl get constraint -l bundleName=pss-restricted-v2022 -o name | xargs -I {} kubectl patch {} --type='json' -p='[{"op":"replace","path":"/spec/enforcementAction","value":"warn"}]'

1. Verify that policy constraints enforcement action have been updated:

kubectl get constraint -l bundleName=pss-restricted-v2022

Test policy enforcement #

Create a non-compliant resource on the cluster using the following command:

cat <<EOF | kubectl apply -f -
apiVersion: v1
kind: Pod
metadata:
  namespace: default
  name: wp-non-compliant
  labels:
    app: wordpress
spec:
  containers:
    - image: wordpress
      name: wordpress
      ports:
      - containerPort: 80
        hostPort: 80
        name: wordpress
EOF

The admission controller should produce a warning listing out the policy violations that this resource violates, as shown in the following example:

Warning: [pss-baseline-v2022-host-ports] The specified hostNetwork and hostPort are not allowed, pod: wp-non-compliant. Allowed values: {"max": 0, "min": 0}
pod/wp-non-compliant created

Remove Pod Security Standards Restricted policy bundle #

If needed, the Pod Security Standards Restricted policy bundle can be removed from the cluster.

• Use kubectl to remove the policies:

kubectl delete constraint -l bundleName=pss-restricted-v2022

Policy Controller bundles #

This page describes what Policy Controller bundles are and provides an overview of the available policy bundles.

This page is for IT administrators and Operators who want to ensure that all resources running within the cloud platform meet organizational compliance requirements by providing and maintaining automation to audit or enforce.

About Policy Controller bundles #

You can use Policy Controller to apply individual constraints to your cluster or write your own custom policies. You can also use policy bundles, which let you audit your clusters without writing any constraints. Policy bundles are a group of constraints that can help apply best practices, meet industry standards, or solve regulatory problems across your cluster resources.

You can apply policy bundles to your existing clusters to check if your workloads are compliant. When you apply a policy bundle, it audits your cluster by applying constraints with the dryrun enforcement type. The dryrun enforcement type lets you see violations without blocking your workloads. It’s also recommended that only the warn or dryrun enforcement actions are used on clusters with production workloads, when testing new constraints, or performing migrations such as upgrading platforms. For more information about enforcement actions, see Auditing using constraints .

For example, one type of policy bundle is the CIS Kubernetes Benchmark bundle, which can help audit your cluster resources against the CIS Kubernetes Benchmark . This benchmark is a set of recommendations for configuring Kubernetes resources to support a strong security posture.

Available Policy Controller bundles #

The following table lists the available policy bundles. Select the name of the policy bundle to read documentation on how to apply the bundle, audit resources, and enforce policies.

What’s next #

• Learn more about applying individual constraints .
• Apply best practices to your clusters .

Use Policy Essentials policy constraints #

Policy Controller comes with a default library of constraint templates that can be used with the Policy Essentials bundle to apply KOSMOS recommended best practices to your cluster resources.

This page contains instructions for manually applying a policy bundle. Alternatively, you can apply policy bundles directly .

This page is for IT administrators and Operators who want to ensure that all resources running within the cloud platform meet organizational compliance requirements by providing and maintaining automation to audit or enforce.

This bundle of constraints addresses and enforces policies in the following domains:

• RBAC and service accounts
• Pod Security Policies
• Container Network Interface (CNI)
• Secrets management
• General policies

Policy Essentials policy bundle constraints #

Before you begin #

1. Install Policy Controller on your cluster with the default library of constraint templates.

Audit Policy Essentials policy bundle #

Policy Controller lets you enforce policies for your Kubernetes cluster. To help test your workloads and their compliance with regard to the Google recommended best practices outlined in the preceding table, you can deploy these constraints in “audit” mode to reveal violations and more importantly give yourself a chance to fix them before enforcing on your Kubernetes cluster.

You can apply these policies with spec.enforcementAction set to dryrun using kubectl.

1. (Optional) Preview the policy constraints with kubectl:

kubectl kustomize https://github.com/GoogleCloudPlatform/gke-policy-library.git/bundles/policy-essentials

2. Apply the policy constraints with kubectl:

kubectl apply -k https://github.com/GoogleCloudPlatform/gke-policy-library.git/bundles/policy-essentials

k8snoenvvarsecrets.constraints.gatekeeper.sh/policy-essentials-no-secrets-as-env-vars created
k8spspallowprivilegeescalationcontainer.constraints.gatekeeper.sh/policy-essentials-psp-allow-privilege-escalation created
k8spspallowedusers.constraints.gatekeeper.sh/policy-essentials-psp-pods-must-run-as-nonroot created
k8spspcapabilities.constraints.gatekeeper.sh/policy-essentials-psp-capabilities created
k8spsphostnamespace.constraints.gatekeeper.sh/policy-essentials-psp-host-namespace created
k8spsphostnetworkingports.constraints.gatekeeper.sh/policy-essentials-psp-host-network-ports created
k8spspprivilegedcontainer.constraints.gatekeeper.sh/policy-essentials-psp-privileged-container created
k8spspseccomp.constraints.gatekeeper.sh/policy-essentials-psp-seccomp-default created
k8spodsrequiresecuritycontext.constraints.gatekeeper.sh/policy-essentials-pods-require-security-context created
k8sprohibitrolewildcardaccess.constraints.gatekeeper.sh/policy-essentials-prohibit-role-wildcard-access created
k8srestrictrolebindings.constraints.gatekeeper.sh/policy-essentials-restrict-clusteradmin-rolebindings created

3. Verify that policy constraints have been installed and check if violations exist across the cluster:

kubectl get -k https://github.com/GoogleCloudPlatform/gke-policy-library.git/bundles/policy-essentials

NAME                                                                                          ENFORCEMENT-ACTION   TOTAL-VIOLATIONS
k8snoenvvarsecrets.constraints.gatekeeper.sh/policy-essentials-no-secrets-as-env-vars   dryrun               0

NAME                                                                                                                       ENFORCEMENT-ACTION   TOTAL-VIOLATIONS
k8spspallowprivilegeescalationcontainer.constraints.gatekeeper.sh/policy-essentials-psp-allow-privilege-escalation   dryrun               0

NAME                                                                                                ENFORCEMENT-ACTION   TOTAL-VIOLATIONS
k8spspallowedusers.constraints.gatekeeper.sh/policy-essentials-psp-pods-must-run-as-nonroot   dryrun               0

NAME                                                                                    ENFORCEMENT-ACTION   TOTAL-VIOLATIONS
k8spspcapabilities.constraints.gatekeeper.sh/policy-essentials-psp-capabilities   dryrun               0

NAME                                                                                       ENFORCEMENT-ACTION   TOTAL-VIOLATIONS
k8spsphostnamespace.constraints.gatekeeper.sh/policy-essentials-psp-host-namespace   dryrun               0

NAME                                                                                                 ENFORCEMENT-ACTION   TOTAL-VIOLATIONS
k8spsphostnetworkingports.constraints.gatekeeper.sh/policy-essentials-psp-host-network-ports   dryrun               0

NAME                                                                                                   ENFORCEMENT-ACTION   TOTAL-VIOLATIONS
k8spspprivilegedcontainer.constraints.gatekeeper.sh/policy-essentials-psp-privileged-container   dryrun               0

NAME                                                                                  ENFORCEMENT-ACTION   TOTAL-VIOLATIONS
k8spspseccomp.constraints.gatekeeper.sh/policy-essentials-psp-seccomp-default   dryrun               0

NAME                                                                                                            ENFORCEMENT-ACTION   TOTAL-VIOLATIONS
k8spodsrequiresecuritycontext.constraints.gatekeeper.sh/policy-essentials-pods-require-security-context   dryrun               0

NAME                                                                                                            ENFORCEMENT-ACTION   TOTAL-VIOLATIONS
k8sprohibitrolewildcardaccess.constraints.gatekeeper.sh/policy-essentials-prohibit-role-wildcard-access   dryrun               0

NAME                                                                                                           ENFORCEMENT-ACTION   TOTAL-VIOLATIONS
k8srestrictrolebindings.constraints.gatekeeper.sh/policy-essentials-restrict-clusteradmin-rolebindings   dryrun               0

View policy violations #

Once the policy constraints are installed in audit mode, violations on the cluster can be viewed in the UI using the Policy Controller Dashboard.

You can also use kubectl to view violations on the cluster using the following command:

kubectl get constraint -l bundleName=policy-essentials -o json | jq -cC '.items[]| [.metadata.name,.status.totalViolations]'

If violations are present, a listing of the violation messages per constraint can be viewed with:

kubectl get constraint -l bundleName=policy-essentials -o json | jq -C '.items[]| select(.status.totalViolations>0)| [.metadata.name,.status.violations[]?]'

Change Policy Essentials policy bundle enforcement action #

Once you’ve reviewed policy violations on your cluster, you can consider changing the enforcement mode so the Admission Controller will either warn on or even deny block non-compliant resource from getting applied to the cluster.

[!WARNING] The deny enforcement action should be used with care as it can potentially block required changes resulting in interruption to critical workloads or the cluster. It is strongly recommended that only the warn or dryrun enforcement actions are used on clusters with production workloads, when testing new constraints, or performing migrations such as upgrading platforms. For more information about enforcement actions, see Auditing using constraints .

1. Use kubectl to set the policies' enforcement action to warn:

kubectl get constraint -l bundleName=policy-essentials -o name | xargs -I {} kubectl patch {} --type='json' -p='[{"op":"replace","path":"/spec/enforcementAction","value":"warn"}]'

1. Verify that policy constraints enforcement action have been updated:

kubectl get constraint -l bundleName=policy-essentials

Test policy enforcement #

Create a non-compliant resource on the cluster using the following command:

cat <<EOF | kubectl apply -f -
apiVersion: v1
kind: Pod
metadata:
  namespace: default
  name: wp-non-compliant
  labels:
    app: wordpress
spec:
  containers:
    - image: wordpress
      name: wordpress
      ports:
      - containerPort: 80
        name: wordpress
EOF

The admission controller should produce a warning listing out the policy violations that this resource violates, as shown in the following example:

Warning: [policy-essentials-psp-capabilities] container <wordpress> is not dropping all required capabilities. Container must drop all of ["NET_RAW"] or "ALL"
pod/wp-non-compliant created

Remove Policy Essentials policy bundle #

If needed, the Policy Essentials policy bundle can be removed from the cluster.

• Use kubectl to remove the policies:

kubectl delete constraint -l bundleName=policy-essentials

Use Samsung security checklist policy constraints #

Policy Controller comes with a default library of constraint templates that can be used with the Samsung Security Checklist bundle to conform Samsung Security Checklist items to your cluster resources.

This page contains instructions for manually applying a policy bundle. Alternatively, you can apply policy bundles directly .

This page is for IT administrators and Operators who want to ensure that all resources running within the cloud platform meet organizational compliance requirements by providing and maintaining automation to audit or enforce.

This bundle of constraints addresses and enforces policies in the following domains:

• RBAC and service accounts
• Pod Security Policies
• Container Network Interface (CNI)
• Secrets management
• General policies

Samsung security checklist policy bundle constraints #

Before you begin #

1. Install Policy Controller on your cluster with the default library of constraint templates.

Audit Samsung security checklist policy bundle #

Policy Controller lets you enforce policies for your Kubernetes cluster. To help test your workloads and their compliance with regard to the Samsung Security Checklist policies outlined in the preceding table, you can deploy these constraints in “audit” mode to reveal violations and more importantly give yourself a chance to fix them before enforcing on your Kubernetes cluster.

You can apply these policies with spec.enforcementAction set to dryrun using kubectl.

1. (Optional) Preview the policy constraints with kubectl:

kubectl kustomize https://github.com/GoogleCloudPlatform/gke-policy-library.git/bundles/samsung-security-checklist

2. Apply the policy constraints with kubectl:

kubectl apply -k https://github.com/GoogleCloudPlatform/gke-policy-library.git/bundles/samsung-security-checklist

mksrequiredannotations.constraints.gatekeeper.sh/samsung-security-checklist-alb-require-https-backend created
mksrequiredannotations.constraints.gatekeeper.sh/samsung-security-checklist-alb-require-https-protocol created
mksrequiredannotations.constraints.gatekeeper.sh/samsung-security-checklist-alb-require-https-redirect created
mksrequiredannotations.constraints.gatekeeper.sh/samsung-security-checklist-alb-require-tls-version created
mksrequiredannotations.constraints.gatekeeper.sh/samsung-security-checklist-alb-restrict-traffic-rules created
mksrequiredannotations.constraints.gatekeeper.sh/samsung-security-checklist-nlb-require-tls-protocol created
mksrequiredannotations.constraints.gatekeeper.sh/samsung-security-checklist-nlb-require-tls-version created
mksrequiredannotations.constraints.gatekeeper.sh/samsung-security-checklist-nlb-restrict-traffic-rules created

3. Verify that policy constraints have been installed and check if violations exist across the cluster:

kubectl get -k https://github.com/GoogleCloudPlatform/gke-policy-library.git/bundles/samsung-security-checklist

NAME                                                                                                     ENFORCEMENT-ACTION   TOTAL-VIOLATIONS
mksrequiredannotations.constraints.gatekeeper.sh/samsung-security-checklist-alb-require-https-backend    dryrun               1
mksrequiredannotations.constraints.gatekeeper.sh/samsung-security-checklist-alb-require-https-protocol   dryrun               1
mksrequiredannotations.constraints.gatekeeper.sh/samsung-security-checklist-alb-require-https-redirect   dryrun               1
mksrequiredannotations.constraints.gatekeeper.sh/samsung-security-checklist-alb-require-tls-version      dryrun               2
mksrequiredannotations.constraints.gatekeeper.sh/samsung-security-checklist-alb-restrict-traffic-rules   dryrun               2
mksrequiredannotations.constraints.gatekeeper.sh/samsung-security-checklist-nlb-require-tls-protocol     dryrun               0
mksrequiredannotations.constraints.gatekeeper.sh/samsung-security-checklist-nlb-require-tls-version      dryrun               0
mksrequiredannotations.constraints.gatekeeper.sh/samsung-security-checklist-nlb-restrict-traffic-rules   dryrun               0

View policy violations #

Once the policy constraints are installed in audit mode, violations on the cluster can be viewed in the UI using the Policy Controller Dashboard.

You can also use kubectl to view violations on the cluster using the following command:

kubectl get constraint -l bundleName=samsung-security-checklist -o json | jq -cC '.items[]| [.metadata.name,.status.totalViolations]'

If violations are present, a listing of the violation messages per constraint can be viewed with:

kubectl get constraint -l bundleName=samsung-security-checklist -o json | jq -C '.items[]| select(.status.totalViolations>0)| [.metadata.name,.status.violations[]?]'

Change Samsung security checklist policy bundle enforcement action #

Once you’ve reviewed policy violations on your cluster, you can consider changing the enforcement mode so the Admission Controller will either warn on or even deny block non-compliant resource from getting applied to the cluster.

[!WARNING] The deny enforcement action should be used with care as it can potentially block required changes resulting in interruption to critical workloads or the cluster. It is strongly recommended that only the warn or dryrun enforcement actions are used on clusters with production workloads, when testing new constraints, or performing migrations such as upgrading platforms. For more information about enforcement actions, see Auditing using constraints .

1. Use kubectl to set the policies' enforcement action to warn:

kubectl get constraint -l bundleName=samsung-security-checklist -o name | xargs -I {} kubectl patch {} --type='json' -p='[{"op":"replace","path":"/spec/enforcementAction","value":"warn"}]'

1. Verify that policy constraints enforcement action have been updated:

kubectl get constraint -l bundleName=samsung-security-checklist

Test policy enforcement #

Create a non-compliant resource on the cluster using the following command:

cat <<EOF | kubectl apply -f -
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: nginx
  annotations:
    alb.ingress.kubernetes.io/load-balancer-name: nginx
    alb.ingress.kubernetes.io/scheme: internet-facing
    alb.ingress.kubernetes.io/target-type: ip
    alb.ingress.kubernetes.io/listen-ports: '[{"HTTPS": 443}]'
    alb.ingress.kubernetes.io/ssl-redirect: "443"
spec:
  ingressClassName: alb
  rules:
    - host: this.is.sample.host
      http:
        paths:
          - path: /
            pathType: Prefix
            backend:
              service:
                name: nginx
                port:
                  number: 443
EOF

The admission controller should produce a warning listing out the policy violations that this resource violates, as shown in the following example:

Warning: [samsung-security-checklist-samsung-security-checklist-alb-require-tls-version] container <wordpress> is not dropping all required capabilities. Application LoadBalancer (ALB) is not using TLSv1.2 or higher version.
ingress/nginx created

Remove Samsung security checklist policy bundle #

If needed, the Samsung Security Checklist policy bundle can be removed from the cluster.

• Use kubectl to remove the policies:

kubectl delete constraint -l bundleName=samsung-security-checklist

Edit this page on GitHub