Policy Controller overview
This page explains what Policy Controller is and how you can use it to help ensure your Kubernetes clusters and workloads are running in a secure and compliant manner.
This page is for IT administrators, Operators, and Security specialists who define IT solutions and system architecture in accordance with company strategy, and ensure that all resources running within the cloud platform meet organizational compliance requirements by providing and maintaining automation to audit or enforce. To learn more about common roles and example tasks that we reference in Google Cloud content, see Common GKE user roles and tasks.
Policy Controller enables the application and enforcement of programmable policies for your Kubernetes clusters. These policies act as guardrails and can help with best practices, security, and compliance management of your clusters and fleet. Based on the open source Open Policy Agent Gatekeeper project, Policy Controller is fully integrated with Google Cloud, includes a built-in dashboard for observability, and comes with a full library of prebuilt policies for common security and compliance controls.
Policy Controller benefits
- Integrated with Google Cloud: Platform admins can install Policy Controller by using the Google Cloud console, by using Terraform, or by using Google Cloud CLI on any cluster connected to your fleet. Policy Controller works with other Google Cloud services like Config Sync, metrics, and Cloud Monitoring.
- Supports multiple enforcement points: In addition to both audit and admission control for your cluster, Policy Controller can optionally enable a shift-left approach to analyze and catch non-compliant changes before they are applied to the cluster.
- Prebuilt policy bundles: Policy Controller comes with a full library of prebuilt policies for common security and compliance controls. These include both Policy bundles and the constraint template library.
- Supports custom policies: If policy customization is required beyond what is available using the constraint template library, Policy Controller additionally supports the development of custom constraint templates.
- Built-in observability: Policy Controller includes a Google Cloud console dashboard, providing an overview for the state of all the policies applied to your fleet (including unregistered clusters). From the dashboard, view compliance and enforcement status to help you troubleshoot, and get opinionated recommendations to resolve policy violations.
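As an added illustration of the custom constraint template workflow mentioned above (this is example code, not from the original page or the Policy Controller project), the following ConstraintTemplate defines a hypothetical K8sRequireImageDigest policy whose Rego rejects Pods with containers that are not pinned to an image digest, followed by a constraint that instantiates it in audit (dryrun) mode. The template name, the kind, the exemptImages parameter and the registry prefix are assumptions chosen for the example.

```yaml
# Added example: a custom ConstraintTemplate (hypothetical name and kind)
# plus one constraint that applies it. Not from the original page.
apiVersion: templates.gatekeeper.sh/v1
kind: ConstraintTemplate
metadata:
  name: k8srequireimagedigest
spec:
  crd:
    spec:
      names:
        kind: K8sRequireImageDigest
      validation:
        # Parameters a constraint may pass to the Rego below.
        openAPIV3Schema:
          type: object
          properties:
            exemptImages:
              type: array
              items:
                type: string
  targets:
    - target: admission.k8s.gatekeeper.sh
      rego: |
        package k8srequireimagedigest

        # Every container, init container and ephemeral container of the
        # Pod under review, gathered into one set so a single rule covers all.
        containers[c] {
          c := input.review.object.spec.containers[_]
        }
        containers[c] {
          c := input.review.object.spec.initContainers[_]
        }
        containers[c] {
          c := input.review.object.spec.ephemeralContainers[_]
        }

        # An image is exempt if it starts with any configured prefix.
        # If exemptImages is unset, no image is exempt.
        exempt(image) {
          prefix := input.parameters.exemptImages[_]
          startswith(image, prefix)
        }

        # One violation per container whose image reference carries no digest.
        violation[{"msg": msg}] {
          c := containers[_]
          not contains(c.image, "@sha256:")
          not exempt(c.image)
          msg := sprintf("container %v uses image %v, which is not pinned by digest", [c.name, c.image])
        }
---
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sRequireImageDigest
metadata:
  name: pods-must-pin-image-digest
spec:
  # dryrun: record violations in audit results without blocking requests.
  # Switch to deny once the audit report shows no unexpected offenders.
  enforcementAction: dryrun
  match:
    kinds:
      - apiGroups: [""]
        kinds: ["Pod"]
    excludedNamespaces: ["kube-system"]
  parameters:
    # Assumption: images from this registry path are allowed to use tags.
    exemptImages: ["us-docker.pkg.dev/my-project/"]
```

Matching on Pod rather than Deployment catches every path that creates a Pod (Deployments, Jobs, direct `kubectl run`), because the admission request Policy Controller sees is the one the controller makes for the Pod itself; the audit pass also reports Pods that already existed before the constraint was applied.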
Policy bundles
You can use policy bundles to apply a number of constraints that are grouped under a specific Kubernetes standard, security, or compliance theme. For example, you can use the following policy bundles:
- Enforce many of the same requirements as PodSecurityPolicies, but with the added ability to audit your configuration before enforcing it, ensuring any policy changes aren't disruptive to running workloads.
- Use constraints compatible with Cloud Service Mesh to audit your mesh for security vulnerabilities and for compliance with best practices.
- Apply general best practices to your cluster resources to help strengthen your security posture.
Policy Controller bundles overview provides more details and a list of currently available policy bundles.
Constraints
Policy Controller enforces your clusters' compliance using objects called constraints. You can think of constraints as the "building blocks" of policy. Each constraint defines a specific condition on Kubernetes API objects that is required or disallowed on the cluster it's applied to. You can set policies to either actively block non-compliant API requests or audit the configuration of your clusters and report violations. In either case, you can view messages with details on which violation occurred on which cluster. With that information, you can remediate problems. For example, you can use the following individual constraints:
- Require each namespace to have at least one label. This constraint can be used to ensure accurate tracking of resource consumption when using GKE Usage Metering, for example.
- Restrict the repositories a given container image can be pulled from. This constraint ensures any attempt to pull containers from unknown sources is denied, protecting your clusters from running potentially malicious software.
- Control whether or not a container can run in privileged mode. This constraint controls the ability of any container to enable privileged mode, which gives you control over which containers (if any) can run with unrestricted privileges.
These are just a few of the constraints provided in the constraint template library included with Policy Controller. This library contains numerous policies that you can use to help enforce best practices and limit risk. If you require more customization beyond what is available in the constraint template library, you can also create custom constraint templates.
Constraints can be applied directly to your clusters using the Kubernetes API, or distributed to a set of clusters from a centralized source, like a Git repository, by using Config Sync.
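The three constraints listed above, written out as constraint manifests against the library templates K8sRequiredLabels, K8sAllowedRepos and K8sPSPPrivilegedContainer (an added example, not code from the original page or the Policy Controller project). The constraint names, the label key and its regex, and the registry path are assumptions. The first constraint runs in dryrun mode so it only reports violations; the other two deny non-compliant admission requests:

```yaml
# Added example: three constraints from the constraint template library.
# enforcementAction decides whether a violation blocks the request (deny)
# or is only recorded by the audit controller (dryrun).
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sRequiredLabels
metadata:
  name: ns-must-have-cost-center
spec:
  enforcementAction: dryrun   # audit only: report, do not block
  match:
    kinds:
      - apiGroups: [""]
        kinds: ["Namespace"]
  parameters:
    labels:
      - key: cost-center
        # Assumption: cost centers are written as cc- followed by four digits.
        allowedRegex: "^cc-[0-9]{4}$"
---
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sAllowedRepos
metadata:
  name: pods-from-trusted-registry
spec:
  enforcementAction: deny     # reject Pods pulling from any other registry
  match:
    kinds:
      - apiGroups: [""]
        kinds: ["Pod"]
    excludedNamespaces: ["kube-system"]
  parameters:
    repos:
      # Assumption: the organization's own Artifact Registry path. Prefix
      # match, so the trailing slash matters; "my-project" alone would also
      # admit "my-project-evil".
      - "us-docker.pkg.dev/my-project/"
---
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sPSPPrivilegedContainer
metadata:
  name: no-privileged-containers
spec:
  enforcementAction: deny     # no container may set securityContext.privileged
  match:
    kinds:
      - apiGroups: [""]
        kinds: ["Pod"]
    excludedNamespaces: ["kube-system"]
```

Apply the manifests with `kubectl apply -f`. After the next audit cycle, `kubectl get k8srequiredlabels ns-must-have-cost-center -o yaml` lists the namespaces that currently fail the check under `status.violations`; reviewing that list while a constraint is still in dryrun is how you confirm that flipping it to deny will not break running workloads.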
What's next
Except as otherwise noted, the content of this page is licensed under the Creative Commons Attribution 4.0 License, and code samples are licensed under the Apache 2.0 License. For details, see the Google Developers Site Policies. Java is a registered trademark of Oracle and/or its affiliates.
Last updated 2026-02-19 UTC.