Cloud Service Mesh security policy constraints

Note: This guide only supports Cloud Service Mesh with Istio APIs and does not support Google Cloud APIs. For more information, see Cloud Service Mesh overview.

This guide does not support TRAFFIC_DIRECTOR control plane implementation.

Cloud Service Mesh with Istio APIs provides you with powerful and flexible APIs that you can use to configure your mesh. However, without proper management of these resources, your mesh might expose security vulnerabilities. Integrating Policy Controller with Cloud Service Mesh security policy constraints can help you enforce security best practices in your mesh and prevent vulnerabilities.

This page assumes you are already familiar with policy constraints.

Constraints templates

When you install Policy Controller, select Install default template library. This option deploys all of the Cloud Service Mesh security policy constraint templates needed for your mesh. For a full list of the Cloud Service Mesh security constraint templates, see the Constraint template library and look for templates that are prefixed with Asm.

Constraints bundle

We offer an out-of-box constraints bundle for Cloud Service Mesh security policy. For the bundle details and instructions, see Using Cloud Service Mesh security policies.

To follow a tutorial that shows you how to apply this bundle, see Strengthen your app's security with Cloud Service Mesh, Config Sync, and Policy Controller.

Add-on constraints

Some constraint templates are installed with the default template library, but not included in the security policy bundle. These constraint templates serve specific use cases, and you can configure your own constraints:


Last updated 2026-02-19 UTC.