GCP – Create a powerful Kubernetes security duo with Custom Org Policy and Policy Controller
To help customers implement defense in depth strategies, Google Cloud offers multiple layers of centralized resource governance controls that can help organizations securely scale their Google Cloud adoption across thousands of projects, APIs, and developers. These controls can help administrators strengthen security and support compliance across their entire org, without introducing additional overhead in the development process.
Google Cloud custom Org Policy and Policy Controller are two effective and complementary controls we offer specifically for Google Kubernetes Engine (GKE). Together, these controls can help you achieve comprehensive governance and compliance at scale and secure your GKE clusters. Adding guardrails can even help achieve faster time-to-market and better operational efficiency.
Custom Org Policy
Custom Org Policies are flexible Google Cloud guardrails for resource configurations to help ensure security and compliance at scale. Using custom Org Policy, you can centralize controls, enforce them hierarchically and ensure only compliant resources are permitted in your organization. Implementing policy guardrails sets effective boundaries for development teams without adding overhead, making it easier to introduce proactive measures that minimize risk of incidents and improve efficiency.
Custom Org Policies support a rapidly-growing list of Google Cloud resources including GKE cluster and nodepool resource types. Administrators can quickly craft custom constraints for GKE resources tailored to their use cases using Common Expression Language (CEL) and enforce them at any level of their resource hierarchy: organization, folder or project.
To minimize disruption when rolling out policy changes, custom Org Policies also support safe roll-out tooling like policy simulator (to preview resource violations) and dryrun (to identify runtime violations).
You can safely craft, test and deploy hierarchical resource configuration guardrails at scale using gcloud, the Cloud Console, and Terraform.
Here are four custom Org Policy constraints for GKE to help you get started:
Enforce Binary Authorization, ensuring that only trusted and attested images can be used to spin up new GKE clusters.
Disallow disabling of node auto-upgrade for new node pools.
Enable Workload Identity for new clusters.
Disallow disabling of Cloud Logging on existing clusters.
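As an added example (not from the original post), here are two of the constraints above written out as custom Org Policy constraint files, followed by the policy that enforces the first of them. ORG_ID is a placeholder for your organization ID, the constraint names are constructed, and the CEL field paths (resource.binaryAuthorization.evaluationMode, resource.management.autoUpgrade) are assumed to follow the GKE API Cluster and NodePool resources; check them against the current custom constraint reference before use. The three YAML documents are shown in one listing separated by "---".

```yaml
# Added example, not from the original post. ORG_ID is a placeholder;
# constraint names are constructed; field paths are assumed from the
# GKE API and should be verified against the custom constraint reference.
#
# Apply with:
#   gcloud org-policies set-custom-constraint binauthz-constraint.yaml
#   gcloud org-policies set-custom-constraint nodepool-autoupgrade-constraint.yaml
#   gcloud org-policies set-policy binauthz-policy.yaml

# --- binauthz-constraint.yaml ---
# ALLOW + condition: a new cluster is permitted only when its Binary
# Authorization mode enforces the project policy, so unattested images
# cannot be scheduled on freshly created clusters.
name: organizations/ORG_ID/customConstraints/custom.gkeEnforceBinaryAuthorization
resourceTypes:
- container.googleapis.com/Cluster
methodTypes:
- CREATE
condition: "resource.binaryAuthorization.evaluationMode == 'PROJECT_SINGLETON_POLICY_ENFORCE'"
actionType: ALLOW
displayName: GKE clusters must enforce Binary Authorization
description: New GKE clusters must be created with Binary Authorization enforcement enabled.

---
# --- nodepool-autoupgrade-constraint.yaml ---
# DENY + condition: reject any new node pool that turns node auto-upgrade off.
name: organizations/ORG_ID/customConstraints/custom.gkeNodePoolAutoUpgrade
resourceTypes:
- container.googleapis.com/NodePool
methodTypes:
- CREATE
condition: "resource.management.autoUpgrade == false"
actionType: DENY
displayName: GKE node pools must keep auto-upgrade enabled
description: Node auto-upgrade cannot be disabled on new node pools.

---
# --- binauthz-policy.yaml ---
# Attach the constraint at the organization level in dry-run mode first:
# violations are logged but requests are not blocked. Once the audit logs
# show no unexpected violations, move the rules block under "spec:" to
# enforce it for real.
name: organizations/ORG_ID/policies/custom.gkeEnforceBinaryAuthorization
dryRunSpec:
  rules:
  - enforce: true
```

Because Org Policy is evaluated hierarchically, attaching the policy at the organization node covers every folder and project beneath it; a narrower roll-out can attach the same policy file at a folder or project first.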
You can also find an expanded library of ready-to-use constraints here.
Policy Controller
Policy Controller enforces fully programmable policies for your GKE clusters. These policies also act as guardrails and prevent any changes from violating security, compliance, or governance controls. You can use Policy Controller to apply policies at admission time, to audit at runtime, or from CI/CD pipelines to get early feedback on your code against policies. Policy Controller is based on the open-source Open Policy Agent Gatekeeper.
Policy Controller comes with an integrated dashboard so you can get an at-a-glance view for the policies applied to your clusters. This includes enforcement status (dryrun, warn, or enforced), violations, and an advanced remediation flow to help you address the violations for all of your Kubernetes environments including GKE on Google Cloud, Anthos on-prem, Anthos on AWS and Azure, and attached clusters.
Policy Controller also provides policy bundles, out-of-the-box sets of constraints which are created and maintained by Google. Policy bundles can be used as-is, without writing a single line of code. Policy Controller also has a library of more than 80 templates for Kubernetes resources with examples to help you get started with custom policies for your organization.
Some of the common use cases for Policy Controller (full policy library, policy bundles) include:
Restricting RBAC access, such as not allowing unauthenticated principals to be cluster admins.
Limiting the repositories that a given container image can be pulled from.
Ensuring workloads on a fleet of clusters are compliant with the Center for Internet Security (CIS) GKE Benchmark and Pod Security Standards.
Verifying required labels are present for all workloads for security or governance purposes.
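As an added example (not from the original post), here are two of the use cases above expressed as Policy Controller constraints built from templates in the Gatekeeper constraint template library: K8sAllowedRepos to limit image sources and K8sRequiredLabels to require an owner label. It assumes the template library is installed on the cluster; the "team-a" namespace, the registry path with its PROJECT_ID placeholder and the label regex are constructed for the example.

```yaml
# Added example, not from the original post. Assumes the Gatekeeper
# template library (K8sAllowedRepos, K8sRequiredLabels) is installed.
# Namespace, registry path (PROJECT_ID placeholder) and regex are constructed.
#
# Apply and inspect with:
#   kubectl apply -f constraints.yaml
#   kubectl get constraints        # each constraint with its violation count
#   kubectl get k8srequiredlabels deployments-require-owner -o yaml  # status.violations

# Pods in the team-a namespace may only pull images from the organization's
# own registry path. The match is a prefix match, so keep the trailing "/".
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sAllowedRepos
metadata:
  name: team-a-allowed-repos
spec:
  enforcementAction: deny          # reject non-compliant Pods at admission
  match:
    kinds:
    - apiGroups: [""]
      kinds: ["Pod"]
    namespaces:
    - team-a
  parameters:
    repos:
    - "us-docker.pkg.dev/PROJECT_ID/approved-images/"

---
# Every Deployment must carry an owner label shaped like a team name.
# Start in dryrun so violations are recorded in the constraint's status
# (and surfaced in the Policy Controller dashboard) without blocking
# rollouts; switch enforcementAction to warn or deny once existing
# workloads have been labelled.
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sRequiredLabels
metadata:
  name: deployments-require-owner
spec:
  enforcementAction: dryrun
  match:
    kinds:
    - apiGroups: ["apps"]
      kinds: ["Deployment"]
    excludedNamespaces:
    - kube-system
  parameters:
    labels:
    - key: owner
      allowedRegex: "^team-[a-z0-9]+$"
```

The same two files can be checked in a CI pipeline before they reach a cluster, which is the early-feedback path the text mentions; at admission time the deny constraint blocks the Pod, while the dryrun constraint only reports.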
Custom Org Policy and Policy Controller are better together
By using custom Org Policies and Policy Controller together, organizations can implement defense in depth for their GKE resources:
Custom Org Policies allow org admins to centrally enforce cluster and nodepool configurations during resource provisioning or mutation. This forms the outer layer of control inherited by GKE resources through the resource hierarchy.
Policy Controller offers platform admins dynamic guardrails within individual GKE clusters. This forms the inner granular layer allowing on-cluster Kubernetes administration to meet security, operational and governance requirements.
Layered guardrails using Org Policy and Policy Controller
Together, Org Policy and Policy Controller provide the guardrails needed to run GKE at scale.
Built-in integrations for Org Policy and Policy Controller
Additionally, for Security Command Center customers, data related to Org Policies and Policy Controller is automatically sent to your console, supporting a comprehensive view of your organization’s risk posture.
Org Policy and Policy Controller also integrate with Cloud Operations logs and metrics.
Get started today
The easiest way to get started with Policy Controller is to install Policy Controller and apply a policy bundle to audit your fleet of clusters against a standard, such as PCI DSS 3.2.1, CIS Kubernetes Benchmark 1.5.1, PSS Baseline, PSS Restricted, PSP, Policy Essentials, or Anthos Service Mesh Security.
To implement custom Org Policies, check out our guide to learn how to define, test, deploy, and manage your custom policies. You can watch a demo of custom org policy that we showcased recently.
Whether you’re a security architect, a compliance practitioner, or a developer, custom org policies can empower you to take control of your cloud resources. Get started in Cloud Console today.