# Policy Controller Policy Bundles

## Contents

- Background
- Policy Bundles
- Usage

## Background

Policy Controller is a Kubernetes dynamic admission controller that checks, audits, and enforces your clusters' compliance with policies related to security, regulations, or arbitrary business rules.

Policy Controller is based on the open source Open Policy Agent Gatekeeper project. Gatekeeper policies are defined using two separate resource types: Constraints and ConstraintTemplates. Having two distinct resource types allows for separation of policy definition (ConstraintTemplate) from policy enforcement (Constraint).

Policy Controller comes with a library of ConstraintTemplates for common security and compliance controls.

This repository contains sample Constraints which make use of Policy Controller's ConstraintTemplates to demonstrate how you might configure policy enforcement on your own cluster.

## Policy Bundles

| Policy Bundle | Anthos [1] | Current Version |
|---|---|---|
| ASM Policy v0.0.1 | No | 202311.0 |
| Cost and Reliability v2023 | No | 202312.0 |
| CIS Kubernetes v1.5.1 | No | 202312.1 |
| CIS Kubernetes v1.7.1 (Preview) | No | 202403.0-preview |
| CIS Google Kubernetes Engine (GKE) v1.5.0 | Yes | 202403.0 |
| MITRE (Preview) | Yes | 202402.0-preview |
| National Institute of Standards and Technology SP 800-53 Rev. 5 | Yes | 202403.0 |
| National Institute of Standards and Technology SP 800-190 | Yes | 202403.0 |
| NSA CISA Kubernetes Hardening Guide v1.2 | Yes | 202312.1 |
| Payment Card Industry Data Security Standard (PCI DSS) v3.2.1 and PCI DSS v3.2.1 Extended (Deprecated) | Yes | 202403.0 |
| Payment Card Industry Data Security Standard (PCI DSS) v4.0 | Yes | 202403.0 |
| Pod Security Policy v2022 | No | 202312.0 |
| Pod Security Standards Baseline v2022 | No | 202403.1 |
| Pod Security Standards Restricted v2022 | Yes | 202403.1 |
| Policy Essentials v2022 | No | 202403.0 |

[1] Anthos Policy Bundles may only be used on an Anthos cluster, including any associated CI/CD use. "Anthos cluster" is defined as "a Cluster (of any kind) registered to a fleet project where the Anthos API is enabled".

## Usage

See Creating constraints