Policy Controller, part of Anthos Config Management, is a Kubernetes dynamic admission controller that checks, audits, and enforces your clusters' compliance with policies related to security, regulations, or arbitrary business rules.
Policy Controller is based on the open source Open Policy Agent Gatekeeper project. Gatekeeper policies are defined using two separate resource types: Constraints and ConstraintTemplates. Having two distinct resource types allows for separation of policy definition (ConstraintTemplate) from policy enforcement (Constraint).
Policy Controller comes with a library of ConstraintTemplates for common security and compliance controls.
This repository contains sample Constraints which make use of Policy Controller's ConstraintTemplates to demonstrate how you might configure policy enforcement on your own cluster.
| Policy Bundle | Anthos [1] | Current Version |
|---|---|---|
| ASM Policy v0.0.1 | No | 202301.0 |
| CIS Kubernetes v1.5.1 | No | 202307.0 |
| National Institute of Standards and Technology SP 800-53 Rev. 5 | Yes | 202307.0 |
| National Institute of Standards and Technology SP 800-190 | Yes | 202307.0 |
| NSA CISA Kubernetes Hardening Guide v1.2 | Yes | 202307.0 |
| Payment Card Industry Data Security Standard (PCI DSS) v3.2.1 and PCI DSS v3.2.1 Extended | Yes | 202306.0 |
| Pod Security Policy v2022 | No | 202305.0 |
| Pod Security Standards Baseline v2022 | No | 202305.0 |
| Pod Security Standards Restricted v2022 | Yes | 202305.0 |
| Policy Essentials v2022 | No | 202307.0 |
[1] Anthos Policy Bundles may only be used on an Anthos cluster, including any associated ci/cd use. “Anthos cluster” is defined as “A Cluster (of any kind) registered to a fleet project where the Anthos API is enabled”.