
Create a powerful Kubernetes security duo with Custom Org Policy and Policy Controller

Google Cloud provides various centralized resource governance controls to assist customers in implementing defense in depth strategies, enabling organizations to securely expand their Google Cloud usage across numerous projects, APIs, and developers. These controls empower administrators to enhance security and ensure compliance throughout the organization while minimizing any additional burden on the development process.


Google Cloud provides two complementary controls for Google Kubernetes Engine (GKE): custom Org Policy and Policy Controller. They work in tandem to enforce governance and compliance at scale while hardening GKE clusters, and because the guardrails are applied automatically rather than reviewed by hand, they can also shorten time-to-market and improve operational efficiency.


Custom Organization Policies serve as adaptable safeguards within Google Cloud, designed to regulate resource configurations and promote security and compliance on a large scale. By utilizing these policies, organizations can centralize their control mechanisms, enforce them in a hierarchical manner, and ensure that only compliant resources are allowed within their infrastructure. The establishment of these policy guardrails creates clear boundaries for development teams, facilitating the implementation of proactive strategies that reduce the risk of incidents while enhancing overall efficiency.


To reduce disruption when rolling out policy changes, custom Org Policies come with two safe-rollout tools: the policy simulator, which previews which existing resources would violate a proposed constraint, and dry run, which evaluates a constraint against live requests and records the violations in audit logs without blocking anything. With these you can design, test, and deploy hierarchical resource configuration guardrails at scale using the gcloud CLI, the Google Cloud console, or Terraform.


Here are four custom Org Policy constraints for GKE to help you get started: 

  • Require Binary Authorization on new GKE clusters, so that only trusted, attested images can be deployed to them.

  • Disallow disabling of node auto-upgrade for new node pools.

  • Enable Workload Identity for new clusters.

  • Disallow disabling of Cloud Logging on existing clusters.

Google also publishes an expanded library of ready-to-use custom constraints.
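As an added example (not part of the original post), the second constraint above, "disallow disabling of node auto-upgrade", written out as a custom constraint definition together with the Org Policy that attaches it to a project. The resource type and the `resource.management.autoUpgrade` attribute follow the GKE custom constraint reference; ORGANIZATION_ID, PROJECT_ID, the file names, and the constraint name `custom.requireNodeAutoUpgrade` are placeholders of my choosing.

```yaml
# Added example: a custom Org Policy constraint for GKE node pools.
# Placeholders: ORGANIZATION_ID, PROJECT_ID, file names, constraint name.
#
# --- constraint-require-auto-upgrade.yaml ---------------------------------
# Create it with:
#   gcloud org-policies set-custom-constraint constraint-require-auto-upgrade.yaml
name: organizations/ORGANIZATION_ID/customConstraints/custom.requireNodeAutoUpgrade
resourceTypes:
- container.googleapis.com/NodePool
methodTypes:
- CREATE
- UPDATE
# CEL expression evaluated against the node pool in the incoming request.
# With actionType ALLOW the request is permitted only when the condition
# holds, so any CREATE or UPDATE that sets autoUpgrade to false is rejected
# at the API layer, before the node pool exists.
condition: "resource.management.autoUpgrade == true"
actionType: ALLOW
displayName: Require node auto-upgrade on node pools
description: Node pools may only be created or updated with auto-upgrade enabled.
---
# --- policy-require-auto-upgrade.yaml --------------------------------------
# Attach the constraint at the project level (a folder or the organization
# works the same way and is inherited downward). Apply with:
#   gcloud org-policies set-policy policy-require-auto-upgrade.yaml
name: projects/PROJECT_ID/policies/custom.requireNodeAutoUpgrade
# dryRunSpec records would-be violations in audit logs without blocking,
# which is the safe first step for a constraint that affects existing
# automation. Once the logs are clean, move the same rules under `spec:`
# (or keep both) to start enforcing.
dryRunSpec:
  rules:
  - enforce: true
```

Note that the constraint only guards the `container.googleapis.com/NodePool` resource on CREATE and UPDATE, so node pools that already had auto-upgrade disabled before the policy was set are not changed; use the policy simulator or the dry-run audit log entries to find those and fix them separately.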


The Policy Controller implements entirely programmable policies for your GKE clusters, serving as protective measures that ensure compliance with security, governance, and regulatory standards. It allows for the application of policies during the admission process, facilitates runtime auditing, and integrates with CI/CD pipelines to provide early feedback on code compliance with established policies. The Policy Controller is built on the open-source Open Policy Agent Gatekeeper framework.


Policy Controller comes with an integrated dashboard so you can get an at-a-glance view for the policies applied to your clusters. This includes enforcement status (dryrun, warn, or enforced), violations, and an advanced remediation flow to help you address the violations for all of your Kubernetes environments including GKE on Google Cloud, Anthos on-prem, Anthos on AWS and Azure, and attached clusters.


Policy Controller also provides policy bundles, out-of-the-box sets of constraints which are created and maintained by Google. Policy bundles can be used as-is, without writing a single line of code. Policy Controller also has a library of more than 80 templates for Kubernetes resources with examples to help you get started with custom policies for your organization.

Some common use cases for Policy Controller (see the full policy library and the policy bundles) include:

  • Restricting RBAC access, such as not allowing unauthenticated principals to be cluster admins.

  • Limiting the repositories that a given container image can be pulled from.

  • Ensuring workloads across a fleet of clusters comply with the Center for Internet Security (CIS) GKE Benchmark and the Pod Security Standards.

  • Verifying required labels are present for all workloads for security or governance purposes.
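As an added example (not from the original post), two of the use cases above expressed as Policy Controller constraints using templates from the constraint template library that Policy Controller ships: `K8sAllowedRepos` to limit image registries, and `K8sRequiredLabels` to require an ownership label. The registry path, the label key and regex, and the excluded namespaces are my assumptions; the enforcement actions show the dryrun / warn / deny progression the dashboard reports on.

```yaml
# Added example: Policy Controller constraints on a GKE cluster.
# Assumed values: the registry prefix, the `owner` label and its regex,
# and the namespaces excluded from matching. Apply with kubectl apply -f.
#
# 1. Only allow images from one Artifact Registry repository.
#    K8sAllowedRepos checks that every container (and init container) image
#    in the matched Pods starts with one of the listed prefixes. Started in
#    dryrun so existing violations show up in the audit without blocking.
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sAllowedRepos
metadata:
  name: allowed-repos
spec:
  enforcementAction: dryrun        # dryrun -> warn -> deny as you gain confidence
  match:
    kinds:
    - apiGroups: [""]
      kinds: ["Pod"]
    excludedNamespaces: ["kube-system", "gke-system"]
  parameters:
    repos:
    - "us-docker.pkg.dev/my-project/trusted/"   # assumed registry path
---
# 2. Every Deployment must carry an `owner` label matching a team address.
#    warn lets the request through but returns the violation message to the
#    client (visible in kubectl output), which is a useful intermediate
#    step before switching to deny.
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sRequiredLabels
metadata:
  name: deployments-must-have-owner
spec:
  enforcementAction: warn
  match:
    kinds:
    - apiGroups: ["apps"]
      kinds: ["Deployment"]
    excludedNamespaces: ["kube-system", "gke-system"]
  parameters:
    message: "Deployments must have an owner label such as team-name@example.com"
    labels:
    - key: owner
      allowedRegex: "^[a-z0-9-]+@example\\.com$"   # assumed naming convention
```

After the audit controller has run, the violations found on already-running resources are written to each constraint's status, for example `kubectl get k8sallowedrepos allowed-repos -o jsonpath='{.status.violations}'`, which is the same data the Policy Controller dashboard aggregates across the fleet. Keep the registry restriction and the Org Policy Binary Authorization requirement together: one decides which registries are acceptable, the other verifies that what came out of them was actually attested.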

Custom Org Policy and Policy Controller are better together

By using custom Org Policies and Policy Controller together, organizations can implement defense in depth for their GKE resources: 

  • Custom Org Policies allow org admins to centrally enforce cluster and nodepool configurations during resource provisioning or mutation. This forms the outer layer of control inherited by GKE resources through the resource hierarchy.

  • Policy Controller offers platform admins dynamic guardrails within individual GKE clusters. This forms the inner granular layer allowing on-cluster Kubernetes administration to meet security, operational and governance requirements.



Layered guardrails using Org Policy and Policy Controller

Together, Org Policy and Policy Controller provide the guardrails needed to run GKE at scale: the outer layer rejects non-compliant clusters and node pools at the Google Cloud API, and the inner layer rejects or flags non-compliant Kubernetes objects at cluster admission.

Built-in integrations for Org Policy and Policy Controller

Additionally, for Security Command Center customers, violations of Org Policy constraints and of Policy Controller constraints are automatically surfaced in the console, supporting a comprehensive view of your organization's risk posture.

Org Policy and Policy Controller also integrate with Cloud Operations logs and metrics, so dry-run and audit violations can be alerted on before enforcement is turned on.

Get started today

The easiest way to get started with Policy Controller is to install Policy Controller and apply a policy bundle to audit your fleet of clusters against a standard, such as PCI DSS 3.2.1, CIS Kubernetes Benchmark 1.5.1, PSS Baseline, PSS Restricted, PSP, Policy Essentials, or Anthos Service Mesh Security.

To implement custom Org Policies, check out our guide to learn how to define, test, deploy, and manage your custom policies. You can also watch the demo of custom Org Policy that we showcased recently.

Whether you're a security architect, a compliance practitioner, or a developer, custom org policies can empower you to take control of your cloud resources. Get started in Cloud Console today.


Author Nerdcore PC

08/27/2024


