Tuesday, December 3, 2024

Custom Org Policy & Policy Controller To Secure Kubernetes


Google Cloud provides several tiers of centralised resource governance controls that help customers implement a defence-in-depth strategy. These controls let organisations expand their Google Cloud adoption safely across thousands of projects, APIs, and developers. Without adding overhead to the development process, they help administrators strengthen security and promote compliance throughout the entire organisation.

Google provides two efficient and complementary controls, Google Cloud custom Org Policy and Policy Controller, specifically for Google Kubernetes Engine (GKE). Used together, these measures can safeguard your GKE clusters and help you achieve full governance and compliance at scale. Adding guardrails can even improve operational efficiency and shorten time to market.


Custom Org Policy 

Custom Org Policies are adaptable resource configuration restrictions offered by Google Cloud that help ensure security and compliance at scale. By centralising controls and enforcing them hierarchically with a custom organisation policy, you can ensure that only compliant resources are allowed in your organisation. Policy guardrails let development teams work within well-defined boundaries without incurring additional cost, which makes it easier to introduce proactive measures that reduce incident risk and improve productivity.

Custom Org Policies support a constantly expanding range of Google Cloud resources, including the GKE cluster and node pool resource types. Using Common Expression Language (CEL), administrators can quickly write custom constraints for GKE resources tailored to specific use cases. These constraints can then be enforced at any level of the resource hierarchy: organisation, folder, or project.

Custom Org Policies also offer safe roll-out tooling, such as Policy Simulator (to preview resource violations before enforcement) and dry-run mode (to identify runtime violations without blocking requests), to minimise disruption when rolling out policy changes.

Using gcloud, the Cloud Console, or Terraform, you can securely create, test, and roll out guardrails for hierarchical resource configurations at scale.


To get you started, consider the following four custom Org Policy constraints for GKE:

  • Enforce Binary Authorization so that new GKE clusters can only run verified and trusted images.
  • Don’t let new node pools disable node auto-upgrade.
  • Require Workload Identity on newly created clusters.
  • Disallow turning off Cloud Logging on clusters that are already in use.
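As an added example (written for this article, not taken from the original post or from Google's documentation), here is the shape of a custom constraint implementing the first item above, requiring Binary Authorization on newly created clusters, together with the policy that enforces it at project level. ORGANIZATION_ID and PROJECT_ID are placeholders; the CEL field path `resource.binaryAuthorization.evaluationMode` and the enum value it is compared against are assumptions drawn from the GKE Cluster API and should be verified against the current resource schema before use.

```yaml
# --- custom constraint (save as constraint.yaml) ---
# Register with: gcloud org-policies set-custom-constraint constraint.yaml
# ORGANIZATION_ID is a placeholder.
name: organizations/ORGANIZATION_ID/customConstraints/custom.requireBinaryAuthorization
resourceTypes:
- container.googleapis.com/Cluster
methodTypes:
- CREATE                       # only evaluated when a cluster is created
# CEL condition evaluated against the cluster in the request. The field path
# and enum value are assumptions based on the GKE Cluster API; verify them
# against the current schema before relying on this constraint.
condition: "resource.binaryAuthorization.evaluationMode == 'PROJECT_SINGLETON_POLICY_ENFORCE'"
# ALLOW means the request is permitted only when the condition is true, so a
# cluster created without Binary Authorization enforcement is rejected.
actionType: ALLOW
displayName: Require Binary Authorization on new GKE clusters
description: New clusters must enforce the project's Binary Authorization policy.
---
# --- policy that turns the constraint on (save as policy.yaml) ---
# Apply with: gcloud org-policies set-policy policy.yaml
# PROJECT_ID is a placeholder; the same policy can target a folder or the
# organisation, and child resources inherit it through the hierarchy.
name: projects/PROJECT_ID/policies/custom.requireBinaryAuthorization
spec:
  rules:
  - enforce: true
# For a safe roll-out, place the same rule under dryRunSpec instead of spec
# first: violations are then logged rather than blocked, which is the dry-run
# mode the article refers to. Promote it to spec once the logs are clean.
```

The two documents are shown in one file for readability; each gcloud command above expects its own file. Checking the dry-run violations in Cloud Audit Logs before moving the rule under `spec` is the step that keeps a new constraint from breaking an existing provisioning pipeline.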

Policy Controller

Policy Controller enforces fully programmable policies on your GKE clusters. These policies act as guardrails that stop changes which would violate governance, compliance, or security controls. With Policy Controller you can apply policies at admission time, audit running resources, or get early feedback on your code against the policies from CI/CD pipelines. Policy Controller is built on the open-source Open Policy Agent (OPA) Gatekeeper project.

Policy Controller includes an integrated dashboard where you can quickly see which policies are applied to your clusters. It shows enforcement status (dry run, warn, or enforced), violations, and a guided remediation workflow, and it helps you handle violations across all of your Kubernetes environments, including GKE on Google Cloud, Anthos on-premises, Anthos on AWS and Azure, and attached clusters.

Policy Controller also offers policy bundles: pre-built sets of constraints that Google creates and maintains. Policy bundles can be used without writing any code at all. To help you build bespoke policies for your company, Policy Controller additionally provides a library of over 80 constraint templates for Kubernetes resources, with examples.

Typical use cases for Policy Controller (the full policy library and the policy bundles) include the following:

  • Limiting RBAC access, for example by not letting unauthenticated principals hold cluster-admin roles.
  • Restricting the repositories from which a given container image may be pulled.
  • Ensuring that workloads across a fleet of clusters comply with the Pod Security Standards and the Center for Internet Security (CIS) GKE Benchmark.
  • Checking that all workloads carry the labels required for governance or security.
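The last use case above, required labels, as an added example written for this article (it is not one of the Policy Controller library templates, although it follows the same Gatekeeper pattern): a ConstraintTemplate carrying a Rego check, and a Constraint that applies it to Deployments in dry-run mode so violations are audited before they block admission. The template name `K8sRequiredGovernanceLabels` and the label names `owner` and `data-classification` are assumptions chosen for the example.

```yaml
# ConstraintTemplate: declares the parameter schema and the Rego policy.
apiVersion: templates.gatekeeper.sh/v1
kind: ConstraintTemplate
metadata:
  name: k8srequiredgovernancelabels   # hypothetical name chosen for this example
spec:
  crd:
    spec:
      names:
        kind: K8sRequiredGovernanceLabels
      validation:
        openAPIV3Schema:
          type: object
          properties:
            labels:
              type: array
              items:
                type: string
  targets:
  - target: admission.k8s.gatekeeper.sh
    rego: |
      package k8srequiredgovernancelabels

      # Raise a violation listing every required label the object lacks.
      violation[{"msg": msg, "details": {"missing_labels": missing}}] {
        provided := {label | input.review.object.metadata.labels[label]}
        required := {label | label := input.parameters.labels[_]}
        missing := required - provided
        count(missing) > 0
        msg := sprintf("missing required governance labels: %v", [missing])
      }
---
# Constraint: instantiates the template with concrete parameters and scope.
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sRequiredGovernanceLabels
metadata:
  name: deployments-need-owner-and-data-class
spec:
  # dryrun records violations in the constraint status and the dashboard
  # without rejecting requests; move to "warn" or "deny" once the fleet is clean.
  enforcementAction: dryrun
  match:
    kinds:
    - apiGroups: ["apps"]
      kinds: ["Deployment"]
    excludedNamespaces: ["kube-system", "gatekeeper-system"]
  parameters:
    labels: ["owner", "data-classification"]   # constructed label names
```

Apply both documents with `kubectl apply -f`, then read `status.violations` on the constraint (`kubectl get k8srequiredgovernancelabels -o yaml`) to see which existing Deployments would be rejected. Excluding the system namespaces keeps the control from interfering with the cluster's own components while the policy is tuned.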

Policy Controller and Custom Org Policy work better together

Organisations can apply defence in depth to their GKE resources by combining custom Org Policies with Policy Controller:

  • Org administrators can centrally enforce cluster and node pool configurations with custom Org Policies when a resource is created or modified. GKE resources inherit this through the resource hierarchy as the outer layer of control.
  • Platform administrators can set dynamic boundaries inside individual GKE clusters with Policy Controller. This is the inner, more granular layer, which lets on-cluster Kubernetes administration satisfy operational, security, and governance requirements.
[Figure: Org Policy and Policy Controller. Image credit to Google Cloud]

The boundaries required to manage GKE at scale are provided by Org Policy and Policy Controller working together.

Integrated support for Policy Controller and Organisation Policy

Furthermore, if you are a Security Command Center customer, findings from Organisation Policy and Policy Controller are automatically forwarded to your console, giving a thorough picture of your company’s risk profile.

Logs and data from Cloud Operations are also integrated with Org Policy and Policy Controller.

Start now

Installing Policy Controller and applying a policy bundle to audit your fleet of clusters against a standard like PCI DSS 3.2.1, CIS Kubernetes Benchmark 1.5.1, PSS Baseline, PSS Restricted, PSP, Policy Essentials, or Anthos Service Mesh Security is the simplest way to begin using Policy Controller.

Before adopting custom Org Policies, check out Google’s tutorial on how to develop, test, deploy, and manage your own policies. You can also view a demonstration of their most recent custom organisation policy features.

Whether you are a developer, a compliance professional, or a security architect, custom organisation policies give you more control over your cloud resources. Open the Cloud Console and get started.
