Policy Controller comes with a default library of constraint templates that can be used with the NIST SP 800-53 Rev. 5 bundle which implements controls listed in National Institute of Standards and Technology (NIST) Special Publication (SP) 800-53 Rev. 5. The bundle may help organizations protect their systems and data from a variety of threats by implementing out-of-the-box security and privacy policies.
This page contains instructions for manually applying a policy bundle. Alternatively, you can apply policy bundles directly.
This page is for IT administrators and Operators who want to ensure that all resources running within the cloud platform meet organizational compliance requirements by providing and maintaining automation to audit or enforce. To learn more about common roles and example tasks that we reference in Google Cloud content, see Common GKE Enterprise user roles and tasks.
NIST SP 800-53 Rev. 5 policy bundle constraints
Constraint Name | Constraint Description | Control ID |
---|---|---|
nist-sp-800-53-r5-block-secrets-of-type-basic-auth | Restricts the use of basic-auth type secrets. | AC-16 Security and Privacy Attributes |
nist-sp-800-53-r5-restrict-hostpath-volumes | Restricts the use of HostPath volumes. | |
nist-sp-800-53-r5-restrict-rbac-subjects | Restricts the use of names in RBAC subjects to permitted values. | AC-2 Account Management |
nist-sp-800-53-r5-restrict-rbac-subjects | Restricts the use of names in RBAC subjects to permitted values. | AC-3 Access Enforcement |
nist-sp-800-53-r5-block-secrets-of-type-basic-auth | Restricts the use of basic-auth type secrets. | AC-4 Information Flow Enforcement |
nist-sp-800-53-r5-require-binauthz | Requires the Binary Authorization Validating Admission Webhook. | |
nist-sp-800-53-r5-require-namespace-network-policies | Requires that every namespace defined in the cluster has a NetworkPolicy. | |
nist-sp-800-53-r5-restrict-hostpath-volumes | Restricts the use of HostPath volumes. | |
nist-sp-800-53-r5-require-binauthz | Requires the Binary Authorization Validating Admission Webhook. | AC-6 Least Privilege |
nist-sp-800-53-r5-restrict-clusteradmin-rolebindings | Restricts the use of the `cluster-admin` role. | |
nist-sp-800-53-r5-restrict-repos | Restricts container images to an allowed `repos` list. | |
nist-sp-800-53-r5-restrict-role-wildcards | Restricts the use of wildcards in `Roles` and `ClusterRoles`. | |
nist-sp-800-53-r5-require-binauthz | Requires the Binary Authorization Validating Admission Webhook. | AU-10 Non-Repudiation |
nist-sp-800-53-r5-nodes-have-consistent-time | Ensures consistent and correct time on Nodes by allowing only Container-Optimized OS (COS) or Ubuntu as the OS image. | AU-8 Time Stamps |
nist-sp-800-53-r5-require-namespace-network-policies | Requires that every namespace defined in the cluster has a NetworkPolicy. | CA-9 Internal System Connections |
nist-sp-800-53-r5-require-binauthz | Requires the Binary Authorization Validating Admission Webhook. | CM-14 Signed Components |
nist-sp-800-53-r5-enforce-config-management | Requires Config Sync is running and Drift Prevention enabled with at least one `RootSync` object on the cluster. | CM-2 Baseline Configuration |
nist-sp-800-53-r5-require-managed-by-label | Requires all apps have a valid `app.kubernetes.io/managed-by` label. | |
nist-sp-800-53-r5-apparmor | Restricts AppArmor profiles allowed for Pods. | CM-3 Configuration Change Control |
nist-sp-800-53-r5-block-secrets-of-type-basic-auth | Restricts the use of basic-auth type secrets. | |
nist-sp-800-53-r5-capabilities | Restricts additional Capabilities allowed for Pods. | |
nist-sp-800-53-r5-enforce-config-management | Requires Config Sync is running and Drift Prevention enabled with at least one `RootSync` object on the cluster. | |
nist-sp-800-53-r5-host-namespaces | Restricts containers with `hostPID` or `hostIPC` set to `true`. | |
nist-sp-800-53-r5-host-network | Restricts containers from running with the `hostNetwork` flag set to `true`. | |
nist-sp-800-53-r5-privileged-containers | Restricts containers with `securityContext.privileged` set to `true`. | |
nist-sp-800-53-r5-proc-mount-type | Requires the default `/proc` masks for Pods | |
nist-sp-800-53-r5-require-managed-by-label | Requires all apps have a valid `app.kubernetes.io/managed-by` label. | |
nist-sp-800-53-r5-restrict-hostpath-volumes | Restricts the use of HostPath volumes. | |
nist-sp-800-53-r5-restrict-volume-types | Restricts the mountable volumes types to the allowed list. | |
nist-sp-800-53-r5-seccomp | Seccomp profile must not be explicitly set to `Unconfined`. | |
nist-sp-800-53-r5-selinux | Restricts the SELinux configuration for Pods. | |
nist-sp-800-53-r5-sysctls | Restricts the allowed Sysctls for Pods. | |
nist-sp-800-53-r5-enforce-config-management | Requires Config Sync is running and Drift Prevention enabled with at least one `RootSync` object on the cluster. | CM-4 Security Impact Analysis |
nist-sp-800-53-r5-require-managed-by-label | Requires all apps have a valid `app.kubernetes.io/managed-by` label. | |
nist-sp-800-53-r5-restrict-clusteradmin-rolebindings | Restricts the use of the `cluster-admin` role. | |
nist-sp-800-53-r5-enforce-config-management | Requires Config Sync is running and Drift Prevention enabled with at least one `RootSync` object on the cluster. | CM-5 Access Restrictions for Change |
nist-sp-800-53-r5-require-managed-by-label | Requires all apps have a valid `app.kubernetes.io/managed-by` label. | |
nist-sp-800-53-r5-restrict-clusteradmin-rolebindings | Restricts the use of the `cluster-admin` role. | |
nist-sp-800-53-r5-block-secrets-of-type-basic-auth | Restricts the use of basic-auth type secrets. | CM-6 Configuration Settings |
nist-sp-800-53-r5-enforce-config-management | Requires Config Sync is running and Drift Prevention enabled with at least one `RootSync` object on the cluster. | |
nist-sp-800-53-r5-require-binauthz | Requires the Binary Authorization Validating Admission Webhook. | |
nist-sp-800-53-r5-require-managed-by-label | Requires all apps have a valid `app.kubernetes.io/managed-by` label. | |
nist-sp-800-53-r5-restrict-hostpath-volumes | Restricts the use of HostPath volumes. | |
nist-sp-800-53-r5-restrict-volume-types | Restricts the mountable volumes types to the allowed list. | |
nist-sp-800-53-r5-apparmor | Restricts AppArmor profiles allowed for Pods. | CM-7 Least Functionality |
nist-sp-800-53-r5-capabilities | Restricts additional Capabilities allowed for Pods. | |
nist-sp-800-53-r5-host-namespaces | Restricts containers with `hostPID` or `hostIPC` set to `true`. | |
nist-sp-800-53-r5-host-network | Restricts containers from running with the `hostNetwork` flag set to `true`. | |
nist-sp-800-53-r5-privileged-containers | Restricts containers with `securityContext.privileged` set to `true`. | |
nist-sp-800-53-r5-proc-mount-type | Requires the default `/proc` masks for Pods | |
nist-sp-800-53-r5-restrict-clusteradmin-rolebindings | Restricts the use of the `cluster-admin` role. | |
nist-sp-800-53-r5-restrict-hostpath-volumes | Restricts the use of HostPath volumes. | |
nist-sp-800-53-r5-restrict-volume-types | Restricts the mountable volumes types to the allowed list. | |
nist-sp-800-53-r5-seccomp | Seccomp profile must not be explicitly set to `Unconfined`. | |
nist-sp-800-53-r5-selinux | Restricts the SELinux configuration for Pods. | |
nist-sp-800-53-r5-sysctls | Restricts the allowed Sysctls for Pods. | |
nist-sp-800-53-r5-enforce-config-management | Requires Config Sync is running and Drift Prevention enabled with at least one `RootSync` object on the cluster. | CP-10 Information System Recovery and Reconstitution |
nist-sp-800-53-r5-require-managed-by-label | Requires all apps have a valid `app.kubernetes.io/managed-by` label. | |
nist-sp-800-53-r5-enforce-config-management | Requires Config Sync is running and Drift Prevention enabled with at least one `RootSync` object on the cluster. | CP-9 System Backup |
nist-sp-800-53-r5-require-managed-by-label | Requires all apps have a valid `app.kubernetes.io/managed-by` label. | |
nist-sp-800-53-r5-restrict-rbac-subjects | Restricts the use of names in RBAC subjects to permitted values. | IA-2 Identification and Authentication (Organizational Users) |
nist-sp-800-53-r5-block-creation-with-default-serviceaccount | Restrict resource creation using a default service account. | IA-4 Identifier Management |
nist-sp-800-53-r5-restrict-rbac-subjects | Restricts the use of names in RBAC subjects to permitted values. | |
nist-sp-800-53-r5-require-binauthz | Requires the Binary Authorization Validating Admission Webhook. | IA-5 Authenticator Management |
nist-sp-800-53-r5-restrict-rbac-subjects | Restricts the use of names in RBAC subjects to permitted values. | |
nist-sp-800-53-r5-restrict-rbac-subjects | Restricts the use of names in RBAC subjects to permitted values. | MA-4 Nonlocal Maintenance |
nist-sp-800-53-r5-enforce-config-management | Requires Config Sync is running and Drift Prevention enabled with at least one `RootSync` object on the cluster. | PL-1 Policy and Procedures |
nist-sp-800-53-r5-require-managed-by-label | Requires all apps have a valid `app.kubernetes.io/managed-by` label. | |
nist-sp-800-53-r5-require-binauthz | Requires the Binary Authorization Validating Admission Webhook. | RA-5 Vulnerability Scanning |
nist-sp-800-53-r5-enforce-config-management | Requires Config Sync is running and Drift Prevention enabled with at least one `RootSync` object on the cluster. | SA-10 Developer Configuration Management |
nist-sp-800-53-r5-require-managed-by-label | Requires all apps have a valid `app.kubernetes.io/managed-by` label. | |
nist-sp-800-53-r5-require-binauthz | Requires the Binary Authorization Validating Admission Webhook. | SA-11 Trusted Path |
nist-sp-800-53-r5-require-binauthz | Requires the Binary Authorization Validating Admission Webhook. | SA-3 System Development Life Cycle |
nist-sp-800-53-r5-block-secrets-of-type-basic-auth | Restricts the use of basic-auth type secrets. | SA-8 Security and Privacy Engineering Principles |
nist-sp-800-53-r5-restrict-hostpath-volumes | Restricts the use of HostPath volumes. | |
nist-sp-800-53-r5-restrict-volume-types | Restricts the mountable volumes types to the allowed list. | |
nist-sp-800-53-r5-require-binauthz | Requires the Binary Authorization Validating Admission Webhook. | SC-12 Cryptographic Key Establishment and Management |
nist-sp-800-53-r5-restrict-storageclass | Restricts `StorageClass` to a list of `StorageClass` which encrypt by default. | SC-28 Protection of Information at Rest |
nist-sp-800-53-r5-require-namespace-network-policies | Requires that every namespace defined in the cluster has a NetworkPolicy. | SC-4 Information in Shared Resources |
nist-sp-800-53-r5-cpu-and-memory-limits-required | Requires Pods specify cpu and memory limits. | SC-6 Resource Availability |
nist-sp-800-53-r5-block-secrets-of-type-basic-auth | Restricts the use of basic-auth type secrets. | SC-7 Boundary Protection |
nist-sp-800-53-r5-enforce-config-management | Requires Config Sync is running and Drift Prevention enabled with at least one `RootSync` object on the cluster. | |
nist-sp-800-53-r5-require-managed-by-label | Requires all apps have a valid `app.kubernetes.io/managed-by` label. | |
nist-sp-800-53-r5-require-namespace-network-policies | Requires that every namespace defined in the cluster has a NetworkPolicy. | |
nist-sp-800-53-r5-restrict-hostpath-volumes | Restricts the use of HostPath volumes. | |
nist-sp-800-53-r5-restrict-volume-types | Restricts the mountable volumes types to the allowed list. | |
nist-sp-800-53-r5-asm-peer-authn-strict-mtls | Ensures PeerAuthentications cannot overwrite strict mTLS. | SC-8 Transmission Confidentiality and Integrity |
nist-sp-800-53-r5-require-binauthz | Requires the Binary Authorization Validating Admission Webhook. | SI-12 Information Management and Retention |
nist-sp-800-53-r5-restrict-storageclass | Restricts `StorageClass` to a list of `StorageClass` which encrypt by default. | |
nist-sp-800-53-r5-require-av-daemonset | Requires the presence of an Anti-Virus daemonset. | SI-3 Malicious Code Protection |
nist-sp-800-53-r5-block-secrets-of-type-basic-auth | Restricts the use of basic-auth type secrets. | SI-7 Software, Firmware, and Information Integrity |
nist-sp-800-53-r5-enforce-config-management | Requires Config Sync is running and Drift Prevention enabled with at least one `RootSync` object on the cluster. | |
nist-sp-800-53-r5-require-binauthz | Requires the Binary Authorization Validating Admission Webhook. | |
nist-sp-800-53-r5-require-managed-by-label | Requires all apps have a valid `app.kubernetes.io/managed-by` label. | |
nist-sp-800-53-r5-restrict-hostpath-volumes | Restricts the use of HostPath volumes. | |
nist-sp-800-53-r5-require-binauthz | Requires the Binary Authorization Validating Admission Webhook. | SR-4 Provenance |
Before you begin
- Install and initialize the Google Cloud CLI
, which provides the
gcloud
andkubectl
commands used in these instructions. If you use Cloud Shell, Google Cloud CLI comes pre-installed. - Install Policy Controller on your cluster with the default library of constraint templates. You must also enable support for referential constraints as this bundle contains referential constraints.
Configure Policy Controller for referential constraints
Save the following YAML manifest to a file as
policycontroller-config.yaml
. The manifest configures Policy Controller to watch specific kinds of objects.apiVersion: config.gatekeeper.sh/v1alpha1 kind: Config metadata: name: config namespace: "gatekeeper-system" spec: sync: syncOnly: - group: "apps" version: "v1" kind: "DaemonSet" - group: "networking.k8s.io" version: "v1" kind: "NetworkPolicy" - group: "configsync.gke.io" version: "v1beta1" kind: "RootSync" - group: "storage.k8s.io" version: "v1" kind: "StorageClass" - group: "admissionregistration.k8s.io" version: "v1" kind: "ValidatingWebhookConfiguration"
Apply the
policycontroller-config.yaml
manifest:kubectl apply -f policycontroller-config.yaml
Configure your cluster and workload
- Enablement and configuration of Config Sync
including Drift Prevention admission
webhook is required in
nist-sp-800-53-r5-enforce-config-management
. - An antivirus solution is required. The default is the presence of a
daemonset
namedclamav
in theclamav
namespace
, however thedaemonset
's name and namespace can be customized to your implementation in thenist-sp-800-53-r5-require-av-daemonset
constraint. - Container images are limited to an allowed repos list, which can be
customized if required in
nist-sp-800-53-r5-restrict-repos
. - Nodes must use Container-Optimized OS or Ubuntu
for their image in
nist-sp-800-53-r5-nodes-have-consistent-time
. - Use of storage classes is limited to an allowed list, which can be
customized to add additional classes with default encryption in
nist-sp-800-53-r5-restrict-storageclass
. Enablement and configuration of Binary Authorization is required in
nist-sp-800-53-r5-require-binauthz
.
Audit NIST SP 800-53 Rev. 5 policy bundle
Policy Controller lets you enforce policies for your Kubernetes cluster. To help test your workloads and their compliance with regard to the NIST SP 800-53 policies outlined in the preceding table, you can deploy these constraints in "audit" mode to reveal violations and more importantly give yourself a chance to fix them before enforcing on your Kubernetes cluster.
You can apply these policies with spec.enforcementAction
set to dryrun
using
kubectl,
kpt
, or
Config Sync
.
kubectl
(Optional) Preview the policy constraints with kubectl:
kubectl kustomize https://github.com/GoogleCloudPlatform/gke-policy-library.git/anthos-bundles/nist-sp-800-53-r5
Apply the policy constraints with kubectl:
kubectl apply -k https://github.com/GoogleCloudPlatform/gke-policy-library.git/anthos-bundles/nist-sp-800-53-r5
The output is the following:
asmpeerauthnstrictmtls.constraints.gatekeeper.sh/nist-sp-800-53-r5-asm-peer-authn-strict-mtls created k8sallowedrepos.constraints.gatekeeper.sh/nist-sp-800-53-r5-restrict-repos created k8sblockcreationwithdefaultserviceaccount.constraints.gatekeeper.sh/nist-sp-800-53-r5-block-creation-with-default-serviceaccount created k8sblockobjectsoftype.constraints.gatekeeper.sh/nist-sp-800-53-r5-block-secrets-of-type-basic-auth created k8senforceconfigmanagement.constraints.gatekeeper.sh/nist-sp-800-53-r5-enforce-config-management created k8spspapparmor.constraints.gatekeeper.sh/nist-sp-800-53-r5-apparmor created k8spspcapabilities.constraints.gatekeeper.sh/nist-sp-800-53-r5-capabilities created k8spspforbiddensysctls.constraints.gatekeeper.sh/nist-sp-800-53-r5-sysctls created k8spsphostfilesystem.constraints.gatekeeper.sh/nist-sp-800-53-r5-restrict-hostpath-volumes created k8spsphostnamespace.constraints.gatekeeper.sh/nist-sp-800-53-r5-host-namespaces created k8spsphostnetworkingports.constraints.gatekeeper.sh/nist-sp-800-53-r5-host-network created k8spspprivilegedcontainer.constraints.gatekeeper.sh/nist-sp-800-53-r5-privileged-containers created k8spspprocmount.constraints.gatekeeper.sh/nist-sp-800-53-r5-proc-mount-type created k8spspselinuxv2.constraints.gatekeeper.sh/nist-sp-800-53-r5-selinux created k8spspseccomp.constraints.gatekeeper.sh/nist-sp-800-53-r5-seccomp created k8spspvolumetypes.constraints.gatekeeper.sh/nist-sp-800-53-r5-restrict-volume-types created k8sprohibitrolewildcardaccess.constraints.gatekeeper.sh/nist-sp-800-53-r5-restrict-role-wildcards created k8srequirebinauthz.constraints.gatekeeper.sh/nist-sp-800-53-r5-require-binauthz created k8srequirecosnodeimage.constraints.gatekeeper.sh/nist-sp-800-53-r5-nodes-have-consistent-time created k8srequiredaemonsets.constraints.gatekeeper.sh/nist-sp-800-53-r5-require-av-daemonset created k8srequirenamespacenetworkpolicies.constraints.gatekeeper.sh/nist-sp-800-53-r5-require-namespace-network-policies created k8srequiredlabels.constraints.gatekeeper.sh/nist-sp-800-53-r5-require-managed-by-label created k8srequiredresources.constraints.gatekeeper.sh/nist-sp-800-53-r5-cpu-and-memory-limits-required created k8srestrictrbacsubjects.constraints.gatekeeper.sh/nist-sp-800-53-r5-restrict-rbac-subjects created k8srestrictrolebindings.constraints.gatekeeper.sh/nist-sp-800-53-r5-restrict-clusteradmin-rolebindings created k8sstorageclass.constraints.gatekeeper.sh/nist-sp-800-53-r5-restrict-storageclass created
Verify that policy constraints have been installed and check if violations exist across the cluster:
kubectl get constraints -l policycontroller.gke.io/bundleName=nist-sp-800-53-r5
The output is similar to the following:
NAME ENFORCEMENT-ACTION TOTAL-VIOLATIONS k8spspapparmor.constraints.gatekeeper.sh/nist-sp-800-53-r5-apparmor dryrun 0 NAME ENFORCEMENT-ACTION TOTAL-VIOLATIONS k8srequirebinauthz.constraints.gatekeeper.sh/nist-sp-800-53-r5-require-binauthz dryrun 0 NAME ENFORCEMENT-ACTION TOTAL-VIOLATIONS k8srestrictrbacsubjects.constraints.gatekeeper.sh/nist-sp-800-53-r5-restrict-rbac-subjects dryrun 0 NAME ENFORCEMENT-ACTION TOTAL-VIOLATIONS k8spspforbiddensysctls.constraints.gatekeeper.sh/nist-sp-800-53-r5-sysctls dryrun 0 NAME ENFORCEMENT-ACTION TOTAL-VIOLATIONS k8spspvolumetypes.constraints.gatekeeper.sh/nist-sp-800-53-r5-restrict-volume-types dryrun 0 NAME ENFORCEMENT-ACTION TOTAL-VIOLATIONS k8spsphostnetworkingports.constraints.gatekeeper.sh/nist-sp-800-53-r5-host-network dryrun 0 NAME ENFORCEMENT-ACTION TOTAL-VIOLATIONS k8spsphostnamespace.constraints.gatekeeper.sh/nist-sp-800-53-r5-host-namespaces dryrun 0 NAME ENFORCEMENT-ACTION TOTAL-VIOLATIONS k8srequiredaemonsets.constraints.gatekeeper.sh/nist-sp-800-53-r5-require-av-daemonset dryrun 0 NAME ENFORCEMENT-ACTION TOTAL-VIOLATIONS k8sprohibitrolewildcardaccess.constraints.gatekeeper.sh/nist-sp-800-53-r5-restrict-role-wildcards dryrun 0 NAME ENFORCEMENT-ACTION TOTAL-VIOLATIONS k8sblockcreationwithdefaultserviceaccount.constraints.gatekeeper.sh/nist-sp-800-53-r5-block-creation-with-default-serviceaccount dryrun 0 NAME ENFORCEMENT-ACTION TOTAL-VIOLATIONS k8spsphostfilesystem.constraints.gatekeeper.sh/nist-sp-800-53-r5-restrict-hostpath-volumes dryrun 0 NAME ENFORCEMENT-ACTION TOTAL-VIOLATIONS k8spspseccomp.constraints.gatekeeper.sh/nist-sp-800-53-r5-seccomp dryrun 0 NAME ENFORCEMENT-ACTION TOTAL-VIOLATIONS asmpeerauthnstrictmtls.constraints.gatekeeper.sh/nist-sp-800-53-r5-asm-peer-authn-strict-mtls dryrun 0 NAME ENFORCEMENT-ACTION TOTAL-VIOLATIONS k8srequiredresources.constraints.gatekeeper.sh/nist-sp-800-53-r5-cpu-and-memory-limits-required dryrun 0 NAME ENFORCEMENT-ACTION TOTAL-VIOLATIONS k8spspprocmount.constraints.gatekeeper.sh/nist-sp-800-53-r5-proc-mount-type dryrun 0 NAME ENFORCEMENT-ACTION TOTAL-VIOLATIONS k8sblockobjectsoftype.constraints.gatekeeper.sh/nist-sp-800-53-r5-block-secrets-of-type-basic-auth dryrun 0 NAME ENFORCEMENT-ACTION TOTAL-VIOLATIONS k8srequirenamespacenetworkpolicies.constraints.gatekeeper.sh/nist-sp-800-53-r5-require-namespace-network-policies dryrun 0 NAME ENFORCEMENT-ACTION TOTAL-VIOLATIONS k8spspcapabilities.constraints.gatekeeper.sh/nist-sp-800-53-r5-capabilities dryrun 0 NAME ENFORCEMENT-ACTION TOTAL-VIOLATIONS k8sstorageclass.constraints.gatekeeper.sh/nist-sp-800-53-r5-restrict-storageclass dryrun 0 NAME ENFORCEMENT-ACTION TOTAL-VIOLATIONS k8srequiredlabels.constraints.gatekeeper.sh/nist-sp-800-53-r5-require-managed-by-label dryrun 0 NAME ENFORCEMENT-ACTION TOTAL-VIOLATIONS k8spspprivilegedcontainer.constraints.gatekeeper.sh/nist-sp-800-53-r5-privileged-containers dryrun 0 NAME ENFORCEMENT-ACTION TOTAL-VIOLATIONS k8sallowedrepos.constraints.gatekeeper.sh/nist-sp-800-53-r5-restrict-repos dryrun 0 NAME ENFORCEMENT-ACTION TOTAL-VIOLATIONS k8spspselinuxv2.constraints.gatekeeper.sh/nist-sp-800-53-r5-selinux dryrun 0 NAME ENFORCEMENT-ACTION TOTAL-VIOLATIONS k8senforceconfigmanagement.constraints.gatekeeper.sh/nist-sp-800-53-r5-enforce-config-management dryrun 0 NAME ENFORCEMENT-ACTION TOTAL-VIOLATIONS k8srestrictrolebindings.constraints.gatekeeper.sh/nist-sp-800-53-r5-restrict-clusteradmin-rolebindings dryrun 0 NAME ENFORCEMENT-ACTION TOTAL-VIOLATIONS k8srequirecosnodeimage.constraints.gatekeeper.sh/nist-sp-800-53-r5-nodes-have-consistent-time dryrun 0
kpt
Install and setup kpt.
kpt is used in these instructions to customize and deploy Kubernetes resources.
Download the NIST SP 800-53 Rev. 5 policy bundle from GitHub using kpt:
kpt pkg get https://github.com/GoogleCloudPlatform/gke-policy-library.git/anthos-bundles/nist-sp-800-53-r5
Run the
set-enforcement-action
kpt function to set the policies' enforcement action todryrun
:kpt fn eval nist-sp-800-53-r5 -i gcr.io/kpt-fn/set-enforcement-action:v0.1 \ -- enforcementAction=dryrun
Initialize the working directory with kpt, which creates a resource to track changes:
cd nist-sp-800-53-r5 kpt live init
Apply the policy constraints with kpt:
kpt live apply
Verify that policy constraints have been installed and check if violations exist across the cluster:
kpt live status --output table --poll-until current
A status of
CURRENT
confirms successful installation of the constraints.
Config Sync
Install and setup kpt.
kpt is used in these instructions to customize and deploy Kubernetes resources.
Operators using Config Sync to deploy policies to their clusters can use the following instructions:
Change into the sync directory for Config Sync:
cd SYNC_ROOT_DIR
To create or append
.gitignore
withresourcegroup.yaml
:echo resourcegroup.yaml >> .gitignore
Create a dedicated
policies
directory:mkdir -p policies
Download the NIST SP 800-53 Rev. 5 policy bundle from GitHub using kpt:
kpt pkg get https://github.com/GoogleCloudPlatform/gke-policy-library.git/anthos-bundles/nist-sp-800-53-r5 policies/nist-sp-800-53-r5
Run the
set-enforcement-action
kpt function to set the policies' enforcement action todryrun
:kpt fn eval policies/nist-sp-800-53-r5 -i gcr.io/kpt-fn/set-enforcement-action:v0.1 -- enforcementAction=dryrun
(Optional) Preview the policy constraints to be created:
kpt live init policies/nist-sp-800-53-r5 kpt live apply --dry-run policies/nist-sp-800-53-r5
If your sync directory for Config Sync uses Kustomize, add
policies/nist-sp-800-53-r5
to your rootkustomization.yaml
. Otherwise remove thepolicies/nist-sp-800-53-r5/kustomization.yaml
file:rm SYNC_ROOT_DIR/policies/nist-sp-800-53-r5/kustomization.yaml
Push changes to the Config Sync repo:
git add SYNC_ROOT_DIR/policies/nist-sp-800-53-r5 git commit -m 'Adding NIST SP 800-53 Rev. 5 policy audit enforcement' git push
Verify the status of the installation:
watch gcloud beta container fleet config-management status --project PROJECT_ID
A status of
SYNCED
confirms the installation of the policies.
View policy violations
Once the policy constraints are installed in audit mode, violations on the cluster can be viewed in the UI using the Policy Controller Dashboard.
You can also use
kubectl
to view violations on the cluster using the following command:kubectl get constraint -l policycontroller.gke.io/bundleName=nist-sp-800-53-r5 -o json | jq -cC '.items[]| [.metadata.name,.status.totalViolations]'
If violations are present, a listing of the violation messages per constraint can be viewed with:
kubectl get constraint -l policycontroller.gke.io/bundleName=nist-sp-800-53-r5 -o json | jq -C '.items[]| select(.status.totalViolations>0)| [.metadata.name,.status.violations[]?]'
Change NIST SP 800-53 Rev. 5 policy bundle enforcement action
Once you've reviewed policy violations on your cluster, you can consider
changing the enforcement mode so the Admission Controller will either warn
on
or even deny
block non-compliant resource from getting applied to the cluster.
kubectl
Use kubectl to set the policies' enforcement action to
warn
:kubectl get constraints -l policycontroller.gke.io/bundleName=nist-sp-800-53-r5 -o name | xargs -I {} kubectl patch {} --type='json' -p='[{"op":"replace","path":"/spec/enforcementAction","value":"warn"}]'
Verify that policy constraints enforcement action have been updated:
kubectl get constraints -l policycontroller.gke.io/bundleName=nist-sp-800-53-r5
kpt
Run the
set-enforcement-action
kpt function to set the policies' enforcement action towarn
:kpt fn eval -i gcr.io/kpt-fn/set-enforcement-action:v0.1 -- enforcementAction=warn
Apply the policy constraints:
kpt live apply
Config Sync
Operators using Config Sync to deploy policies to their clusters can use the following instructions:
Change into the sync directory for Config Sync:
cd SYNC_ROOT_DIR
Run the
set-enforcement-action
kpt function to set the policies' enforcement action towarn
:kpt fn eval policies/nist-sp-800-53-r5 -i gcr.io/kpt-fn/set-enforcement-action:v0.1 -- enforcementAction=warn
Push changes to the Config Sync repo:
git add SYNC_ROOT_DIR/policies/nist-sp-800-53-r5 git commit -m 'Adding NIST SP 800-53 Rev. 5 policy warn enforcement' git push
Verify the status of the installation:
gcloud alpha anthos config sync repo list --project PROJECT_ID
Your repo showing up in the
SYNCED
column confirms the installation of the policies.
Test policy enforcement
Create a non-compliant resource on the cluster using the following command:
cat <<EOF | kubectl apply -f - apiVersion: v1 kind: Pod metadata: name: wp-non-compliant spec: containers: ‐ image: wordpress name: wordpress EOF
The admission controller should produce a warning listing out the policy violations that this resource violates, as shown in the following example:
Warning: [nist-sp-800-53-r5-cpu-and-memory-limits-required] container <wordpress> does not have <{"cpu", "memory"}> limits defined Warning: [nist-sp-800-53-r5-restrict-repos] container <wordpress> has an invalid image repo <wordpress>, allowed repos are ["gcr.io/gke-release/", "gcr.io/anthos-baremetal-release/", "gcr.io/config-management-release/", "gcr.io/kubebuilder/", "gcr.io/gkeconnect/", "gke.gcr.io/"] pod/wp-non-compliant created
Remove NIST SP 800-53 Rev. 5 policy bundle
If needed, the NIST SP 800-53 Rev. 5 policy bundle can be removed from the cluster.
kubectl
Use kubectl to remove the policies:
kubectl delete constraint -l policycontroller.gke.io/bundleName=nist-sp-800-53-r5
kpt
Remove the policies:
kpt live destroy
Config Sync
Operators using Config Sync to deploy policies to their clusters can use the following instructions:
Push changes to the Config Sync repo:
git rm -r SYNC_ROOT_DIR/policies/nist-sp-800-53-r5 git commit -m 'Removing NIST SP 800-53 Rev. 5 policies' git push
Verify the status:
gcloud alpha anthos config sync repo list --project PROJECT_ID
Your repo showing up in the
SYNCED
column confirms the removal of the policies.