Use NIST SP 800-53 Rev. 5 policy constraints

Policy Controller comes with a default library of constraint templates that can be used with the NIST SP 800-53 Rev. 5 bundle which implements controls listed in National Institute of Standards and Technology (NIST) Special Publication (SP) 800-53 Rev. 5. The bundle may help organizations protect their systems and data from a variety of threats by implementing out-of-the-box security and privacy policies.

This page contains instructions for manually applying a policy bundle. Alternatively, you can apply policy bundles directly.

This page is for IT administrators and Operators who want to ensure that all resources running within the cloud platform meet organizational compliance requirements by providing and maintaining automation to audit or enforce. To learn more about common roles and example tasks that we reference in Google Cloud content, see Common GKE Enterprise user roles and tasks.

NIST SP 800-53 Rev. 5 policy bundle constraints

Constraint Name Constraint Description Control ID
nist-sp-800-53-r5-block-secrets-of-type-basic-auth Restricts the use of basic-auth type secrets. AC-16 Security and Privacy Attributes
nist-sp-800-53-r5-restrict-hostpath-volumes Restricts the use of HostPath volumes.
nist-sp-800-53-r5-restrict-rbac-subjects Restricts the use of names in RBAC subjects to permitted values. AC-2 Account Management
nist-sp-800-53-r5-restrict-rbac-subjects Restricts the use of names in RBAC subjects to permitted values. AC-3 Access Enforcement
nist-sp-800-53-r5-block-secrets-of-type-basic-auth Restricts the use of basic-auth type secrets. AC-4 Information Flow Enforcement
nist-sp-800-53-r5-require-binauthz Requires the Binary Authorization Validating Admission Webhook.
nist-sp-800-53-r5-require-namespace-network-policies Requires that every namespace defined in the cluster has a NetworkPolicy.
nist-sp-800-53-r5-restrict-hostpath-volumes Restricts the use of HostPath volumes.
nist-sp-800-53-r5-require-binauthz Requires the Binary Authorization Validating Admission Webhook. AC-6 Least Privilege
nist-sp-800-53-r5-restrict-clusteradmin-rolebindings Restricts the use of the `cluster-admin` role.
nist-sp-800-53-r5-restrict-repos Restricts container images to an allowed `repos` list.
nist-sp-800-53-r5-restrict-role-wildcards Restricts the use of wildcards in `Roles` and `ClusterRoles`.
nist-sp-800-53-r5-require-binauthz Requires the Binary Authorization Validating Admission Webhook. AU-10 Non-Repudiation
nist-sp-800-53-r5-nodes-have-consistent-time Ensures consistent and correct time on Nodes by allowing only Container-Optimized OS (COS) or Ubuntu as the OS image. AU-8 Time Stamps
nist-sp-800-53-r5-require-namespace-network-policies Requires that every namespace defined in the cluster has a NetworkPolicy. CA-9 Internal System Connections
nist-sp-800-53-r5-require-binauthz Requires the Binary Authorization Validating Admission Webhook. CM-14 Signed Components
nist-sp-800-53-r5-enforce-config-management Requires Config Sync is running and Drift Prevention enabled with at least one `RootSync` object on the cluster. CM-2 Baseline Configuration
nist-sp-800-53-r5-require-managed-by-label Requires all apps have a valid `app.kubernetes.io/managed-by` label.
nist-sp-800-53-r5-apparmor Restricts AppArmor profiles allowed for Pods. CM-3 Configuration Change Control
nist-sp-800-53-r5-block-secrets-of-type-basic-auth Restricts the use of basic-auth type secrets.
nist-sp-800-53-r5-capabilities Restricts additional Capabilities allowed for Pods.
nist-sp-800-53-r5-enforce-config-management Requires Config Sync is running and Drift Prevention enabled with at least one `RootSync` object on the cluster.
nist-sp-800-53-r5-host-namespaces Restricts containers with `hostPID` or `hostIPC` set to `true`.
nist-sp-800-53-r5-host-network Restricts containers from running with the `hostNetwork` flag set to `true`.
nist-sp-800-53-r5-privileged-containers Restricts containers with `securityContext.privileged` set to `true`.
nist-sp-800-53-r5-proc-mount-type Requires the default `/proc` masks for Pods
nist-sp-800-53-r5-require-managed-by-label Requires all apps have a valid `app.kubernetes.io/managed-by` label.
nist-sp-800-53-r5-restrict-hostpath-volumes Restricts the use of HostPath volumes.
nist-sp-800-53-r5-restrict-volume-types Restricts the mountable volumes types to the allowed list.
nist-sp-800-53-r5-seccomp Seccomp profile must not be explicitly set to `Unconfined`.
nist-sp-800-53-r5-selinux Restricts the SELinux configuration for Pods.
nist-sp-800-53-r5-sysctls Restricts the allowed Sysctls for Pods.
nist-sp-800-53-r5-enforce-config-management Requires Config Sync is running and Drift Prevention enabled with at least one `RootSync` object on the cluster. CM-4 Security Impact Analysis
nist-sp-800-53-r5-require-managed-by-label Requires all apps have a valid `app.kubernetes.io/managed-by` label.
nist-sp-800-53-r5-restrict-clusteradmin-rolebindings Restricts the use of the `cluster-admin` role.
nist-sp-800-53-r5-enforce-config-management Requires Config Sync is running and Drift Prevention enabled with at least one `RootSync` object on the cluster. CM-5 Access Restrictions for Change
nist-sp-800-53-r5-require-managed-by-label Requires all apps have a valid `app.kubernetes.io/managed-by` label.
nist-sp-800-53-r5-restrict-clusteradmin-rolebindings Restricts the use of the `cluster-admin` role.
nist-sp-800-53-r5-block-secrets-of-type-basic-auth Restricts the use of basic-auth type secrets. CM-6 Configuration Settings
nist-sp-800-53-r5-enforce-config-management Requires Config Sync is running and Drift Prevention enabled with at least one `RootSync` object on the cluster.
nist-sp-800-53-r5-require-binauthz Requires the Binary Authorization Validating Admission Webhook.
nist-sp-800-53-r5-require-managed-by-label Requires all apps have a valid `app.kubernetes.io/managed-by` label.
nist-sp-800-53-r5-restrict-hostpath-volumes Restricts the use of HostPath volumes.
nist-sp-800-53-r5-restrict-volume-types Restricts the mountable volumes types to the allowed list.
nist-sp-800-53-r5-apparmor Restricts AppArmor profiles allowed for Pods. CM-7 Least Functionality
nist-sp-800-53-r5-capabilities Restricts additional Capabilities allowed for Pods.
nist-sp-800-53-r5-host-namespaces Restricts containers with `hostPID` or `hostIPC` set to `true`.
nist-sp-800-53-r5-host-network Restricts containers from running with the `hostNetwork` flag set to `true`.
nist-sp-800-53-r5-privileged-containers Restricts containers with `securityContext.privileged` set to `true`.
nist-sp-800-53-r5-proc-mount-type Requires the default `/proc` masks for Pods
nist-sp-800-53-r5-restrict-clusteradmin-rolebindings Restricts the use of the `cluster-admin` role.
nist-sp-800-53-r5-restrict-hostpath-volumes Restricts the use of HostPath volumes.
nist-sp-800-53-r5-restrict-volume-types Restricts the mountable volumes types to the allowed list.
nist-sp-800-53-r5-seccomp Seccomp profile must not be explicitly set to `Unconfined`.
nist-sp-800-53-r5-selinux Restricts the SELinux configuration for Pods.
nist-sp-800-53-r5-sysctls Restricts the allowed Sysctls for Pods.
nist-sp-800-53-r5-enforce-config-management Requires Config Sync is running and Drift Prevention enabled with at least one `RootSync` object on the cluster. CP-10 Information System Recovery and Reconstitution
nist-sp-800-53-r5-require-managed-by-label Requires all apps have a valid `app.kubernetes.io/managed-by` label.
nist-sp-800-53-r5-enforce-config-management Requires Config Sync is running and Drift Prevention enabled with at least one `RootSync` object on the cluster. CP-9 System Backup
nist-sp-800-53-r5-require-managed-by-label Requires all apps have a valid `app.kubernetes.io/managed-by` label.
nist-sp-800-53-r5-restrict-rbac-subjects Restricts the use of names in RBAC subjects to permitted values. IA-2 Identification and Authentication (Organizational Users)
nist-sp-800-53-r5-block-creation-with-default-serviceaccount Restrict resource creation using a default service account. IA-4 Identifier Management
nist-sp-800-53-r5-restrict-rbac-subjects Restricts the use of names in RBAC subjects to permitted values.
nist-sp-800-53-r5-require-binauthz Requires the Binary Authorization Validating Admission Webhook. IA-5 Authenticator Management
nist-sp-800-53-r5-restrict-rbac-subjects Restricts the use of names in RBAC subjects to permitted values.
nist-sp-800-53-r5-restrict-rbac-subjects Restricts the use of names in RBAC subjects to permitted values. MA-4 Nonlocal Maintenance
nist-sp-800-53-r5-enforce-config-management Requires Config Sync is running and Drift Prevention enabled with at least one `RootSync` object on the cluster. PL-1 Policy and Procedures
nist-sp-800-53-r5-require-managed-by-label Requires all apps have a valid `app.kubernetes.io/managed-by` label.
nist-sp-800-53-r5-require-binauthz Requires the Binary Authorization Validating Admission Webhook. RA-5 Vulnerability Scanning
nist-sp-800-53-r5-enforce-config-management Requires Config Sync is running and Drift Prevention enabled with at least one `RootSync` object on the cluster. SA-10 Developer Configuration Management
nist-sp-800-53-r5-require-managed-by-label Requires all apps have a valid `app.kubernetes.io/managed-by` label.
nist-sp-800-53-r5-require-binauthz Requires the Binary Authorization Validating Admission Webhook. SA-11 Trusted Path
nist-sp-800-53-r5-require-binauthz Requires the Binary Authorization Validating Admission Webhook. SA-3 System Development Life Cycle
nist-sp-800-53-r5-block-secrets-of-type-basic-auth Restricts the use of basic-auth type secrets. SA-8 Security and Privacy Engineering Principles
nist-sp-800-53-r5-restrict-hostpath-volumes Restricts the use of HostPath volumes.
nist-sp-800-53-r5-restrict-volume-types Restricts the mountable volumes types to the allowed list.
nist-sp-800-53-r5-require-binauthz Requires the Binary Authorization Validating Admission Webhook. SC-12 Cryptographic Key Establishment and Management
nist-sp-800-53-r5-restrict-storageclass Restricts `StorageClass` to a list of `StorageClass` which encrypt by default. SC-28 Protection of Information at Rest
nist-sp-800-53-r5-require-namespace-network-policies Requires that every namespace defined in the cluster has a NetworkPolicy. SC-4 Information in Shared Resources
nist-sp-800-53-r5-cpu-and-memory-limits-required Requires Pods specify cpu and memory limits. SC-6 Resource Availability
nist-sp-800-53-r5-block-secrets-of-type-basic-auth Restricts the use of basic-auth type secrets. SC-7 Boundary Protection
nist-sp-800-53-r5-enforce-config-management Requires Config Sync is running and Drift Prevention enabled with at least one `RootSync` object on the cluster.
nist-sp-800-53-r5-require-managed-by-label Requires all apps have a valid `app.kubernetes.io/managed-by` label.
nist-sp-800-53-r5-require-namespace-network-policies Requires that every namespace defined in the cluster has a NetworkPolicy.
nist-sp-800-53-r5-restrict-hostpath-volumes Restricts the use of HostPath volumes.
nist-sp-800-53-r5-restrict-volume-types Restricts the mountable volumes types to the allowed list.
nist-sp-800-53-r5-asm-peer-authn-strict-mtls Ensures PeerAuthentications cannot overwrite strict mTLS. SC-8 Transmission Confidentiality and Integrity
nist-sp-800-53-r5-require-binauthz Requires the Binary Authorization Validating Admission Webhook. SI-12 Information Management and Retention
nist-sp-800-53-r5-restrict-storageclass Restricts `StorageClass` to a list of `StorageClass` which encrypt by default.
nist-sp-800-53-r5-require-av-daemonset Requires the presence of an Anti-Virus daemonset. SI-3 Malicious Code Protection
nist-sp-800-53-r5-block-secrets-of-type-basic-auth Restricts the use of basic-auth type secrets. SI-7 Software, Firmware, and Information Integrity
nist-sp-800-53-r5-enforce-config-management Requires Config Sync is running and Drift Prevention enabled with at least one `RootSync` object on the cluster.
nist-sp-800-53-r5-require-binauthz Requires the Binary Authorization Validating Admission Webhook.
nist-sp-800-53-r5-require-managed-by-label Requires all apps have a valid `app.kubernetes.io/managed-by` label.
nist-sp-800-53-r5-restrict-hostpath-volumes Restricts the use of HostPath volumes.
nist-sp-800-53-r5-require-binauthz Requires the Binary Authorization Validating Admission Webhook. SR-4 Provenance

Before you begin

  1. Install and initialize the Google Cloud CLI , which provides the gcloud and kubectl commands used in these instructions. If you use Cloud Shell, Google Cloud CLI comes pre-installed.
  2. Install Policy Controller on your cluster with the default library of constraint templates. You must also enable support for referential constraints as this bundle contains referential constraints.

Configure Policy Controller for referential constraints

  1. Save the following YAML manifest to a file as policycontroller-config.yaml. The manifest configures Policy Controller to watch specific kinds of objects.

    apiVersion: config.gatekeeper.sh/v1alpha1
    kind: Config
    metadata:
      name: config
      namespace: "gatekeeper-system"
    spec:
      sync:
        syncOnly:
          - group: "apps"
            version: "v1"
            kind: "DaemonSet"
          - group: "networking.k8s.io"
            version: "v1"
            kind: "NetworkPolicy"
          - group: "configsync.gke.io"
            version: "v1beta1"
            kind: "RootSync"
          - group: "storage.k8s.io"
            version: "v1"
            kind: "StorageClass"
          - group: "admissionregistration.k8s.io"
            version: "v1"
            kind: "ValidatingWebhookConfiguration"
    
  2. Apply the policycontroller-config.yaml manifest:

    kubectl apply -f policycontroller-config.yaml
    

Configure your cluster and workload

  1. Enablement and configuration of Config Sync including Drift Prevention admission webhook is required in nist-sp-800-53-r5-enforce-config-management.
  2. An antivirus solution is required. The default is the presence of a daemonset named clamav in the clamav namespace, however the daemonset's name and namespace can be customized to your implementation in the nist-sp-800-53-r5-require-av-daemonset constraint.
  3. Container images are limited to an allowed repos list, which can be customized if required in nist-sp-800-53-r5-restrict-repos.
  4. Nodes must use Container-Optimized OS or Ubuntu for their image in nist-sp-800-53-r5-nodes-have-consistent-time.
  5. Use of storage classes is limited to an allowed list, which can be customized to add additional classes with default encryption in nist-sp-800-53-r5-restrict-storageclass.
  6. Enablement and configuration of Binary Authorization is required in nist-sp-800-53-r5-require-binauthz.

Audit NIST SP 800-53 Rev. 5 policy bundle

Policy Controller lets you enforce policies for your Kubernetes cluster. To help test your workloads and their compliance with regard to the NIST SP 800-53 policies outlined in the preceding table, you can deploy these constraints in "audit" mode to reveal violations and more importantly give yourself a chance to fix them before enforcing on your Kubernetes cluster.

You can apply these policies with spec.enforcementAction set to dryrun using kubectl, kpt , or Config Sync .

kubectl

  1. (Optional) Preview the policy constraints with kubectl:

    kubectl kustomize https://github.com/GoogleCloudPlatform/gke-policy-library.git/anthos-bundles/nist-sp-800-53-r5
    
  2. Apply the policy constraints with kubectl:

    kubectl apply -k https://github.com/GoogleCloudPlatform/gke-policy-library.git/anthos-bundles/nist-sp-800-53-r5
    

    The output is the following:

    asmpeerauthnstrictmtls.constraints.gatekeeper.sh/nist-sp-800-53-r5-asm-peer-authn-strict-mtls created
    k8sallowedrepos.constraints.gatekeeper.sh/nist-sp-800-53-r5-restrict-repos created
    k8sblockcreationwithdefaultserviceaccount.constraints.gatekeeper.sh/nist-sp-800-53-r5-block-creation-with-default-serviceaccount created
    k8sblockobjectsoftype.constraints.gatekeeper.sh/nist-sp-800-53-r5-block-secrets-of-type-basic-auth created
    k8senforceconfigmanagement.constraints.gatekeeper.sh/nist-sp-800-53-r5-enforce-config-management created
    k8spspapparmor.constraints.gatekeeper.sh/nist-sp-800-53-r5-apparmor created
    k8spspcapabilities.constraints.gatekeeper.sh/nist-sp-800-53-r5-capabilities created
    k8spspforbiddensysctls.constraints.gatekeeper.sh/nist-sp-800-53-r5-sysctls created
    k8spsphostfilesystem.constraints.gatekeeper.sh/nist-sp-800-53-r5-restrict-hostpath-volumes created
    k8spsphostnamespace.constraints.gatekeeper.sh/nist-sp-800-53-r5-host-namespaces created
    k8spsphostnetworkingports.constraints.gatekeeper.sh/nist-sp-800-53-r5-host-network created
    k8spspprivilegedcontainer.constraints.gatekeeper.sh/nist-sp-800-53-r5-privileged-containers created
    k8spspprocmount.constraints.gatekeeper.sh/nist-sp-800-53-r5-proc-mount-type created
    k8spspselinuxv2.constraints.gatekeeper.sh/nist-sp-800-53-r5-selinux created
    k8spspseccomp.constraints.gatekeeper.sh/nist-sp-800-53-r5-seccomp created
    k8spspvolumetypes.constraints.gatekeeper.sh/nist-sp-800-53-r5-restrict-volume-types created
    k8sprohibitrolewildcardaccess.constraints.gatekeeper.sh/nist-sp-800-53-r5-restrict-role-wildcards created
    k8srequirebinauthz.constraints.gatekeeper.sh/nist-sp-800-53-r5-require-binauthz created
    k8srequirecosnodeimage.constraints.gatekeeper.sh/nist-sp-800-53-r5-nodes-have-consistent-time created
    k8srequiredaemonsets.constraints.gatekeeper.sh/nist-sp-800-53-r5-require-av-daemonset created
    k8srequirenamespacenetworkpolicies.constraints.gatekeeper.sh/nist-sp-800-53-r5-require-namespace-network-policies created
    k8srequiredlabels.constraints.gatekeeper.sh/nist-sp-800-53-r5-require-managed-by-label created
    k8srequiredresources.constraints.gatekeeper.sh/nist-sp-800-53-r5-cpu-and-memory-limits-required created
    k8srestrictrbacsubjects.constraints.gatekeeper.sh/nist-sp-800-53-r5-restrict-rbac-subjects created
    k8srestrictrolebindings.constraints.gatekeeper.sh/nist-sp-800-53-r5-restrict-clusteradmin-rolebindings created
    k8sstorageclass.constraints.gatekeeper.sh/nist-sp-800-53-r5-restrict-storageclass created
    
  3. Verify that policy constraints have been installed and check if violations exist across the cluster:

    kubectl get constraints -l policycontroller.gke.io/bundleName=nist-sp-800-53-r5
    

    The output is similar to the following:

    NAME                                                            ENFORCEMENT-ACTION   TOTAL-VIOLATIONS
    k8spspapparmor.constraints.gatekeeper.sh/nist-sp-800-53-r5-apparmor   dryrun               0
    
    NAME                                                                        ENFORCEMENT-ACTION   TOTAL-VIOLATIONS
    k8srequirebinauthz.constraints.gatekeeper.sh/nist-sp-800-53-r5-require-binauthz   dryrun               0
    
    NAME                                                                                   ENFORCEMENT-ACTION   TOTAL-VIOLATIONS
    k8srestrictrbacsubjects.constraints.gatekeeper.sh/nist-sp-800-53-r5-restrict-rbac-subjects   dryrun               0
    
    NAME                                                                   ENFORCEMENT-ACTION   TOTAL-VIOLATIONS
    k8spspforbiddensysctls.constraints.gatekeeper.sh/nist-sp-800-53-r5-sysctls   dryrun               0
    
    NAME                                                                            ENFORCEMENT-ACTION   TOTAL-VIOLATIONS
    k8spspvolumetypes.constraints.gatekeeper.sh/nist-sp-800-53-r5-restrict-volume-types   dryrun               0
    
    NAME                                                                           ENFORCEMENT-ACTION   TOTAL-VIOLATIONS
    k8spsphostnetworkingports.constraints.gatekeeper.sh/nist-sp-800-53-r5-host-network   dryrun               0
    
    NAME                                                                        ENFORCEMENT-ACTION   TOTAL-VIOLATIONS
    k8spsphostnamespace.constraints.gatekeeper.sh/nist-sp-800-53-r5-host-namespaces   dryrun               0
    
    NAME                                                                              ENFORCEMENT-ACTION   TOTAL-VIOLATIONS
    k8srequiredaemonsets.constraints.gatekeeper.sh/nist-sp-800-53-r5-require-av-daemonset   dryrun               0
    
    NAME                                                                                          ENFORCEMENT-ACTION   TOTAL-VIOLATIONS
    k8sprohibitrolewildcardaccess.constraints.gatekeeper.sh/nist-sp-800-53-r5-restrict-role-wildcards   dryrun               0
    
    NAME                                                                                                                         ENFORCEMENT-ACTION   TOTAL-VIOLATIONS
    k8sblockcreationwithdefaultserviceaccount.constraints.gatekeeper.sh/nist-sp-800-53-r5-block-creation-with-default-serviceaccount   dryrun               0
    
    NAME                                                                                   ENFORCEMENT-ACTION   TOTAL-VIOLATIONS
    k8spsphostfilesystem.constraints.gatekeeper.sh/nist-sp-800-53-r5-restrict-hostpath-volumes   dryrun               0
    
    NAME                                                          ENFORCEMENT-ACTION   TOTAL-VIOLATIONS
    k8spspseccomp.constraints.gatekeeper.sh/nist-sp-800-53-r5-seccomp   dryrun               0
    
    NAME                                                                                      ENFORCEMENT-ACTION   TOTAL-VIOLATIONS
    asmpeerauthnstrictmtls.constraints.gatekeeper.sh/nist-sp-800-53-r5-asm-peer-authn-strict-mtls   dryrun               0
    
    NAME                                                                                        ENFORCEMENT-ACTION   TOTAL-VIOLATIONS
    k8srequiredresources.constraints.gatekeeper.sh/nist-sp-800-53-r5-cpu-and-memory-limits-required   dryrun               0
    
    NAME                                                                    ENFORCEMENT-ACTION   TOTAL-VIOLATIONS
    k8spspprocmount.constraints.gatekeeper.sh/nist-sp-800-53-r5-proc-mount-type   dryrun               0
    
    NAME                                                                                           ENFORCEMENT-ACTION   TOTAL-VIOLATIONS
    k8sblockobjectsoftype.constraints.gatekeeper.sh/nist-sp-800-53-r5-block-secrets-of-type-basic-auth   dryrun               0
    
    NAME                                                                                                          ENFORCEMENT-ACTION   TOTAL-VIOLATIONS
    k8srequirenamespacenetworkpolicies.constraints.gatekeeper.sh/nist-sp-800-53-r5-require-namespace-network-policies   dryrun               0
    
    NAME                                                                    ENFORCEMENT-ACTION   TOTAL-VIOLATIONS
    k8spspcapabilities.constraints.gatekeeper.sh/nist-sp-800-53-r5-capabilities   dryrun               0
    
    NAME                                                                          ENFORCEMENT-ACTION   TOTAL-VIOLATIONS
    k8sstorageclass.constraints.gatekeeper.sh/nist-sp-800-53-r5-restrict-storageclass   dryrun               0
    
    NAME                                                                               ENFORCEMENT-ACTION   TOTAL-VIOLATIONS
    k8srequiredlabels.constraints.gatekeeper.sh/nist-sp-800-53-r5-require-managed-by-label   dryrun               0
    
    NAME                                                                                    ENFORCEMENT-ACTION   TOTAL-VIOLATIONS
    k8spspprivilegedcontainer.constraints.gatekeeper.sh/nist-sp-800-53-r5-privileged-containers   dryrun               0
    
    NAME                                                                   ENFORCEMENT-ACTION   TOTAL-VIOLATIONS
    k8sallowedrepos.constraints.gatekeeper.sh/nist-sp-800-53-r5-restrict-repos   dryrun               0
    
    NAME                                                            ENFORCEMENT-ACTION   TOTAL-VIOLATIONS
    k8spspselinuxv2.constraints.gatekeeper.sh/nist-sp-800-53-r5-selinux   dryrun               0
    
    NAME                                                                                         ENFORCEMENT-ACTION   TOTAL-VIOLATIONS
    k8senforceconfigmanagement.constraints.gatekeeper.sh/nist-sp-800-53-r5-enforce-config-management   dryrun               0
    
    NAME                                                                                               ENFORCEMENT-ACTION   TOTAL-VIOLATIONS
    k8srestrictrolebindings.constraints.gatekeeper.sh/nist-sp-800-53-r5-restrict-clusteradmin-rolebindings   dryrun               0
    
    NAME                                                                                      ENFORCEMENT-ACTION   TOTAL-VIOLATIONS
    k8srequirecosnodeimage.constraints.gatekeeper.sh/nist-sp-800-53-r5-nodes-have-consistent-time   dryrun               0
    

kpt

  1. Install and setup kpt.

    kpt is used in these instructions to customize and deploy Kubernetes resources.

  2. Download the NIST SP 800-53 Rev. 5 policy bundle from GitHub using kpt:

    kpt pkg get https://github.com/GoogleCloudPlatform/gke-policy-library.git/anthos-bundles/nist-sp-800-53-r5
    
  3. Run the set-enforcement-action kpt function to set the policies' enforcement action to dryrun:

    kpt fn eval nist-sp-800-53-r5 -i gcr.io/kpt-fn/set-enforcement-action:v0.1 \
    -- enforcementAction=dryrun
    
  4. Initialize the working directory with kpt, which creates a resource to track changes:

    cd nist-sp-800-53-r5 kpt live init
    
  5. Apply the policy constraints with kpt:

    kpt live apply
    
  6. Verify that policy constraints have been installed and check if violations exist across the cluster:

    kpt live status --output table --poll-until current
    

    A status of CURRENT confirms successful installation of the constraints.

Config Sync

  1. Install and setup kpt.

    kpt is used in these instructions to customize and deploy Kubernetes resources.

    Operators using Config Sync to deploy policies to their clusters can use the following instructions:

  2. Change into the sync directory for Config Sync:

    cd SYNC_ROOT_DIR
    

    To create or append .gitignore with resourcegroup.yaml:

    echo resourcegroup.yaml >> .gitignore
    
  3. Create a dedicated policies directory:

    mkdir -p policies
    
  4. Download the NIST SP 800-53 Rev. 5 policy bundle from GitHub using kpt:

    kpt pkg get https://github.com/GoogleCloudPlatform/gke-policy-library.git/anthos-bundles/nist-sp-800-53-r5 policies/nist-sp-800-53-r5
    
  5. Run the set-enforcement-action kpt function to set the policies' enforcement action to dryrun:

    kpt fn eval policies/nist-sp-800-53-r5 -i gcr.io/kpt-fn/set-enforcement-action:v0.1 -- enforcementAction=dryrun
    
  6. (Optional) Preview the policy constraints to be created:

    kpt live init policies/nist-sp-800-53-r5 kpt live apply --dry-run policies/nist-sp-800-53-r5
    
  7. If your sync directory for Config Sync uses Kustomize, add policies/nist-sp-800-53-r5 to your root kustomization.yaml. Otherwise remove the policies/nist-sp-800-53-r5/kustomization.yaml file:

    rm SYNC_ROOT_DIR/policies/nist-sp-800-53-r5/kustomization.yaml
    
  8. Push changes to the Config Sync repo:

    git add SYNC_ROOT_DIR/policies/nist-sp-800-53-r5 git commit -m 'Adding NIST SP 800-53 Rev. 5 policy audit enforcement'
    git push
    
  9. Verify the status of the installation:

    watch gcloud beta container fleet config-management status --project PROJECT_ID
    

    A status of SYNCED confirms the installation of the policies.

View policy violations

Once the policy constraints are installed in audit mode, violations on the cluster can be viewed in the UI using the Policy Controller Dashboard.

  1. You can also use kubectl to view violations on the cluster using the following command:

    kubectl get constraint -l policycontroller.gke.io/bundleName=nist-sp-800-53-r5 -o json | jq -cC '.items[]| [.metadata.name,.status.totalViolations]'
    
  2. If violations are present, a listing of the violation messages per constraint can be viewed with:

    kubectl get constraint -l policycontroller.gke.io/bundleName=nist-sp-800-53-r5 -o json | jq -C '.items[]| select(.status.totalViolations>0)| [.metadata.name,.status.violations[]?]'
    

Change NIST SP 800-53 Rev. 5 policy bundle enforcement action

Once you've reviewed policy violations on your cluster, you can consider changing the enforcement mode so the Admission Controller will either warn on or even deny block non-compliant resource from getting applied to the cluster.

kubectl

  1. Use kubectl to set the policies' enforcement action to warn:

    kubectl get constraints -l policycontroller.gke.io/bundleName=nist-sp-800-53-r5 -o name | xargs -I {} kubectl patch {} --type='json' -p='[{"op":"replace","path":"/spec/enforcementAction","value":"warn"}]'
    
  2. Verify that policy constraints enforcement action have been updated:

    kubectl get constraints -l policycontroller.gke.io/bundleName=nist-sp-800-53-r5
    

kpt

  1. Run the set-enforcement-action kpt function to set the policies' enforcement action to warn:

    kpt fn eval -i gcr.io/kpt-fn/set-enforcement-action:v0.1 -- enforcementAction=warn
    
  2. Apply the policy constraints:

    kpt live apply
    

Config Sync

Operators using Config Sync to deploy policies to their clusters can use the following instructions:

  1. Change into the sync directory for Config Sync:

    cd SYNC_ROOT_DIR
    
  2. Run the set-enforcement-action kpt function to set the policies' enforcement action to warn:

    kpt fn eval policies/nist-sp-800-53-r5 -i gcr.io/kpt-fn/set-enforcement-action:v0.1 -- enforcementAction=warn
    
  3. Push changes to the Config Sync repo:

    git add SYNC_ROOT_DIR/policies/nist-sp-800-53-r5
    git commit -m 'Adding NIST SP 800-53 Rev. 5 policy warn enforcement'
    git push
    
  4. Verify the status of the installation:

    gcloud alpha anthos config sync repo list --project PROJECT_ID
    

    Your repo showing up in the SYNCED column confirms the installation of the policies.

Test policy enforcement

Create a non-compliant resource on the cluster using the following command:

cat <<EOF | kubectl apply -f -
apiVersion: v1
kind: Pod
metadata:
  name: wp-non-compliant
spec:
  containers:
    ‐ image: wordpress
      name: wordpress
EOF

The admission controller should produce a warning listing out the policy violations that this resource violates, as shown in the following example:

Warning: [nist-sp-800-53-r5-cpu-and-memory-limits-required] container <wordpress> does not have <{"cpu", "memory"}> limits defined
Warning: [nist-sp-800-53-r5-restrict-repos] container <wordpress> has an invalid image repo <wordpress>, allowed repos are ["gcr.io/gke-release/", "gcr.io/anthos-baremetal-release/", "gcr.io/config-management-release/", "gcr.io/kubebuilder/", "gcr.io/gkeconnect/", "gke.gcr.io/"]
pod/wp-non-compliant created

Remove NIST SP 800-53 Rev. 5 policy bundle

If needed, the NIST SP 800-53 Rev. 5 policy bundle can be removed from the cluster.

kubectl

  • Use kubectl to remove the policies:

    kubectl delete constraint -l policycontroller.gke.io/bundleName=nist-sp-800-53-r5
    

kpt

  • Remove the policies:

    kpt live destroy
    

Config Sync

Operators using Config Sync to deploy policies to their clusters can use the following instructions:

  1. Push changes to the Config Sync repo:

    git rm -r SYNC_ROOT_DIR/policies/nist-sp-800-53-r5
    git commit -m 'Removing NIST SP 800-53 Rev. 5 policies'
    git push
    
  2. Verify the status:

    gcloud alpha anthos config sync repo list --project PROJECT_ID
    

    Your repo showing up in the SYNCED column confirms the removal of the policies.