Use Pod Security Standards Baseline policy constraints

Policy Controller comes with a default library of constraint templates that you can use with the Pod Security Standards Baseline bundle. This bundle lets you achieve many of the same protections as the Kubernetes Pod Security Standards (PSS) Baseline policy, with the ability to test your policies before enforcing them and exclude coverage of specific resources.

This page contains instructions for manually applying a policy bundle. Alternatively, you can apply policy bundles directly.

This page is for IT administrators and Operators who want to ensure that all resources running within the cloud platform meet organizational compliance requirements by providing and maintaining automation to audit or enforce. To learn more about common roles and example tasks that we reference in Google Cloud content, see Common GKE Enterprise user roles and tasks.

Pod Security Standards Baseline policy bundle constraints

Constraint Name Constraint Description Control Name
pss-baseline-v2022-hostprocess Usage of Windows HostProcess HostProcess
pss-baseline-v2022-host-namespaces-hostnetwork Use of host networking Host Namespaces
pss-baseline-v2022-host-namespaces-host-pid-ipc Usage of host namespaces
pss-baseline-v2022-privileged-containers Running of privileged containers Privileged Containers
pss-baseline-v2022-capabilities Linux capabilities Capabilities
pss-baseline-v2022-hostpath-volumes Usage of the host filesystem HostPath Volumes
pss-baseline-v2022-host-ports Usage of host ports Host Ports (configurable)
pss-baseline-v2022-apparmor The AppArmor profile used by containers AppArmor
pss-baseline-v2022-selinux The SELinux context of the container SELinux
pss-baseline-v2022-proc-mount-type The Allowed Proc Mount types for the container /proc Mount Type
pss-baseline-v2022-seccomp The seccomp profile used by containers Seccomp
pss-baseline-v2022-sysctls The sysctl profile used by containers Sysctls

Before you begin

  1. Install and initialize the Google Cloud CLI, which provides the gcloud and kubectl commands used in these instructions. If you use Cloud Shell, Google Cloud CLI comes pre-installed.
  2. Install Policy Controller v.1.14.1 or higher on your cluster with the default library of constraint templates.

Audit Pod Security Standards Baseline policy bundle

Policy Controller lets you enforce policies for your Kubernetes cluster. To help test your workloads and their compliance with regard to the Google recommended best practices outlined in the preceding table, you can deploy these constraints in "audit" mode to reveal violations and more importantly give yourself a chance to fix them before enforcing on your Kubernetes cluster.

You can apply these policies with spec.enforcementAction set to dryrun using kubectl, kpt, or Config Sync.

kubectl

  1. (Optional) Preview the policy constraints with kubectl:

    kubectl kustomize https://github.com/GoogleCloudPlatform/gke-policy-library.git/bundles/pss-baseline-v2022

  2. Apply the policy constraints with kubectl:

    kubectl apply -k https://github.com/GoogleCloudPlatform/gke-policy-library.git/bundles/pss-baseline-v2022

    The output is the following:

    k8spspapparmor.constraints.gatekeeper.sh/pss-baseline-v2022-apparmor created
k8spspcapabilities.constraints.gatekeeper.sh/pss-baseline-v2022-capabilities created
k8spsphostfilesystem.constraints.gatekeeper.sh/pss-baseline-v2022-hostpath-volumes created
k8spsphostnamespace.constraints.gatekeeper.sh/pss-baseline-v2022-host-namespaces-host-pid-ipc created
k8spsphostnetworkingports.constraints.gatekeeper.sh/pss-baseline-v2022-host-namespaces-hostnetwork created
k8spsphostnetworkingports.constraints.gatekeeper.sh/pss-baseline-v2022-host-ports created
k8spspprivilegedcontainer.constraints.gatekeeper.sh/pss-baseline-v2022-privileged-containers created
k8spspprocmount.constraints.gatekeeper.sh/pss-baseline-v2022-proc-mount-type created
k8spspselinuxv2.constraints.gatekeeper.sh/pss-baseline-v2022-selinux created
k8spspseccomp.constraints.gatekeeper.sh/pss-baseline-v2022-seccomp created
k8spspforbiddensysctls.constraints.gatekeeper.sh/pss-baseline-v2022-sysctls created

  3. Verify that policy constraints have been installed and check if violations exist across the cluster:

    kubectl get -k https://github.com/GoogleCloudPlatform/gke-policy-library.git/bundles/pss-baseline-v2022

    The output is similar to the following:

    NAME                                                                   ENFORCEMENT-ACTION   TOTAL-VIOLATIONS
k8spspapparmor.constraints.gatekeeper.sh/pss-baseline-v2022-apparmor                        0

NAME                                                                           ENFORCEMENT-ACTION   TOTAL-VIOLATIONS
k8spspcapabilities.constraints.gatekeeper.sh/pss-baseline-v2022-capabilities   dryrun               0

NAME                                                                                 ENFORCEMENT-ACTION   TOTAL-VIOLATIONS
k8spsphostfilesystem.constraints.gatekeeper.sh/pss-baseline-v2022-hostpath-volumes                        0

NAME                                                                                            ENFORCEMENT-ACTION   TOTAL-VIOLATIONS
k8spsphostnamespace.constraints.gatekeeper.sh/pss-baseline-v2022-host-namespaces-host-pid-ipc   dryrun               0

NAME                                                                                                 ENFORCEMENT-ACTION   TOTAL-VIOLATIONS
k8spsphostnetworkingports.constraints.gatekeeper.sh/pss-baseline-v2022-host-namespaces-hostnetwork   dryrun               0
k8spsphostnetworkingports.constraints.gatekeeper.sh/pss-baseline-v2022-host-ports                    dryrun               0

NAME                                                                                           ENFORCEMENT-ACTION   TOTAL-VIOLATIONS
k8spspprivilegedcontainer.constraints.gatekeeper.sh/pss-baseline-v2022-privileged-containers   dryrun               0

NAME                                                                           ENFORCEMENT-ACTION   TOTAL-VIOLATIONS
k8spspprocmount.constraints.gatekeeper.sh/pss-baseline-v2022-proc-mount-type                        0

NAME                                                                   ENFORCEMENT-ACTION   TOTAL-VIOLATIONS
k8spspselinuxv2.constraints.gatekeeper.sh/pss-baseline-v2022-selinux                        0

NAME                                                                 ENFORCEMENT-ACTION   TOTAL-VIOLATIONS
k8spspseccomp.constraints.gatekeeper.sh/pss-baseline-v2022-seccomp   dryrun               0

NAME                                                                          ENFORCEMENT-ACTION   TOTAL-VIOLATIONS
k8spspforbiddensysctls.constraints.gatekeeper.sh/pss-baseline-v2022-sysctls   dryrun               0

  4. (Optional) Adjust the pss-baseline-v2022-host-ports constraint to include a minimum restricted known list of ports for your cluster environment:

    parameters:
  # A minimum restricted known list can be implemented here.
  min: 0
  max: 0

kpt

  1. Install and setup kpt. kpt is used in these instructions to customize and deploy Kubernetes resources.

  2. Download the Pod Security Standards (PSS) Baseline v2022 policy bundle from GitHub using kpt:

    kpt pkg get https://github.com/GoogleCloudPlatform/gke-policy-library.git/bundles/pss-baseline-v2022

  3. Run the set-enforcement-action kpt function to set the policies' enforcement action to dryrun:

    kpt fn eval pss-baseline-v2022 -i gcr.io/kpt-fn/set-enforcement-action:v0.1 \
  -- enforcementAction=dryrun

  4. Initialize the working directory with kpt, which creates a resource to track changes:

    cd pss-baseline-v2022
kpt live init

  5. (Optional) Adjust the pss-baseline-v2022-host-ports constraint file to include a minimum restricted known list of ports for your cluster environment:

    parameters:
  # A minimum restricted known list can be implemented here.
  min: 0
  max: 0

  6. Apply the policy constraints with kpt:

    kpt live apply

  7. Verify that policy constraints have been installed and check if violations exist across the cluster:

    kpt live status --output table --poll-until current

    A status of CURRENT confirms successful installation of the constraints.

Config Sync

  1. Install and setup kpt. kpt is used in these instructions to customize and deploy Kubernetes resources.

Operators using Config Sync to deploy policies to their clusters can use the following instructions:

  1. Change into the sync directory for Config Sync:

    cd SYNC_ROOT_DIR

    To create or append .gitignore with resourcegroup.yaml: 

    echo resourcegroup.yaml >> .gitignore

  2. Create a dedicated policies directory:

    mkdir -p policies

  3. Download the Pod Security Standards (PSS) Baseline v2022 policy bundle from GitHub using kpt:

    kpt pkg get https://github.com/GoogleCloudPlatform/gke-policy-library.git/bundles/pss-baseline-v2022 policies/pss-baseline-v2022

  4. Run the set-enforcement-action kpt function to set the policies' enforcement action to dryrun:

    kpt fn eval policies/pss-baseline-v2022 -i gcr.io/kpt-fn/set-enforcement-action:v0.1 -- enforcementAction=dryrun

  5. (Optional) Adjust the pss-baseline-v2022-host-ports constraint file to include a minimum restricted known list of ports for your cluster environment:

    parameters:
  # A minimum restricted known list can be implemented here.
  min: 0
  max: 0

  6. (Optional) Preview the policy constraints to be created:

    kpt live init policies/pss-baseline-v2022
kpt live apply --dry-run policies/pss-baseline-v2022

    The output is the following:

    Dry-run strategy: client
inventory update started
inventory update finished
apply phase started
k8spspapparmor.constraints.gatekeeper.sh/pss-baseline-v2022-apparmor apply successful
k8spspcapabilities.constraints.gatekeeper.sh/pss-baseline-v2022-capabilities apply successful
k8spsphostfilesystem.constraints.gatekeeper.sh/pss-baseline-v2022-hostpath-volumes apply successful
k8spsphostnamespace.constraints.gatekeeper.sh/pss-baseline-v2022-host-namespaces-host-pid-ipc apply successful
k8spsphostnetworkingports.constraints.gatekeeper.sh/pss-baseline-v2022-host-namespaces-hostnetwork apply successful
k8spsphostnetworkingports.constraints.gatekeeper.sh/pss-baseline-v2022-host-ports apply successful
k8spspprivilegedcontainer.constraints.gatekeeper.sh/pss-baseline-v2022-privileged-containers apply successful
k8spspprocmount.constraints.gatekeeper.sh/pss-baseline-v2022-proc-mount-type apply successful
k8spspselinuxv2.constraints.gatekeeper.sh/pss-baseline-v2022-selinux apply successful
k8spspseccomp.constraints.gatekeeper.sh/pss-baseline-v2022-seccomp apply successful
apply phase finished
inventory update started
inventory update finished
apply result: 10 attempted, 10 successful, 0 skipped, 0 failed

  7. If your sync directory for Config Sync uses Kustomize, add policies/pss-baseline-v2022 to your root kustomization.yaml. Otherwise remove the policies/pss-baseline-v2022/kustomization.yaml file:

    rm SYNC_ROOT_DIR/policies/pss-baseline-v2022/kustomization.yaml

  8. Push changes to the Config Sync repo:

    git add SYNC_ROOT_DIR/pss-baseline-v2022
git commit -m 'Adding Pod Security Standards Baseline audit enforcement'
git push

  9. Verify the status of the installation:

    watch gcloud beta container fleet config-management status --project PROJECT_ID

    A status of SYNCED confirms the installation of the policies.

View policy violations

Once the policy constraints are installed in audit mode, violations on the cluster can be viewed in the UI using the Policy Controller Dashboard.

You can also use kubectl to view violations on the cluster using the following command:

kubectl get constraint -l policycontroller.gke.io/bundleName=pss-baseline-v2022 -o json | jq -cC '.items[]| [.metadata.name,.status.totalViolations]'

If violations are present, a listing of the violation messages per constraint can be viewed with:

kubectl get constraint -l policycontroller.gke.io/bundleName=pss-baseline-v2022 -o json | jq -C '.items[]| select(.status.totalViolations>0)| [.metadata.name,.status.violations[]?]'

Change Pod Security Standards Baseline policy bundle enforcement action

Once you've reviewed policy violations on your cluster, you can consider changing the enforcement mode so the Admission Controller will either warn on or even deny block non-compliant resource from getting applied to the cluster.

kubectl

  1. Use kubectl to set the policies' enforcement action to warn:

    kubectl get constraint -l policycontroller.gke.io/bundleName=pss-baseline-v2022 -o name | xargs -I {} kubectl patch {} --type='json' -p='[{"op":"replace","path":"/spec/enforcementAction","value":"warn"}]'

  2. Verify that policy constraints enforcement action have been updated:

    kubectl get constraint -l policycontroller.gke.io/bundleName=pss-baseline-v2022

kpt

  1. Run the set-enforcement-action kpt function to set the policies' enforcement action to warn:

    kpt fn eval -i gcr.io/kpt-fn/set-enforcement-action:v0.1 -- enforcementAction=warn

  2. Apply the policy constraints:

    kpt live apply

Config Sync

Operators using Config Sync to deploy policies to their clusters can use the following instructions:

  1. Change into the sync directory for Config Sync:

    cd SYNC_ROOT_DIR

  2. Run the set-enforcement-action kpt function to set the policies' enforcement action to warn:

    kpt fn eval policies/pss-baseline-v2022 -i gcr.io/kpt-fn/set-enforcement-action:v0.1 -- enforcementAction=warn

  3. Push changes to the Config Sync repo:

    git add SYNC_ROOT_DIR/policies/pss-baseline-v2022
git commit -m 'Adding Pod Security Standards Baseline policy bundle warn enforcement'
git push

  4. Verify the status of the installation:

    gcloud alpha anthos config sync repo list --project PROJECT_ID

    Your repo showing up in the SYNCED column confirms the installation of the policies.

Test policy enforcement

Create a non-compliant resource on the cluster using the following command:

cat <<EOF | kubectl apply -f -
apiVersion: v1
kind: Pod
metadata:
  namespace: default
  name: wp-non-compliant
  labels:
    app: wordpress
spec:
  containers:
    - image: wordpress
      name: wordpress
      ports:
      - containerPort: 80
        hostPort: 80
        name: wordpress
EOF

The admission controller should produce a warning listing out the policy violations that this resource violates, as shown in the following example:

Warning:  [pss-baseline-v2022-host-ports] The specified hostNetwork and hostPort are not allowed, pod: wp-non-compliant. Allowed values: {"max": 0, "min": 0}
pod/wp-non-compliant created

Remove Pod Security Standards Baseline policy bundle

If needed, the Pod Security Standards Baseline policy bundle can be removed from the cluster.

kubectl

  • Use kubectl to remove the policies:

    kubectl delete constraint -l policycontroller.gke.io/bundleName=pss-baseline-v2022

kpt

  • Remove the policies:

    kpt live destroy

Config Sync

Operators using Config Sync to deploy policies to their clusters can use the following instructions:

  1. Push changes to the Config Sync repo:

    git rm -r SYNC_ROOT_DIR/policies/pss-baseline-v2022
git commit -m 'Removing Pod Security Standards Baseline policies'
git push

  2. Verify the status:

    gcloud alpha anthos config sync repo list --project PROJECT_ID

    Your repo showing up in the SYNCED column confirms the removal of the policies.