aster.cloud aster.cloud
  • /
  • Platforms
    • Public Cloud
    • On-Premise
    • Hybrid Cloud
    • Data
  • Architecture
    • Design
    • Solutions
    • Enterprise
  • Engineering
    • Automation
    • Software Engineering
    • Project Management
    • DevOps
  • Programming
    • Learning
  • Tools
  • About
  • /
  • Platforms
    • Public Cloud
    • On-Premise
    • Hybrid Cloud
    • Data
  • Architecture
    • Design
    • Solutions
    • Enterprise
  • Engineering
    • Automation
    • Software Engineering
    • Project Management
    • DevOps
  • Programming
    • Learning
  • Tools
  • About
aster.cloud aster.cloud
  • /
  • Platforms
    • Public Cloud
    • On-Premise
    • Hybrid Cloud
    • Data
  • Architecture
    • Design
    • Solutions
    • Enterprise
  • Engineering
    • Automation
    • Software Engineering
    • Project Management
    • DevOps
  • Programming
    • Learning
  • Tools
  • About
  • Engineering

Anthos Config Management: Enforcing The CIS Benchmark With Policy Controller

  • aster.cloud
  • January 12, 2022
  • 3 minute read

Many companies were forced to accelerate their digital transformation by rolling out new apps and services to help them adapt to the disruption caused by COVID-19. Kubernetes played a vital role to address this challenge as organizations around the globe focused on containerizing their applications in production. Although 84% of global security decision makers report that they have security policies in place for the use of containers, only 45% report that they have the right tooling in place to support those policies. While there are signs of progress, there is more we can and should do.1

Anthos Config Management (ACM) aims at solving this problem by providing administrators creating and enforcing consistent configurations and security policies across an organization’s fleet of clusters.


Partner with aster.cloud
for your next big idea.
Let us know here.



From our partners:

CITI.IO :: Business. Institutions. Society. Global Political Economy.
CYBERPOGO.COM :: For the Arts, Sciences, and Technology.
DADAHACKS.COM :: Parenting For The Rest Of Us.
ZEDISTA.COM :: Entertainment. Sports. Culture. Escape.
TAKUMAKU.COM :: For The Hearth And Home.
ASTER.CLOUD :: From The Cloud And Beyond.
LIWAIWAI.COM :: Intelligence, Inside and Outside.
GLOBALCLOUDPLATFORMS.COM :: For The World's Computing Needs.
FIREGULAMAN.COM :: For The Fire In The Belly Of The Coder.
ASTERCASTER.COM :: Supra Astra. Beyond The Stars.
BARTDAY.COM :: Prosperity For Everyone.

The focus of this article is Policy Controller, a feature of ACM based on the Open Policy Agent Gatekeeper project, that comes with a full library of pre-built policies for common security and compliance controls.

CIS Benchmark for Kubernetes

To help customers enhance the security posture of their workloads, the CIS organization has developed a guideline based on security objectives and community consensus which is called the Kubernetes CIS benchmark. Although the scope of the benchmark is fairly broad, this article focuses on the CIS policy bundle that is provided with the sample repository when configuring ACM.

The CIS policy bundle addresses and enforces policies in the following areas:

  1. RBAC and Service Accounts – restricting the use of cluster-admin role except for the system:masters group. Additionally, restricting the use of wildcard in Roles and ClusterRoles
  2. Pod Security Policies – restricting the use of privileged containers, restricting admission containers wishing to share the host process ID, host IPC or host network namespace , restricting containers asking for allowPrivilegeEscalation, restricting containers from running as root users and finally requiring containers to drop the NET_RAW capability that can allow containers to exchange raw packets over ICMP.
  3. Network Policies and CNI – requiring all namespaces to have a network policy defined.
  4. Secrets Management – prohibiting the use of secrets as environment variables and instead encouraging the use of mounted secret files in data volumes.
  5. General Policies – restricting deployment of resources in  default namespace, requiring all pods to have securityContext defined and seccomp profile set to docker/default.

Conusuming the CIS Bundle via ACM UI

In addition to launching the CIS bundle, we have built a new UI for ACM which allows you to get started with minimal configurations. In particular, setting up ACM will now include installing Policy Controller by default and setting up Config Sync to pull from an essential baseline repository.

Read More  Google Cloud, Nokia Partner To Accelerate Cloud-Native 5G Readiness For Communications Providers

 

This essentials repository is in unstructured mode, which gives you the freedom to fork it and organize resources as you see fit. Out of the box, it applies the CIS benchmark to all clusters and namespaces.

Monitoring your cluster(s) for violations

The CIS policy bundle by default has its enforcement action set to dryrun which is the configuration for Policy Controller to show you violations without blocking or aborting any resources. This gives you the ability to audit your clusters, share any violations with workload owners and collaborate on fixing critical security issues.

All policy violations are automatically recorded in Cloud Logging and can be found by applying these filters in the Logs Explorer:

 

resource.type="k8s_container"
resource.labels.location=CLUSTER_LOCATION
resource.labels.namespace_name="gatekeeper-system"
resource.labels.pod_name:"gatekeeper-audit-"
jsonPayload.process: "audit"
jsonPayload.event_type: "violation_audited"
jsonPayload.constraint_name:*
jsonPayload.constraint_namespace:*

 

You can also use Cloud Monitoring to set up alerts for whenever policy violations occur.

Once you’ve had the chance to review all violations and are ready to turn on the enforcement of policies by blocking any non-compliant resources, you should change the enforcement action on each constraint to deny. This can be done in bulk by using the set-enforcement-action kpt function.

Conclusion

The need for monitoring and neutralizing security threats is growing and will continue to grow as we innovate with modern and distributed application development platforms such as Kubernetes. Without proper governance and tools in place, this growth can easily become an overhead for IT organizations. Anthos Config Management can help bring structure to this by providing central control over policies and traceability using Git. Explore Anthos Config Management best practices, quickstarts, and tutorials here. We also encourage you to try out the CIS policy bundle that is provided with the sample repository when you are configuring using Anthos Config Management.

Read More  Snooze Your Alert Policies In Cloud Monitoring

1. Best Practices For Container Security, Forrester, July 2020

 

 

By: Awais Malik (Solutions Architect, Anthos)
Source: Google Cloud Blog


For enquiries, product placements, sponsorships, and collaborations, connect with us at [email protected]. We'd love to hear from you!

Our humans need coffee too! Your support is highly appreciated, thank you!

aster.cloud

Related Topics
  • Anthos
  • Google Cloud
  • Kubernetes
You May Also Like
View Post
  • Engineering

Just make it scale: An Aurora DSQL story

  • May 29, 2025
View Post
  • Engineering
  • Technology

Guide: Our top four AI Hypercomputer use cases, reference architectures and tutorials

  • March 9, 2025
View Post
  • Computing
  • Engineering

Why a decades old architecture decision is impeding the power of AI computing

  • February 19, 2025
View Post
  • Engineering
  • Software Engineering

This Month in Julia World

  • January 17, 2025
View Post
  • Engineering
  • Software Engineering

Google Summer of Code 2025 is here!

  • January 17, 2025
View Post
  • Data
  • Engineering

Hiding in Plain Site: Attackers Sneaking Malware into Images on Websites

  • January 16, 2025
View Post
  • Computing
  • Design
  • Engineering
  • Technology

Here’s why it’s important to build long-term cryptographic resilience

  • December 24, 2024
IBM and Ferrari Premium Partner
View Post
  • Data
  • Engineering

IBM Selected as Official Fan Engagement and Data Analytics Partner for Scuderia Ferrari HP

  • November 7, 2024

Stay Connected!
LATEST
  • 1
    The Summer Adventures : Hiking and Nature Walks Essentials
    • June 2, 2025
  • 2
    Just make it scale: An Aurora DSQL story
    • May 29, 2025
  • 3
    Reliance on US tech providers is making IT leaders skittish
    • May 28, 2025
  • Examine the 4 types of edge computing, with examples
    • May 28, 2025
  • AI and private cloud: 2 lessons from Dell Tech World 2025
    • May 28, 2025
  • 6
    TD Synnex named as UK distributor for Cohesity
    • May 28, 2025
  • Weigh these 6 enterprise advantages of storage as a service
    • May 28, 2025
  • 8
    Broadcom’s ‘harsh’ VMware contracts are costing customers up to 1,500% more
    • May 28, 2025
  • 9
    Pulsant targets partner diversity with new IaaS solution
    • May 23, 2025
  • 10
    Growing AI workloads are causing hybrid cloud headaches
    • May 23, 2025
about
Hello World!

We are aster.cloud. We’re created by programmers for programmers.

Our site aims to provide guides, programming tips, reviews, and interesting materials for tech people and those who want to learn in general.

We would like to hear from you.

If you have any feedback, enquiries, or sponsorship request, kindly reach out to us at:

[email protected]
Most Popular
  • Understand how Windows Server 2025 PAYG licensing works
    • May 20, 2025
  • By the numbers: How upskilling fills the IT skills gap
    • May 21, 2025
  • 3
    Cloud adoption isn’t all it’s cut out to be as enterprises report growing dissatisfaction
    • May 15, 2025
  • 4
    Hybrid cloud is complicated – Red Hat’s new AI assistant wants to solve that
    • May 20, 2025
  • 5
    Google is getting serious on cloud sovereignty
    • May 22, 2025
  • /
  • Technology
  • Tools
  • About
  • Contact Us

Input your search keywords and press Enter.