Wednesday, March 29, 2023

Harden your Kubernetes clusters and monitor workload compliance at scale with new PCI DSS policy bundle

PCI DSS is a set of network security and business best-practice requirements adopted by the PCI Security Standards Council to establish a "minimum security standard" for protecting customers' payment card information. Google Cloud undergoes a third-party audit at least annually to certify individual products against PCI DSS, and customers can build on those attestations when measuring their own applications' compliance. This post shows how to evaluate new and existing applications running on Kubernetes against PCI DSS requirements with Policy Controller.

Policy Controller enables the enforcement of fully programmable policies for your clusters. A Policy bundle is an out-of-the-box set of constraints created and maintained by Google Cloud. Policy bundles help audit your cluster resources against Kubernetes standards, industry standards, or Google Cloud-recommended best practices. Many policy bundles are available today, and new or existing users can apply them as-is without writing a single line of policy code. You can also view the status of Policy bundle coverage and compliance across your fleet of clusters in the Policy Controller dashboard.

The PCI DSS v3.2.1 Policy bundle

Security administrators in your organization can see how your applications align with the PCI DSS requirements by viewing the violations reported for the PCI DSS Policy bundle. Each constraint in the bundle is also annotated with the PCI DSS control number(s) it maps to, so a violation can be traced back to the specific PCI requirement during compliance reporting. How to view the list of violations is covered in the next section.

The PCI DSS v3.2.1 Policy bundle includes policies focusing on the following areas: 

Secure networks and systems 

Ensures requirements for a firewall by requiring all apps to contain a specified audit label.

Ensures requirements for network-controls by requiring all apps to contain a specified annotation.

Requires that every namespace defined in the cluster has a NetworkPolicy.

Requires a valid app.kubernetes.io/managed-by= label on RoleBinding resources.

Restricts the creation of resources using a default service account.

Restricts pods from using the default namespace.

Secure systems and applications

Ensures that no PeerAuthentication resource can override strict mTLS.

Requires the presence of an anti-virus DaemonSet.

Enforces the presence and enablement of Anthos Config Management.

Enforces Cloud Armor configuration on BackendConfig resources.

Strong access control and monitoring

Restricts the use of basic-auth type secrets.

Ensures consistent and correct time on nodes by requiring Container-Optimized OS as the node OS image.

Using the PCI DSS v3.2.1 Policy bundle

The PCI DSS v3.2.1 Policy bundle can be installed on Anthos clusters running Policy Controller v1.14.0 or later. The constraints it contains use the dryrun enforcement action (audit only) by default, so they do not block any existing or new workloads. You can apply Policy bundles using kubectl (demonstrated below), kpt, or Config Sync.

1. Install and initialize the Google Cloud CLI, which provides the gcloud and kubectl commands used in these instructions. If you use Cloud Shell, Google Cloud CLI comes pre-installed.

2. Install Policy Controller on your Anthos cluster with the referential constraints and the Policy Controller Constraint Template Library enabled. 

3. Save the following YAML manifest to a file named policycontroller-config.yaml. The manifest configures Policy Controller to watch (cache) specific kinds of objects: the referential constraints in the bundle, such as the anti-virus DaemonSet and per-namespace NetworkPolicy checks, can only evaluate resources that Policy Controller has been told to sync, so without this Config those constraints cannot see the objects they need to inspect.

Note: If you already have an existing Config in the gatekeeper-system namespace, you must include all previous customization settings to preserve your changes.

apiVersion: config.gatekeeper.sh/v1alpha1
kind: Config
metadata:
  name: config
  namespace: "gatekeeper-system"
spec:
  sync:
    syncOnly:
      - group: "apps"
        version: "v1"
        kind: "DaemonSet"
      - group: "networking.k8s.io"
        version: "v1"
        kind: "NetworkPolicy"

4. Apply the policycontroller-config.yaml manifest:

kubectl apply -f policycontroller-config.yaml

5. Preview the policy constraints with kubectl:

kubectl kustomize https://github.com/GoogleCloudPlatform/acm-policy-controller-library.git/anthos-bundles/pci-dss-v3.2.1

6. Apply the policy constraints with kubectl:

kubectl apply -k https://github.com/GoogleCloudPlatform/acm-policy-controller-library.git/anthos-bundles/pci-dss-v3.2.1

The output will be similar to the following:

asmpeerauthnstrictmtls.constraints.gatekeeper.sh/pci-dss-v3.2.1-asm-peer-authn-strict-mtls created
k8sblockcreationwithdefaultserviceaccount.constraints.gatekeeper.sh/pci-dss-v3.2.1-block-creation-with-default-serviceaccount created
k8sblockobjectsoftype.constraints.gatekeeper.sh/pci-dss-v3.2.1-block-secrets-of-type-basic-auth created
k8senforcecloudarmorbackendconfig.constraints.gatekeeper.sh/pci-dss-v3.2.1-enforce-cloudarmor-backendconfig created
…

7. Verify that the policy constraints have been installed and check whether violations exist across the cluster. The bundle label lets you list only the constraints that belong to this bundle:

kubectl get constraint -l policycontroller.gke.io/bundleName=pci-dss-v3.2.1

The output is similar to the following:

NAME                                                                                          ENFORCEMENT-ACTION   TOTAL-VIOLATIONS
asmpeerauthnstrictmtls.constraints.gatekeeper.sh/pci-dss-v3.2.1-asm-peer-authn-strict-mtls    dryrun               0

NAME                                                                                                                            ENFORCEMENT-ACTION   TOTAL-VIOLATIONS
k8sblockcreationwithdefaultserviceaccount.constraints.gatekeeper.sh/pci-dss-v3.2.1-block-creation-with-default-serviceaccount   dryrun               0

NAME                                                                                               ENFORCEMENT-ACTION   TOTAL-VIOLATIONS
k8sblockobjectsoftype.constraints.gatekeeper.sh/pci-dss-v3.2.1-block-secrets-of-type-basic-auth    dryrun               0
…

To remediate violations, update the YAML of the offending resources; some guidelines are included here. Each violation also includes steps to fix it, which can be viewed both from the CLI (for example, in the status of the constraint returned by kubectl get constraint -o yaml) and in the Policy Controller dashboard.
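To turn the kubectl get constraint output above into something a compliance reviewer can act on, here is an added Python example (not code from the original post or from Policy Controller) that consumes the JSON from kubectl get constraint -l policycontroller.gke.io/bundleName=pci-dss-v3.2.1 -o json and rolls violations up per constraint and per PCI DSS control, flagging any constraint that is no longer in dryrun. The bundle label is the one shown above; the policycontroller.gke.io/constraintData annotation and its bundleControlNumbers field are assumptions about where the bundle records its control numbers, so adjust those two constants if your constraints carry them elsewhere. The sample input is constructed.

```python
import json
import sys
from collections import defaultdict

BUNDLE_LABEL = "policycontroller.gke.io/bundleName"         # label shown in the post
DATA_ANNOTATION = "policycontroller.gke.io/constraintData"  # assumed annotation name
CONTROL_FIELD = "bundleControlNumbers"                      # assumed JSON field inside it


def _constraint(kind, name, bundle, controls, action, violations):
    """Build one constraint in the shape `kubectl get constraint -o json` returns."""
    return {
        "kind": kind,
        "metadata": {"name": name, "labels": {BUNDLE_LABEL: bundle},
                     "annotations": {DATA_ANNOTATION: json.dumps({CONTROL_FIELD: controls})}},
        "spec": {"enforcementAction": action},
        "status": {"totalViolations": len(violations),
                   "violations": [{"enforcementAction": action, "kind": k, "namespace": ns, "name": n}
                                  for k, ns, n in violations]},
    }


# Constructed sample input; the constraint names are illustrative, not real cluster output.
SAMPLE = json.dumps({"apiVersion": "v1", "kind": "List", "items": [
    _constraint("K8sRequireNamespaceNetworkPolicies", "pci-dss-v3.2.1-require-namespace-network-policies",
                "pci-dss-v3.2.1", ["1.1.4", "1.2"], "dryrun",
                [("Namespace", "", "payments"), ("Namespace", "", "default")]),
    _constraint("K8sBlockObjectsOfType", "pci-dss-v3.2.1-block-secrets-of-type-basic-auth",
                "pci-dss-v3.2.1", ["8.2.1"], "deny", []),
    # From a different bundle: must be ignored when reporting on PCI DSS.
    _constraint("K8sPSPPrivilegedContainer", "cis-k8s-v1.5.1-psp-privileged-container",
                "cis-k8s-v1.5.1", ["5.2.1"], "dryrun", [("Pod", "kube-system", "debug")]),
]})


def bundle_constraints(raw, bundle):
    """Keep only constraints carrying the bundle label; custom policies and other bundles drop out."""
    return [c for c in json.loads(raw).get("items", [])
            if c.get("metadata", {}).get("labels", {}).get(BUNDLE_LABEL) == bundle]


def control_numbers(constraint):
    """Read the PCI DSS control numbers from the (assumed) constraintData annotation."""
    data = constraint.get("metadata", {}).get("annotations", {}).get(DATA_ANNOTATION)
    try:
        return [str(c) for c in json.loads(data).get(CONTROL_FIELD, [])] if data else []
    except (json.JSONDecodeError, AttributeError):
        return []


def summarize(raw, bundle="pci-dss-v3.2.1"):
    """Roll audit results up per constraint and per PCI DSS control.

    Counts use status.totalViolations, not len(status.violations): the audit controller
    stores at most constraint-violations-limit entries per constraint (20 by default),
    so the list can be truncated while the total stays exact.
    """
    constraints, failing, not_dryrun = {}, defaultdict(list), []
    for c in bundle_constraints(raw, bundle):
        name = c["metadata"]["name"]
        action = c.get("spec", {}).get("enforcementAction", "deny")  # Gatekeeper's default
        total = int(c.get("status", {}).get("totalViolations", 0))
        controls = control_numbers(c)
        constraints[name] = {"action": action, "violations": total, "controls": controls}
        for ctl in (controls if total else []):
            failing[ctl].append(name)
        if action != "dryrun":
            not_dryrun.append(name)   # would block admission, contrary to the bundle default
    return {"constraints": constraints, "failing_controls": dict(failing), "not_dryrun": not_dryrun}


def report(summary):
    """Render the summary as plain text lines for a compliance hand-off."""
    lines = [f"{n}: action={i['action']} violations={i['violations']} controls={','.join(i['controls']) or '-'}"
             for n, i in sorted(summary["constraints"].items())]
    lines += [f"PCI DSS {ctl} NOT MET by: {', '.join(names)}"
              for ctl, names in sorted(summary["failing_controls"].items())]
    lines += [f"WARNING: {n} enforces instead of dryrun" for n in summary["not_dryrun"]]
    return lines


if __name__ == "__main__":  # pipe `kubectl get constraint -o json` in, or run as-is on SAMPLE
    raw = SAMPLE if sys.stdin.isatty() else (sys.stdin.read() or SAMPLE)
    print("\n".join(report(summarize(raw))))
```

Run it as kubectl get constraint -l policycontroller.gke.io/bundleName=pci-dss-v3.2.1 -o json | python3 report.py. The "NOT MET" lines are the ones to hand to the workload owners: a control is only listed when one of its constraints has a non-zero violation total, and the WARNING line catches a constraint someone switched from dryrun to deny, which the bundle does not do by default.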

Viewing the PCI DSS Policy bundle violations on Policy Dashboard

Violations on the cluster can also be viewed in the UI using the Policy Controller Dashboard.

The Policy Controller dashboard

Monitoring the cluster(s) for PCI DSS Policy Bundle violations 

The PCI DSS Policy bundle has its enforcement action set to dryrun by default, the Policy Controller configuration that reports violations without blocking or rejecting any resources. This lets you audit your clusters, share violations with workload owners, and collaborate on fixing critical security issues before switching individual constraints to deny.

All policy violations are automatically recorded in Cloud Logging and can be found by applying these filters in the Logs Explorer:

resource.type="k8s_container"
resource.labels.namespace_name="gatekeeper-system"
resource.labels.pod_name:"gatekeeper-audit-"
jsonPayload.process: "audit"
jsonPayload.event_type: "violation_audited"
jsonPayload.constraint_name:*
jsonPayload.constraint_namespace:*

You can also set up log based alerts using Cloud Monitoring for whenever policy violations occur to get notified. 
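As an added example (not code from the original post or from Gatekeeper/Policy Controller), the following Python applies the same predicate as the Logs Explorer filter above to exported log entries and turns the hits into a per-constraint alert, the way a log-based alert or a small log-sink consumer would. The log entries are constructed: the jsonPayload field names follow Gatekeeper's audit log output, the pod names are made up, and the constraint names are the ones from the bundle output earlier in this post.

```python
import json
from collections import defaultdict

AUDIT_POD = "gatekeeper-audit-6c8d9f7b5-x2k4q"                 # constructed pod names
WEBHOOK_POD = "gatekeeper-controller-manager-7d8c5b9f4-qz9pl"
NP = "pci-dss-v3.2.1-require-namespace-network-policies"       # constraint names from the bundle
SA = "pci-dss-v3.2.1-block-creation-with-default-serviceaccount"


def _entry(pod, payload, namespace="gatekeeper-system"):
    """One Cloud Logging entry for a container log line, as a sink or `gcloud logging read --format=json` emits it."""
    return json.dumps({"resource": {"type": "k8s_container",
                                    "labels": {"namespace_name": namespace, "pod_name": pod,
                                               "container_name": "manager"}},
                       "jsonPayload": payload})


def _audited(constraint, kind, rkind, rns, rname):
    """jsonPayload of a Gatekeeper audit violation (field names follow Gatekeeper's audit log output)."""
    return {"level": "info", "logger": "controller", "process": "audit", "event_type": "violation_audited",
            "constraint_kind": kind, "constraint_name": constraint, "constraint_namespace": "",
            "constraint_action": "dryrun", "resource_kind": rkind, "resource_namespace": rns,
            "resource_name": rname}


# Constructed log export, one entry per line.
SAMPLE_LOG = "\n".join([
    _entry(AUDIT_POD, _audited(NP, "K8sRequireNamespaceNetworkPolicies", "Namespace", "", "payments")),
    _entry(AUDIT_POD, _audited(NP, "K8sRequireNamespaceNetworkPolicies", "Namespace", "", "default")),
    _entry(AUDIT_POD, _audited(SA, "K8sBlockCreationWithDefaultServiceAccount", "Deployment", "payments", "checkout")),
    # Same violation re-logged on the next audit cycle: must not be counted twice.
    _entry(AUDIT_POD, _audited(NP, "K8sRequireNamespaceNetworkPolicies", "Namespace", "", "payments")),
    # Admission-time event from the webhook pod: different pod, process and event_type.
    _entry(WEBHOOK_POD, {"process": "admission", "event_type": "violation", "constraint_name": SA,
                         "constraint_namespace": ""}),
    # Ordinary audit progress line without an event_type.
    _entry(AUDIT_POD, {"level": "info", "logger": "controller", "process": "audit", "msg": "auditing constraints"}),
    # Right shape, wrong namespace (e.g. a second Gatekeeper in a test namespace).
    _entry(AUDIT_POD, _audited(NP, "K8sRequireNamespaceNetworkPolicies", "Namespace", "", "payments"), "staging"),
])


def matches_filter(entry):
    """Apply the same predicate as the Logs Explorer filter in the post.

    `:` in the Logging query language is a substring match and `:*` a presence test,
    so pod_name only has to contain 'gatekeeper-audit-' and the two constraint_*
    fields only have to exist.
    """
    res = entry.get("resource", {})
    labels = res.get("labels", {})
    p = entry.get("jsonPayload", {})
    return (res.get("type") == "k8s_container"
            and labels.get("namespace_name") == "gatekeeper-system"
            and "gatekeeper-audit-" in labels.get("pod_name", "")
            and p.get("process") == "audit"
            and p.get("event_type") == "violation_audited"
            and "constraint_name" in p and "constraint_namespace" in p)


def audited_violations(log_text):
    """Return {constraint_name: {(resource_kind, namespace, name), ...}} for matching entries.

    Deduplicated per violating resource: the audit controller re-emits every open violation
    on each cycle (every --audit-interval, 60 s by default), so raw line counts would grow
    with time rather than with the number of problems.
    """
    found = defaultdict(set)
    for line in log_text.splitlines():
        try:
            entry = json.loads(line)
        except json.JSONDecodeError:
            continue
        if matches_filter(entry):
            p = entry["jsonPayload"]
            found[p["constraint_name"]].add((p.get("resource_kind"), p.get("resource_namespace", ""),
                                             p.get("resource_name")))
    return dict(found)


def alerts(found, bundle_prefix="pci-dss-v3.2.1-", threshold=1):
    """Constraints of the bundle with at least `threshold` distinct violating resources."""
    return {c: len(r) for c, r in sorted(found.items()) if c.startswith(bundle_prefix) and len(r) >= threshold}


if __name__ == "__main__":
    for constraint, count in alerts(audited_violations(SAMPLE_LOG)).items():
        print(f"ALERT {constraint}: {count} resource(s) in violation")
```

The deduplication is the part worth carrying over into a real alerting policy: because the audit controller logs every open violation again on every cycle, a Cloud Monitoring log-based alert on the raw match count will keep firing for the same problem, so count distinct (constraint, resource) pairs or alert on a rate of new pairs instead.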

Policy Controller also exposes metrics about policy usage, such as the number of constraints, the number of constraint templates, and the number of audit violations detected (see the list of exposed metrics). These metrics can be exported to Cloud Monitoring and/or Prometheus at install time (blog, docs), and you can set up alerts on them as well.

Conclusion

Policy Controller enables the enforcement of both Google-created and maintained Policy bundles and your own custom policies, preventing changes submitted to the Kubernetes API from violating security, operational, or compliance controls. Optionally, Policy Controller can also be used to analyze configuration for compliance before it is deployed to your Kubernetes cluster.

Get started today

The easiest way to get started with Anthos Policy Controller is to install Policy Controller and try out some of the other Google created and maintained Policy bundles:

Anthos Service Mesh security

CIS Kubernetes Benchmark v1.5.1

Pod Security Policy

Pod Security Standards Baseline

Pod Security Standards Restricted

Policy Essentials
