Without a policy enforcement layer, any workload can be deployed to your cluster regardless of its security posture. Container Service for Kubernetes (ACK) integrates Open Policy Agent (OPA) as a Gatekeeper admission controller to intercept pod deployments and updates before they are applied, so only workloads that comply with your security policies can run in the cluster. The policy governance feature extends OPA with status monitoring, log collection, and log retrieval, and provides a library of predefined security policies that you configure directly in the ACK console.
PodSecurityPolicy (PSP) is deprecated as of Kubernetes 1.21. The ACK policy governance feature replaces PSP-based policy management.
Prerequisites
Before you begin, ensure that you have:
- An ACK managed cluster or ACK dedicated cluster running Kubernetes 1.16 or later. See Create an ACK dedicated cluster or Create an ACK managed cluster. To upgrade an existing cluster, see Update an ACK cluster.
- If you manage security policies as a Resource Access Management (RAM) user, the following RAM permissions. To create a custom RAM policy, see Create a custom RAM policy.

| Permission | Description |
|---|---|
| cs:DescribePolicies | Query policies |
| cs:DescribePolicyDetails | Query information about a policy |
| cs:DescribePolicyGovernanceInCluster | Query policy information in a cluster |
| cs:DescribePolicyInstances | Query a policy instance deployed in a cluster |
| cs:DescribePolicyInstancesStatus | Query policy instance information in a cluster |
| cs:DeployPolicyInstance | Deploy a policy instance in a cluster |
| cs:DeletePolicyInstance | Delete policy instances in a cluster |
| cs:ModifyPolicyInstance | Modify a policy instance in a cluster |
Limitations
- Policy governance applies only to Linux nodes.
- Only predefined ACK policies are supported. Custom policies are not available.
Step 1: Install or update policy governance components
The policy governance feature requires three components:
| Component | Description |
|---|---|
| gatekeeper | An OPA-based Kubernetes admission controller that manages and enforces security policies in ACK clusters, including namespace label management. Use only the gatekeeper component provided by ACK. If you have a third-party gatekeeper installed, uninstall it first. For release notes, see gatekeeper. |
| logtail-ds | A log component that collects and retrieves blocking and alerting events generated by security policy violations. |
| policy-template-controller | A Kubernetes controller based on Alibaba Cloud security policy templates that manages the status of ACK clusters and policy instances across different policy templates. |
To install or update these components:
- Log on to the ACK console. In the left-side navigation pane, click Clusters.
- On the Clusters page, click the name of the target cluster. In the left-side pane, choose Security > Policy Governance.
- On the Policy Governance page, follow the on-screen instructions to install or update the components.
Step 2: Work with policy governance
View security policy overview
On the Policy Governance page, click the Overview tab to see:
- A summary of security policies in the cluster: the number of high-risk and medium-risk policies, how many of each are enabled, and policies suggested for enablement.
- The number of blocking events and alerting events from the previous seven days.
- Policy enforcement records from the previous seven days. The table shows the most recent 100 blocking or alerting events by default.
To view all events beyond the default 100, hover over the icon next to Actions within Last 7 Days, then click the Simple Log Service link in the pop-up to log on to the Simple Log Service console and view all logs in the corresponding Logstore.
Create a policy instance
Click the My Policies tab, then click Create Policy Instance and configure the following parameters.
| Parameter | Description |
|---|---|
| Policy Type | The category of security control. See Policy types for details. |
| Action | Block: prevents resource deployments that match the policy. Alert: generates alerts for matching deployments without blocking them. Start with Alert to observe impact before switching to Block. |
| Policy Name | Select a policy from the drop-down list. |
| Applicable Scope | The namespaces to which the policy instance applies. |
| Parameters | If the editor is blank, no parameters are required. If parameters are shown, configure them based on the descriptions. |
Tip: When rolling out a new policy in production, start with the Alert action to identify which workloads would be affected. After you confirm no critical workloads are flagged, switch to Block to enforce the policy. This prevents unexpected disruptions to running services.
Policy types
| Type | What it controls |
|---|---|
| Infra | Infrastructure resources — enforces security control on infrastructure resources. |
| Compliance | Kubernetes security baselines — ensures security compliance with baselines defined by Alibaba Cloud Kubernetes Security Hardening. |
| PSP | Pod-level security settings — substitutes the PSP resource. |
| K8s-general | Kubernetes resources — enforces security control on Kubernetes resources based on Alibaba Cloud security best practices. |
View and manage existing policies
On the My Policies tab, all policies in the current cluster are listed. Use the filters in the upper-right corner to narrow the list. Enabled policies appear at the top. The Instances column shows how many policy instances are deployed for each policy.
If the Instances count is zero, the policy is not deployed. Click Enable in the Actions column to configure and deploy it.
To modify a policy instance, click Modify in the Actions column. If more than one instance is deployed for a policy, click View Instances first, then click Modify for the target instance.
To remove all instances for a policy, click Delete in the Actions column.
For a full list of predefined policies and their templates, see Predefined security policies of ACK.
What's next
- Review all predefined policies available for policy governance (Compliance, Infra, K8s-general, and PSP): Predefined security policies of ACK.
- Run cluster inspections to identify security risks in workload configurations: Use the inspection feature to detect security risks in the workloads of an ACK cluster.