We recommend that you enable the policy governance feature to meet compliance requirements and enhance cluster security. The policy governance feature provides security policies that are suitable for Kubernetes scenarios, including Infra (infrastructure resources), Compliance (Kubernetes security compliance), PSP (PodSecurityPolicy-based extension), and K8s-general (general-purpose policies). You can enable or customize security policies for containerized applications in the Container Service for Kubernetes (ACK) console to verify the security of pod deployment and updates.
Introduction to policy governance
PSP is marked as Deprecated in Kubernetes 1.21 and later. Therefore, ACK optimizes the PSP-based policy governance feature. ACK uses OPA as a Gatekeeper admission controller to extend features, such as policy governance status monitoring, log collection, and log retrieval. In addition, a variety of policy libraries are provided to allow you to use more security policies that target Kubernetes scenarios. You can directly configure security policies in the console, which greatly simplifies policy governance configuration.
Prerequisites
The cluster runs Kubernetes 1.16 or later. For more information about how to update an ACK cluster, see Manually update ACK clusters.
When you manage security policies as a Resource Access Management (RAM) user, make sure that the RAM user is granted the following permissions:
cs:DescribePolicies
: queries policies.cs:DescribePoliceDetails
: queries information about a policy.cs:DescribePolicyGovernanceInCluster
: queries information about policies in a cluster.cs:DescribePolicyInstances
: queries a policy instance that is deployed in a cluster.cs:DescribePolicyInstancesStatus
: queries information about policy instances in a cluster.cs:DeployPolicyInstance
: deploys a policy instance in a cluster.cs:DeletePolicyInstance
: deletes policy instances in a cluster.cs:ModifyPolicyInstance
: modifies a policy instance in a cluster.
For more information about how to create custom RAM policies, see Create a custom RAM policy.
Usage notes
The policy governance feature is applicable only to Linux nodes.
Custom policies are not supported. All policies are from the built-in policy libraries of ACK.
Step 1: Install or update the policy governance components
Log on to the ACK console. In the left-side navigation pane, click Clusters.
On the Clusters page, find the cluster that you want to manage and click its name. In the left-side pane, choose .
On the Policy Governance page, follow the on-screen instructions to install or update the components.
To enable policy governance, you must install the following components: The following components are free of charge but consume your pod resources.
gatekeeper: an OPA-based Kubernetes admission controller. You can use this component to manage and use security policies executed by OPA in ACK clusters. This allows you to manage namespace labels.
NoteYou can use only the gatekeeper component provided by ACK. If you use a gatekeeper component that is not provided by ACK, uninstall it and then install the component provided by ACK. For more information about the release notes for the gatekeeper component, see gatekeeper.
logtail-ds: This component can be used to collect and retrieve blocking or alerting events that are generated due to security policy compliance issues.
policy-template-controller: a Kubernetes controller developed based on Alibaba Cloud security policy templates. You can use this component to manage the status of ACK clusters and policy instances deployed from different policy templates.
Step 2: Work with the policy governance feature
Platform
Log on to the ACK console. In the left-side navigation pane, click Clusters.
On the Clusters page, find the cluster that you want to manage and click its name. In the left-side pane, choose .
On the Policy Governance page, follow the on-screen instructions to install or update the components, and then perform the following operations on demand.
View information about security policies in the current cluster
You can click the Overview tab to view information about security policies in the current cluster.
An overview of security policies in the cluster, including the numbers of high-risk policies, high-risk policies that are enabled, medium-risk policies, and medium-risk policies that are enabled. Security policies that the system suggests you to enable are also listed.
The numbers of blocking events and alerting events that are generated within the previous seven days.
The records of the latest 100 events that are generated within the last 7 days. To view more information about the audit log, click the icon next to Actions within Last 7 Days. In the tooltip that appears, click the hyperlink to go to the Logstore details page in the Log Service console. You can view the log that is stored in the Logstore.
Create and manage policy instances
Click the My Policies tab. Then, click Create Policy Instance and configure parameters in the Create Policy Instance dialog box.
Parameter | Description |
Policy Type | Select a policy type. Valid values:
For more information, see Predefined security policies of ACK. |
Policy Name | Select a policy name from the drop-down list. |
Action |
|
Applicable Scope | Select the namespaces to which you want to apply the policy instance. |
Parameters |
|
View policies and policy instances in the current cluster
Click the My Policies tab to view all policies in the current cluster.
You can click the filter conditions in the upper-right corner of the list to filter policies. Enabled policies are displayed at the top of the list. The Instances column displays the number of policy instances deployed for each policy.
If the number of policy instances is zero, the corresponding policy is not deployed in the cluster. You can click Enable in the Actions column of the policy to configure and deploy policy instances.
To modify the configuration of policy instances, click Modify in the Actions column.
If more than one policy instance is deployed for a policy, you can click View Instances in the Actions column and click Modify to modify the configuration.
Click Delete in the Actions column to delete all policy instances deployed for a policy.
For more information about security policies and their templates, see Predefined security policies of ACK.
Related operations: Enable deletion protection for a namespace or a Service
After you enable the policy governance feature by performing Step 1: Install or update the policy governance components, you can also enable deletion protection for namespaces or Services that involve businesses-critical and sensitive data to avoid incurring maintenance costs caused by accidental namespace or Service deletion. After you enable deletion protection, the resources can be deleted only after you manually disable deletion protection.
The following content describes how to enable deletion protection for an existing namespace. You can also go to the corresponding page in the console and follow the on-screen instructions to enable deletion protection for other resources.
Log on to the ACK console. In the left-side navigation pane, click Clusters.
On the Clusters page, find the cluster that you want to manage and click its name. In the left-side navigation pane, click Namespaces and Quotas.
On the Namespace page, find the namespace that you want to manage and click Edit in the Actions column. In the dialog box that appears, enable deletion protection.
References
You can configure cluster inspection to identify potential security risks in workload configurations in your cluster. For more information, see Use the inspection feature to detect security risks in the workloads of an ACK cluster.