The Gatekeeper component lets you enable or customize security policies on the Container Service for Kubernetes (ACK) console to verify that pod deployments and updates are secure and compliant.
Policy governance
Pod Security Policy (PSP) has been deprecated since Kubernetes v1.21. ACK has redesigned its PSP-based policy management feature. Built on the Gatekeeper admission controller, which uses Open Policy Agent (OPA) policies, ACK now provides enhanced capabilities such as policy governance status monitoring and log reporting and retrieval. ACK also includes a rich, built-in library of policy governance rules that cover a wide range of Kubernetes application scenarios. You can configure these rules through a simple UI on the console, which lowers the barrier to using policy governance features.
Prerequisites
-
An ACK cluster is created. For more information, see Create an ACK cluster.
-
If you use a RAM user for policy management, ensure that the RAM user has the following permissions:
-
cs:DescribePolicies: Lists the rules in the policy governance library. -
cs:DescribePolicyDetails: Obtains the details of a policy rule template. -
cs:DescribePolicyGovernanceInCluster: Obtains the policy governance details of a cluster. -
cs:DescribePolicyInstances: Obtains the list of policy instances deployed in a cluster. -
cs:DescribePolicyInstancesStatus: Obtains the deployment status of instances for different policy types in a cluster. -
cs:DeployPolicyInstance: Deploys a policy rule instance in a specified cluster. -
cs:DeletePolicyInstance: Deletes a policy rule instance from a specified cluster. -
cs:ModifyPolicyInstance: Modifies a policy rule instance in a specified cluster.
For information about how to create a custom RAM policy, see Grant permissions to a RAM user or RAM role.
-
Limitations
-
This feature is applicable only to Linux nodes.
-
Custom policy rules are not supported. All rules are from ACK's built-in rule library.
Step 1: Install or upgrade policy governance components
To enable the security policy governance feature, you must install the following components:
-
gatekeeper component: a Kubernetes policy admission controller based on the OPA policy engine. It manages and applies OPA policies within your cluster and implements features such as namespace label management.
NoteOnly the gatekeeper component provided by ACK is supported. If you have installed a gatekeeper component from another source, you must uninstall it and then reinstall the ACK-provided version. For version information about the gatekeeper component, see gatekeeper.
-
logtail-ds log component: Collects and retrieves logs for
denyandwarnevents that result from policy violations. -
policy-template-controller component: a Kubernetes controller developed based on Alibaba Cloud policy templates. It simplifies the management of policy instances from different templates and helps you monitor the cluster's overall governance status.
-
Log on to the ACS console. In the left navigation pane, click Clusters.
-
On the Clusters page, click the name of the target cluster. In the left navigation pane, choose Security > Policy Governance.
-
On the Policy Governance page, follow the on-screen instructions to install or upgrade the components.
Step 2: Use the policy governance feature
Access the feature
-
Log on to the ACS console. In the left navigation pane, click Clusters.
-
On the Clusters page, click the name of the target cluster. In the left navigation pane, choose Security > Policy Governance.
-
On the Policy Governance page, follow the on-screen instructions to install or upgrade components if prompted. Then, perform the operations as needed.
View policy governance status
Click the Overview tab to view the current policy governance status of the cluster.
-
This section provides an overview of enabled policies. It includes the total and enabled counts for high-risk and medium-risk policies, along with a list of recommended policies to enable.
-
Statistics on
denyandwarnactions from the last 7 days. -
Policy enforcement records from the last 7 days. By default, the table on this page displays the 100 most recent
denyorwarnlogs from the past 7 days. To view more audit logs, click the
icon next to Actions within Last 7 Days and click the Log Service link in the pop-up window to view all logs in the specified Logstore on the Log Service (SLS) console. The table at the bottom of the page includes the following columns: Enforcement Time, Policy Type, Policy Name, Policy Description, Risk Level, Enforcement Action, and Details.
Create and manage policy instances
Click the My Policies tab, and then click Create Policy Instance. In the Create Policy Instance dialog box, configure the parameters.
|
Parameter |
Description |
|
Policy Type |
Select a policy type. The available categories are:
|
|
Action |
|
|
Policy Name |
From the drop-down list, select the policy template to deploy. |
|
Applicable Scope |
Select the namespaces in the cluster where the policy instance will be enforced. |
|
Parameters |
|
View policy list and instances
Click the My Policies tab to view all deployable policies for the cluster.
You can filter the displayed policies by using the controls in the upper-right corner of the list. Enabled policies are displayed first by default. The Policy Instances column shows the number of instances of a policy that are deployed in the cluster.
If the Policy Instances count is zero, the policy has not been deployed in the cluster. Click Enable in the Actions column to configure and deploy the policy instance. The policy list includes the Policy type, Policy name, Description, Risk level, Policy instances, and Actions columns. For policies that are not enabled, the Actions column displays an Enable link. The top of the page also shows a statistical breakdown of policies by risk level: High, Medium, and Low.
-
Click Edit in the Actions column to modify the configuration of a policy instance.
If a policy has multiple deployed instances, click View Instances in the Actions column, and then click Edit to modify a specific instance.
-
Click Delete in the Actions column to delete all of the policy's deployed instances in the cluster.
For more information about policy descriptions and template examples, see Container security policy rule library.
Related topics
For more information about the four types of built-in rule libraries supported by policy governance (Compliance, Infra, K8s-general, and PSP), see Container security policy rule library.