platform-admin policies security-tips

Enforce Artifact Registry policies

Platform Admin Platform Admin Duration: 10 min | Persona: Platform Admin

In this section, you will enforce policies in order to make sure that the containers in your clusters are coming from a restricted list of container registries.

Initialize variables:

WORK_DIR=~/
source ${WORK_DIR}acm-workshop-variables.sh

Define “Allowed container registries” policy

Define the Constraint based on the K8sAllowedRepos ConstraintTemplate for Pods:

cat <<EOF > ${WORK_DIR}$GKE_CONFIGS_DIR_NAME/policies/constraints/pod-allowed-container-registries.yaml
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sAllowedRepos
metadata:
  name: pod-allowed-container-registries
  annotations:
    policycontroller.gke.io/constraintData: |
      "{
        description: 'Requires container images to begin with a string from the specified list.',
        remediation: 'Any container images should begin with a string from the specified list, they are the only container registries allowed.'
      }"
spec:
  enforcementAction: deny
  match:
    kinds:
    - apiGroups:
      - ""
      kinds:
      - Pod
  parameters:
    repos:
    - auto
    - gcr.io/config-management-release
    - gcr.io/gke-release
    - gke.gcr.io
    - k8s.gcr.io
    - ${CONTAINER_REGISTRY_REPOSITORY}
EOF
Tip

We are restricting the source of the container images in the GKE cluster. Only system container images and the images from your own private Artifact Registry can be deployed in your GKE cluster.

Deploy Kubernetes manifests

cd ${WORK_DIR}$GKE_CONFIGS_DIR_NAME/
git add . && git commit -m "Policies for Artifact Registry" && git push origin main

Check deployments

List the Kubernetes resources managed by Config Sync in GKE cluster for the GKE cluster configs repository:

Run this command and click on this link:

echo -e "https://console.cloud.google.com/kubernetes/config_management/packages?project=${TENANT_PROJECT_ID}"

Wait until you see the Sync status column as Synced and the Reconcile status column as Current.

Run this command:

gcloud alpha anthos config sync repo describe \
    --project $TENANT_PROJECT_ID \
    --managed-resources all \
    --sync-name root-sync \
    --sync-namespace config-management-system

Wait and re-run this command above until you see "status": "SYNCED".

See the Policy Controller Constraints without any violations in the GKE cluster, by running this command and click on this link:

echo -e "https://console.cloud.google.com/kubernetes/policy_controller/dashboard?project=${TENANT_PROJECT_ID}"

List the GitHub runs for the GKE cluster configs repository:

cd ${WORK_DIR}$GKE_CONFIGS_DIR_NAME && gh run list