Source URL: https://cloud.google.com/blog/products/identity-security/how-to-use-custom-org-policies-to-enforce-cis-benchmark-for-gke/
Source: Cloud Blog
Title: Using custom Org Policies to enforce the CIS benchmark for GKE
Feedly Summary: As the adoption of container workloads increases, so does the need to establish and maintain a consistent, strong Kubernetes security posture. Failing to do so can have significant consequences for the risk posture of an organization. Nearly 50% of organizations experienced revenue or customer loss due to container and Kubernetes security incidents, according to the 2024 State of Kubernetes Security Report.
Org policies are your friend to help you achieve pervasive security across your cloud infrastructure. In particular, you can use custom Organization Policies to enforce many of the CIS Benchmark recommendations proactively, ensuring that you’ve established proper guardrails for Google Kubernetes Engine (GKE) Standard and Autopilot in your infrastructure.
We’ve made implementing these preventative controls easier with a custom Organization Policy library, which can apply controls to GKE and other Google Cloud services including Dataproc, Cloud Storage, Network, Firewall, Cloud Run, Cloud Build, Identity and Access Management, and Compute Engine.
Importantly for GKE security, custom Organization Policies can be used to enforce compliance with the CIS Benchmark for GKE.
What is CIS Benchmark for GKE?
The CIS Benchmark is a comprehensive set of security recommendations and best practices designed to enhance the security posture of GKE clusters. It provides a list of recommendations to assess and mitigate potential vulnerabilities, covering areas such as authentication and authorization, network security, and IAM.
Using the CIS benchmark can help with two crucial tasks: reducing the risk of cyberattacks and ensuring compliance with industry standards. Custom Organization Policy supports the GKE Cluster and NodePool resources, so many of the CIS recommendations for GKE can be enforced.
Achieving compliance with custom organization policies
Custom Organization Policies can help you enforce your own granular security and compliance controls. They allow you to define constraints and policies using Common Expression Language (CEL) to restrict specific configurations and actions within your cloud environment.
Using custom Organization Policies can ensure that new and existing GKE clusters adhere to security standards. These policies act as preventative controls, applied at the Google Cloud level, and can be integrated with any provisioning tool. Doing so can help provide a consistent and automated approach to security enforcement.
Custom Organization Policies also support safe rollout features including dry run and simulation, which allow organizations to test and ensure policy changes don’t disrupt operations before enforcing them in a production environment.
Some of the critical CIS recommendations for GKE you can enforce using custom Organization Policies include:
Only private clusters, with private endpoints and private nodes, can be provisioned.
Nodes are configured with Secure Boot enabled.
Container-Optimized OS is used for nodes.
Here are some examples of how to implement custom Organization Policies for GKE:
Enforcing usage of private clusters
```yaml
name: organizations/<ORG_ID>/customConstraints/custom.gkeRequirePrivateNodes
resource_types:
- container.googleapis.com/Cluster
condition: resource.privateClusterConfig.enablePrivateNodes == false
action_type: DENY
method_types:
- CREATE
- UPDATE
display_name: Require GKE private nodes
description: Enforce that GKE clusters are created as private clusters with private nodes
```
Ensuring nodes are configured to use Container-Optimized OS
```yaml
name: organizations/<ORG_ID>/customConstraints/custom.gkeRequireCOSImage
resource_types:
- container.googleapis.com/NodePool
condition: resource.config.imageType != "COS_CONTAINERD"
action_type: DENY
method_types:
- CREATE
- UPDATE
display_name: Require Container-Optimized OS on node pools
description: Enforce that node pools use Container-Optimized OS for running containers
```
Custom Organization Policies can help organizations to incorporate security at the infrastructure’s base layer. This proactive approach prevents misconfigurations and vulnerabilities much earlier, reducing security risks and remediation costs.
Simplify onboarding with custom organization policy library
To simplify the adoption of custom Organization Policies, we have developed a library of policies accessible on the Google Cloud Professional Services GitHub public repository. The library already provides around 80 ready-to-use policies that translate security and compliance recommendations into actionable controls for a Google Cloud environment.
The library includes recommendations from the CIS Benchmark for GKE described above, with more than 30 controls already available. With this library, organizations can quickly and efficiently adopt security best practices using custom Organization Policies. Here are some key features and benefits of this library:
The library provides a starting point to gain inspiration from and can help make it easy to add policies to meet security and compliance standards. Policies can further be customized to meet your unique needs.
These policies can be integrated with your provisioning tools, enabling automated enforcement of security best practices; integration is available for both gcloud and Terraform through the Cloud Foundation Fabric modules.
The library will continue to grow with new policies and enhancements as more services become compatible with custom Organization Policies; it already supports more than 30 Google Cloud services.
How to get started
By using custom organization policies, you can establish a robust security posture and mitigate potential vulnerabilities more easily than before. The custom Organization Policy library available on GitHub provides a great start for any organization to implement compliance and security controls for both GKE Standard and Autopilot, but also for many other services.
We encourage you to explore the GitHub policy library repository and use the power of custom Organization Policies to enforce security controls in your organization.
AI Summary and Description: Yes
Summary: The text provides a comprehensive overview of Kubernetes security, emphasizing the growing need for robust security measures as the use of container workloads increases. It highlights the importance of custom Organization Policies for ensuring compliance with CIS Benchmarks in Google Kubernetes Engine (GKE), reducing vulnerabilities, and automating security tasks. The availability of a custom Organization Policy library simplifies the implementation of security and compliance controls.
Detailed Description: The text elaborates on the critical elements of establishing a strong security posture for Kubernetes, particularly focusing on Google Kubernetes Engine (GKE) amid increasing container adoption. Key points include:
– **Rising Container Workloads**: As organizations increasingly rely on container workloads, the necessity for a strong Kubernetes security posture becomes crucial. Security breaches can lead to substantial revenue and customer losses.
– **CIS Benchmarks and Compliance**: The CIS Benchmark for GKE serves as a benchmark of security recommendations aimed at improving the security of GKE clusters. These include areas such as:
  – Authentication and authorization
  – Network security
  – Identity and Access Management (IAM)
– **Custom Organization Policies**: These policies allow organizations to tailor security controls and compliance measures, enabling:
  – Enforcement of CIS Benchmarks by applying constraints and policy definitions using Common Expression Language (CEL).
  – Automated security enforcement integrated with provisioning tools like Terraform and gcloud.
– **Preventative Measures**: Custom Organization Policies provide a means to enforce security at the infrastructure level, applying preventive controls to avoid misconfigurations that could lead to vulnerabilities.
– **Onboarding with the Policy Library**: A library of about 80 ready-to-use custom Organization Policies is provided to assist organizations in adopting security controls effectively. The library includes:
  – Policies that ensure the creation of private clusters with secure endpoints.
  – Requirements for node configurations, such as the use of Container-Optimized OS.
– **Testing and Simulation**: The features including dry run and simulation allow organizations to assess policy impacts before actual implementation, ensuring operational continuity.
– **Ongoing Development**: The policy library is continuously evolving to include new controls, enhancing ease of adoption for organizations aiming for compliance and security in their cloud infrastructures.
In conclusion, utilizing custom Organization Policies is pivotal for organizations to establish a robust security framework within GKE and across other Google Cloud services. The proactive approach advocated in the text can significantly reduce cybersecurity risks and remediation costs, providing a solid foundation for secure cloud operations.