Fix GCP GKE Policy Controller Errors
When working with GCP GKE, you may encounter a configuration error that prevents your deployment from working as intended. This guide explains the most common mistake with Policy Controller and shows the exact fix.
A Common Mistake
Not enabling Policy Controller on GKE, allowing configurations that violate security policies (e.g., privileged containers, host networking) to be deployed.
The incorrect command:
kubectl run privileged-pod --image=nginx --privileged
Output (no error; the request is admitted):
pod/privileged-pod created
The pod runs with full host privileges. It can access the host network, devices, and processes. Without Policy Controller, there is no enforcement of security policies. Any developer can deploy privileged containers.
The Correct Approach
The right way to configure Policy Controller in GCP GKE is to enable it on the cluster's fleet membership and then apply a constraint. The command below assumes the cluster is registered to a fleet under the membership name my-cluster, and relies on the bundled constraint template library (installed by default with Policy Controller), which provides the K8sPSPPrivilegedContainer template:
gcloud container fleet policycontroller enable --memberships=my-cluster
kubectl apply -f - <<EOF
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sPSPPrivilegedContainer
metadata:
  name: no-privileged-containers
spec:
  match:
    kinds:
      - apiGroups: [""]
        kinds: ["Pod"]
EOF
Successful result: Policy Controller enabled. The same command is now rejected at admission:
kubectl run privileged-pod --image=nginx --privileged
Error: admission webhook "validation.gatekeeper.sh" denied the request: Privileged container is not allowed.
How to Prevent This
Enable Policy Controller on all production clusters and use the built-in constraint templates for baseline security controls: no privileged containers, no host networking, no host PID/IPC namespaces, and a read-only root filesystem. Create custom constraints for organization-specific policies. Monitor violations in Cloud Logging.
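The four baseline controls listed above as one concrete set of constraints, added here as an example and not part of the original guide. It assumes Policy Controller's bundled template library is installed (the default), exempts kube-system and gatekeeper-system so system pods are not blocked, and stages the read-only root filesystem rule in dryrun so existing workloads surface as audit violations before the rule starts denying.

```yaml
# Added example: four constraints from the bundled template library.
# Assumes the template library is installed and that exempting kube-system / gatekeeper-system is acceptable.
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sPSPPrivilegedContainer
metadata:
  name: no-privileged-containers
spec:
  enforcementAction: deny          # reject at admission
  match:
    kinds:
      - apiGroups: [""]
        kinds: ["Pod"]
    excludedNamespaces: ["kube-system", "gatekeeper-system"]
---
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sPSPHostNetworkingPorts
metadata:
  name: no-host-networking
spec:
  match:
    kinds:
      - apiGroups: [""]
        kinds: ["Pod"]
    excludedNamespaces: ["kube-system", "gatekeeper-system"]
  parameters:
    hostNetwork: false             # deny pods that set hostNetwork: true
---
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sPSPHostNamespace
metadata:
  name: no-host-pid-ipc             # blocks hostPID and hostIPC
spec:
  match:
    kinds:
      - apiGroups: [""]
        kinds: ["Pod"]
    excludedNamespaces: ["kube-system", "gatekeeper-system"]
---
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sPSPReadOnlyRootFilesystem
metadata:
  name: readonly-root-fs
spec:
  enforcementAction: dryrun        # audit only; switch to deny once existing workloads are clean
  match:
    kinds:
      - apiGroups: [""]
        kinds: ["Pod"]
    excludedNamespaces: ["kube-system", "gatekeeper-system"]
```

After applying, `kubectl get constraints` lists all four; the audit controller records offending pods under each constraint's status.violations, which is what to watch (including in Cloud Logging) before flipping the dryrun rule to deny.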
Built by the developers of Doda Browser, DodaZIP, and Durga Antivirus Pro. Secure your cloud with DodaTech.