Cloud Service Mesh security policy constraints

Cloud Service Mesh provides you with powerful and flexible APIs that you can use to configure your mesh. However, without proper management over these resources, your mesh might expose security vulnerabilities. Integrating Policy Controller with Cloud Service Mesh security policy constraints can help enforce your mesh with security best practices and prevent vulnerabilities.

This page assumes you are already familiar with policy constraints.

Constraints templates

When you install Policy Controller, select Install default template library. This option deploys all of the Cloud Service Mesh security policy constraint templates needed for your mesh. For a full list of the Cloud Service Mesh security constraint templates, see the Constraint template library and look for templates that are prefixed with Asm.

Constraints bundle

We offer an out-of-box constraints bundle for Cloud Service Mesh security policy. For the bundle details and instructions, see Using Cloud Service Mesh security policies.

To follow a tutorial that shows you how to apply this bundle, see Strengthen your app's security with Cloud Service Mesh, Config Sync, and Policy Controller.

Add-on constraints

Some constraint templates are installed with the default template library, but not included in the security policy bundle. These constraint templates serve specific use cases, and you can configure your own constraints:

• AsmAuthzPolicyDisallowedPrefix
• AsmAuthzPolicyEnforceSourcePrincipals