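Note: This guide only supports Cloud Service Mesh with Istio APIs and does not support Google Cloud APIs. For more information, see Cloud Service Mesh overview.
This guide does not support the TRAFFIC_DIRECTOR control plane implementation.
Cloud Service Mesh with Istio APIs provides you with powerful and flexible
APIs that you can use to configure your mesh. However, without proper management
over these resources, your mesh might expose security vulnerabilities.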
Integrating Policy Controller with Cloud Service Mesh security policy
constraints can help you enforce security best practices in your mesh and
prevent vulnerabilities.
This page assumes you are already familiar with policy constraints.
Constraints templates
When you install Policy Controller,
select Install default template library. This option deploys
all of the Cloud Service Mesh security policy constraint templates needed for your
mesh. For a full list of the Cloud Service Mesh security constraint templates, see
the Constraint template library
and look for templates that are prefixed with Asm.
Constraints bundle
We offer an out-of-box constraints bundle for Cloud Service Mesh security policy.
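For the bundle details and instructions, see
Using Cloud Service Mesh security policies.
To follow a tutorial that shows you how to apply this bundle, see
Strengthen your app's security with Cloud Service Mesh, Config Sync, and Policy Controller.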
Add-on constraints
Some constraint templates are installed with the default template library,
but not included in the security policy bundle. These constraint
templates serve specific use cases, and you can configure your own constraints:
- AsmAuthzPolicyDisallowedPrefix
- AsmAuthzPolicyEnforceSourcePrincipals
Last updated 2025-08-29 UTC.