This topic shows you how to install Policy Controller, a Kubernetes admission controller that checks, audits, and enforces your clusters' compliance with policies related to security, regulations, or business rules.
Before you begin
You must have an Anthos entitlement to install Policy Controller using Anthos Config Management.
You need a cluster running GKE v1.14.x or higher with Anthos Config Management already installed.
Installing Policy Controller using Anthos Config Management
Follow these steps to configure Anthos Config Management to install the Policy Controller dynamic admission controller into the cluster.
By default, Policy Controller installs a library of constraint templates for common policy types. To skip installing the constraint templates, uncomment the line that starts with templateLibraryInstalled in the manifest.
Set the value of enabled within the spec.policyController object to true in the configuration file for the Operator:

# config-management.yaml
apiVersion: configmanagement.gke.io/v1
kind: ConfigManagement
metadata:
  name: config-management
  namespace: config-management-system
spec:
  # clusterName is required and must be unique among all managed clusters
  clusterName: my-cluster
  # Set to true to install and enable Policy Controller
  policyController:
    enabled: true
    # Uncomment to prevent the template library from being installed
    # templateLibraryInstalled: false
    # Uncomment to disable audit, adjust value to set audit interval
    # auditIntervalSeconds: 0
Support for referential constraints is disabled by default. Before enabling it, be sure you understand the caveats about eventual consistency.
Apply the configuration using kubectl apply:

kubectl apply -f config-management.yaml
The Pod is created and Policy Controller starts checking for and enforcing constraints.
Verifying the installation
If Policy Controller is installed correctly, its Pod will be running. The Pod might restart several times before it is available.
kubectl get pods -n gatekeeper-system
Example output:
NAME                              READY   STATUS    RESTARTS   AGE
gatekeeper-controller-manager-0   1/1     Running   1          53s
The constraint template library is installed by default. This can take several minutes to complete. To verify that the template library is installed, list all ConstraintTemplate objects:
kubectl get constrainttemplates
Example output:
NAME                                      AGE
k8sallowedrepos                           84s
k8scontainerlimits                        84s
k8spspallowprivilegeescalationcontainer   84s
...[OUTPUT TRUNCATED]...
When an individual constraint template is installed correctly, its status.created field is true.
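The two verification steps above can be turned into checks a script can act on. The following is an added example and not part of the Policy Controller documentation: two stdin filters (the function names check_pod_running and check_templates_created are my own) that read the plain-text output of the kubectl commands shown above and return 0 only when the install looks healthy. The template listing fed to the second filter is constructed for the example; the pod listing is the example output above.

```shell
# Reads `kubectl get pods -n gatekeeper-system` output from stdin. Succeeds only
# if a gatekeeper-controller-manager pod is Running with every container ready
# (READY column reads n/n). Restarts are tolerated, as the docs say they happen.
check_pod_running() {
    awk 'NR > 1 && $1 ~ /^gatekeeper-controller-manager/ {
             split($2, ready, "/")
             if ($3 == "Running" && ready[1] == ready[2]) ok = 1
         }
         END { exit (ok ? 0 : 1) }'
}

# Reads from stdin the output of
#   kubectl get constrainttemplates \
#     -o custom-columns=NAME:.metadata.name,CREATED:.status.created
# Prints the name of every template whose status.created is not "true"
# (kubectl prints <none> while the field is unset) and exits 1 if any exist.
check_templates_created() {
    awk 'NR > 1 && $2 != "true" { print $1; bad = 1 }
         END { exit (bad ? 1 : 0) }'
}

# Pod listing taken from the example output in the docs.
sample_pods='NAME                              READY   STATUS    RESTARTS   AGE
gatekeeper-controller-manager-0   1/1     Running   1          53s'

# Constructed template listing (not captured from a cluster): the library is
# still being installed, so one template has no status.created yet.
sample_templates='NAME                                      CREATED
k8sallowedrepos                           true
k8scontainerlimits                        true
k8spspallowprivilegeescalationcontainer   <none>'

# Against a live cluster, replace each printf with the kubectl command quoted
# in the comment above the corresponding function.
if printf '%s\n' "$sample_pods" | check_pod_running; then
    echo "controller-manager pod is running"
else
    echo "controller-manager pod is not ready yet"
fi
if printf '%s\n' "$sample_templates" | check_templates_created; then
    echo "all constraint templates are installed"
else
    echo "constraint templates still installing (listed above); retry in a few minutes"
fi
```

Because both filters only parse text, they work the same way in a CI job that waits for the library to finish installing before applying constraints that depend on it.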
Policy Controller and Anthos Config Management
The resources essential for running Policy Controller are managed by the Config Management Operator. To avoid contention between Operator and Policy Controller, be aware of what gets put into the Anthos Config Management repo.
Some areas of concern:
You cannot sync a constraint template that is also part of the template library unless the constraint template library is disabled.
If you want to sync the config resource stored in the gatekeeper-system namespace, the namespace must either be undefined in the repo, or match the configuration the Operator wants to install. If the gatekeeper-system namespace is removed from the source-of-truth repository, the Operator may not be able to recover. To recover, delete the validating webhook configuration for Policy Controller.
Managing the constraint template library
For information on uninstalling or reinstalling constraint templates, their associated constraints, or the constraint template library, see Creating constraints.
Exempting namespaces from enforcement
You can configure Policy Controller to ignore objects within a namespace. For more information, see Excluding namespaces from Policy Controller.
Viewing the Policy Controller version
Policy Controller is built from the Gatekeeper open source project. To view which version of Gatekeeper Policy Controller is using, view the image tag:
kubectl get deployments -n gatekeeper-system gatekeeper-controller-manager \
-o="jsonpath={.spec.template.spec.containers[0].image}"
From Anthos Config Management version 1.3.2 and later, the Git tag (or hash) used to build Gatekeeper as well as the Anthos Config Management version number are included in the image tag as follows:
.../gatekeeper:version-number-git-tag.gbuild-number
For example, for the following image:
gcr.io/config-management-release/gatekeeper:anthos1.3.2-480baac.g0
- anthos1.3.2 is the version number.
- 480baac is the Git tag.
- 0 is the build number.
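The tag layout described above is easy to split with POSIX shell parameter expansion. The function below is an added example, not part of the documentation (the name parse_gatekeeper_image is my own): it takes an image reference, checks that the tag follows the version-number-git-tag.gbuild-number layout introduced in 1.3.2, and prints the three components, returning 1 for anything else (for example an older image whose tag predates that layout).

```shell
# Splits .../gatekeeper:<version>-<git-tag>.g<build> into "version git-tag build".
# Returns 1 if the image has no tag or the tag does not follow that layout.
parse_gatekeeper_image() {
    image=$1
    # The tag is everything after the last ':'; this also copes with a
    # registry port such as localhost:5000/... because the longest-prefix
    # strip (##) consumes that colon too.
    case $image in
        *:*) tag=${image##*:} ;;
        *)   return 1 ;;
    esac
    # Require the <version>-<git-tag>.g<build> shape before slicing.
    case $tag in
        *-*.g*) ;;
        *)      return 1 ;;
    esac
    version=${tag%%-*}        # up to the first '-'
    rest=${tag#*-}            # after the first '-': <git-tag>.g<build>
    git_tag=${rest%.g*}       # strip the trailing '.g<build>'
    build=${rest##*.g}        # keep only what follows the last '.g'
    # Reject empty components and a non-numeric build number.
    case $build in ''|*[!0-9]*) return 1 ;; esac
    [ -n "$version" ] && [ -n "$git_tag" ] || return 1
    printf '%s %s %s\n' "$version" "$git_tag" "$build"
}

# Image from the docs' example; on a live cluster, pass the output of the
# kubectl jsonpath command shown above instead.
parse_gatekeeper_image gcr.io/config-management-release/gatekeeper:anthos1.3.2-480baac.g0
```

The printed line pairs naturally with the Release version matrix: the first field is the Anthos Config Management version to look up, and the Git tag identifies exactly which Gatekeeper build is running.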
You can also view a list of all Anthos Config Management versions alongside their corresponding manifest, installation, and nomos binary versions at the Release version matrix.
Uninstalling Policy Controller
To uninstall Policy Controller, edit the Operator configuration in config-management.yaml and set policyController.enabled to false. Once the Operator removes the policycontroller.configmanagement.gke.io finalizer, uninstallation is complete.
If you want to fully uninstall Anthos Config Management, see Uninstalling the Operator from a cluster.
What's next
- Learn more about Policy Controller.
- Create a constraint.
- Use the constraint template library provided by Google.
- Learn how to use constraints instead of PodSecurityPolicies.