Installing Policy Controller

This topic shows you how to install Policy Controller, a Kubernetes admission controller that checks, audits, and enforces your clusters' compliance with policies related to security, regulations, or business rules.

Before you begin

You must have an Anthos entitlement to install Policy Controller using Anthos Config Management.
You need a cluster running GKE v1.14.x or higher with Anthos Config Management already installed.

Installing Policy Controller using Anthos Config Management

Follow these steps to configure Anthos Config Management to install the Policy Controller dynamic admission controller into the cluster.

By default, Policy Controller installs a library of constraint templates for common policy types. To skip installing the constraint templates, uncomment the line that starts with templateLibraryInstalled in the manifest.

Set the value of enabled within the spec.policyController object to true in the configuration file for the Operator:

# config-management.yaml

apiVersion: configmanagement.gke.io/v1
kind: ConfigManagement
metadata:
  name: config-management
  namespace: config-management-system
spec:
  # clusterName is required and must be unique among all managed clusters
  clusterName: my-cluster
  # Set to true to install and enable Policy Controller
  policyController:
    enabled: true
    # Uncomment to prevent the template library from being installed
    # templateLibraryInstalled: false
    # Uncomment to disable audit, adjust value to set audit interval
    # auditIntervalSeconds: 0

Support for referential constraints is disabled by default. Before enabling it, be sure you understand the caveats about eventual consistency.

Apply the configuration using kubectl apply.
```
kubectl apply -f config-management.yaml
```

The Pod is created and Policy Controller starts checking for and enforcing constraints.

Verifying the installation

If Policy Controller is installed correctly, its Pod will be running. The Pod might restart several times before it is available.

kubectl get pods -n gatekeeper-system

Example output:

NAME                              READY   STATUS    RESTARTS   AGE
gatekeeper-controller-manager-0   1/1     Running   1          53s

The constraint template library is installed by default. This can take several minutes to complete. To verify that the template library is installed, list all ConstraintTemplate objects:

kubectl get constrainttemplates

Example output:

NAME                                      AGE
k8sallowedrepos                           84s
k8scontainerlimits                        84s
k8spspallowprivilegeescalationcontainer   84s
...[OUTPUT TRUNCATED]...

When an individual constraint template is installed correctly, its status.created field is true.

Policy Controller and Anthos Config Management

The resources essential for running Policy Controller are managed by the Config Management Operator. To avoid contention between Operator and Policy Controller, be aware of what gets put into the Anthos Config Management repo.

Some areas of concern:

You cannot sync a constraint template that is also part of the template library unless the constraint template library is disabled.

Caution: Disabling the template library might remove some of your constraint's dependencies. For more information, see Creating constraints.
If you want to sync the config resource stored in the gatekeeper-system namespace, the namespace must either be undefined in the repo, or match the configuration the Operator wants to install.
If the gatekeeper-system namespace is removed from the source-of-truth repository, the Operator may not be able to recover. To recover, delete the validating webhook configuration for Policy Controller.

Managing the constraint template library

For information on uninstalling or reinstalling constraint templates, their associated constraints, or the constraint template library, see Creating constraints.

Exempting namespaces from enforcement

You can configure Policy Controller to ignore objects within a namespace. For more information, see Excluding namespaces from Policy Controller.

Viewing the Policy Controller version

Policy Controller is built from the Gatekeeper open source project. To view which version of Gatekeeper Policy Controller is using, view the image tag:

kubectl get deployments -n gatekeeper-system gatekeeper-controller-manager \
  -o="jsonpath={.spec.template.spec.containers[0].image}"

From Anthos Config Management version 1.3.2 and later, the Git tag (or hash) used to build Gatekeeper as well as the Anthos Config Management version number are included in the image tag as follows:

.../gatekeeper:version-number-git-tag.gbuild-number

For example, for the following image:

gcr.io/config-management-release/gatekeeper:anthos1.3.2-480baac.g0

anthos1.3.2 is the version number.
480baac is the Git tag.
0 is the build number.

You can also view a list of all Anthos Config Management versions alongside their corresponding manifest, installation, and nomos binary versions at the Release version matrix.

Uninstalling Policy Controller

To uninstall the policy controller, edit the Operator configuration in config-management.yaml and set policyController.enabled to false. Once the Operator removes the policycontroller.configmanagement.gke.io finalizer, uninstallation is complete.

If you want to fully uninstall Anthos Config Management, see Uninstalling the Operator from a cluster.

What's next

Learn more about Policy Controller.
Create a constraint.
Use the constraint template library provided by Google.
Learn how to use constraints instead of PodSecurityPolicies.