Apply multiple Policy Controller bundles

This page explains how to enable Policy Controller bundles.

For more detailed information about applying and using a specific policy bundle, read the instructions for that bundle, which are listed in the left navigation menu. For more information about policy bundles in general, see the Policy Controller bundles overview.

If you installed Policy Controller using the Google Cloud console, the policy essentials bundle is installed by default, but you can enable more bundles.

Before you begin

Apply policy bundles

Console

To apply one or more policy bundles on a cluster using the Google Cloud console, complete the following steps:

  1. In the Google Cloud console, go to the GKE Enterprise Policy page under the Posture Management section.


  2. Under the Settings tab, in the cluster table, select Edit in the Edit configuration column.

  3. In the Add/Edit policy bundles menu, ensure the template library is toggled on.

  4. To enable all policy bundles, toggle Add all policy bundles on.

  5. To enable individual policy bundles, toggle on each policy bundle that you want to enable.

  6. Optional: To exempt a namespace from enforcement, expand the Show advanced settings menu. In the Exempt namespaces field, provide a list of valid namespaces.

    For more information about how to add exemptable namespaces, see Exclude namespaces from Policy Controller.

  7. Select Save changes.

You can view additional information about your policy coverage and violations using the Policy Controller dashboard.

gcloud

To apply a policy bundle, complete the following steps:

  1. If any of the bundles that you're applying use referential constraints, you must enable support for referential constraints:

    gcloud alpha container hub policycontroller update --referential-rules
    

    You can check whether a bundle requires support for referential constraints on the Policy bundles overview.

  2. For each bundle that you want to install, run the following command:

    gcloud alpha container hub policycontroller content bundles set BUNDLE_NAME
    

    Replace BUNDLE_NAME with the name of the bundle that you want to install. The name is the bundle prefix, for example cis-k8s-v1.5.1. You can find a list of names on the Policy bundles overview.

  3. Optional: To exempt a namespace from enforcement, run the following command:

    gcloud alpha container hub policycontroller content bundles set BUNDLE_NAME \
      --exempted-namespaces=NAMESPACES
    

    Replace NAMESPACES with a comma-separated list of namespaces that you don't want enforced, for example kube-system,gatekeeper-system.

    For more information about how to add exemptable namespaces, see Exclude namespaces from Policy Controller.

  4. To remove a bundle, run the following command:

    gcloud alpha container hub policycontroller content bundles remove BUNDLE_NAME
    
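The following script is an added example, not part of this page or of the gcloud tooling: it strings the commands from steps 1 to 4 together so that several bundles can be applied with one invocation. The command lines are exactly those shown above; the helper names (run, valid_bundle_name, apply_bundles, remove_bundle), the DRY_RUN, REFERENTIAL and EXEMPT_NS variables, and the bundle-name character check are this example's own assumptions. It defaults to dry-run mode, which prints each gcloud command instead of executing it, so you can review the plan before applying it to a fleet.

```shell
#!/bin/sh
# Added example (not from the Google Cloud documentation): apply several
# Policy Controller bundles in one go. DRY_RUN=1 (the default) prints the
# gcloud commands; DRY_RUN=0 executes them against the configured project.
set -eu

DRY_RUN="${DRY_RUN:-1}"
# Set REFERENTIAL=1 if any bundle you apply uses referential constraints
# (check the Policy bundles overview); the flag is enabled once, up front.
REFERENTIAL="${REFERENTIAL:-0}"
# Comma-separated namespaces to exempt from enforcement; empty means none.
EXEMPT_NS="${EXEMPT_NS:-}"

# Print the command in dry-run mode, otherwise execute it.
run() {
    if [ "$DRY_RUN" = 1 ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

# Bundle names are prefixes such as cis-k8s-v1.5.1. This example assumes
# lowercase letters, digits, dots and dashes only, so typos and stray shell
# metacharacters are rejected before anything reaches gcloud.
valid_bundle_name() {
    case "$1" in
        ''|*[!a-z0-9.-]*) return 1 ;;
        *) return 0 ;;
    esac
}

# Apply every bundle named on the command line. All names are validated
# first, so an invalid name fails the run before any command is issued.
apply_bundles() {
    for b in "$@"; do
        valid_bundle_name "$b" || { echo "invalid bundle name: $b" >&2; return 1; }
    done
    if [ "$REFERENTIAL" = 1 ]; then
        run gcloud alpha container hub policycontroller update --referential-rules
    fi
    for b in "$@"; do
        if [ -n "$EXEMPT_NS" ]; then
            run gcloud alpha container hub policycontroller content bundles set "$b" \
                --exempted-namespaces="$EXEMPT_NS"
        else
            run gcloud alpha container hub policycontroller content bundles set "$b"
        fi
    done
}

# Remove a bundle that was previously applied.
remove_bundle() {
    valid_bundle_name "$1" || { echo "invalid bundle name: $1" >&2; return 1; }
    run gcloud alpha container hub policycontroller content bundles remove "$1"
}

# Usage: REFERENTIAL=1 EXEMPT_NS=kube-system,gatekeeper-system \
#        sh apply-bundles.sh cis-k8s-v1.5.1
if [ "$#" -gt 0 ]; then
    apply_bundles "$@"
fi
```

Run it once in dry-run mode to confirm the exact commands and namespace list, then rerun with DRY_RUN=0. Exempting namespaces applies to every bundle passed in the same run; if different bundles need different exemptions, run the script once per group.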

What's next