Manually install Policy Controller with kubectl

The following instructions show you how to install Policy Controller using kubectl commands. If you want to use the Google Cloud console or the Google Cloud CLI, see Install Policy Controller.

If you configure Policy Controller using the kubectl commands described in this page, you can later make configuration changes using the Google Cloud console or the Google Cloud CLI. However, when you make configuration changes using the console or the gcloud CLI, you cannot go back to using kubectl commands for configuration changes.

By default, Policy Controller installs a library of constraint templates for common policy types. To skip installing the constraint templates, uncomment the line that starts with templateLibraryInstalled in the manifest.

1. Prepare the configuration by either creating a new config-management.yaml file or by updating an existing file.

2. Copy the following YAML file into it your config-management.yaml file:

   # config-management.yaml
   
   apiVersion: configmanagement.gke.io/v1
   kind: ConfigManagement
   metadata:
     name: config-management
   spec:
     # Set to true to install and enable Policy Controller
     policyController:
       enabled: true
       # Uncomment to prevent the template library from being installed
       # templateLibraryInstalled: false
       # Uncomment to enable support for referential constraints
       # referentialRulesEnabled: true
       # Uncomment to disable audit, adjust value to set audit interval
       # auditIntervalSeconds: 0
       # Uncomment to log all denies and dryrun failures
       # logDeniesEnabled: true
       # Uncomment to exempt namespaces
       # exemptableNamespaces: ["namespace-name"]
     # ...other fields...
   

   You must add a spec.policyController field and set the value of enabled to true. You can choose to enable other Policy Controller features. However, support for referential constraints is disabled by default. Before enabling it, be sure that you familiarize yourself with the caveats about eventual consistency.

3. Apply the configuration using kubectl apply:

   kubectl apply -f config-management.yaml
   

Verifying Policy Controller

If Policy Controller is installed correctly, its Pod will be running. The Pod might restart several times before it's available.

Since the Policy Controller Pod runs in the gatekeeper-system namespace, you can view its status by running following command:

kubectl get pods -n gatekeeper-system

You should see output similar to the following example:

NAME                              READY   STATUS    RESTARTS   AGE
gatekeeper-controller-manager-0   1/1     Running   1          53s

Uninstall Policy Controller

To uninstall Policy Controller, edit the Anthos Config Management configuration in your config-management.yaml file and set policyController.enabled to false. After Anthos Config Management removes the policycontroller.configmanagement.gke.io finalizer, uninstallation is complete.

If you want to fully uninstall Anthos Config Management, see Remove the Config Management Operator.