Manually install Policy Controller with kubectl
The following instructions show you how to install Policy Controller using kubectl commands. If you want to use the Google Cloud console or the Google Cloud CLI, see Install Policy Controller.
If you configure Policy Controller using the kubectl commands described on this page, you can later make configuration changes using the Google Cloud console or the Google Cloud CLI. However, once you make configuration changes using the console or the gcloud CLI, you cannot go back to using kubectl commands for configuration changes.
By default, Policy Controller installs a library of constraint
templates for common policy types. To skip installing the constraint templates,
uncomment the line that starts with templateLibraryInstalled
in the manifest.
Prepare the configuration by either creating a new config-management.yaml file or by updating an existing file. Copy the following YAML into your config-management.yaml file:

# config-management.yaml

apiVersion: configmanagement.gke.io/v1
kind: ConfigManagement
metadata:
  name: config-management
spec:
  # Set to true to install and enable Policy Controller
  policyController:
    enabled: true
    # Uncomment to prevent the template library from being installed
    # templateLibraryInstalled: false
    # Uncomment to enable support for referential constraints
    # referentialRulesEnabled: true
    # Uncomment to disable audit, adjust value to set audit interval
    # auditIntervalSeconds: 0
    # Uncomment to log all denies and dryrun failures
    # logDeniesEnabled: true
    # Uncomment to exempt namespaces
    # exemptableNamespaces: ["namespace-name"]
  # ...other fields...
You must add a spec.policyController field and set the value of enabled to true. You can choose to enable other Policy Controller features. However, support for referential constraints is disabled by default. Before enabling it, be sure that you familiarize yourself with the caveats about eventual consistency.

Apply the configuration using kubectl apply:

kubectl apply -f config-management.yaml
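As an added example, not taken from this documentation, the following shell script renders the manifest above from a few switches, sanity-checks the result, and runs kubectl apply only when kubectl is actually installed. The field names are the ones in the manifest on this page; the values chosen here (audit every 60 seconds, logDeniesEnabled set to true so that denied requests are visible in the controller logs) and the exempt namespace "monitoring" are this example's own assumptions, not recommended settings from the page.

```shell
#!/bin/sh
# Added example (not part of the Policy Controller documentation): render a
# config-management.yaml for Policy Controller from a few knobs, check it, and
# apply it only when kubectl is present. Field names come from the manifest on
# the page; the defaults used below are this example's own choices.

# render_config_management ENABLED TEMPLATE_LIBRARY AUDIT_INTERVAL LOG_DENIES [EXEMPT_NS...]
# Prints the manifest to stdout.
render_config_management() {
    enabled="$1"; template_library="$2"; audit_interval="$3"; log_denies="$4"
    shift 4
    exempt=""
    for ns in "$@"; do
        exempt="${exempt:+$exempt, }\"$ns\""
    done
    cat <<EOF
# config-management.yaml
apiVersion: configmanagement.gke.io/v1
kind: ConfigManagement
metadata:
  name: config-management
spec:
  policyController:
    enabled: ${enabled}
    templateLibraryInstalled: ${template_library}
    auditIntervalSeconds: ${audit_interval}
    logDeniesEnabled: ${log_denies}
EOF
    if [ -n "$exempt" ]; then
        printf '    exemptableNamespaces: [%s]\n' "$exempt"
    fi
}

# Checks on a rendered manifest before it is applied: Policy Controller must be
# enabled, and an audit interval of 0 switches audit off, which removes the
# periodic report of violations already present in the cluster.
check_config_management() {
    manifest="$1"
    printf '%s\n' "$manifest" | grep -q '^    enabled: true$' || {
        echo "policyController.enabled is not true" >&2; return 1; }
    if printf '%s\n' "$manifest" | grep -q '^    auditIntervalSeconds: 0$'; then
        echo "warning: auditIntervalSeconds is 0, audit is disabled" >&2
    fi
    return 0
}

# Only touch a cluster when kubectl exists.
apply_config_management() {
    file="$1"
    if command -v kubectl >/dev/null 2>&1; then
        kubectl apply -f "$file"
    else
        echo "kubectl not found; manifest written to $file but not applied" >&2
        return 2
    fi
}

# Invoked with --write: render, check, save and apply. Without it the script
# only defines the functions, so it can be sourced.
if [ "${1:-}" = "--write" ]; then
    manifest=$(render_config_management true true 60 true "monitoring")
    check_config_management "$manifest" || exit 1
    printf '%s\n' "$manifest" > config-management.yaml
    apply_config_management config-management.yaml
fi
```

check_config_management is a plain text match over the rendered manifest, not a schema validation; the authoritative check of field names and values is the API server itself, for example via kubectl apply --dry-run=server -f config-management.yaml before the real apply.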
Verifying Policy Controller
If Policy Controller is installed correctly, its Pod will be running. The Pod might restart several times before it's available.
Since the Policy Controller Pod runs in the gatekeeper-system namespace, you can view its status by running the following command:

kubectl get pods -n gatekeeper-system

You should see output similar to the following example:

NAME                              READY   STATUS    RESTARTS   AGE
gatekeeper-controller-manager-0   1/1     Running   1          53s
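As an added example, not from this documentation, the following shell helper reads a pod listing of the shape shown above and decides whether Policy Controller is actually ready: a pod that is Running but whose READY column is not n/n does not count, and a pod with a high restart count is flagged even when it is currently Running. The listing embedded at the bottom is constructed to mirror the sample output; wait_for_policy_controller polls a real cluster only when kubectl is on the PATH. The restart threshold of 5 is this example's own choice.

```shell
#!/bin/sh
# Added example (not part of the Policy Controller documentation): decide from
# `kubectl get pods -n gatekeeper-system` output whether Policy Controller is
# serving. "Running" alone is not enough: READY must be n/n, and a pod that
# keeps restarting deserves a look even while it is Running.

# gatekeeper_pods_ready POD_LISTING
# Returns 0 when every pod (header skipped) is Running with all containers
# ready, 1 otherwise. Prints one line per pod explaining the verdict.
gatekeeper_pods_ready() {
    printf '%s\n' "$1" | awk '
        NR == 1 { next }                  # skip the NAME READY STATUS ... header
        NF < 5  { next }                  # ignore blank or truncated lines
        {
            split($2, r, "/")             # READY is "ready/total"
            ok = ($3 == "Running" && r[1] == r[2] && r[2] != "")
            if (!ok) bad++
            printf "%s: %s ready=%s restarts=%s %s\n", $1, $3, $2, $4, (ok ? "OK" : "NOT READY")
            if ($3 == "Running" && $4 + 0 > 5)   # threshold is an arbitrary choice
                printf "%s: %s restarts, check its logs\n", $1, $4
        }
        END { exit (bad > 0 ? 1 : 0) }'
}

# wait_for_policy_controller [TIMEOUT_SECONDS]
# Polls a real cluster until the pods are ready or the timeout (default 300)
# passes. Does nothing when kubectl is not installed.
wait_for_policy_controller() {
    timeout="${1:-300}"; waited=0
    command -v kubectl >/dev/null 2>&1 || { echo "kubectl not found" >&2; return 2; }
    while [ "$waited" -lt "$timeout" ]; do
        listing=$(kubectl get pods -n gatekeeper-system 2>/dev/null) || listing=""
        if [ -n "$listing" ] && gatekeeper_pods_ready "$listing" >/dev/null; then
            echo "Policy Controller is ready"
            return 0
        fi
        sleep 5; waited=$((waited + 5))
    done
    echo "Policy Controller pods not ready after ${timeout}s" >&2
    return 1
}

# Constructed listing that mirrors the shape of the page's sample output, so the
# parser can be exercised without a cluster.
READY_LISTING='NAME                              READY   STATUS    RESTARTS   AGE
gatekeeper-controller-manager-0   1/1     Running   1          53s'
```

Newer kubectl releases print RESTARTS as, for example, "1 (2m ago)"; the parser only reads the leading count, so that format is handled as well. Because the Pod may restart several times before it is available, the restart hint is informational, not a failure.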
Uninstall Policy Controller
To uninstall Policy Controller, edit the Anthos Config Management configuration in your config-management.yaml file and set policyController.enabled to false. After Anthos Config Management removes the policycontroller.configmanagement.gke.io finalizer, uninstallation is complete.
If you want to fully uninstall Anthos Config Management, see Remove the Config Management Operator.