Manage CV platform policies

Manage platform policies

This section describes how to manage CV platform policies.

Create a platform policy

This section shows you how to create a platform policy.

Before using any of the command data below, make the following replacements:

POLICY_ID: A platform policy ID of your choice. If the policy is in another project, you can use the full resource name: projects/POLICY_PROJECT_ID/platforms/gke/policies/POLICY_ID.
POLICY_PATH: A path to the policy file.
POLICY_PROJECT_ID: The policy project ID.

Execute the following command:

Linux, macOS, or Cloud Shell

gcloud beta container binauthz policy create POLICY_ID \
    --platform=gke \
    --policy-file=POLICY_PATH \
    --project=POLICY_PROJECT_ID

Windows (PowerShell)

gcloud beta container binauthz policy create POLICY_ID `
    --platform=gke `
    --policy-file=POLICY_PATH `
    --project=POLICY_PROJECT_ID

Windows (cmd.exe)

gcloud beta container binauthz policy create POLICY_ID ^
    --platform=gke ^
    --policy-file=POLICY_PATH ^
    --project=POLICY_PROJECT_ID

List a CV platform policy

This section shows you how to list platform policies.

Before using any of the command data below, make the following replacements:

POLICY_PROJECT_ID: the ID of the project that contains the policies to list

Execute the following command:

Linux, macOS, or Cloud Shell

gcloud beta container binauthz policy list gke \
    --project=POLICY_PROJECT_ID

Windows (PowerShell)

gcloud beta container binauthz policy list gke `
    --project=POLICY_PROJECT_ID

Windows (cmd.exe)

gcloud beta container binauthz policy list gke ^
    --project=POLICY_PROJECT_ID

Describe a CV platform policy

This section shows you how to describe a platform policy project.

Before using any of the command data below, make the following replacements:

POLICY_PROJECT_ID: the ID of the project that contains the policy
POLICY_ID: the platform policy ID. If the policy is in another project, you can use the full resource name: projects/POLICY_PROJECT_ID/platforms/gke/policies/POLICY_ID.

Execute the following command:

Linux, macOS, or Cloud Shell

gcloud beta container binauthz policy describe POLICY_ID \
    --project=POLICY_PROJECT_ID \
    --platform=gke

Windows (PowerShell)

gcloud beta container binauthz policy describe POLICY_ID `
    --project=POLICY_PROJECT_ID `
    --platform=gke

Windows (cmd.exe)

gcloud beta container binauthz policy describe POLICY_ID ^
    --project=POLICY_PROJECT_ID ^
    --platform=gke

Update a CV platform policy

This section shows you how to update a platform policy.

Before using any of the command data below, make the following replacements:

POLICY_ID: a platform policy ID. If the policy is in another project, you can use the full resource name: projects/POLICY_PROJECT_ID/platforms/gke/policies/POLICY_ID.
POLICY_PROJECT_ID: the policy project ID
POLICY_PATH: a path to the updated policy file

Execute the following command:

Linux, macOS, or Cloud Shell

gcloud beta container binauthz policy update POLICY_ID \
  --policy-file=POLICY_PATH \
  --platform=gke \
  --project=POLICY_PROJECT_ID

Windows (PowerShell)

gcloud beta container binauthz policy update POLICY_ID `
  --policy-file=POLICY_PATH `
  --platform=gke `
  --project=POLICY_PROJECT_ID

Windows (cmd.exe)

gcloud beta container binauthz policy update POLICY_ID ^
  --policy-file=POLICY_PATH ^
  --platform=gke ^
  --project=POLICY_PROJECT_ID

Delete a CV platform policy

This section shows you how to delete a platform policy.

Before using any of the command data below, make the following replacements:

POLICY_ID: The ID of the local platform policy. If the policy is in another project, you can use the full resource name: projects/POLICY_PROJECT_ID/platforms/gke/policies/POLICY_ID.
POLICY_PROJECT_ID: the policy project ID

Execute the following command:

Linux, macOS, or Cloud Shell

gcloud beta container binauthz policy delete POLICY_ID  \
    --platform=gke \
    --project=POLICY_PROJECT_ID

Windows (PowerShell)

gcloud beta container binauthz policy delete POLICY_ID  `
    --platform=gke `
    --project=POLICY_PROJECT_ID

Windows (cmd.exe)

gcloud beta container binauthz policy delete POLICY_ID  ^
    --platform=gke ^
    --project=POLICY_PROJECT_ID

Manage GKE clusters with CV policies

This section shows you how to enable CV with platform policies for GKE.

Update cluster to use only CV monitoring

This section shows you how to update a cluster to use only CV platform policy-based monitoring. If this cluster already has a project-singleton policy enforcement enabled, running this command disables it. Instead, consider updating the cluster with enforcement and CV monitoring enabled.

Before using any of the command data below, make the following replacements:

CLUSTER_NAME: the cluster name
LOCATION: the location—for example: us-central1 or asia-south1
POLICY_PROJECT_ID: the ID of the project where the policy is stored
POLICY_ID: the policy ID
CLUSTER_PROJECT_ID: the cluster project ID

Execute the following command:

Linux, macOS, or Cloud Shell

gcloud beta container clusters update CLUSTER_NAME \
    --location=LOCATION \
    --binauthz-evaluation-mode=POLICY_BINDINGS \
    --binauthz-policy-bindings=name=projects/POLICY_PROJECT_ID/platforms/gke/policies/POLICY_ID \
    --project=CLUSTER_PROJECT_ID

Windows (PowerShell)

gcloud beta container clusters update CLUSTER_NAME `
    --location=LOCATION `
    --binauthz-evaluation-mode=POLICY_BINDINGS `
    --binauthz-policy-bindings=name=projects/POLICY_PROJECT_ID/platforms/gke/policies/POLICY_ID `
    --project=CLUSTER_PROJECT_ID

Windows (cmd.exe)

gcloud beta container clusters update CLUSTER_NAME ^
    --location=LOCATION ^
    --binauthz-evaluation-mode=POLICY_BINDINGS ^
    --binauthz-policy-bindings=name=projects/POLICY_PROJECT_ID/platforms/gke/policies/POLICY_ID ^
    --project=CLUSTER_PROJECT_ID

Update a cluster to use Binary Authorization enforcement with CV monitoring

This section shows you how to update a cluster to use both project-singleton policy enforcement and CV platform policy-based monitoring.

Before using any of the command data below, make the following replacements:

CLUSTER_NAME: a cluster name
LOCATION: the location—for example: us-central1 or asia-south1
POLICY_PROJECT_ID: the ID of the project where the policy is stored
POLICY_ID: the policy ID
CLUSTER_PROJECT_ID: the cluster project ID

Execute the following command:

Linux, macOS, or Cloud Shell

gcloud beta container clusters update CLUSTER_NAME \
    --location=LOCATION \
    --binauthz-evaluation-mode=POLICY_BINDINGS_AND_PROJECT_SINGLETON_POLICY_ENFORCE \
    --binauthz-policy-bindings=name=projects/POLICY_PROJECT_ID/platforms/gke/policies/POLICY_ID \
    --project=CLUSTER_PROJECT_ID

Windows (PowerShell)

gcloud beta container clusters update CLUSTER_NAME `
    --location=LOCATION `
    --binauthz-evaluation-mode=POLICY_BINDINGS_AND_PROJECT_SINGLETON_POLICY_ENFORCE `
    --binauthz-policy-bindings=name=projects/POLICY_PROJECT_ID/platforms/gke/policies/POLICY_ID `
    --project=CLUSTER_PROJECT_ID

Windows (cmd.exe)

gcloud beta container clusters update CLUSTER_NAME ^
    --location=LOCATION ^
    --binauthz-evaluation-mode=POLICY_BINDINGS_AND_PROJECT_SINGLETON_POLICY_ENFORCE ^
    --binauthz-policy-bindings=name=projects/POLICY_PROJECT_ID/platforms/gke/policies/POLICY_ID ^
    --project=CLUSTER_PROJECT_ID

Disable CV

You can enable CV on a GKE cluster that also uses Binary Authorization and the project-singleton policy for enforcement.

If this is the case and you want to disable only CV, run the following command:

Before using any of the command data below, make the following replacements:

CLUSTER_NAME: a cluster name
LOCATION: the location—for example: us-central1 or asia-south1
POLICY_PROJECT_ID: the ID of the project where the policy is stored
POLICY_ID: the policy ID
CLUSTER_PROJECT_ID: the cluster project ID

Execute the following command:

Linux, macOS, or Cloud Shell

gcloud beta container clusters update CLUSTER_NAME \
    --location=LOCATION \
    --binauthz-evaluation-mode=PROJECT_SINGLETON_POLICY_ENFORCE \
    --binauthz-policy-bindings=name=projects/POLICY_PROJECT_ID/platforms/gke/policies/POLICY_ID \
    --project=CLUSTER_PROJECT_ID

Windows (PowerShell)

gcloud beta container clusters update CLUSTER_NAME `
    --location=LOCATION `
    --binauthz-evaluation-mode=PROJECT_SINGLETON_POLICY_ENFORCE `
    --binauthz-policy-bindings=name=projects/POLICY_PROJECT_ID/platforms/gke/policies/POLICY_ID `
    --project=CLUSTER_PROJECT_ID

Windows (cmd.exe)

gcloud beta container clusters update CLUSTER_NAME ^
    --location=LOCATION ^
    --binauthz-evaluation-mode=PROJECT_SINGLETON_POLICY_ENFORCE ^
    --binauthz-policy-bindings=name=projects/POLICY_PROJECT_ID/platforms/gke/policies/POLICY_ID ^
    --project=CLUSTER_PROJECT_ID

Manage CV platform policies

Manage platform policies

Create a platform policy

Linux, macOS, or Cloud Shell

Windows (PowerShell)

Windows (cmd.exe)

List a CV platform policy

Linux, macOS, or Cloud Shell

Windows (PowerShell)

Windows (cmd.exe)

Describe a CV platform policy

Linux, macOS, or Cloud Shell

Windows (PowerShell)

Windows (cmd.exe)

Update a CV platform policy

Linux, macOS, or Cloud Shell

Windows (PowerShell)

Windows (cmd.exe)

Delete a CV platform policy

Linux, macOS, or Cloud Shell

Windows (PowerShell)

Windows (cmd.exe)

Manage GKE clusters with CV policies

Update cluster to use only CV monitoring

Linux, macOS, or Cloud Shell

Windows (PowerShell)

Windows (cmd.exe)

Update a cluster to use Binary Authorization enforcement with CV monitoring

Linux, macOS, or Cloud Shell

Windows (PowerShell)

Windows (cmd.exe)

Disable CV

Linux, macOS, or Cloud Shell

Windows (PowerShell)

Windows (cmd.exe)

What's next