Manage CV platform policies

Manage platform policies

This section describes how to manage CV platform policies.

Create a platform policy

This section shows you how to create a platform policy.

Before using any of the command data below, make the following replacements:

  • POLICY_ID: a platform policy ID of your choice. If the policy is in another project, you can use the full resource name: projects/POLICY_PROJECT_ID/platforms/gke/policies/POLICY_ID.
  • POLICY_PATH: a path to the policy file
  • POLICY_PROJECT_ID: the policy project ID

Execute the following command:

Linux, macOS, or Cloud Shell

gcloud beta container binauthz policy create POLICY_ID \
    --platform=gke \
    --policy-file=POLICY_PATH \
    --project=POLICY_PROJECT_ID

Windows (PowerShell)

gcloud beta container binauthz policy create POLICY_ID `
    --platform=gke `
    --policy-file=POLICY_PATH `
    --project=POLICY_PROJECT_ID

Windows (cmd.exe)

gcloud beta container binauthz policy create POLICY_ID ^
    --platform=gke ^
    --policy-file=POLICY_PATH ^
    --project=POLICY_PROJECT_ID

List a CV platform policy

This section shows you how to list platform policies.

Before using any of the command data below, make the following replacements:

  • POLICY_PROJECT_ID: the ID of the project that contains the policies to list

Execute the following command:

Linux, macOS, or Cloud Shell

gcloud beta container binauthz policy list gke \
    --project=POLICY_PROJECT_ID

Windows (PowerShell)

gcloud beta container binauthz policy list gke `
    --project=POLICY_PROJECT_ID

Windows (cmd.exe)

gcloud beta container binauthz policy list gke ^
    --project=POLICY_PROJECT_ID

Describe a CV platform policy

This section shows you how to describe (print the contents of) a platform policy.

Before using any of the command data below, make the following replacements:

  • POLICY_PROJECT_ID: the ID of the project that contains the policy
  • POLICY_ID: the platform policy ID. If the policy is in another project, you can use the full resource name: projects/POLICY_PROJECT_ID/platforms/gke/policies/POLICY_ID.

Execute the following command:

Linux, macOS, or Cloud Shell

gcloud beta container binauthz policy describe POLICY_ID \
    --project=POLICY_PROJECT_ID \
    --platform=gke

Windows (PowerShell)

gcloud beta container binauthz policy describe POLICY_ID `
    --project=POLICY_PROJECT_ID `
    --platform=gke

Windows (cmd.exe)

gcloud beta container binauthz policy describe POLICY_ID ^
    --project=POLICY_PROJECT_ID ^
    --platform=gke

Update a CV platform policy

This section shows you how to update a platform policy.

Before using any of the command data below, make the following replacements:

  • POLICY_ID: a platform policy ID. If the policy is in another project, you can use the full resource name: projects/POLICY_PROJECT_ID/platforms/gke/policies/POLICY_ID.
  • POLICY_PROJECT_ID: the policy project ID
  • POLICY_PATH: a path to the updated policy file

Execute the following command:

Linux, macOS, or Cloud Shell

gcloud beta container binauthz policy update POLICY_ID \
    --policy-file=POLICY_PATH \
    --platform=gke \
    --project=POLICY_PROJECT_ID

Windows (PowerShell)

gcloud beta container binauthz policy update POLICY_ID `
    --policy-file=POLICY_PATH `
    --platform=gke `
    --project=POLICY_PROJECT_ID

Windows (cmd.exe)

gcloud beta container binauthz policy update POLICY_ID ^
    --policy-file=POLICY_PATH ^
    --platform=gke ^
    --project=POLICY_PROJECT_ID

Delete a CV platform policy

This section shows you how to delete a platform policy.

Before using any of the command data below, make the following replacements:

  • POLICY_ID: the ID of the platform policy in the policy project. If the policy is in another project, you can use the full resource name: projects/POLICY_PROJECT_ID/platforms/gke/policies/POLICY_ID.
  • POLICY_PROJECT_ID: the policy project ID

Execute the following command:

Linux, macOS, or Cloud Shell

gcloud beta container binauthz policy delete POLICY_ID \
    --platform=gke \
    --project=POLICY_PROJECT_ID

Windows (PowerShell)

gcloud beta container binauthz policy delete POLICY_ID `
    --platform=gke `
    --project=POLICY_PROJECT_ID

Windows (cmd.exe)

gcloud beta container binauthz policy delete POLICY_ID ^
    --platform=gke ^
    --project=POLICY_PROJECT_ID

Manage GKE clusters with CV policies

This section shows you how to enable CV with platform policies for GKE.

Update cluster to use only CV monitoring

This section shows you how to update a cluster to use only CV platform policy-based monitoring. If this cluster already has project-singleton policy enforcement enabled, running this command disables that enforcement. If you want to keep enforcing, update the cluster with both enforcement and CV monitoring enabled instead.

Before using any of the command data below, make the following replacements:

  • CLUSTER_NAME: the cluster name
  • LOCATION: the cluster location, for example us-central1 or asia-south1
  • POLICY_PROJECT_ID: the ID of the project where the policy is stored
  • POLICY_ID: the policy ID
  • CLUSTER_PROJECT_ID: the cluster project ID

Execute the following command:

Linux, macOS, or Cloud Shell

gcloud beta container clusters update CLUSTER_NAME \
    --location=LOCATION \
    --binauthz-evaluation-mode=POLICY_BINDINGS \
    --binauthz-policy-bindings=name=projects/POLICY_PROJECT_ID/platforms/gke/policies/POLICY_ID \
    --project=CLUSTER_PROJECT_ID

Windows (PowerShell)

gcloud beta container clusters update CLUSTER_NAME `
    --location=LOCATION `
    --binauthz-evaluation-mode=POLICY_BINDINGS `
    --binauthz-policy-bindings=name=projects/POLICY_PROJECT_ID/platforms/gke/policies/POLICY_ID `
    --project=CLUSTER_PROJECT_ID

Windows (cmd.exe)

gcloud beta container clusters update CLUSTER_NAME ^
    --location=LOCATION ^
    --binauthz-evaluation-mode=POLICY_BINDINGS ^
    --binauthz-policy-bindings=name=projects/POLICY_PROJECT_ID/platforms/gke/policies/POLICY_ID ^
    --project=CLUSTER_PROJECT_ID

Update a cluster to use Binary Authorization enforcement with CV monitoring

This section shows you how to update a cluster to use both project-singleton policy enforcement and CV platform policy-based monitoring.

Before using any of the command data below, make the following replacements:

  • CLUSTER_NAME: a cluster name
  • LOCATION: the cluster location, for example us-central1 or asia-south1
  • POLICY_PROJECT_ID: the ID of the project where the policy is stored
  • POLICY_ID: the policy ID
  • CLUSTER_PROJECT_ID: the cluster project ID

Execute the following command:

Linux, macOS, or Cloud Shell

gcloud beta container clusters update CLUSTER_NAME \
    --location=LOCATION \
    --binauthz-policy-bindings=name=projects/POLICY_PROJECT_ID/platforms/gke/policies/POLICY_ID \
    --project=CLUSTER_PROJECT_ID

Windows (PowerShell)

gcloud beta container clusters update CLUSTER_NAME `
    --location=LOCATION `
    --binauthz-policy-bindings=name=projects/POLICY_PROJECT_ID/platforms/gke/policies/POLICY_ID `
    --project=CLUSTER_PROJECT_ID

Windows (cmd.exe)

gcloud beta container clusters update CLUSTER_NAME ^
    --location=LOCATION ^
    --binauthz-policy-bindings=name=projects/POLICY_PROJECT_ID/platforms/gke/policies/POLICY_ID ^
    --project=CLUSTER_PROJECT_ID

Disable CV

You can enable CV on a GKE cluster that also uses Binary Authorization with the project-singleton policy for enforcement.

If this is the case and you want to disable only CV while keeping project-singleton enforcement, use the following command.

Before using any of the command data below, make the following replacements:

  • CLUSTER_NAME: a cluster name
  • LOCATION: the cluster location, for example us-central1 or asia-south1
  • POLICY_PROJECT_ID: the ID of the project where the policy is stored
  • POLICY_ID: the policy ID
  • CLUSTER_PROJECT_ID: the cluster project ID

Execute the following command:

Linux, macOS, or Cloud Shell

gcloud beta container clusters update CLUSTER_NAME \
    --location=LOCATION \
    --binauthz-evaluation-mode=PROJECT_SINGLETON_POLICY_ENFORCE \
    --binauthz-policy-bindings=name=projects/POLICY_PROJECT_ID/platforms/gke/policies/POLICY_ID \
    --project=CLUSTER_PROJECT_ID

Windows (PowerShell)

gcloud beta container clusters update CLUSTER_NAME `
    --location=LOCATION `
    --binauthz-evaluation-mode=PROJECT_SINGLETON_POLICY_ENFORCE `
    --binauthz-policy-bindings=name=projects/POLICY_PROJECT_ID/platforms/gke/policies/POLICY_ID `
    --project=CLUSTER_PROJECT_ID

Windows (cmd.exe)

gcloud beta container clusters update CLUSTER_NAME ^
    --location=LOCATION ^
    --binauthz-evaluation-mode=PROJECT_SINGLETON_POLICY_ENFORCE ^
    --binauthz-policy-bindings=name=projects/POLICY_PROJECT_ID/platforms/gke/policies/POLICY_ID ^
    --project=CLUSTER_PROJECT_ID
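The following POSIX shell helpers are an added example for scripting the commands on this page; they are not part of the Google Cloud documentation or of the gcloud SDK. They cover two things the sections above describe in prose: the rule that a policy can be referenced either by a bare ID in the policy project or by its full projects/.../platforms/gke/policies/... resource name (create, describe, update, delete), and the three cluster states set by the `clusters update` commands (CV monitoring only, project-singleton enforcement with CV monitoring, and CV disabled). The function names, the accepted policy-ID character set (a conservative assumption, not the service's documented rule), the mode names `monitor`, `enforce_and_monitor` and `enforce_only`, and all project, cluster and policy IDs used at the bottom are constructed for the example. By default the script only prints the gcloud command it would run; set `DRY_RUN=0` to execute it.

```shell
#!/bin/sh
# Added example, not from the Google Cloud page or the gcloud SDK.
# Helper functions for scripting CV platform-policy and cluster updates.
set -eu

# Normalise a policy reference to its full resource name.
# A bare ID is resolved in the given policy project; a name that is already
# projects/.../platforms/gke/policies/... is passed through unchanged.
# Anything else is rejected so a typo cannot bind a cluster to the wrong policy.
# Allowed bare-ID characters are an assumption for this example.
policy_resource_name() {
  project="$1"
  ref="$2"
  case "$ref" in
    "") echo "policy reference is empty" >&2; return 1 ;;
    projects/*/platforms/gke/policies/?*) printf '%s\n' "$ref" ;;
    *[!A-Za-z0-9_.-]*) echo "invalid policy reference: $ref" >&2; return 1 ;;
    *) printf 'projects/%s/platforms/gke/policies/%s\n' "$project" "$ref" ;;
  esac
}

# Compose the gcloud arguments for one of the three cluster states above,
# one argument per line so they can be reviewed before anything runs:
#   monitor             CV monitoring only (turns project-singleton enforcement off)
#   enforce_and_monitor project-singleton enforcement plus CV monitoring
#   enforce_only        CV disabled, project-singleton enforcement kept
binauthz_cluster_flags() {
  mode="$1"; cluster="$2"; location="$3"; cluster_project="$4"; policy_name="$5"
  case "$mode" in
    monitor)             eval_flag='--binauthz-evaluation-mode=POLICY_BINDINGS' ;;
    enforce_and_monitor) eval_flag='' ;;   # page's command for this state sets no mode
    enforce_only)        eval_flag='--binauthz-evaluation-mode=PROJECT_SINGLETON_POLICY_ENFORCE' ;;
    *) echo "unknown mode: $mode (use monitor, enforce_and_monitor or enforce_only)" >&2; return 1 ;;
  esac
  printf '%s\n' beta container clusters update "$cluster" \
    "--location=$location" \
    ${eval_flag:+"$eval_flag"} \
    "--binauthz-policy-bindings=name=$policy_name" \
    "--project=$cluster_project"
}

# Execute gcloud with the given arguments, or only print the command when
# DRY_RUN is 1 (the default), which is what a change review wants to see.
gcloud_apply() {
  if [ "${DRY_RUN:-1}" = 1 ]; then
    printf 'gcloud'; printf ' %s' "$@"; printf '\n'
  else
    gcloud "$@"
  fi
}

# Demo with constructed IDs: bind a cluster to a policy in another project
# in monitoring-only mode. The newline-only IFS turns the one-per-line
# flag list into separate arguments without splitting on spaces.
policy=$(policy_resource_name example-policy-project example-cv-policy)
flags=$(binauthz_cluster_flags monitor example-cluster us-central1 example-cluster-project "$policy")
old_ifs=$IFS
IFS='
'
set -- $flags
IFS=$old_ifs
gcloud_apply "$@"
```

Run the script as-is to see the composed command; run it with `DRY_RUN=0` once the IDs are replaced with real ones and the caller has the IAM permissions the page's commands need. The enforce_and_monitor case deliberately mirrors the page's command, which passes only the policy binding and no evaluation mode.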
