This page describes how to view and delete policy orchestrators in your folders or organization.
Before you begin
- Review OS policy and OS policy assignment.
- Review OS Config quotas.
- Ensure that you meet the prerequisites for using policy orchestrator.
- If you haven't already, then set up authentication. Authentication is the process by which your identity is verified for access to Google Cloud services and APIs. To run code or samples from a local development environment, you can authenticate to Compute Engine by selecting one of the following options:
Select the tab for how you plan to use the samples on this page:
Console
When you use the Google Cloud console to access Google Cloud services and APIs, you don't need to set up authentication.
gcloud
- Install the Google Cloud CLI, then initialize it by running the following command:
  gcloud init
- Set a default region and zone.
REST
To use the REST API samples on this page in a local development environment, you use the credentials you provide to the gcloud CLI.
Install the Google Cloud CLI, then initialize it by running the following command:
gcloud init
For more information, see Authenticate for using REST in the Google Cloud authentication documentation.
List all policy orchestrators in a folder
To view all policy orchestrators in a folder, complete the following steps:
Console
To list policy orchestrators in a folder, do the following:
In the Google Cloud console, go to the OS policies page.
Click the Project Selector on the Google Cloud console action bar and select the folder that contains the policy orchestrators.
Click Policy Orchestrators.
gcloud
To list the policy orchestrators that were created in a folder, run the beta os-config policy-orchestrators list command:
gcloud --billing-project=QUOTA_PROJECT_ID beta compute os-config policy-orchestrators list \
    --folder=FOLDER_NUMBER
Replace the following:
- QUOTA_PROJECT_ID: the project ID of the quota or the billing project.
- FOLDER_NUMBER: the numeric ID of the folder in which you created the policy orchestrators.
Example
gcloud beta compute os-config policy-orchestrators list \
    --folder=123456
REST
To view all policy orchestrators in a folder, send a GET request to the folders.locations.global.policyOrchestrators.list method:
GET https://osconfig.googleapis.com/v2beta/folders/FOLDER_NUMBER/locations/global/policyOrchestrators -H "x-goog-user-project: QUOTA_PROJECT_ID"
Replace the following:
- QUOTA_PROJECT_ID: the project ID of the quota or the billing project.
- FOLDER_NUMBER: the numeric ID of the folder in which you created the policy orchestrators.
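As an added example (not part of this page or of the OS Config product), the following Python script walks the paginated list response for a folder and flags every ACTIVE orchestrator whose scope includes a project or folder outside an allowlist, which is a useful check before an orchestrator starts rolling OS policies into projects you did not intend. The sample response is constructed inline; the JSON field names (policyOrchestrators, nextPageToken, state, orchestrationScope, selectors, resourceHierarchySelector, includedProjects, includedFolders) and the pageToken query parameter are assumptions, so check them against the v2beta reference before using the script against the real API.

```python
from typing import Callable, Dict, Iterator, List, Set

LIST_BASE = "https://osconfig.googleapis.com/v2beta/folders/{folder}/locations/global/policyOrchestrators"

# Constructed two-page sample of a list response (field names are assumptions).
SAMPLE_PAGES = {
    "": {
        "policyOrchestrators": [{
            "name": "folders/123456/locations/global/policyOrchestrators/my-os-policy-orchestrator",
            "state": "ACTIVE",
            "orchestrationScope": {"selectors": [{"resourceHierarchySelector": {
                "includedProjects": ["projects/5432134", "projects/4567890"]}}]},
        }],
        "nextPageToken": "page2",
    },
    "page2": {
        "policyOrchestrators": [{
            "name": "folders/123456/locations/global/policyOrchestrators/stopped-orchestrator",
            "state": "STOPPED",
            "orchestrationScope": {"selectors": [{"resourceHierarchySelector": {
                "includedFolders": ["folders/7654321"]}}]},
        }],
    },
}

def list_url(folder_number: str, page_token: str = "") -> str:
    """Build the list URL; a non-empty token requests the next page."""
    url = LIST_BASE.format(folder=folder_number)
    return url + (f"?pageToken={page_token}" if page_token else "")

def iter_orchestrators(folder_number: str, fetch: Callable[[str], dict]) -> Iterator[dict]:
    """Follow nextPageToken until the last page; fetch() returns the parsed JSON body.
    A real fetch would send an Authorization bearer token and the x-goog-user-project
    header with QUOTA_PROJECT_ID (assumed, not shown here)."""
    token = ""
    while True:
        page = fetch(list_url(folder_number, token))
        yield from page.get("policyOrchestrators", [])
        token = page.get("nextPageToken", "")
        if not token:
            return

def scope_targets(orch: dict) -> List[str]:
    """Collect every project and folder named in the orchestrator's scope selectors."""
    targets: List[str] = []
    for sel in orch.get("orchestrationScope", {}).get("selectors", []):
        hierarchy = sel.get("resourceHierarchySelector", {})
        targets += hierarchy.get("includedProjects", []) + hierarchy.get("includedFolders", [])
    return targets

def audit(folder_number: str, fetch: Callable[[str], dict], allowed: Set[str]) -> Dict[str, List[str]]:
    """Map each ACTIVE orchestrator name to the scope targets not in the allowlist."""
    findings: Dict[str, List[str]] = {}
    for orch in iter_orchestrators(folder_number, fetch):
        if orch.get("state") != "ACTIVE":
            continue  # STOPPED orchestrators take no action until edited
        unexpected = [t for t in scope_targets(orch) if t not in allowed]
        if unexpected:
            findings[orch["name"]] = unexpected
    return findings

def sample_fetch(url: str) -> dict:
    """Offline stand-in for an HTTP GET that serves the constructed pages above."""
    token = url.split("pageToken=", 1)[1] if "pageToken=" in url else ""
    return SAMPLE_PAGES[token]
```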
View details of a policy orchestrator
To view details of a policy orchestrator in a folder, complete the following steps:
Console
To view a policy orchestrator, do the following:
In the Google Cloud console, go to the OS policies page.
Click the Project Selector on the Google Cloud console action bar and select the folder that contains the policy orchestrator.
Click Policy Orchestrators.
Select the name of the policy orchestrator that you want to view. The Orchestrator details page opens.
To view details of the OS policies applied to VMs, click OS Policy Template.
gcloud
To view details of a policy orchestrator that was created in a folder, run the beta os-config policy-orchestrators describe command:
gcloud --billing-project=QUOTA_PROJECT_ID beta compute os-config policy-orchestrators describe ORCHESTRATOR_NAME \
    --folder=FOLDER_NUMBER
Replace the following:
- QUOTA_PROJECT_ID: the project ID of the quota or the billing project.
- ORCHESTRATOR_NAME: the name of the policy orchestrator.
- FOLDER_NUMBER: the numeric ID of the folder in which you created the policy orchestrator.
Example
gcloud --billing-project=my-quota-project beta compute os-config policy-orchestrators describe my-os-policy-orchestrator \
    --folder=123456
REST
To view details of a policy orchestrator, send a GET request to the folders.locations.global.policyOrchestrators.get method:
GET https://osconfig.googleapis.com/v2beta/folders/FOLDER_NUMBER/locations/global/policyOrchestrators/ORCHESTRATOR_NAME -H "x-goog-user-project: QUOTA_PROJECT_ID"
Replace the following:
- QUOTA_PROJECT_ID: the project ID of the quota or the billing project.
- FOLDER_NUMBER: the numeric ID of the folder in which the policy orchestrator exists.
- ORCHESTRATOR_NAME: the name of the policy orchestrator that you want to view.
The request body must be empty.
Edit a policy orchestrator
You can modify policy orchestrators to add or update the OS policy assignments, orchestrator scope and resources.
Console
To change the settings of a policy orchestrator, do the following:
In the Google Cloud console, go to the OS policies page.
Click the Project Selector on the Google Cloud console action bar and select the folder that contains the policy orchestrator.
Click Policy Orchestrators.
Select the name of the policy orchestrator that you want to edit. The Orchestrator details page opens.
Click Edit.
In the OS policies section, upload the OS policy file.
Optional: In the State section, select one of the following options to specify the behaviour of the policy orchestrator:
- ACTIVE: Once created, the policy orchestrator takes actions immediately.
- STOPPED: A policy orchestrator created in this state does not take any actions immediately. You can edit the policy orchestrator later to change its state.
In the Orchestration scope section, specify the folders and projects in which you want to roll out the OS policies. You must enter only the project numbers and folder numbers in these fields. For example, 123456, 7654321.
Optional: Select the zones that contain the VMs that you want to apply the OS policies to.
Optional: In the Target VM instances section, specify the target VMs that you want to apply the OS policies to.
- Select the OS families. You can further filter the VMs by specifying include and exclude labels. For example, you can select all the Ubuntu VMs in your test environment, and exclude those that are running Google Kubernetes Engine, by specifying the following:
  - OS family: ubuntu
  - Include: env:test, env:staging
  - Exclude: goog-gke-node
Specify a rollout plan.
- Specify the wave size (also referred to as the disruption budget). For example, 10%.
- Specify the wait time. For example, 15 minutes.
Click Save.
gcloud
To update a policy orchestrator in a folder, use the beta os-config policy-orchestrators update command to edit the policy orchestrator in a specified folder:
gcloud --billing-project=QUOTA_PROJECT_ID beta compute os-config policy-orchestrators update ORCHESTRATOR_NAME \
    --folder=FOLDER_NUMBER \
    --state=stopped
Replace the following:
- QUOTA_PROJECT_ID: the project ID of the quota or the billing project.
- ORCHESTRATOR_NAME: the name of the policy orchestrator. See Resource naming convention.
- FOLDER_NUMBER: the numeric folder ID of the folder in which the policy orchestrator exists.
Example
gcloud --billing-project=my-quota-project beta compute os-config policy-orchestrators update my-os-policy-orchestrator \
    --folder=123456 \
    --include-projects=5432134,4567890
REST
To update a policy orchestrator in a folder, send a PATCH request to the folders.locations.global.policyOrchestrators.patch method. In the request body, edit the OS policy assignment specifications.
PATCH https://osconfig.googleapis.com/v2beta/folders/FOLDER_NUMBER/locations/global/policyOrchestrators/ORCHESTRATOR_NAME -H "x-goog-user-project: QUOTA_PROJECT_ID"
{ JSON_OS_POLICY_ORCHESTRATOR }
Replace the following:
- QUOTA_PROJECT_ID: the project ID of the quota or the billing project.
- FOLDER_NUMBER: the numeric ID of the folder in which the policy orchestrator exists.
- ORCHESTRATOR_NAME: the name of the policy orchestrator that you want to edit.
- JSON_OS_POLICY_ORCHESTRATOR: the policy orchestrator object in JSON format that defines the orchestrator scope, orchestrated resource, and orchestration state. For more information about the parameters and format, see Resource: folders.locations.global.policyOrchestrators.
Delete a policy orchestrator
To delete a policy orchestrator and to cancel all ongoing rollouts, complete the following steps:
Console
To delete a policy orchestrator, do the following:
In the Google Cloud console, go to the OS policies page.
Click the Project Selector on the Google Cloud console action bar and select the folder from which you want to delete the policy orchestrator.
Click Policy Orchestrators.
Select the name of the policy orchestrator that you want to delete. The Orchestrator details page opens.
Click Delete.
gcloud
To delete a policy orchestrator from a folder, use the beta os-config policy-orchestrators delete command:
gcloud --billing-project=QUOTA_PROJECT_ID beta compute os-config policy-orchestrators delete ORCHESTRATOR_NAME \
    --folder=FOLDER_NUMBER \
    --policy-id=POLICY_ID
Replace the following:
- QUOTA_PROJECT_ID: the project ID of the quota or the billing project.
- ORCHESTRATOR_NAME: the name of the policy orchestrator.
- FOLDER_NUMBER: the numeric ID of the folder in which you created the policy orchestrator.
- POLICY_ID: the ID assigned to the policy orchestrator.
Example
gcloud --billing-project=my-quota-project beta compute os-config policy-orchestrators delete my-os-policy-orchestrator \
    --folder=123456 \
    --policy-id=my-policy
REST
To delete a policy orchestrator in a folder, send a DELETE request to the folders.locations.global.policyOrchestrators.delete method:
DELETE https://osconfig.googleapis.com/v2beta/folders/FOLDER_NUMBER/locations/global/policyOrchestrators/ORCHESTRATOR_NAME -H "x-goog-user-project: QUOTA_PROJECT_ID"
Replace the following:
- QUOTA_PROJECT_ID: the project ID of the quota or the billing project.
- FOLDER_NUMBER: the numeric ID of the folder in which the policy orchestrator exists.
- ORCHESTRATOR_NAME: the name of the policy orchestrator that you want to delete.
What's next?
- Learn how to manage OS policy assignments using policy orchestrator.