This page explains how to enable Policy Controller bundles.
For more detailed information about applying and using policy bundles, read the instructions for the bundle that you want to apply using the left navigation menu. For more information about policy bundles, see the Policy Controller bundles overview.
If you installed Policy Controller using the Google Cloud console, the policy essentials bundle is installed by default, but you can enable more bundles.
Before you begin
Apply policy bundles
Console
To apply one or more policy bundles on a cluster using the Google Cloud console, complete the following steps:
- In the Google Cloud console, go to the GKE Enterprise Policy page under the Posture Management section.
- Under the Settings tab, in the cluster table, select Edit in the Edit configuration column.
- In the Add/Edit policy bundles menu, ensure the template library is toggled on.
- To enable all policy bundles, toggle on Add all policy bundles.
- To enable individual policy bundles, toggle on each policy bundle that you want to enable.
- Optional: To exempt a namespace from enforcement, expand the Show advanced settings menu. In the Exempt namespaces field, provide a list of valid namespaces.
  Best practice: Exempt system namespaces to avoid errors in your environment. You can find the instructions to exempt namespaces and a list of common namespaces created by Google Cloud services on the Exclude namespaces page.
- Select Save changes.
You can view additional information about your policy coverage and violations using the Policy Controller dashboard.
gcloud
To apply a policy bundle, complete the following steps:
- If any of the bundles that you're applying use referential constraints, you must enable support for referential constraints:

    gcloud alpha container hub policycontroller update --referential-rules

  You can check whether a bundle requires support for referential constraints on the Policy bundles overview.
- For each bundle that you want to install, run the following command:

    gcloud alpha container hub policycontroller content bundles set BUNDLE_NAME

  Replace BUNDLE_NAME with the name of the bundle that you want to install. The name is the bundle prefix, for example cis-k8s-v1.5.1. You can find a list of names on the Policy bundles overview.
- Optional: To exempt a namespace from enforcement, run the following command:

    gcloud alpha container hub policycontroller content bundles set BUNDLE_NAME --exempted-namespaces=NAMESPACES

  Replace NAMESPACES with a comma-separated list of namespaces that you don't want enforced, for example kube-system,gatekeeper-system. For more information about how to add exemptable namespaces, see Exclude namespaces from Policy Controller.
- To remove a bundle, run the following command:

    gcloud alpha container hub policycontroller content bundles remove BUNDLE_NAME
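The following shell helper is an added example, not code from the page or from the gcloud CLI: it composes the `bundles set` command so that the system namespaces the page recommends exempting (kube-system and gatekeeper-system) are always in the exemption list, whatever the caller passes. It only prints the command for review; running it is left to you.

```shell
#!/bin/sh
# Added example, not from the original page: build the "bundles set"
# command with the system namespaces always exempted. Nothing is executed;
# the resulting command is printed so it can be reviewed before use.

SYSTEM_NAMESPACES="kube-system,gatekeeper-system"

# Merge two comma-separated namespace lists, dropping empty entries and
# duplicates while keeping first-seen order.
merge_namespaces() {
  printf '%s,%s\n' "$1" "$2" | tr ',' '\n' | awk 'NF && !seen[$0]++' | paste -s -d ',' -
}

# Print the gcloud command that applies BUNDLE (for example cis-k8s-v1.5.1)
# with the caller's extra exemptions merged into SYSTEM_NAMESPACES.
bundle_set_cmd() {
  bundle="$1"
  extra="${2:-}"
  if [ -z "$bundle" ]; then
    echo "bundle name required, for example cis-k8s-v1.5.1" >&2
    return 1
  fi
  ns=$(merge_namespaces "$SYSTEM_NAMESPACES" "$extra")
  printf 'gcloud alpha container hub policycontroller content bundles set %s --exempted-namespaces=%s\n' "$bundle" "$ns"
}

# Usage: bundle_set_cmd cis-k8s-v1.5.1 monitoring,kube-system
```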
What's next
- Learn more about applying individual constraints.
- Take a tutorial on using policy bundles in your CI/CD pipeline to shift left.