This page explains how to migrate from the ConfigManagement API to the PolicyController API for managing Policy Controller.
The PolicyController API offers the same capabilities for installing and managing Policy Controller.
The steps to fully migrate differ depending on which installation method you used to install Policy Controller.
If you use gcloud CLI PolicyController commands that start with gcloud container fleet policycontroller, you are already using the PolicyController API. No action is needed. Otherwise, review the instructions for the method that you used to install Policy Controller:
config management
If you use gcloud CLI commands that start with gcloud alpha container fleet config-management, switch to using gcloud CLI Policy Controller commands that start with gcloud container fleet policycontroller. Review the gcloud CLI documentation for a list of commands. No other action is required.
If your Google Cloud CLI apply spec file has the policyController block, remove it to ensure compatibility with Config Sync.
Terraform
If you use a Terraform resource that configures Policy Controller with the feature name "configmanagement", you should switch to a Terraform resource with the feature name "policycontroller" by completing the following steps:
Copy your existing Terraform file to a new file, or update your Terraform file, and add the following:
    resource "google_gke_hub_feature" "feature" {
      name     = "policycontroller"
      location = "global"
    }

    resource "google_gke_hub_feature_membership" "feature_member" {
      feature    = google_gke_hub_feature.feature.name # "policycontroller"
      location   = "global"
      membership = "MEMBERSHIP_NAME"
      project    = "PROJECT_ID"
      policycontroller {
        policy_controller_hub_config {
          install_spec = "INSTALL_SPEC_ENABLED"
        }
      }
    }
Replace the following:
- MEMBERSHIP_NAME: the membership name of the registered cluster that has Policy Controller installed.
- PROJECT_ID: your project ID.
Remove the "policy_controller" block from your existing Terraform resource. You can find the block under the "configmanagement" block. If you're using the resource to only manage Policy Controller, you can remove the entire configmanagement block. If you're using the resource to manage Config Sync, ensure you remove only the Policy Controller block. For example, your configmanagement block might resemble the following:

    resource "google_gke_hub_feature_membership" "feature_member" {
      provider   = google-beta
      location   = "global"
      feature    = "configmanagement"
      membership = google_gke_hub_membership.membership.membership_id
      configmanagement {
        version = "1.8.0"
        config_sync {
          source_format = "unstructured"
          git {
          }
        }
        # if you're still using the config_sync block, delete only the policy_controller block
        policy_controller {
          enabled                    = true
          template_library_installed = true
          referential_rules_enabled  = true
        }
      }
    }
Import the Policy Controller membership feature settings by completing one of the following steps:
Run the following command:
    # The resource addresses must match the resource labels in your configuration
    # ("feature" and "feature_member" in the first step).
    terraform import "google_gke_hub_feature.feature" "projects/PROJECT_ID/locations/global/features/policycontroller"
    terraform import "google_gke_hub_feature_membership.feature_member" "projects/PROJECT_ID/locations/global/features/policycontroller/membershipId/MEMBERSHIP_NAME"
Add an import block to your Terraform resource:
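    # The "to" address must match the resource label in your configuration
    # ("feature_member" in the first step).
    import {
      to = google_gke_hub_feature_membership.feature_member
      id = "projects/PROJECT_ID/locations/global/features/policycontroller/membershipId/MEMBERSHIP_NAME"
    }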
Apply the Policy Controller settings:
terraform apply
Optional: After the import is complete, you can remove the import block from your Terraform resource. Alternatively, it is safe to leave the import block in your configuration as a record of the resource's origin.
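A pre-apply check for the Terraform steps above, added here as an example and not part of the original page or of any Google tooling: it walks Terraform text and reports which steps are still outstanding, namely a missing policycontroller block or a policy_controller block still nested under configmanagement. The function names and the sample are constructed, and the scanner assumes terraform fmt-style layout with one block opening per line.

```python
import re

# Opening line of an HCL block: `resource "type" "name" {` or `configmanagement {`.
BLOCK_OPEN = re.compile(r'^\s*([A-Za-z_][\w-]*)((?:\s+"[^"]*")*)\s*\{')
MEMBERSHIP = 'resource "google_gke_hub_feature_membership"'

def block_paths(text):
    """Yield the nesting path of each named block (assumes one block opening per line)."""
    stack = []
    for raw in text.splitlines():
        line = re.sub(r'(^|\s)(#|//).*$', '', raw)  # drop line comments
        m = BLOCK_OPEN.match(line)
        if m:
            stack.append((m.group(1) + m.group(2)).strip())
            yield tuple(stack)
            line = line[m.end():]
        for ch in line:  # remaining braces: closers, object literals, `git { }`
            if ch == '{':
                stack.append('{')
            elif ch == '}' and stack:
                stack.pop()

def outstanding_steps(text):
    """Return the migration steps from this page that the Terraform text still needs."""
    paths = list(block_paths(text))
    steps = []
    if not any(len(p) == 2 and p[0].startswith(MEMBERSHIP) and p[1] == 'policycontroller'
               for p in paths):
        steps.append('add a feature membership with a policycontroller block')
    for p in paths:
        if p[0].startswith(MEMBERSHIP) and p[-2:] == ('configmanagement', 'policy_controller'):
            steps.append('remove policy_controller from ' + p[0])
    return steps

# Constructed sample: a legacy resource shaped like the one on this page, not yet migrated.
LEGACY = '''
resource "google_gke_hub_feature_membership" "feature_member" {
  feature = "configmanagement"
  configmanagement {
    config_sync {
      git { }
    }
    policy_controller {
      enabled = true
    }
  }
}
'''
print("\n".join(outstanding_steps(LEGACY)))
```

An empty result means the configuration contains a policycontroller membership block and no leftover policy_controller block; the check reads only the files and does not inspect state or the cluster.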
Config Connector
To stop using the configmanagement.policyController spec, complete the following steps:
Create or update your GKEHubFeatureMembership spec by entering the spec.ResourceID number into the policycontroller field.
If you have an existing GKEHubFeatureMembership that uses the spec.configmanagement.policyController field, remove any policycontroller fields from the configmanagement spec.
kubectl
If you use kubectl commands to manage Policy Controller with a ConfigManagement object, switch to using gcloud CLI Policy Controller commands that start with gcloud container fleet policycontroller. No other action is required.
If your ConfigManagement object has the policyController block, remove it for compatibility with Config Sync.
You might want to review the following resources to learn more about the Policy Controller API:
- Install Policy Controller with gcloud container fleet policycontroller commands
- Review the Config Connector GKEHubFeature reference documentation
- Review the Terraform google_gke_hub_feature reference documentation