Migrate from the ConfigManagement API to the PolicyController API

This page explains how to migrate from the ConfigManagement API to the PolicyController API for managing Policy Controller. The PolicyController API offers the same capabilities for installing and managing Policy Controller.

The steps to fully migrate differ depending on which installation method you used to install Policy Controller.

If you use gcloud CLI PolicyController commands that start with gcloud container fleet policycontroller, you are already using the PolicyController API. No action is needed. Otherwise, review the instructions for the method that you used to install Policy Controller:

config management

If you use gcloud CLI commands that start with gcloud alpha container fleet config-management, switch to using gcloud CLI Policy Controller commands that start with gcloud container fleet policycontroller. Review the gcloud CLI documentation for a list of commands. No other action is required.

If your Google Cloud CLI apply spec file has the policyController block, remove it to ensure compatibility with Config Sync.

Terraform

If you use a Terraform resource that configures Policy Controller with the feature name "configmanagement", you should switch to a Terraform resource with the feature name "policycontroller" by completing the following steps:

  1. Create a new Terraform file, or update your Terraform file, with the following block:

    # Resource labels match the addresses used by the import commands in step 3.
    resource "google_gke_hub_feature" "policycontroller" {
      name     = "policycontroller"
      location = "global"
    }

    resource "google_gke_hub_feature_membership" "policycontroller" {
      feature    = google_gke_hub_feature.policycontroller.name
      location   = "global"
      membership = "MEMBERSHIP_NAME"
      project    = "PROJECT_ID"

      policycontroller {
        policy_controller_hub_config {
          install_spec = "INSTALL_SPEC_ENABLED"
        }
      }
    }
    

    Replace the following:

    • MEMBERSHIP_NAME: the membership name of the registered cluster that has Policy Controller installed.
    • PROJECT_ID: your project ID.
  2. Remove the "policycontroller" block from the "configmanagement" block. If you use the "configmanagement" block only to manage Policy Controller, you can remove the entire block.

  3. Import the Policy Controller membership feature settings by completing one of the following steps:

    1. Run the following commands:

      terraform import "google_gke_hub_feature.policycontroller" "projects/PROJECT_ID/locations/global/features/policycontroller"
      terraform import "google_gke_hub_feature_membership.policycontroller" "projects/PROJECT_ID/locations/global/features/policycontroller/membershipId/MEMBERSHIP_NAME"
      
    2. Add an import block to your Terraform configuration:

      import {
        to = google_gke_hub_feature_membership.policycontroller
        id = "projects/PROJECT_ID/locations/global/features/policycontroller/membershipId/MEMBERSHIP_NAME"
      }
      
  4. Apply the Policy Controller settings:

    terraform apply
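
A pre-apply check for step 4, added here as an example (not part of the original page or of Google's tooling): it reads the JSON form of a saved plan (`terraform plan -out=plan.out`, then `terraform show -json plan.out`) and lists any Policy Controller fleet resource that the plan would create, delete, or replace, which indicates that the import in step 3 did not bind to the existing installation. The sample plan, the `configmanagement` resource address in it, and the assumption that the feature value is either a short name or a full resource path are constructed for illustration.

```python
import json

# Resource types from the Terraform block on this page, and the attribute
# that names the fleet feature on each.
WATCHED = {"google_gke_hub_feature": "name",
           "google_gke_hub_feature_membership": "feature"}
RISKY = {"create", "delete"}  # Terraform reports a replace as both


def feature_name(rc):
    """Feature a resource change refers to, or None if the plan does not say."""
    change = rc.get("change") or {}
    values = change.get("after") or change.get("before") or {}
    raw = values.get(WATCHED[rc["type"]])
    # Assumption: the value is either a short name or a full resource path.
    return raw.rsplit("/", 1)[-1] if isinstance(raw, str) else None


def risky_changes(plan):
    """Return (address, actions) pairs that should block `terraform apply`."""
    findings = []
    for rc in plan.get("resource_changes", []):
        if rc.get("type") not in WATCHED:
            continue
        # Skip only a feature known to be something else (step 2 removals).
        if feature_name(rc) not in (None, "policycontroller"):
            continue
        actions = (rc.get("change") or {}).get("actions", [])
        if RISKY.intersection(actions):
            findings.append((rc["address"], actions))
    return findings


# Constructed sample in the shape of `terraform show -json plan.out`.
SAMPLE_PLAN = json.loads("""
{"resource_changes": [
  {"address": "google_gke_hub_feature.policycontroller",
   "type": "google_gke_hub_feature", "change": {"actions": ["no-op"],
     "before": {"name": "policycontroller"}, "after": {"name": "policycontroller"}}},
  {"address": "google_gke_hub_feature_membership.policycontroller",
   "type": "google_gke_hub_feature_membership", "change": {"actions": ["create"],
     "before": null, "after": {"feature": "policycontroller"}}},
  {"address": "google_gke_hub_feature_membership.configmanagement",
   "type": "google_gke_hub_feature_membership", "change": {"actions": ["delete"],
     "before": {"feature": "configmanagement"}, "after": null}}
]}
""")

if __name__ == "__main__":
    print(risky_changes(SAMPLE_PLAN))
```

An empty result means the plan only updates or leaves unchanged the imported Policy Controller resources; any entry is worth resolving before running the apply.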
    

Config Connector

To stop using the configmanagement.policyController spec, complete the following steps:

  1. Create or update your GKEHubFeatureMembership spec by entering the spec.ResourceID number into the policycontroller field.

  2. If you have an existing GKEHubFeatureMembership that uses the spec.configmanagement.policyController field, remove any policycontroller fields from the configmanagement spec.

kubectl

If you use kubectl commands to manage Policy Controller with a ConfigManagement object, switch to using gcloud CLI Policy Controller commands that start with gcloud container fleet policycontroller. No other action is required.

If your ConfigManagement object has the policyController block, remove it for compatibility with Config Sync.

You might want to review the following resources to learn more about the Policy Controller API: