Manage CV platform policies

Manage platform policies

This section describes how to manage CV platform policies.

Create a platform policy

This section shows you how to create a platform policy.

Before using any of the command data below, make the following replacements:

  • POLICY_ID: A platform policy ID of your choice. If the policy is in another project, you can use the full resource name: projects/POLICY_PROJECT_ID/platforms/gke/policies/POLICY_ID.
  • POLICY_PATH: A path to the policy file.
  • POLICY_PROJECT_ID: The policy project ID.

Execute the following command:

Linux, macOS, or Cloud Shell

gcloud beta container binauthz policy create POLICY_ID \
    --platform=gke \
    --policy-file=POLICY_PATH \
    --project=POLICY_PROJECT_ID

Windows (PowerShell)

gcloud beta container binauthz policy create POLICY_ID `
    --platform=gke `
    --policy-file=POLICY_PATH `
    --project=POLICY_PROJECT_ID

Windows (cmd.exe)

gcloud beta container binauthz policy create POLICY_ID ^
    --platform=gke ^
    --policy-file=POLICY_PATH ^
    --project=POLICY_PROJECT_ID

List a CV platform policy

This section shows you how to list platform policies.

Before using any of the command data below, make the following replacements:

  • POLICY_PROJECT_ID: the ID of the project that contains the policies to list

Execute the following command:

Linux, macOS, or Cloud Shell

gcloud beta container binauthz policy list gke \
    --project=POLICY_PROJECT_ID

Windows (PowerShell)

gcloud beta container binauthz policy list gke `
    --project=POLICY_PROJECT_ID

Windows (cmd.exe)

gcloud beta container binauthz policy list gke ^
    --project=POLICY_PROJECT_ID

Describe a CV platform policy

This section shows you how to describe a platform policy.

Before using any of the command data below, make the following replacements:

  • POLICY_PROJECT_ID: the ID of the project that contains the policy
  • POLICY_ID: the platform policy ID. If the policy is in another project, you can use the full resource name: projects/POLICY_PROJECT_ID/platforms/gke/policies/POLICY_ID.

Execute the following command:

Linux, macOS, or Cloud Shell

gcloud beta container binauthz policy describe POLICY_ID \
    --project=POLICY_PROJECT_ID \
    --platform=gke

Windows (PowerShell)

gcloud beta container binauthz policy describe POLICY_ID `
    --project=POLICY_PROJECT_ID `
    --platform=gke

Windows (cmd.exe)

gcloud beta container binauthz policy describe POLICY_ID ^
    --project=POLICY_PROJECT_ID ^
    --platform=gke

Update a CV platform policy

This section shows you how to update a platform policy.

Before using any of the command data below, make the following replacements:

  • POLICY_ID: a platform policy ID. If the policy is in another project, you can use the full resource name: projects/POLICY_PROJECT_ID/platforms/gke/policies/POLICY_ID.
  • POLICY_PROJECT_ID: the policy project ID
  • POLICY_PATH: a path to the updated policy file

Execute the following command:

Linux, macOS, or Cloud Shell

gcloud beta container binauthz policy update POLICY_ID \
    --policy-file=POLICY_PATH \
    --platform=gke \
    --project=POLICY_PROJECT_ID

Windows (PowerShell)

gcloud beta container binauthz policy update POLICY_ID `
    --policy-file=POLICY_PATH `
    --platform=gke `
    --project=POLICY_PROJECT_ID

Windows (cmd.exe)

gcloud beta container binauthz policy update POLICY_ID ^
    --policy-file=POLICY_PATH ^
    --platform=gke ^
    --project=POLICY_PROJECT_ID

Delete a CV platform policy

This section shows you how to delete a platform policy.

Before using any of the command data below, make the following replacements:

  • POLICY_ID: The ID of the local platform policy. If the policy is in another project, you can use the full resource name: projects/POLICY_PROJECT_ID/platforms/gke/policies/POLICY_ID.
  • POLICY_PROJECT_ID: the policy project ID

Execute the following command:

Linux, macOS, or Cloud Shell

gcloud beta container binauthz policy delete POLICY_ID \
    --platform=gke \
    --project=POLICY_PROJECT_ID

Windows (PowerShell)

gcloud beta container binauthz policy delete POLICY_ID `
    --platform=gke `
    --project=POLICY_PROJECT_ID

Windows (cmd.exe)

gcloud beta container binauthz policy delete POLICY_ID ^
    --platform=gke ^
    --project=POLICY_PROJECT_ID

Manage GKE clusters with CV policies

This section shows you how to enable CV with platform policies for GKE.

Update cluster to use only CV monitoring

This section shows you how to update a cluster to use only CV platform policy-based monitoring. If this cluster already has project-singleton policy enforcement enabled, running this command disables that enforcement. If you want to keep enforcement, update the cluster with both enforcement and CV monitoring enabled instead.

Before using any of the command data below, make the following replacements:

  • CLUSTER_NAME: the cluster name
  • LOCATION: the location, for example us-central1 or asia-south1
  • POLICY_PROJECT_ID: the ID of the project where the policy is stored
  • POLICY_ID: the policy ID
  • CLUSTER_PROJECT_ID: the cluster project ID

Execute the following command:

Linux, macOS, or Cloud Shell

gcloud beta container clusters update CLUSTER_NAME \
    --location=LOCATION \
    --binauthz-evaluation-mode=POLICY_BINDINGS \
    --binauthz-policy-bindings=name=projects/POLICY_PROJECT_ID/platforms/gke/policies/POLICY_ID \
    --project=CLUSTER_PROJECT_ID

Windows (PowerShell)

gcloud beta container clusters update CLUSTER_NAME `
    --location=LOCATION `
    --binauthz-evaluation-mode=POLICY_BINDINGS `
    --binauthz-policy-bindings=name=projects/POLICY_PROJECT_ID/platforms/gke/policies/POLICY_ID `
    --project=CLUSTER_PROJECT_ID

Windows (cmd.exe)

gcloud beta container clusters update CLUSTER_NAME ^
    --location=LOCATION ^
    --binauthz-evaluation-mode=POLICY_BINDINGS ^
    --binauthz-policy-bindings=name=projects/POLICY_PROJECT_ID/platforms/gke/policies/POLICY_ID ^
    --project=CLUSTER_PROJECT_ID

Update a cluster to use Binary Authorization enforcement with CV monitoring

This section shows you how to update a cluster to use both project-singleton policy enforcement and CV platform policy-based monitoring.

Before using any of the command data below, make the following replacements:

  • CLUSTER_NAME: a cluster name
  • LOCATION: the location, for example us-central1 or asia-south1
  • POLICY_PROJECT_ID: the ID of the project where the policy is stored
  • POLICY_ID: the policy ID
  • CLUSTER_PROJECT_ID: the cluster project ID

Execute the following command:

Linux, macOS, or Cloud Shell

gcloud beta container clusters update CLUSTER_NAME \
    --location=LOCATION \
    --binauthz-evaluation-mode=POLICY_BINDINGS_AND_PROJECT_SINGLETON_POLICY_ENFORCE \
    --binauthz-policy-bindings=name=projects/POLICY_PROJECT_ID/platforms/gke/policies/POLICY_ID \
    --project=CLUSTER_PROJECT_ID

Windows (PowerShell)

gcloud beta container clusters update CLUSTER_NAME `
    --location=LOCATION `
    --binauthz-evaluation-mode=POLICY_BINDINGS_AND_PROJECT_SINGLETON_POLICY_ENFORCE `
    --binauthz-policy-bindings=name=projects/POLICY_PROJECT_ID/platforms/gke/policies/POLICY_ID `
    --project=CLUSTER_PROJECT_ID

Windows (cmd.exe)

gcloud beta container clusters update CLUSTER_NAME ^
    --location=LOCATION ^
    --binauthz-evaluation-mode=POLICY_BINDINGS_AND_PROJECT_SINGLETON_POLICY_ENFORCE ^
    --binauthz-policy-bindings=name=projects/POLICY_PROJECT_ID/platforms/gke/policies/POLICY_ID ^
    --project=CLUSTER_PROJECT_ID

Disable CV

You can enable CV on a GKE cluster that also uses Binary Authorization and the project-singleton policy for enforcement.

If this is the case and you want to disable only CV while keeping project-singleton policy enforcement, update the cluster as follows.

Before using any of the command data below, make the following replacements:

  • CLUSTER_NAME: a cluster name
  • LOCATION: the location, for example us-central1 or asia-south1
  • POLICY_PROJECT_ID: the ID of the project where the policy is stored
  • POLICY_ID: the policy ID
  • CLUSTER_PROJECT_ID: the cluster project ID

Execute the following command:

Linux, macOS, or Cloud Shell

gcloud beta container clusters update CLUSTER_NAME \
    --location=LOCATION \
    --binauthz-evaluation-mode=PROJECT_SINGLETON_POLICY_ENFORCE \
    --binauthz-policy-bindings=name=projects/POLICY_PROJECT_ID/platforms/gke/policies/POLICY_ID \
    --project=CLUSTER_PROJECT_ID

Windows (PowerShell)

gcloud beta container clusters update CLUSTER_NAME `
    --location=LOCATION `
    --binauthz-evaluation-mode=PROJECT_SINGLETON_POLICY_ENFORCE `
    --binauthz-policy-bindings=name=projects/POLICY_PROJECT_ID/platforms/gke/policies/POLICY_ID `
    --project=CLUSTER_PROJECT_ID

Windows (cmd.exe)

gcloud beta container clusters update CLUSTER_NAME ^
    --location=LOCATION ^
    --binauthz-evaluation-mode=PROJECT_SINGLETON_POLICY_ENFORCE ^
    --binauthz-policy-bindings=name=projects/POLICY_PROJECT_ID/platforms/gke/policies/POLICY_ID ^
    --project=CLUSTER_PROJECT_ID
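
The three cluster updates above (CV-only, CV plus enforcement, and disabling CV) differ only in the evaluation mode, and picking the wrong one silently drops project-singleton enforcement. The following helper script is an added example, not code from the Google Cloud documentation: it derives the safe target mode from the cluster's current mode and prints the resulting update command for review. The DISABLED mode value and the --format path used to read the current mode are assumptions; the cluster and policy names at the bottom are constructed.

```shell
#!/bin/sh
# Added example (not from the Google Cloud page). Choose an evaluation mode
# that keeps project-singleton enforcement when it is already on, then build
# the gcloud update command. DISABLED and the --format path are assumptions.

ENFORCE=PROJECT_SINGLETON_POLICY_ENFORCE
BOTH=POLICY_BINDINGS_AND_PROJECT_SINGLETON_POLICY_ENFORCE

# Full resource name of a platform policy, in the form the page uses.
cv_policy_name() { printf 'projects/%s/platforms/gke/policies/%s\n' "$1" "$2"; }

# Mode to set when enabling CV, given the cluster's current mode ($1).
# Enforcement stays on if it was on; unrecognised modes are refused.
cv_enable_mode() {
  case "$1" in
    "$ENFORCE"|"$BOTH") echo "$BOTH" ;;
    ""|DISABLED|POLICY_BINDINGS) echo POLICY_BINDINGS ;;
    *) echo "cv_enable_mode: unknown mode '$1'" >&2; return 1 ;;
  esac
}

# Mode to set when turning CV off: keep enforcement only if it was on.
cv_disable_mode() {
  case "$1" in
    "$ENFORCE"|"$BOTH") echo "$ENFORCE" ;;
    ""|DISABLED|POLICY_BINDINGS) echo DISABLED ;;
    *) echo "cv_disable_mode: unknown mode '$1'" >&2; return 1 ;;
  esac
}

# Print (do not run) the update command.
# Args: cluster location cluster_project mode policy_project policy_id
cv_update_cmd() {
  printf 'gcloud beta container clusters update %s --location=%s --project=%s' "$1" "$2" "$3"
  printf ' --binauthz-evaluation-mode=%s' "$4"
  printf ' --binauthz-policy-bindings=name=%s\n' "$(cv_policy_name "$5" "$6")"
}

# Read the current mode from the live cluster (format path assumed).
# Args: cluster location cluster_project
cv_current_mode() {
  gcloud container clusters describe "$1" --location="$2" --project="$3" \
    --format='value(binaryAuthorization.evaluationMode)' 2>/dev/null
}

# Constructed walk-through: a cluster that already enforces the singleton policy.
current=$ENFORCE
cv_update_cmd demo-cluster us-central1 cluster-proj \
  "$(cv_enable_mode "$current")" policy-proj demo-policy
```

To act on a real cluster, replace the constructed `current` with `$(cv_current_mode CLUSTER_NAME LOCATION CLUSTER_PROJECT_ID)` and run the printed command once it has been reviewed.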
