Manage CV platform policies

Manage platform policies

This section describes how to manage CV platform policies.

Create a platform policy

This section shows you how to create a platform policy.

Before using any of the command data below, make the following replacements:

  • POLICY_ID: A platform policy ID of your choice. If the policy is in another project, you can use the full resource name: projects/POLICY_PROJECT_ID/platforms/gke/policies/POLICY_ID.
  • POLICY_PATH: A path to the policy file.
  • POLICY_PROJECT_ID: The policy project ID.

Execute the following command:

Linux, macOS, or Cloud Shell

gcloud beta container binauthz policy create POLICY_ID \
    --platform=gke \
    --policy-file=POLICY_PATH \
    --project=POLICY_PROJECT_ID

Windows (PowerShell)

gcloud beta container binauthz policy create POLICY_ID `
    --platform=gke `
    --policy-file=POLICY_PATH `
    --project=POLICY_PROJECT_ID

Windows (cmd.exe)

gcloud beta container binauthz policy create POLICY_ID ^
    --platform=gke ^
    --policy-file=POLICY_PATH ^
    --project=POLICY_PROJECT_ID

List CV platform policies

This section shows you how to list platform policies.

Before using any of the command data below, make the following replacements:

  • POLICY_PROJECT_ID: the ID of the project that contains the policies to list

Execute the following command:

Linux, macOS, or Cloud Shell

gcloud beta container binauthz policy list gke \
    --project=POLICY_PROJECT_ID

Windows (PowerShell)

gcloud beta container binauthz policy list gke `
    --project=POLICY_PROJECT_ID

Windows (cmd.exe)

gcloud beta container binauthz policy list gke ^
    --project=POLICY_PROJECT_ID

Describe a CV platform policy

This section shows you how to describe a platform policy.

Before using any of the command data below, make the following replacements:

  • POLICY_PROJECT_ID: the ID of the project that contains the policy
  • POLICY_ID: the platform policy ID. If the policy is in another project, you can use the full resource name: projects/POLICY_PROJECT_ID/platforms/gke/policies/POLICY_ID.

Execute the following command:

Linux, macOS, or Cloud Shell

gcloud beta container binauthz policy describe POLICY_ID \
    --project=POLICY_PROJECT_ID \
    --platform=gke

Windows (PowerShell)

gcloud beta container binauthz policy describe POLICY_ID `
    --project=POLICY_PROJECT_ID `
    --platform=gke

Windows (cmd.exe)

gcloud beta container binauthz policy describe POLICY_ID ^
    --project=POLICY_PROJECT_ID ^
    --platform=gke

Update a CV platform policy

This section shows you how to update a platform policy.

Before using any of the command data below, make the following replacements:

  • POLICY_ID: a platform policy ID. If the policy is in another project, you can use the full resource name: projects/POLICY_PROJECT_ID/platforms/gke/policies/POLICY_ID.
  • POLICY_PROJECT_ID: the policy project ID
  • POLICY_PATH: a path to the updated policy file

Execute the following command:

Linux, macOS, or Cloud Shell

gcloud beta container binauthz policy update POLICY_ID \
    --policy-file=POLICY_PATH \
    --platform=gke \
    --project=POLICY_PROJECT_ID

Windows (PowerShell)

gcloud beta container binauthz policy update POLICY_ID `
    --policy-file=POLICY_PATH `
    --platform=gke `
    --project=POLICY_PROJECT_ID

Windows (cmd.exe)

gcloud beta container binauthz policy update POLICY_ID ^
    --policy-file=POLICY_PATH ^
    --platform=gke ^
    --project=POLICY_PROJECT_ID

Delete a CV platform policy

This section shows you how to delete a platform policy.

Before using any of the command data below, make the following replacements:

  • POLICY_ID: The ID of the local platform policy. If the policy is in another project, you can use the full resource name: projects/POLICY_PROJECT_ID/platforms/gke/policies/POLICY_ID.
  • POLICY_PROJECT_ID: the policy project ID

Execute the following command:

Linux, macOS, or Cloud Shell

gcloud beta container binauthz policy delete POLICY_ID \
    --platform=gke \
    --project=POLICY_PROJECT_ID

Windows (PowerShell)

gcloud beta container binauthz policy delete POLICY_ID `
    --platform=gke `
    --project=POLICY_PROJECT_ID

Windows (cmd.exe)

gcloud beta container binauthz policy delete POLICY_ID ^
    --platform=gke ^
    --project=POLICY_PROJECT_ID

Manage GKE clusters with CV policies

This section shows you how to enable CV with platform policies for GKE.

Update cluster to use only CV monitoring

This section shows you how to update a cluster to use only CV platform policy-based monitoring. If this cluster already has project-singleton policy enforcement enabled, running this command disables that enforcement. If you want to keep enforcement, update the cluster with both enforcement and CV monitoring enabled instead.

Before using any of the command data below, make the following replacements:

  • CLUSTER_NAME: the cluster name
  • LOCATION: the location—for example: us-central1 or asia-south1
  • POLICY_PROJECT_ID: the ID of the project where the policy is stored
  • POLICY_ID: the policy ID
  • CLUSTER_PROJECT_ID: the cluster project ID

Execute the following command:

Linux, macOS, or Cloud Shell

gcloud beta container clusters update CLUSTER_NAME \
    --location=LOCATION \
    --binauthz-evaluation-mode=POLICY_BINDINGS \
    --binauthz-policy-bindings=name=projects/POLICY_PROJECT_ID/platforms/gke/policies/POLICY_ID \
    --project=CLUSTER_PROJECT_ID

Windows (PowerShell)

gcloud beta container clusters update CLUSTER_NAME `
    --location=LOCATION `
    --binauthz-evaluation-mode=POLICY_BINDINGS `
    --binauthz-policy-bindings=name=projects/POLICY_PROJECT_ID/platforms/gke/policies/POLICY_ID `
    --project=CLUSTER_PROJECT_ID

Windows (cmd.exe)

gcloud beta container clusters update CLUSTER_NAME ^
    --location=LOCATION ^
    --binauthz-evaluation-mode=POLICY_BINDINGS ^
    --binauthz-policy-bindings=name=projects/POLICY_PROJECT_ID/platforms/gke/policies/POLICY_ID ^
    --project=CLUSTER_PROJECT_ID

Update a cluster to use Binary Authorization enforcement with CV monitoring

This section shows you how to update a cluster to use both project-singleton policy enforcement and CV platform policy-based monitoring.

Before using any of the command data below, make the following replacements:

  • CLUSTER_NAME: a cluster name
  • LOCATION: the location—for example: us-central1 or asia-south1
  • POLICY_PROJECT_ID: the ID of the project where the policy is stored
  • POLICY_ID: the policy ID
  • CLUSTER_PROJECT_ID: the cluster project ID

Execute the following command:

Linux, macOS, or Cloud Shell

gcloud beta container clusters update CLUSTER_NAME \
    --location=LOCATION \
    --binauthz-evaluation-mode=POLICY_BINDINGS_AND_PROJECT_SINGLETON_POLICY_ENFORCE \
    --binauthz-policy-bindings=name=projects/POLICY_PROJECT_ID/platforms/gke/policies/POLICY_ID \
    --project=CLUSTER_PROJECT_ID

Windows (PowerShell)

gcloud beta container clusters update CLUSTER_NAME `
    --location=LOCATION `
    --binauthz-evaluation-mode=POLICY_BINDINGS_AND_PROJECT_SINGLETON_POLICY_ENFORCE `
    --binauthz-policy-bindings=name=projects/POLICY_PROJECT_ID/platforms/gke/policies/POLICY_ID `
    --project=CLUSTER_PROJECT_ID

Windows (cmd.exe)

gcloud beta container clusters update CLUSTER_NAME ^
    --location=LOCATION ^
    --binauthz-evaluation-mode=POLICY_BINDINGS_AND_PROJECT_SINGLETON_POLICY_ENFORCE ^
    --binauthz-policy-bindings=name=projects/POLICY_PROJECT_ID/platforms/gke/policies/POLICY_ID ^
    --project=CLUSTER_PROJECT_ID

Disable CV

You can enable CV on a GKE cluster that also uses Binary Authorization and the project-singleton policy for enforcement.

If this is the case and you want to disable only CV, run the following command:

Before using any of the command data below, make the following replacements:

  • CLUSTER_NAME: a cluster name
  • LOCATION: the location—for example: us-central1 or asia-south1
  • POLICY_PROJECT_ID: the ID of the project where the policy is stored
  • POLICY_ID: the policy ID
  • CLUSTER_PROJECT_ID: the cluster project ID

Execute the following command:

Linux, macOS, or Cloud Shell

gcloud beta container clusters update CLUSTER_NAME \
    --location=LOCATION \
    --binauthz-evaluation-mode=PROJECT_SINGLETON_POLICY_ENFORCE \
    --binauthz-policy-bindings=name=projects/POLICY_PROJECT_ID/platforms/gke/policies/POLICY_ID \
    --project=CLUSTER_PROJECT_ID

Windows (PowerShell)

gcloud beta container clusters update CLUSTER_NAME `
    --location=LOCATION `
    --binauthz-evaluation-mode=PROJECT_SINGLETON_POLICY_ENFORCE `
    --binauthz-policy-bindings=name=projects/POLICY_PROJECT_ID/platforms/gke/policies/POLICY_ID `
    --project=CLUSTER_PROJECT_ID

Windows (cmd.exe)

gcloud beta container clusters update CLUSTER_NAME ^
    --location=LOCATION ^
    --binauthz-evaluation-mode=PROJECT_SINGLETON_POLICY_ENFORCE ^
    --binauthz-policy-bindings=name=projects/POLICY_PROJECT_ID/platforms/gke/policies/POLICY_ID ^
    --project=CLUSTER_PROJECT_ID
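The three cluster-update procedures above (CV-only monitoring, enforcement plus CV monitoring, and disabling CV) differ only in the value passed to --binauthz-evaluation-mode, and the first of them silently removes project-singleton enforcement if it was on. The following POSIX shell script is an added example, not part of the Google Cloud documentation: it builds the platform policy resource name in the projects/POLICY_PROJECT_ID/platforms/gke/policies/POLICY_ID form used throughout this page, and runs a preflight check that reports whether a requested mode change would drop enforcement or drop CV monitoring before you run the update. The evaluation-mode names come from the commands above; the helper names, the sample cluster description, and the assumption that gcloud container clusters describe reports the current mode under binaryAuthorization.evaluationMode are this example's own. It goes slightly beyond the page by treating any mode it does not recognize as providing neither enforcement nor monitoring.

```shell
#!/bin/sh
# Added example, not from the Google Cloud docs. Preflight for changing a GKE
# cluster's Binary Authorization evaluation mode. Mode names and the policy
# resource-name format are taken from the page; helper names are hypothetical.

# Build the full platform policy resource name. A value that is already a full
# resource name (possibly in another project) is passed through unchanged.
policy_resource_name() {
  case "$2" in
    projects/*/platforms/gke/policies/*) printf '%s\n' "$2" ;;
    *) printf 'projects/%s/platforms/gke/policies/%s\n' "$1" "$2" ;;
  esac
}

# True (exit 0) when a mode keeps project-singleton policy enforcement.
enforces_singleton_policy() {
  case "$1" in
    PROJECT_SINGLETON_POLICY_ENFORCE|POLICY_BINDINGS_AND_PROJECT_SINGLETON_POLICY_ENFORCE) return 0 ;;
    *) return 1 ;;
  esac
}

# True (exit 0) when a mode turns on CV platform-policy monitoring.
monitors_with_cv() {
  case "$1" in
    POLICY_BINDINGS|POLICY_BINDINGS_AND_PROJECT_SINGLETON_POLICY_ENFORCE) return 0 ;;
    *) return 1 ;;
  esac
}

# Compare the current mode ($1) with the requested mode ($2) and print what is
# lost: "ok", "drops-enforcement", "drops-cv", or both separated by a space.
mode_change_effect() {
  effects=""
  if enforces_singleton_policy "$1" && ! enforces_singleton_policy "$2"; then
    effects="${effects}drops-enforcement "
  fi
  if monitors_with_cv "$1" && ! monitors_with_cv "$2"; then
    effects="${effects}drops-cv "
  fi
  if [ -n "$effects" ]; then
    printf '%s\n' "${effects% }"
  else
    printf 'ok\n'
  fi
}

# Extract the evaluation mode from YAML such as
#   gcloud container clusters describe CLUSTER --location LOC --format=yaml
# Assumption: the mode appears as "evaluationMode: <MODE>" under binaryAuthorization.
current_mode_from_describe() {
  printf '%s\n' "$1" | awk '$1 == "evaluationMode:" { print $2; exit }'
}

# Constructed sample describe output (not captured from a real cluster).
SAMPLE_DESCRIBE='name: prod-cluster
binaryAuthorization:
  evaluationMode: PROJECT_SINGLETON_POLICY_ENFORCE
location: us-central1'

# Demonstration with constructed values: an operator asks for CV-only monitoring
# on a cluster that currently enforces the project-singleton policy.
cluster_mode=$(current_mode_from_describe "$SAMPLE_DESCRIBE")
requested=POLICY_BINDINGS
verdict=$(mode_change_effect "$cluster_mode" "$requested")
binding="name=$(policy_resource_name example-policy-project example-policy)"
printf 'current=%s requested=%s effect=%s\n' "$cluster_mode" "$requested" "$verdict"
case "$verdict" in
  *drops-enforcement*)
    printf 'Refusing: use --binauthz-evaluation-mode=POLICY_BINDINGS_AND_PROJECT_SINGLETON_POLICY_ENFORCE\n'
    printf '          --binauthz-policy-bindings=%s to keep enforcement while adding CV.\n' "$binding" ;;
esac
```

Run the script before the cluster update, feeding it the real describe output; a verdict containing drops-enforcement means the planned command would turn the cluster into monitor-only, which is the situation the note under "Update cluster to use only CV monitoring" warns about.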


Except as otherwise noted, the content of this page is licensed under the Creative Commons Attribution 4.0 License, and code samples are licensed under the Apache 2.0 License. For details, see the Google Developers Site Policies. Java is a registered trademark of Oracle and/or its affiliates.

Last updated November 24, 2025 UTC.