1. How to activate GKE policy controller?


    Policy Controller is a fleet (GKE Hub) feature, not a setting on the cluster itself. In Pulumi, enabling it takes four resources: a gcp.container.Cluster, a gcp.gkehub.Membership that registers the cluster with the fleet, a gcp.gkehub.Feature named configmanagement, and a gcp.gkehub.FeatureMembership whose configmanagement.policyController argument installs and configures Policy Controller on that member. Config Connector is separate: it is a cluster add-on, enabled through the configConnectorConfig field of the cluster's addonsConfig.

    configConnectorConfig installs Config Connector, which lets you create and manage GCP resources as Kubernetes objects (YAML) through the Kubernetes API. The add-on requires Workload Identity on the cluster; the Config Connector controller then impersonates a Google service account of your choosing, so grant that account only the IAM roles for the resources it is supposed to manage.

    policyController installs and manages Policy Controller, Google's managed build of Open Policy Agent Gatekeeper. It runs as a validating admission webhook that checks every create and update against the constraints you define, and it also periodically audits resources that already exist on the cluster and records violations in each constraint's status.

    Here is a Pulumi TypeScript program to accomplish this:

    import * as pulumi from "@pulumi/pulumi";
    import * as gcp from "@pulumi/gcp";

    const project = "<GCP_PROJECT_ID>"; // GCP project that owns the cluster and the fleet
    const region = "<GCP_REGION>";      // GCP region where the cluster will be created, eg. "us-central1"

    // 1. The GKE cluster. Config Connector is a cluster add-on, so it is enabled here.
    //    No masterAuth username/password: GKE removed basic authentication, and IAM
    //    credentials (gcloud container clusters get-credentials) are the supported path.
    const cluster = new gcp.container.Cluster("cluster", {
        location: region,
        initialNodeCount: 1,
        // Workload Identity is required by Config Connector, and it is what lets pods
        // call GCP APIs with a dedicated service account instead of the node's credentials.
        workloadIdentityConfig: {
            workloadPool: `${project}.svc.id.goog`,
        },
        nodeConfig: {
            workloadMetadataConfig: { mode: "GKE_METADATA" },
            // Keep node scopes minimal (logs, metrics, image pulls). Policy Controller
            // does not need the broad cloud-platform scope on the nodes.
            oauthScopes: [
                "https://www.googleapis.com/auth/logging.write",
                "https://www.googleapis.com/auth/monitoring",
                "https://www.googleapis.com/auth/devstorage.read_only",
            ],
        },
        addonsConfig: {
            // Install the Config Connector add-on (manage GCP resources through the K8s API)
            configConnectorConfig: { enabled: true },
        },
    });

    // 2. Register the cluster with the fleet (GKE Hub). Policy Controller is a fleet
    //    feature and can only be configured for a registered member.
    const membership = new gcp.gkehub.Membership("membership", {
        membershipId: "cluster-membership",
        endpoint: {
            gkeCluster: {
                resourceLink: pulumi.interpolate`//container.googleapis.com/${cluster.id}`,
            },
        },
    });

    // 3. Enable the Config Management feature on the fleet (once per project).
    const feature = new gcp.gkehub.Feature("configmanagement", {
        name: "configmanagement",
        location: "global",
    });

    // 4. Turn on Policy Controller (managed Gatekeeper) for this member.
    const featureMembership = new gcp.gkehub.FeatureMembership("featureMembership", {
        location: "global",
        feature: feature.name,
        membership: membership.membershipId,
        configmanagement: {
            policyController: {
                enabled: true,
                // Install Google's constraint template library (K8sRequiredLabels,
                // K8sPSPPrivilegedContainer, ...) so your constraints can reference it.
                templateLibraryInstalled: true,
                // Log every denied admission request; useful for detection and for tuning.
                logDeniesEnabled: true,
                // Do not audit or enforce against the system namespaces.
                exemptableNamespaces: ["kube-system", "config-management-system"],
            },
        },
    });

    export const clusterName = cluster.name;

    Further settings can be configured based on your requirements: policyController also accepts auditIntervalSeconds, referentialRulesEnabled, mutationEnabled and monitoring, and the same configmanagement block can carry a configSync section to pull constraints from a Git repository. The GKE Hub API (gkehub.googleapis.com) and the Anthos Config Management API (anthosconfigmanagement.googleapis.com) must be enabled in the project before the Feature and FeatureMembership resources can be created.
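    Once Policy Controller is running with the template library installed, enforcement is expressed as constraint objects. The following manifests are an added example, not code from the original page or from Google; they use two templates from the Policy Controller constraint template library, K8sPSPPrivilegedContainer and K8sAllowedRepos. The constraint names, the exempted namespaces, the registry prefix and the test Pod are assumptions chosen for this example.

```yaml
# Block privileged containers cluster-wide. enforcementAction "deny" rejects the
# request at admission; "dryrun" only records violations in the constraint's
# status, which is the safer way to introduce a constraint on a cluster that
# already has workloads.
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sPSPPrivilegedContainer
metadata:
  name: deny-privileged-containers        # assumed name
spec:
  enforcementAction: deny
  match:
    kinds:
      - apiGroups: [""]
        kinds: ["Pod"]
    excludedNamespaces:                   # assumed: system namespaces are exempt
      - kube-system
      - gatekeeper-system
      - config-management-system
---
# Only allow images from one registry prefix (supply-chain control). The prefix
# below is an assumption; replace it with your own Artifact Registry path.
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sAllowedRepos
metadata:
  name: allowed-image-repos               # assumed name
spec:
  enforcementAction: dryrun               # start in audit-only mode, then switch to deny
  match:
    kinds:
      - apiGroups: [""]
        kinds: ["Pod"]
  parameters:
    repos:
      - "us-central1-docker.pkg.dev/<GCP_PROJECT_ID>/"
---
# Constructed test workload: the admission webhook rejects this Pod because
# securityContext.privileged is true, and the K8sAllowedRepos constraint records
# a violation for the docker.io image (dryrun), without blocking it.
apiVersion: v1
kind: Pod
metadata:
  name: privileged-test                   # assumed name
  namespace: default
spec:
  containers:
    - name: shell
      image: busybox:1.36
      command: ["sleep", "3600"]
      securityContext:
        privileged: true
```

    Apply with kubectl apply -f; kubectl get constrainttemplates confirms the library templates are present before you create constraints against them. Violations found by the periodic audit appear under status.violations of each constraint (kubectl get k8sallowedrepos allowed-image-repos -o yaml), which is how you check a dryrun constraint is clean before switching it to deny.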

    Remember to replace the placeholders such as <GCP_REGION> and <GCP_PROJECT_ID> with your own values. Do not put a static master username and password in the program: GKE no longer supports basic authentication, so leave masterAuth out and access the cluster through IAM (gcloud container clusters get-credentials). Pulumi itself authenticates with your own Google credentials (gcloud auth application-default login, or a service-account key kept outside the repository), and any value that must stay secret belongs in pulumi config set --secret rather than in source.

    For more information, see the Pulumi GCP provider documentation for gcp.container.Cluster, gcp.gkehub.Membership and gcp.gkehub.FeatureMembership, and Google's Policy Controller documentation for the constraint template library.