Policy Generator

Generate Open Cluster Management policies from existing Kubernetes manifests in your repository using the Policy Generator Kustomize plugin through GitOps in Open Cluster Management.

Topics

Additional information

About the Policy Generator

The generator automatically wraps Kubernetes manifests in Open Cluster Management policies, allowing you to deploy policies to Open Cluster Management without needing to have an additional manifest to maintain. Furthermore, it also expands on wrapping Gatekeeper and Kyverno policies by automatically generating additional policies alongside policies from these engines to detect violation objects created by those engines, providing a full view of compliance for each Open Cluster Management policy.

For more information about contributing to the policy engine expanders, see the repository documentation.

Deploying the example manifests

In this policygenerator/ folder you will find:

  • subscription.yaml - Manifest to deploy the Subscription/Channel resource objects for GitOps for the kustomize/ folder
  • kustomize/
    • kustomization.yaml - Kustomize manifest pointing to the PolicyGenerator manifest
    • policyGenerator.yaml - Policy Generator manifest defining the policies to generate, placement, and customizations to both the policies and target manifests
    • policy1_deployment/ - Kubernetes manifests to wrap in a policy
    • policy2_gatekeeper/ - Gatekeeper policy manifests to wrap in a policy (assumes Gatekeeper is installed)
    • policy3_kyverno/ - Kyverno policy manifests to wrap in a policy (assumes Kyverno is installed)
  • policy-sets/ - A directory of generator manifests that are each using the PolicySet mechanism for organizing related policies. Requires Advanced Cluster Management 2.5 and newer for the PolicySet support.
    • stable/ - tested and supported PolicySets
    • community/ - PolicySets that have been contributed by the community

To deploy the policy generator examples in the kustomize/ folder via GitOps:

  • Clone this repository.

  • Create the subscription.yaml on an Open Cluster Management hub. This file contains the Namespace, Subscription, and Channel needed to establish GitOps with the kustomize/ folder. Additionally, it deploys an Application and PlacementRule for visibility in the Application tab of the hub (this is not a requirement for GitOps):

    oc create -f subscription.yaml

    NOTES:

    • You must be a Subscription Admin to successfully deploy this manifest. See the Subscription Administrator topic.
    • Use deploy.sh to create customized Subscription/Channel manifests, or update the apps.open-cluster-management.io/git-path annotation in the Subscription of subscription.yaml to deploy a different folder of the policy-collection repository.
  • Navigate to the Governance tab of your hub to view the deployed policies!

    NOTE: The deployment could take a few minutes. Check the status of the Subscription if the policies don't appear:

    oc -n policy-generator-demo describe subscription.apps.open-cluster-management.io policy-generator-demo-subscription
  • You'll notice that all of these policies are set to remediationAction: inform, and the Gatekeeper policy itself is set to enforcementAction: dryrun. This prevents unexpected changes to your clusters: the policies only report violations until you deliberately switch them to enforce. To customize these examples, like switching the sample policies to enforce or trying out different configurations, fork this repository and update spec.pathname in the Channel manifest of subscription.yaml:

    spec:
      type: Git
      pathname: https://github.com/<organization-or-username>/policy-collection.git

    Apply the change to your hub:

    oc apply -f subscription.yaml

    Now, you can commit changes to your forked repository and view the updates on the hub! See Adding additional manifests for how to add your own files.

To generate the policy manifests locally:

  • Install the policy generator locally (See the Installation section of the generator documentation)
  • Change to the kustomize/ directory
  • Generate the policies:
    kustomize build --enable-alpha-plugins

Adding additional manifests

To add your own manifests to be generated, add your YAML files to the policygenerator/kustomize directory (or to a new or existing subdirectory there). Then, update the policies array in policyGenerator.yaml with:

  1. The name of the policy you want to generate.
  2. Paths to the manifests from which to generate policies (specifying a directory will place all manifests there in a policy).

If a manifest uses a Kyverno or Gatekeeper apiVersion, it is automatically expanded upon generation with additional Open Cluster Management policies that report whether the respective policy engine has recorded a violation, so the Governance view reflects the engine's findings as well as the policy's deployment status.

See Additional information for resources about additional generator configuration options and the policy expanders.

Full Policy YAML can also be deployed and customized by leveraging Kustomize directly in the kustomization.yaml by adding a resources: key and listing the files or directories underneath.
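The following is an added example of a kustomization.yaml and policyGenerator.yaml pair as described above; it is not the repository's own files. The manifest directories match the ones listed earlier in this README, while the policy names, the placement label, the full-policies/ directory, and the default namespace are assumptions chosen for illustration:

```yaml
# kustomization.yaml (assumed contents, not the repository's own file)
generators:
  - policyGenerator.yaml
# Optional: complete, hand-written Policy manifests deployed next to the
# generated ones (assumed directory name).
resources:
  - full-policies/
---
# policyGenerator.yaml (assumed contents, not the repository's own file)
apiVersion: policy.open-cluster-management.io/v1
kind: PolicyGenerator
metadata:
  name: policy-generator-demo
placementBindingDefaults:
  name: binding-policy-generator-demo
policyDefaults:
  # Namespace on the hub where the generated policies are created (assumed).
  namespace: policy-generator-demo
  # inform is the safe default: violations are reported, nothing is changed
  # on managed clusters until a policy is deliberately set to enforce.
  remediationAction: inform
  severity: medium
  placement:
    # Only clusters carrying this label receive the policies (assumed label).
    clusterSelectors:
      environment: dev
policies:
  - name: policy-app-deployment
    manifests:
      # A directory wraps every manifest found there into this one policy.
      - path: policy1_deployment/
  - name: policy-gatekeeper-labels
    # Gatekeeper manifests are expanded with extra policies that surface the
    # engine's violation objects; no extra configuration is needed for that.
    manifests:
      - path: policy2_gatekeeper/
  - name: policy-kyverno-labels
    manifests:
      - path: policy3_kyverno/
    # A per-policy value overrides policyDefaults. Keep it explicit here so a
    # later change to the default cannot silently enforce this policy.
    remediationAction: inform
```

Before committing such a change to a forked repository that a hub subscribes to, run kustomize build --enable-alpha-plugins in the kustomize/ directory and inspect the remediationAction values in the output: anything set to enforce will be applied to every cluster matched by the placement as soon as the Subscription picks up the commit.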