Generate Open Cluster Management policies from existing Kubernetes manifests in your repository using the Policy Generator Kustomize plugin through GitOps in Open Cluster Management.
- Policy Generator product documentation
- Policy Generator source repository documentation
- Policy Generator reference YAML
- Kustomize documentation
The generator automatically wraps Kubernetes manifests in Open Cluster Management policies, allowing you to deploy policies to Open Cluster Management without having to maintain an additional manifest. Furthermore, when wrapping Gatekeeper and Kyverno policies, it automatically generates additional Open Cluster Management policies alongside them to detect the violation objects those engines create, providing a full view of compliance for each Open Cluster Management policy.
For more information about contributing to the policy engine expanders, see the repository documentation.
In this `policygenerator/` folder you will find:

- `subscription.yaml` - Manifest to deploy the Subscription/Channel resource objects for GitOps for the `kustomize/` folder
- `kustomize/`
  - `kustomization.yaml` - Kustomize manifest pointing to the PolicyGenerator manifest
  - `policyGenerator.yaml` - Policy Generator manifest defining the policies to generate, placement, and customizations to both the policies and target manifests
  - `policy1_deployment/` - Kubernetes manifests to wrap in a policy
  - `policy2_gatekeeper/` - Gatekeeper policy manifests to wrap in a policy (assumes Gatekeeper is installed)
  - `policy3_kyverno/` - Kyverno policy manifests to wrap in a policy (assumes Kyverno is installed)
- `policy-sets/` - A directory of generator manifests that each use the `PolicySet` mechanism for organizing related policies. Requires Open Cluster Management 0.8.0 or newer for `PolicySet` support.
  - `stable/` - Tested and supported PolicySets
  - `community/` - PolicySets that have been contributed by the community
To deploy the policy generator examples in the `kustomize/` folder via GitOps:

1. Clone this repository.
2. Create the `subscription.yaml` on an Open Cluster Management hub. This file contains the Namespace, Subscription, and Channel needed to establish GitOps with the `kustomize/` folder. Additionally, it deploys an Application and PlacementRule for visibility in the Application tab of the hub (this is not a requirement for GitOps):

   ```shell
   oc create -f subscription.yaml
   ```

   NOTES:
   - You must be a Subscription Admin to successfully deploy this manifest. See the Subscription Administrator topic.
   - Use `deploy.sh` to create customized Subscription/Channel manifests (or update the `apps.open-cluster-management.io/git-path` annotation in the Subscription of `subscription.yaml` to deploy a different folder of the `policy-collection` repository).
3. Navigate to the Governance tab of your hub to view the deployed policies!

   NOTE: The deployment could take a few minutes. Check the status of the Subscription if the policies don't appear:

   ```shell
   oc -n policy-generator-demo describe subscription.apps.open-cluster-management.io policy-generator-demo-subscription
   ```
4. You'll notice that all of these policies are set to `remediationAction: inform`, and the Gatekeeper policy itself is set to `enforcementAction: dryrun`. This prevents unexpected changes to your cluster. To customize these examples, like enabling the sample policies or trying out different configurations, fork this repository and update `spec.pathname` in the Channel manifest of `subscription.yaml`:

   ```yaml
   spec:
     type: Git
     pathname: https://github.com/<organization-or-username>/policy-collection.git
   ```

   Apply the change to your hub:

   ```shell
   oc apply -f subscription.yaml
   ```

   Now, you can commit changes to your forked repository and view the updates on the hub! See Adding additional manifests for how to add your own files.
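The following is an added example of the Namespace, Channel and Subscription pieces that the steps above refer to; it is not the repository's own `subscription.yaml` (which additionally carries an Application and PlacementRule). The fork URL is a placeholder, and the Channel name, branch and label values are assumptions; the namespace and Subscription name match the `oc describe` command above.

```yaml
# Added example, not the repository's subscription.yaml.
# Save as a single file and create it on the hub with: oc create -f <file>
apiVersion: v1
kind: Namespace
metadata:
  name: policy-generator-demo
---
apiVersion: apps.open-cluster-management.io/v1
kind: Channel
metadata:
  name: policy-generator-demo-channel      # assumed name
  namespace: policy-generator-demo
spec:
  type: Git
  # spec.pathname is what you change to point the hub at your fork.
  pathname: https://github.com/<organization-or-username>/policy-collection.git
---
apiVersion: apps.open-cluster-management.io/v1
kind: Subscription
metadata:
  name: policy-generator-demo-subscription
  namespace: policy-generator-demo
  annotations:
    # Folder of the repository to reconcile; change this to deploy a
    # different folder of the policy-collection repository.
    apps.open-cluster-management.io/git-path: policygenerator/kustomize
    apps.open-cluster-management.io/git-branch: main   # assumed branch
spec:
  # <channel namespace>/<channel name>
  channel: policy-generator-demo/policy-generator-demo-channel
  placement:
    # Reconcile on the hub itself, where the Policies must be created.
    local: true
```

Because the generated Policies are created in the namespace named in `policyGenerator.yaml` rather than in the Subscription's namespace, the user creating this Subscription needs the Subscription Admin role noted above; otherwise the Subscription is reconciled but the Policies are not created.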
To generate the policy manifests locally:

1. Install the policy generator locally (see the Installation section of the generator documentation).
2. Change to the `kustomize/` directory.
3. Generate the policies:

   ```shell
   kustomize build --enable-alpha-plugins
   ```
To add your own manifests to be generated, add your YAML files to the `policygenerator/kustomize` directory (or to a new or existing subdirectory there). Then, update the `policies` array in `policyGenerator.yaml` with:

- The name of the policy you want to generate.
- Paths to the manifests from which to generate policies (specifying a directory will place all manifests there in a policy).
If the manifests point to a Kyverno or Gatekeeper API version, they will automatically be expanded upon generation with additional Open Cluster Management policies to show whether the respective policy engine has detected a violation.
See Additional information for resources about additional generator configuration options and the policy expanders.
Full Policy YAML can also be deployed and customized by leveraging Kustomize directly in the `kustomization.yaml` by adding a `resources:` key and listing the files or directories underneath.
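To tie the last two sections together, here is an added example (not the repository's own `kustomization.yaml` or `policyGenerator.yaml`) showing a `policies` array entry per sample directory, plus a `resources:` key for a full Policy that bypasses the generator. The two files are shown in one block separated by a comment; save each at the path noted. The generator and binding names, the `environment` cluster label and the `full-policies/` path are assumptions; the `policy1_deployment/`, `policy2_gatekeeper/` and `policy3_kyverno/` paths are the directories listed above.

```yaml
# --- file: kustomize/kustomization.yaml ---
# Runs the Policy Generator plugin on the manifest below and also passes a
# complete, hand-written Policy straight through Kustomize.
generators:
  - policyGenerator.yaml
resources:
  - full-policies/policy-namespace.yaml   # assumed path to a full Policy YAML

# --- file: kustomize/policyGenerator.yaml ---
apiVersion: policy.open-cluster-management.io/v1
kind: PolicyGenerator
metadata:
  name: policy-generator-example          # assumed name
placementBindingDefaults:
  name: binding-policy-generator-example  # assumed name
policyDefaults:
  namespace: policy-generator-demo        # hub namespace the generated Policies land in
  remediationAction: inform               # report only; raise to enforce per policy, deliberately
  severity: medium
  placement:
    clusterSelectors:
      environment: dev                    # assumed managed-cluster label
policies:
  - name: policy-deployment
    manifests:
      # A directory path places every manifest in it into this one policy.
      - path: policy1_deployment/
  - name: policy-gatekeeper
    manifests:
      # Gatekeeper API versions are detected and the expander adds policies
      # that report the engine's violation objects.
      - path: policy2_gatekeeper/
  - name: policy-kyverno
    manifests:
      # Same expansion applies to Kyverno API versions.
      - path: policy3_kyverno/
```

Running `kustomize build --enable-alpha-plugins` in `kustomize/` then emits the Policy, PlacementRule/Placement and PlacementBinding objects for each entry, with the expander-generated policies appended for the Gatekeeper and Kyverno entries. Keeping `remediationAction: inform` as the default and overriding it only on individual policies keeps a misplaced manifest from changing managed clusters before the reported compliance state has been reviewed.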