A collection of policy examples for Open Cluster Management.
This repository hosts policies for Open Cluster Management. You can find policies from the following folders:
- stable -- Policies in the
stable
folder can be applied with Red Hat Advanced Cluster Management for Kubernetes. - community -- Policies in the
community
folder are contributed from the open source community and can be applied with the product governance framework.
Fork this repository and use the forked version as the target to run the sync against. This is to
avoid unintended changes to be applied to your cluster automatically. To get latest policies from
the policy-collection
repository, you can pull the latest changes from policy-collection
to your
own repository through a pull request. Any further changes to your repository are automatically be
applied to your cluster.
Make sure you have kubectl installed and that you are logged into your hub cluster in terminal.
Run kubectl create ns policies
to create a "policies" ns on hub. If you prefer to call the
namespace something else, you can run kubectl create ns <custom ns>
instead.
From within this directory in terminal, run cd deploy
to access the deployment directory, then run
bash ./deploy.sh -u <url> -p <path> -n <namespace>
. (Details on all of the parameters for this
command can be viewed in its README.) This script assumes you have enabled
Application lifecycle management as an addon in your Open Cluster Management installation. See
Application lifecycle management
for details on installing the Application addon.
Note: If you are using ArgoCD for gitops, a similar script argoDeploy.sh is provided that does
not require the Application Lifecycle addon.
The policies are applied to all managed clusters that are available, and have the environment
set
to dev
. Specifically, an available managed cluster has the status
parameter set to true
by the
system, for the ManagedClusterConditionAvailable
condition. If policies need to be applied to
another set of clusters, update the PlacementRule.spec.clusterSelector.matchExpressions
section in
the policies.
Note: As new clusters are added that fit the criteria previously mentioned, the policies are applied automatically.
In new versions of Open Cluster Management you must be a subscription administrator in order to deploy policies using a subscription. In these cases the subscription is still successfully created, but policy resources are not distributed as expected. You can view the status of the subscription to see the subscription errors. If the subscription administrator role is required, a message similar to the following one appears for any resource that is not created:
demo-stable-policies-chan-Policy-policy-cert-ocp4:
lastUpdateTime: "2021-10-15T20:37:59Z"
phase: Failed
reason: 'not deployed by a subscription admin. the resource apiVersion: policy.open-cluster-management.io/v1 kind: Policy is not deployed'
To become a subscription administrator, you must add an entry for your user to the
ClusterRoleBinding
named open-cluster-management:subscription-admin
. A new entry may look like
the following:
subjects:
- kind: User
apiGroup: rbac.authorization.k8s.io
name: my-username
After updating the ClusterRoleBinding
, you need to delete the subscription and deploy the subscription again.
GitOps through Open Cluster Management is able to handle Kustomize files, so you can also use the Policy Generator Kustomize plugin to generate policies from Kubernetes manifests in your repository. The Policy Generator handles Kubernetes manifests as well as policy engine manifests from policy engines like Gatekeeper and Kyverno.
For additional information about the Policy Generator:
- Policy Generator product documentation
- Policy Generator source repository documentation
- Policy Generator reference YAML
- Policy Generator examples
Check the Contributing policies document for guidelines on how to contribute to the repository.
You can reach the maintainers of this project at:
Blogs: Read our blogs that are in the blogs folder.
Resources: View the following resources for more information on the components and mechanisms are implemented in the product governance framework.
-
National Cyber security Center of Excellence (NCCoE) blog, Policy Based Governance in Trusted Container Platform
-
IBM Developer blog, Policy based governance for open hybrid cloud