ycao56 / generator-demo

Policy Generator

Generate Open Cluster Management policies from existing Kubernetes manifests in your repository using the Policy Generator Kustomize plugin through GitOps in Open Cluster Management.

Topics

  • Additional information

About the Policy Generator

The generator automatically wraps Kubernetes manifests in Open Cluster Management policies, so you can deploy policies to Open Cluster Management without maintaining a separate policy manifest for each one. It also goes beyond simply wrapping Gatekeeper and Kyverno policies: alongside each policy from those engines it generates an additional Open Cluster Management policy that detects the violation objects the engine creates, giving a full view of compliance for every Open Cluster Management policy.

For more information about contributing to the policy engine expanders, see the repository documentation.

Deploying the example manifests

In this policygenerator/ folder you will find:

  • subscription.yaml - Manifest to deploy the Subscription/Channel resource objects for GitOps for this folder
  • kustomize/
    • kustomization.yaml - Kustomize manifest pointing to the PolicyGenerator manifest
    • policyGenerator.yaml - Policy Generator manifest defining the policies to generate, placement, and customizations to both the policies and target manifests
    • policy1_deployment/ - Kubernetes manifests to wrap in a policy
    • policy2_gatekeeper/ - Gatekeeper policy manifests to wrap in a policy (assumes Gatekeeper is installed)
    • policy3_kyverno/ - Kyverno policy manifests to wrap in a policy (assumes Kyverno is installed)

To deploy the examples in this folder via GitOps:

  • Clone this repository.

  • Create the subscription.yaml on an Open Cluster Management hub. This file contains the Namespace, Subscription, and Channel needed to establish GitOps with the kustomize/ folder. Additionally, it deploys an Application and PlacementRule for visibility in the Application tab of the hub (this is not a requirement for GitOps):

    oc create -f subscription.yaml

    NOTE: You must be a Subscription Admin to successfully deploy this manifest. See the Subscription Administrator topic.

  • Navigate to the Governance tab of your hub to view the deployed policies!

    NOTE: The deployment could take a few minutes. Check the status of the Subscription if the policies don't appear:

    oc -n policy-generator-demo describe subscription.apps.open-cluster-management.io policy-generator-demo-subscription

  • You'll notice that all of these policies are set to remediationAction: inform, and the Gatekeeper policy itself is set to enforcementAction: dryrun. This prevents unexpected changes to your cluster. To customize these examples, like enabling the sample policies or trying out different configurations, fork this repository and update spec.pathname in the Channel manifest of subscription.yaml:

    spec:
      type: Git
      pathname: https://github.com/<organization-or-username>/policy-collection.git

    Apply the change to your hub:

    oc apply -f subscription.yaml

    Now, you can commit changes to your forked repository and view the updates on the hub! See Adding additional manifests for how to add your own files.

To generate the policy manifests locally:

  • Install the policy generator locally (See the Installation section of the generator documentation)
  • Change to the kustomize/ directory
  • Generate the policies:
    kustomize build --enable-alpha-plugins

Adding additional manifests

To add your own manifests, add your YAML files to the policygenerator/kustomize directory (or to a new or existing subdirectory there). Then, update the policies array in policyGenerator.yaml with:

  1. The name of the policy you want to generate.
  2. Paths to the manifests from which to generate policies (specifying a directory wraps every manifest in that directory in a single policy).

If a manifest uses a Kyverno or Gatekeeper API version, the generator automatically expands it upon generation with additional Open Cluster Management policies that show whether the respective policy engine has detected a violation.
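The following policyGenerator.yaml is an added example that puts the two steps above (a policy name plus manifest paths) and the Kyverno/Gatekeeper expansion together; it is not the file shipped in this repository. The policy names, the hub namespace and the placement label are assumptions; the three subdirectory names are the ones listed earlier for the kustomize/ folder, and my-configmap.yaml stands in for a manifest you would add yourself.

```yaml
# policyGenerator.yaml (illustrative example, not this repository's own file)
apiVersion: policy.open-cluster-management.io/v1
kind: PolicyGenerator
metadata:
  name: policy-generator-demo        # assumed generator name
policyDefaults:
  # Hub namespace where the generated Policy objects are created (assumed).
  namespace: policy-generator-demo
  # Audit-only by default: report non-compliance, never change cluster objects.
  remediationAction: inform
  severity: medium
  # Assumed placement: only managed clusters labelled environment=dev get these policies.
  placement:
    clusterSelectors:
      environment: dev
policies:
  # Plain Kubernetes manifests: every file in the directory is wrapped in one policy.
  - name: policy-deployment
    manifests:
      - path: policy1_deployment/
  # Gatekeeper manifests; the generator adds a companion policy that reports
  # the violation objects Gatekeeper records.
  - name: policy-gatekeeper
    manifests:
      - path: policy2_gatekeeper/
  # Kyverno manifests; likewise expanded with a companion policy that reports
  # the violation objects Kyverno records.
  - name: policy-kyverno
    manifests:
      - path: policy3_kyverno/
  # A single-file policy that sets the action for this policy only
  # (kept at inform here; enforce would let the hub remediate drift).
  - name: policy-my-configmap
    remediationAction: inform
    manifests:
      - path: my-configmap.yaml      # assumed file you add under kustomize/
```

kustomization.yaml lists this file under `generators:`, so `kustomize build --enable-alpha-plugins` run from the kustomize/ directory renders the policies, including the companion policies for the Gatekeeper and Kyverno entries. Before committing a change to a forked repository, check the rendered output for any `remediationAction: enforce` you did not intend, since GitOps applies whatever lands in the branch the Channel points at.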

See Additional information for more about additional configuration options and the policy expanders.
