Policy Generator
Generate Open Cluster Management policies from existing Kubernetes manifests in your repository using the Policy Generator Kustomize plugin through GitOps in Open Cluster Management.
Topics
Additional information
- Policy Generator product documentation
- Policy Generator source repository documentation
- Policy Generator reference YAML
About the Policy Generator
The generator automatically wraps Kubernetes manifests in Open Cluster Management policies, so you can deploy policies to Open Cluster Management without having to maintain a separate policy manifest for each one. When it wraps Gatekeeper or Kyverno policies, it also generates companion Open Cluster Management policies that detect the violation objects those engines create, giving a full view of compliance for each Open Cluster Management policy.
For more information about contributing to the policy engine expanders, see the repository documentation.
Deploying the example manifests
In this policygenerator/ folder you will find:
- subscription.yaml - Manifest to deploy the Subscription/Channel resource objects for GitOps for this folder
- kustomize/
  - kustomization.yaml - Kustomize manifest pointing to the PolicyGenerator manifest
  - policyGenerator.yaml - Policy Generator manifest defining the policies to generate, placement, and customizations to both the policies and target manifests
  - policy1_deployment/ - Kubernetes manifests to wrap in a policy
  - policy2_gatekeeper/ - Gatekeeper policy manifests to wrap in a policy (assumes Gatekeeper is installed)
  - policy3_kyverno/ - Kyverno policy manifests to wrap in a policy (assumes Kyverno is installed)
To deploy the examples in this folder via GitOps:
- Clone this repository.
- Create the subscription.yaml on an Open Cluster Management hub. This file contains the Namespace, Subscription, and Channel needed to establish GitOps with the kustomize/ folder. Additionally, it deploys an Application and PlacementRule for visibility in the Application tab of the hub (this is not a requirement for GitOps):
  oc create -f subscription.yaml
  NOTE: You must be a Subscription Admin to successfully deploy this manifest. See the Subscription Administrator topic.
- Navigate to the Governance tab of your hub to view the deployed policies!
  NOTE: The deployment could take a few minutes. Check the status of the Subscription if the policies don't appear:
  oc -n policy-generator-demo describe subscription.apps.open-cluster-management.io policy-generator-demo-subscription
- You'll notice that all of these policies are set to remediationAction: inform, and the Gatekeeper policy itself is set to enforcementAction: dryrun. This prevents unexpected changes to your cluster. To customize these examples, like enabling the sample policies or trying out different configurations, fork this repository and update spec.pathname in the Channel manifest of subscription.yaml:
  spec:
    type: Git
    pathname: https://github.com/<organization-or-username>/policy-collection.git
  Apply the change to your hub:
  oc apply -f subscription.yaml
  Now, you can commit changes to your forked repository and view the updates on the hub! See Adding additional manifests for how to add your own files.
To generate the policy manifests locally:
- Install the policy generator locally (see the Installation section of the generator documentation).
- Change to the kustomize/ directory.
- Generate the policies:
  kustomize build --enable-alpha-plugins
Adding additional manifests
To add your own manifests, add your YAML files to the policygenerator/kustomize directory (or to a new or existing subdirectory there). Then, update the policies array in policyGenerator.yaml with:
- The name of the policy you want to generate.
- Paths to the manifests from which to generate policies (specifying a directory will place all manifests there in a policy).
If the manifests point to a Kyverno or Gatekeeper API version, they will automatically be expanded upon generation with additional Open Cluster Management policies to show whether the respective policy engine has detected a violation.
See Additional information for more about additional configuration options and the policy expanders.
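As an added example (not the repository's own policyGenerator.yaml), a PolicyGenerator manifest that keeps the inform-only defaults described above, wraps two of the existing example directories, and adds one entry for a hypothetical policy4_namespace/ directory; the hub namespace and the environment: dev cluster label are assumptions:

```yaml
# Added example, not the repository's own policyGenerator.yaml.
apiVersion: policy.open-cluster-management.io/v1
kind: PolicyGenerator
metadata:
  name: policy-generator-demo
placementBindingDefaults:
  # Name of the PlacementBinding that ties every generated policy to the placement
  name: binding-policy-generator-demo
policyDefaults:
  # Hub namespace where the generated Policy objects are created (assumed)
  namespace: policy-generator-demo
  # inform only reports non-compliance; it never changes the managed cluster
  remediationAction: inform
  placement:
    # Managed-cluster label selector (assumed; adjust to your fleet)
    clusterSelectors:
      environment: dev
policies:
  - name: policy-deployment
    # A directory path wraps every manifest inside it into this one policy
    manifests:
      - path: policy1_deployment/
  - name: policy-gatekeeper
    # Gatekeeper manifests are expanded with a companion policy that reports
    # the violations Gatekeeper itself records
    manifests:
      - path: policy2_gatekeeper/
  - name: policy-namespace-labels
    # Hypothetical new directory of your own manifests, added next to the others
    manifests:
      - path: policy4_namespace/
```

Each entry under policies inherits policyDefaults unless it sets its own value, so a single policy can be switched to remediationAction: enforce without changing the rest.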