Policy Collection
A collection of policy examples for Open Cluster Management.
Repository structure
This repository hosts policies for Open Cluster Management. You can find policies in the following folders:
- stable -- Policies in the stable folder can be applied with Red Hat Advanced Cluster Management for Kubernetes.
- community -- Policies in the community folder are contributed from the open source community and can be applied with the product governance framework.
Using GitOps to deploy policies to a cluster
Fork this repository and use the forked version as the target to run the sync against. This avoids unintended changes being applied to your cluster automatically. To get the latest policies from the policy-collection repository, you can pull the latest changes from policy-collection to your own repository through a pull request. Any further changes to your repository are automatically applied to your cluster.
Make sure you have kubectl installed and that you are logged in to your hub cluster in a terminal.
Run kubectl create ns policies to create a "policies" namespace on the hub. If you prefer to call the namespace something else, you can run kubectl create ns <custom ns> instead.
From within this directory in the terminal, run cd deploy to access the deployment directory, then run bash ./deploy.sh -u <url> -p <path> -n <namespace>. (Details on all of the parameters for this command can be viewed in its README.)
The policies are applied to all managed clusters that are available, and have the environment set to dev. Specifically, an available managed cluster has the status parameter set to true by the system, for the ManagedClusterConditionAvailable condition. If policies need to be applied to another set of clusters, update the PlacementRule.spec.clusterSelector.matchExpressions section in the policies.
Note: As new clusters are added that fit the criteria previously mentioned, the policies are applied automatically.
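To preview which managed clusters a selector would pick up before the sync applies it, the following added example (not part of this repository) evaluates matchExpressions together with the availability condition. It assumes standard Kubernetes label-selector semantics and input shaped like the output of kubectl get managedclusters -o json; the cluster names and labels are constructed.

```python
import json

# Default selector described above; same shape as
# PlacementRule.spec.clusterSelector.matchExpressions.
DEFAULT_EXPRESSIONS = [{"key": "environment", "operator": "In", "values": ["dev"]}]

# Constructed sample shaped like `kubectl get managedclusters -o json` output.
SAMPLE_INVENTORY = json.loads("""
{"items": [
  {"metadata": {"name": "dev-east", "labels": {"environment": "dev"}},
   "status": {"conditions": [{"type": "ManagedClusterConditionAvailable", "status": "True"}]}},
  {"metadata": {"name": "dev-west", "labels": {"environment": "dev"}},
   "status": {"conditions": [{"type": "ManagedClusterConditionAvailable", "status": "Unknown"}]}},
  {"metadata": {"name": "prod-1", "labels": {"environment": "prod"}},
   "status": {"conditions": [{"type": "ManagedClusterConditionAvailable", "status": "True"}]}},
  {"metadata": {"name": "unlabeled"},
   "status": {"conditions": [{"type": "ManagedClusterConditionAvailable", "status": "True"}]}}
]}
""")

def is_available(cluster):
    """True when the ManagedClusterConditionAvailable condition has status True."""
    conditions = cluster.get("status", {}).get("conditions", [])
    return any(c.get("type") == "ManagedClusterConditionAvailable"
               and c.get("status") == "True" for c in conditions)

def matches(labels, expressions):
    """Label-selector semantics (assumed): every expression must hold (AND)."""
    for expr in expressions:
        key, op, values = expr["key"], expr["operator"], expr.get("values", [])
        if op == "In":
            ok = key in labels and labels[key] in values
        elif op == "NotIn":
            ok = labels.get(key) not in values  # a missing key also matches
        elif op == "Exists":
            ok = key in labels
        elif op == "DoesNotExist":
            ok = key not in labels
        else:
            raise ValueError(f"unsupported operator: {op}")
        if not ok:
            return False
    return True

def selected_clusters(inventory, expressions=DEFAULT_EXPRESSIONS):
    """Sorted names of clusters that are available and match the selector."""
    return sorted(c["metadata"]["name"] for c in inventory["items"]
                  if is_available(c)
                  and matches(c["metadata"].get("labels", {}), expressions))
```

Note that a NotIn expression and an empty expression list both select clusters that carry no environment label at all, so a loosened selector can extend policy placement to clusters that were never labeled.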
Policy Generator
GitOps through Open Cluster Management is able to handle Kustomize manifests, so you can also use the Policy Generator Kustomize plugin to generate policies from Kustomize manifests in your repository. See the Policy Generator documentation for additional information.
Community, discussion, contribution, and support
Check the Contributing policies document for guidelines on how to contribute to the repository.
You can reach the maintainers of this project at:
Blogs: Read our blogs that are in the blogs folder.
Resources: View the following resources for more information on the components and mechanisms that are implemented in the product governance framework.
- National Cybersecurity Center of Excellence (NCCoE) blog, Policy Based Governance in Trusted Container Platform
- IBM Developer blog, Policy based governance for open hybrid cloud