Policy framework
The policy framework provides governance capabilities to OCM managed Kubernetes clusters. Policies provide visibility and drive remediation for various security and configuration aspects to help IT administrators meet their requirements.
API Concepts
View the Policy API page for additional details about the Policy API managed by the Policy Framework components, including:
Architecture
The governance policy framework distributes policies to managed clusters and collects results to send back to the hub cluster.
Prerequisite
You must meet the following prerequisites to install the policy framework:
-
Ensure Golang is installed, if you are planning to install from the source.
-
Ensure the
open-cluster-managementcluster manager is installed. See Cluster Manager for more information. -
Ensure the
open-cluster-managementklusterlet is installed. See Klusterlet for more information. -
If you are using
PlacementRuleswith your policies, ensure theopen-cluster-managementapplication is installed . See Application management for more information. If you are using the defaultPlacementAPI, you can skip the Application management installation, but you do need to install thePlacementRuleCRD with this command:kubectl apply -f https://raw.githubusercontent.com/open-cluster-management-io/multicloud-operators-subscription/main/deploy/hub-common/apps.open-cluster-management.io_placementrules_crd.yaml
Install the governance-policy-framework hub components
Install via Clusteradm CLI
Ensure clusteradm CLI is installed and is at least v0.3.0. Download and extract the
clusteradm binary. For
more details see the
clusteradm GitHub page.
-
Deploy the policy framework controllers to the hub cluster:
# The context name of the clusters in your kubeconfig # If the clusters are created by KinD, then the context name will the follow the pattern "kind-<cluster name>". export CTX_HUB_CLUSTER=<your hub cluster context> # export CTX_HUB_CLUSTER=kind-hub export CTX_MANAGED_CLUSTER=<your managed cluster context> # export CTX_MANAGED_CLUSTER=kind-cluster1 # Set the deployment namespace export HUB_NAMESPACE="open-cluster-management" # Deploy the policy framework hub controllers clusteradm install hub-addon --names governance-policy-framework --context ${CTX_HUB_CLUSTER} -
Ensure the pods are running on the hub with the following command:
$ kubectl get pods -n ${HUB_NAMESPACE} NAME READY STATUS RESTARTS AGE governance-policy-addon-controller-bc78cbcb4-529c2 1/1 Running 0 94s governance-policy-propagator-8c77f7f5f-kthvh 1/1 Running 0 94s- See more about the governance-policy-framework components:
Install from source
-
Deploy the policy Custom Resource Definitions (CRD) and policy propagator component to the
open-cluster-managementnamespace on the hub cluster with the following commands:# Configure kubectl to point to the hub cluster kubectl config use-context ${CTX_HUB_CLUSTER} # Create the namespace export HUB_NAMESPACE="open-cluster-management" kubectl create ns ${HUB_NAMESPACE} # Set the hub cluster name export HUB_CLUSTER_NAME="hub" # Set the hub kubeconfig file export HUB_KUBECONFIG="hub-kubeconfig" # Apply the CRDs export GIT_PATH="https://raw.githubusercontent.com/open-cluster-management-io/governance-policy-propagator/main/deploy" kubectl apply -f ${GIT_PATH}/crds/policy.open-cluster-management.io_policies.yaml kubectl apply -f ${GIT_PATH}/crds/policy.open-cluster-management.io_placementbindings.yaml kubectl apply -f ${GIT_PATH}/crds/policy.open-cluster-management.io_policyautomations.yaml kubectl apply -f ${GIT_PATH}/crds/policy.open-cluster-management.io_policysets.yaml # Deploy the policy-propagator kubectl apply -f ${GIT_PATH}/operator.yaml -n ${HUB_NAMESPACE} -
Ensure the pods are running on the hub with the following command:
$ kubectl get pods -n ${HUB_NAMESPACE} NAME READY STATUS RESTARTS AGE governance-policy-propagator-8c77f7f5f-kthvh 1/1 Running 0 94s- See more about the governance-policy-framework components:
Deploy the synchronization components to the managed cluster(s)
Deploy via Clusteradm CLI
-
To deploy the synchronization components to a self-managed hub cluster:
clusteradm addon enable --names governance-policy-framework --clusters <managed_hub_cluster_name> --annotate addon.open-cluster-management.io/on-multicluster-hub=true --context ${CTX_HUB_CLUSTER}To deploy the synchronization components to a managed cluster:
clusteradm addon enable --names governance-policy-framework --clusters <cluster_name> --context ${CTX_HUB_CLUSTER} -
Verify that the pod is running on the managed cluster with the following command:
$ kubectl get pods -n open-cluster-management-agent-addon NAME READY STATUS RESTARTS AGE governance-policy-framework-57579b7c-652zj 3/3 Running 0 87sNOTE: A self-managed hub deployment will only have 2 containers in the pod as opposed to the
3/3shown in the example.- See more about the synchronization components:
Deploy from source
-
Export the hub cluster
kubeconfigwith the following command:For
kindcluster:kind get kubeconfig --name ${HUB_CLUSTER_NAME} --internal > ${HUB_KUBECONFIG}For non-
kindclusters:kubectl config view --context=${CTX_HUB_CLUSTER} --minify --flatten > ${HUB_KUBECONFIG} -
Deploy the policy synchronization components to each managed cluster. Run the following commands:
NOTE: The spec synchronization component should be skipped when deploying the synchronization components to a hub that is managing itself.
# Configure kubectl to point to the managed cluster kubectl config use-context ${CTX_MANAGED_CLUSTER} # Create the namespace for the synchronization components export MANAGED_NAMESPACE="open-cluster-management-agent-addon" kubectl create ns ${MANAGED_NAMESPACE} # Create the secret to authenticate with the hub kubectl -n ${MANAGED_NAMESPACE} create secret generic hub-kubeconfig --from-file=kubeconfig=${HUB_KUBECONFIG} # Apply the policy CRD export GIT_PATH="https://raw.githubusercontent.com/open-cluster-management-io" kubectl apply -f ${GIT_PATH}/governance-policy-propagator/main/deploy/crds/policy.open-cluster-management.io_policies.yaml # Set the managed cluster name and create the namespace export MANAGED_CLUSTER_NAME=<your managed cluster name> # export MANAGED_CLUSTER_NAME=cluster1 kubectl create ns ${MANAGED_CLUSTER_NAME} # Deploy the spec synchronization component export COMPONENT="governance-policy-spec-sync" kubectl apply -f ${GIT_PATH}/${COMPONENT}/main/deploy/operator.yaml -n ${MANAGED_NAMESPACE} kubectl set env deployment/${COMPONENT} -n ${MANAGED_NAMESPACE} --containers="${COMPONENT}" WATCH_NAMESPACE=${MANAGED_CLUSTER_NAME} # Deploy the status synchronization component export COMPONENT="governance-policy-status-sync" kubectl apply -f ${GIT_PATH}/${COMPONENT}/main/deploy/operator.yaml -n ${MANAGED_NAMESPACE} kubectl set env deployment/${COMPONENT} -n ${MANAGED_NAMESPACE} --containers="${COMPONENT}" WATCH_NAMESPACE=${MANAGED_CLUSTER_NAME} # Deploy the template synchronization component export COMPONENT="governance-policy-template-sync" kubectl apply -f ${GIT_PATH}/${COMPONENT}/main/deploy/operator.yaml -n ${MANAGED_NAMESPACE} kubectl set env deployment/${COMPONENT} -n ${MANAGED_NAMESPACE} --containers="${COMPONENT}" WATCH_NAMESPACE=${MANAGED_CLUSTER_NAME}- See more about the synchronization components:
-
Verify that the pods are running on the managed cluster with the following command:
$ kubectl get pods -n ${MANAGED_NAMESPACE} NAME READY STATUS RESTARTS AGE governance-policy-spec-sync-6474b6d898-tmkw6 1/1 Running 0 2m14s governance-policy-status-sync-84cbb795df-pgbgt 1/1 Running 0 2m14s governance-policy-template-sync-759b9b556f-mx46t 1/1 Running 0 2m14sNOTE: A hub that is managing itself should not have the
policy-spec-syncpod deployed.
What is next
Install the policy controllers to the managed clusters.