Policy framework
The policy framework provides governance capabilities to OCM managed Kubernetes clusters. Policies provide visibility and drive remediation for various security and configuration aspects to help IT administrators meet their requirements.
API Concepts
View the Policy API page for additional details about the Policy API managed by the Policy Framework components, including:
Architecture

The governance policy framework distributes policies to managed clusters and collects results to send back to the hub cluster.
Prerequisites
You must meet the following prerequisites to install the policy framework:
- Ensure Golang is installed, if you are planning to install from the source.
- Ensure the open-cluster-management cluster manager is installed. See Cluster Manager for more information.
- Ensure the open-cluster-management klusterlet is installed. See Klusterlet for more information.
- If you are using PlacementRules with your policies, ensure the open-cluster-management application is installed. See Application management for more information. If you are using the default Placement API, you can skip the Application management installation, but you do need to install the PlacementRule CRD with this command:
kubectl apply -f https://raw.githubusercontent.com/open-cluster-management-io/multicloud-operators-subscription/main/deploy/hub-common/apps.open-cluster-management.io_placementrules_crd.yaml
Install the policy-framework hub components
Install via Clusteradm CLI
Ensure the clusteradm CLI is installed and is newer than v0.2.0. Download and extract the clusteradm binary. For more details see the clusteradm GitHub page.
Deploy the policy framework controllers to the hub cluster:
# The context name of the clusters in your kubeconfig
# If the clusters are created by KinD, then the context name will follow the pattern "kind-<cluster name>".
export CTX_HUB_CLUSTER=<your hub cluster context> # export CTX_HUB_CLUSTER=kind-hub
export CTX_MANAGED_CLUSTER=<your managed cluster context> # export CTX_MANAGED_CLUSTER=kind-cluster1
# Configure kubectl to point to the hub cluster
kubectl config use-context ${CTX_HUB_CLUSTER}
# Set the deployment namespace
export HUB_NAMESPACE="open-cluster-management"
# Set the hub cluster name
export HUB_CLUSTER_NAME="hub"
# Set the hub kubeconfig file
export HUB_KUBECONFIG="hub-kubeconfig"
# Deploy the policy framework hub controllers
clusteradm install hub-addon --names policy-framework
Install from source
Deploy the policy Custom Resource Definitions (CRD) and policy propagator component to the open-cluster-management namespace on the hub cluster with the following commands:
# Configure kubectl to point to the hub cluster
kubectl config use-context ${CTX_HUB_CLUSTER}
# Create the namespace
export HUB_NAMESPACE="open-cluster-management"
kubectl create ns ${HUB_NAMESPACE}
# Set the hub cluster name
export HUB_CLUSTER_NAME="hub"
# Set the hub kubeconfig file
export HUB_KUBECONFIG="hub-kubeconfig"
# Apply the CRDs
export GIT_PATH="https://raw.githubusercontent.com/open-cluster-management-io/governance-policy-propagator/main/deploy"
kubectl apply -f ${GIT_PATH}/crds/policy.open-cluster-management.io_policies.yaml
kubectl apply -f ${GIT_PATH}/crds/policy.open-cluster-management.io_placementbindings.yaml
kubectl apply -f ${GIT_PATH}/crds/policy.open-cluster-management.io_policyautomations.yaml
kubectl apply -f ${GIT_PATH}/crds/policy.open-cluster-management.io_policysets.yaml
# Deploy the policy-propagator
kubectl apply -f ${GIT_PATH}/operator.yaml -n ${HUB_NAMESPACE}
- See more about the policy propagator:
Verify the installation
Ensure the pods are running on the hub with the following command:
$ kubectl get pods -n ${HUB_NAMESPACE}
NAME READY STATUS RESTARTS AGE
governance-policy-propagator-8c77f7f5f-kthvh 1/1 Running 0 94s
Deploy the synchronization components to the managed cluster(s)
- Export the hub cluster kubeconfig with the following command:
For kind cluster:
kind get kubeconfig --name ${HUB_CLUSTER_NAME} --internal > ${HUB_KUBECONFIG}
For non-kind clusters:
kubectl config view --context=${CTX_HUB_CLUSTER} --minify --flatten > ${HUB_KUBECONFIG}
- Deploy the policy synchronization components to each managed cluster. Run the following commands:
NOTE: The spec synchronization component should be skipped when deploying the synchronization components to a hub that is managing itself.
# Configure kubectl to point to the managed cluster
kubectl config use-context ${CTX_MANAGED_CLUSTER}
# Create the namespace for the synchronization components
export MANAGED_NAMESPACE="open-cluster-management-agent-addon"
kubectl create ns ${MANAGED_NAMESPACE}
# Create the secret to authenticate with the hub
kubectl -n ${MANAGED_NAMESPACE} create secret generic hub-kubeconfig --from-file=kubeconfig=${HUB_KUBECONFIG}
# Apply the policy CRD
export GIT_PATH="https://raw.githubusercontent.com/open-cluster-management-io"
kubectl apply -f ${GIT_PATH}/governance-policy-propagator/main/deploy/crds/policy.open-cluster-management.io_policies.yaml
# Set the managed cluster name and create the namespace
export MANAGED_CLUSTER_NAME=<your managed cluster name> # export MANAGED_CLUSTER_NAME=cluster1
kubectl create ns ${MANAGED_CLUSTER_NAME}
# Deploy the spec synchronization component
export COMPONENT="governance-policy-spec-sync"
kubectl apply -f ${GIT_PATH}/${COMPONENT}/main/deploy/operator.yaml -n ${MANAGED_NAMESPACE}
kubectl set env deployment/${COMPONENT} -n ${MANAGED_NAMESPACE} --containers="${COMPONENT}" WATCH_NAMESPACE=${MANAGED_CLUSTER_NAME}
# Deploy the status synchronization component
export COMPONENT="governance-policy-status-sync"
kubectl apply -f ${GIT_PATH}/${COMPONENT}/main/deploy/operator.yaml -n ${MANAGED_NAMESPACE}
kubectl set env deployment/${COMPONENT} -n ${MANAGED_NAMESPACE} --containers="${COMPONENT}" WATCH_NAMESPACE=${MANAGED_CLUSTER_NAME}
# Deploy the template synchronization component
export COMPONENT="governance-policy-template-sync"
kubectl apply -f ${GIT_PATH}/${COMPONENT}/main/deploy/operator.yaml -n ${MANAGED_NAMESPACE}
kubectl set env deployment/${COMPONENT} -n ${MANAGED_NAMESPACE} --containers="${COMPONENT}" WATCH_NAMESPACE=${MANAGED_CLUSTER_NAME}
- See more about the synchronization components:
- Verify that the pods are running on the managed cluster with the following command:
$ kubectl get pods -n ${MANAGED_NAMESPACE}
NAME READY STATUS RESTARTS AGE
governance-policy-spec-sync-6474b6d898-tmkw6 1/1 Running 0 2m14s
governance-policy-status-sync-84cbb795df-pgbgt 1/1 Running 0 2m14s
governance-policy-template-sync-759b9b556f-mx46t 1/1 Running 0 2m14s
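As an added check that is not part of the OCM documentation, the following bash function applies the verification step above to the listing produced by `kubectl get pods -n ${MANAGED_NAMESPACE}`: every synchronization component must have exactly one pod that is Running and fully Ready, and the hub-managing-itself case from the NOTE (spec sync intentionally absent) is handled by a skip flag. The function name, the skip argument and the sample listings are constructed for this example.

```bash
#!/usr/bin/env bash
# Added example (not from the OCM docs): validate the policy synchronization
# pods from saved `kubectl get pods` output, so the check can run in CI or an
# install script without re-querying the cluster.
set -u

# check_sync_pods <pods-listing> [skip_spec_sync]
# Returns 0 when each expected component has exactly one pod that is Running
# with READY ready==total; returns 1 otherwise and reports problems on stderr.
# Pass 1 as the second argument on a hub that manages itself (no spec sync).
check_sync_pods() {
  local output="$1" skip_spec="${2:-0}" rc=0
  local components="governance-policy-status-sync governance-policy-template-sync"
  [ "$skip_spec" = "1" ] || components="governance-policy-spec-sync $components"

  for comp in $components; do
    # Rows whose NAME column starts with "<component>-" (ReplicaSet/pod suffix).
    local rows count ready status
    rows=$(printf '%s\n' "$output" | awk -v c="$comp" '$1 ~ "^"c"-"')
    if [ -z "$rows" ]; then
      echo "missing: no pod found for $comp" >&2; rc=1; continue
    fi
    # Each component is a single-replica Deployment: expect exactly one pod.
    count=$(printf '%s\n' "$rows" | awk 'END { print NR }')
    if [ "$count" -ne 1 ]; then
      echo "unexpected: $count pods for $comp" >&2; rc=1; continue
    fi
    ready=$(printf '%s\n' "$rows" | awk '{ print $2 }')
    status=$(printf '%s\n' "$rows" | awk '{ print $3 }')
    # READY is "ready/total"; a container that is not ready shows e.g. 0/1.
    if [ "$status" != "Running" ] || [ "${ready%/*}" != "${ready#*/}" ]; then
      echo "not healthy: $comp READY=$ready STATUS=$status" >&2; rc=1
    fi
  done
  return $rc
}

# Constructed sample listings modelled on the expected output.
HEALTHY='NAME READY STATUS RESTARTS AGE
governance-policy-spec-sync-6474b6d898-tmkw6 1/1 Running 0 2m14s
governance-policy-status-sync-84cbb795df-pgbgt 1/1 Running 0 2m14s
governance-policy-template-sync-759b9b556f-mx46t 1/1 Running 0 2m14s'
# Constructed failure case: template sync is crash-looping and not ready.
BROKEN='NAME READY STATUS RESTARTS AGE
governance-policy-spec-sync-6474b6d898-tmkw6 1/1 Running 0 2m14s
governance-policy-status-sync-84cbb795df-pgbgt 1/1 Running 0 2m14s
governance-policy-template-sync-759b9b556f-mx46t 0/1 CrashLoopBackOff 5 2m14s'
# Constructed hub-managing-itself case: spec sync is absent by design.
SELF_MANAGED='NAME READY STATUS RESTARTS AGE
governance-policy-status-sync-84cbb795df-pgbgt 1/1 Running 0 2m14s
governance-policy-template-sync-759b9b556f-mx46t 1/1 Running 0 2m14s'
```

In a real run, pipe the live listing in with `check_sync_pods "$(kubectl get pods -n ${MANAGED_NAMESPACE})"`; on a self-managing hub add `1` as the second argument.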
What is next
Install the policy controllers to the managed clusters.