tanzu operations policy

Use the policy plug-in to manage policies for resources.

Usage

CLI plugin: policy | Target: operations | Release Notes

tanzu operations policy [command]

Commands

  create          Create a policy
  delete          Delete a policy
  get             Get a policy
  insight         Provide insight on the issues related to the policies which are applied on resources
  list            List policies
  policy-template A Policy Template wraps a Kubernetes resource that is a pre-requisite/dependency for creating policies. This is a custom template that customers can create and upload to TMC
  recipe          A Recipe is a TMC provided policy template that customers can use out of the box to apply policies
  type            A Type defines the schema of policy instances
  update          Update a policy

Global Flags

  -h, --help   help for policy command

create

Create a policy.

Usage

tanzu operations policy create [flags]

Flags

  -t, --cluster-type string   type of the cluster (eks/attached), required for cluster scope
      --dry-run               only create data model, do not apply to server
  -f, --file string           resource file to create policy
  -s, --scope string          scope to cluster/clustergroup/project

Example

To create a policy on a cluster using a resource file, sample-policy.yaml:

tanzu operations policy create -s cluster -f sample-policy.yaml

delete

Delete a policy.

Usage

tanzu operations policy delete POLICY_NAME [flags]

Flags

  -t, --cluster-type string   type of the cluster (eks/attached) (default "eks")
  -n, --name string           name of the resource
  -s, --scope string          scope to cluster/clustergroup/project

Example

To delete a policy applied on an attached cluster:

tanzu operations policy delete POLICY_NAME -s cluster -n CLUSTER_NAME -t attached

To delete a policy applied on a workspace:

tanzu operations policy delete POLICY_NAME -s workspace -n WORKSPACE_NAME

get

Get a policy.

Usage

tanzu operations policy get POLICY_NAME [flags]

Flags

  -t, --cluster-type string   type of the cluster (eks/attached) (default "eks")
  -n, --name string           name of the resource
  -o, --output string         Output format (yaml | json) (default "yaml")
  -s, --scope string          scope to cluster/clustergroup/project

Example

To get a policy applied on a cluster group:

tanzu operations policy get POLICY_NAME -s clustergroup -n CLUSTERGROUP_NAME

insight

Provides insight on the issues related to the policies which are applied on resources.

Usage

  tanzu operations policy insight [command]

Aliases

  insight, insights, pis

Commands

  list        Return a list of insights

insight list

Return a list of insights

Usage

  tanzu operations policy insight list [flags]

Flags

      --category string        filter by category
      --cluster-group string   filter by name of clustergroup
      --cluster-name string    filter by name of cluster
      --issue-type string      filter by issue type
      --max-size uint          number of records to return
      --offset uint            offset at which to start returning records
  -o, --output string          output format (yaml|json)
      --policy-name string     filter by name of policy

Examples

To list all the policy insights:

tanzu operations policy insight list

To filter policy insights by cluster:

tanzu operations policy insight list --cluster-name cluster_name

To filter policy insights by policy:

tanzu operations policy insight list --policy-name policy_name

To filter policy insights by category (policy type):

tanzu operations policy insight list --category security

list

List policies.

Usage

  tanzu operations policy list [flags]

Flags

  -t, --cluster-type string    type of the cluster (eks/attached)
  -n, --resource-name string   name of the resource
  -s, --scope string           scope to cluster/clustergroup/project
      --show-effective         show all policies effective on a resource, including inherited policies (requires target scope and resource-name flags)

Example

To list all the policies in effect for the attached clusters in a cluster group:

tanzu operations policy list -s clustergroup -t attached -n CLUSTERGROUP_NAME --show-effective

policy-template

A policy template wraps a Kubernetes resource that is a pre-requisite or dependency for creating policies. This is a custom template that you can create and upload to Tanzu Mission Control.

Usage

  tanzu operations policy policy-template [command]

Aliases

  policy-template, policy-templates, ptl

Commands

  create      Create a policy template
  delete      Delete a policy template
  get         Get a policy template
  list        List policy templates
  update      Update (overwrite) a policy template

policy-template create

Create a policy template

Usage

  tanzu operations policy policy-template create [flags]

Flags

  --data-inventory strings   (optional) List of Kubernetes GVKs that need to be synced/replicated in Gatekeeper in order to enforce policy rules on those resources (Use format "Group/Version/Kind")
  --description string       (optional) Description of the policy template
  --object-file string       Object file containing yaml-formatted Kubernetes resource (only OPA Gatekeeper "ConstraintTemplate" object supported today)
  --object-type string       (set by default) Type of kubernetes resource (CRD) encoded in spec.object (only "ConstraintTemplate" supported today) (default "ConstraintTemplate")
  --template-type string     (set by default) Type of policy template that is being created (only "OPAGatekeeper" supported today) (default "OPAGatekeeper")

Examples

To create OPA Gatekeeper ConstraintTemplate allowedrepos as a Tanzu Mission Control policy template (similar for update):

tanzu operations policy policy-template create --object-file template.yaml

To create OPA Gatekeeper ConstraintTemplate uniqueingresshost, which requires cached/synced resources, as a Tanzu Mission Control policy template (similar for update):

tanzu operations policy policy-template create --object-file template.yaml --data-inventory "extensions/v1beta1/Ingress" --data-inventory "networking.k8s.io/v1beta1/Ingress" --data-inventory "networking.k8s.io/v1/Ingress"
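The --data-inventory values are the Kubernetes GVKs that Gatekeeper must replicate into its cache before a template such as uniqueingresshost can compare an object against others in the cluster; a GVK that is mistyped or missing means the rule has no data to evaluate. The following is an added example, not part of the tanzu CLI or of Tanzu Mission Control: it parses each "Group/Version/Kind" value, rejects malformed ones, and renders the equivalent Gatekeeper Config syncOnly block so the list can be compared with what is actually configured on the cluster. The spelling of core-group kinds with an empty group ("/v1/Pod") is an assumption of this example; the reference only states the Group/Version/Kind format.

```python
"""Pre-flight check of --data-inventory values (added example, not part of
the tanzu CLI).  Parses "Group/Version/Kind" strings and renders the matching
Gatekeeper Config spec.sync.syncOnly entries for review."""

from typing import Dict, List

# Constructed input: the three GVKs from the uniqueingresshost example.
DATA_INVENTORY: List[str] = [
    "extensions/v1beta1/Ingress",
    "networking.k8s.io/v1beta1/Ingress",
    "networking.k8s.io/v1/Ingress",
]


def parse_gvk(gvk: str) -> Dict[str, str]:
    """Split "Group/Version/Kind" into its three parts.

    Core-group kinds are assumed to be written with an empty group ("/v1/Pod"),
    matching Gatekeeper's own group: "" convention.  That spelling is an
    assumption of this example, not something the CLI reference states.
    """
    parts = gvk.strip().split("/")
    if len(parts) != 3:
        raise ValueError(f"{gvk!r}: expected exactly Group/Version/Kind")
    group, version, kind = parts
    if not version or not kind:
        raise ValueError(f"{gvk!r}: version and kind must be non-empty")
    if not kind[0].isupper() or not kind.isalnum():
        raise ValueError(f"{gvk!r}: kind must be a CamelCase type name such as Ingress")
    return {"group": group, "version": version, "kind": kind}


def sync_only_entries(gvks: List[str]) -> List[Dict[str, str]]:
    """Parse every value, dropping exact duplicates while keeping order."""
    seen, out = set(), []
    for gvk in gvks:
        entry = parse_gvk(gvk)
        key = (entry["group"], entry["version"], entry["kind"])
        if key not in seen:
            seen.add(key)
            out.append(entry)
    return out


def render_gatekeeper_config(gvks: List[str]) -> str:
    """Render the list as a Gatekeeper Config manifest (config.gatekeeper.sh/v1alpha1)."""
    lines = [
        "apiVersion: config.gatekeeper.sh/v1alpha1",
        "kind: Config",
        "metadata:",
        "  name: config",
        "  namespace: gatekeeper-system",
        "spec:",
        "  sync:",
        "    syncOnly:",
    ]
    for e in sync_only_entries(gvks):
        lines += [
            f'    - group: "{e["group"]}"',
            f'      version: {e["version"]}',
            f'      kind: {e["kind"]}',
        ]
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    print(render_gatekeeper_config(DATA_INVENTORY))
```

Run it against the list you intend to pass to --data-inventory; a ValueError points at the value to fix, and the rendered manifest can be diffed against `kubectl get config -n gatekeeper-system -o yaml` on a cluster where the template is already enforced.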

policy-template delete

Delete a policy template

Usage

  tanzu operations policy policy-template delete POLICYTEMPLATE_NAME [flags]

policy-template get

Usage

  tanzu operations policy policy-template get POLICYTEMPLATE_NAME [flags]

Flags

      --object          get only Kubernetes object used in a policy template (eg. ConstraintTemplate object)
  -o, --output string   Output format (yaml | json) (default "yaml")

Example

To get a policy template (similar for delete):

tanzu operations policy policy-template get POLICYTEMPLATE_NAME

To get only the OPA Gatekeeper ConstraintTemplate object used in a policy template, use the --object parameter with get:

tanzu operations policy policy-template get POLICYTEMPLATE_NAME --object

To create a custom-policy using a policy template created with this command, create the corresponding resource file and use the tanzu operations policy create command as described above. An example resource file to create a policy using the allowedrepos template:

fullName:
  clusterName: CLUSTER_NAME
  managementClusterName: MANAGEMENT_CLUSTER_NAME
  provisionerName: PROVISIONER_NAME
  name: POLICY_NAME
spec:
  type: custom-policy
  recipe: k8sallowedrepos
  input:
    targetKubernetesResources:
    - apiGroups: [""]
      kinds: ["Pod"]
    parameters:
      repos:
      - "REPO_PREFIX1"
      - "REPO_PREFIX2"

In the resource file above:

  - fullName refers to the unique identifier of the Tanzu Mission Control resource along with a new policy name
  - type should be custom-policy for any policies created using custom policy templates
  - recipe is the same as the ConstraintTemplate object name provided in the policy template (which is also the policy template name)
  - targetKubernetesResources refers to the Kubernetes resources on which the policy is applicable
  - parameters refers to the inputs required by the policy template as per the openAPIV3Schema mentioned in the ConstraintTemplate object
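A resource file whose recipe does not match the template name, or whose parameters do not fit the template's openAPIV3Schema, is only rejected once it reaches the server (or, with --dry-run, the data model). The following is an added example, not part of the tanzu CLI or of Tanzu Mission Control, that performs those checks locally: it compares a policy resource file with the ConstraintTemplate it depends on, enforcing the rules listed above (type is custom-policy, recipe equals the template name, fullName is complete, targetKubernetesResources is non-empty, parameters match the schema's types, required fields and declared properties). Both documents are constructed for the example, modelled on the allowedrepos template and the resource file shown above, and are written as the structures yaml.safe_load would return so the check runs without PyYAML; in practice load the real files instead.

```python
"""Local consistency check of a custom-policy resource file against its
ConstraintTemplate (added example, not part of the tanzu CLI)."""

from typing import Any, Dict, List

# Constructed ConstraintTemplate modelled on allowedrepos; only the fields
# this check reads are included (the rego target is omitted).
CONSTRAINT_TEMPLATE: Dict[str, Any] = {
    "apiVersion": "templates.gatekeeper.sh/v1",
    "kind": "ConstraintTemplate",
    "metadata": {"name": "k8sallowedrepos"},
    "spec": {"crd": {"spec": {
        "names": {"kind": "K8sAllowedRepos"},
        "validation": {"openAPIV3Schema": {
            "type": "object",
            "properties": {"repos": {"type": "array", "items": {"type": "string"}}},
            "required": ["repos"],
        }},
    }}},
}

# Constructed policy resource file in the layout shown above.
POLICY: Dict[str, Any] = {
    "fullName": {
        "clusterName": "CLUSTER_NAME",
        "managementClusterName": "MANAGEMENT_CLUSTER_NAME",
        "provisionerName": "PROVISIONER_NAME",
        "name": "POLICY_NAME",
    },
    "spec": {
        "type": "custom-policy",
        "recipe": "k8sallowedrepos",
        "input": {
            "targetKubernetesResources": [{"apiGroups": [""], "kinds": ["Pod"]}],
            "parameters": {"repos": ["REPO_PREFIX1", "REPO_PREFIX2"]},
        },
    },
}

# openAPIV3Schema scalar/container types this check understands.
_TYPE_CHECKS = {
    "string": lambda v: isinstance(v, str),
    "integer": lambda v: isinstance(v, int) and not isinstance(v, bool),
    "boolean": lambda v: isinstance(v, bool),
    "array": lambda v: isinstance(v, list),
    "object": lambda v: isinstance(v, dict),
}


def _check_schema(value: Any, schema: Dict[str, Any], path: str, problems: List[str]) -> None:
    """Minimal openAPIV3Schema walk: type, required, declared properties, items."""
    want = schema.get("type")
    if want in _TYPE_CHECKS and not _TYPE_CHECKS[want](value):
        problems.append(f"{path}: expected {want}, got {type(value).__name__}")
        return
    if want == "object":
        props = schema.get("properties", {})
        for name in schema.get("required", []):
            if name not in value:
                problems.append(f"{path}.{name}: required parameter missing")
        for name, child in value.items():
            if name in props:
                _check_schema(child, props[name], f"{path}.{name}", problems)
            else:
                problems.append(f"{path}.{name}: not declared in openAPIV3Schema")
    elif want == "array" and "items" in schema:
        for i, item in enumerate(value):
            _check_schema(item, schema["items"], f"{path}[{i}]", problems)


def validate_policy(policy: Dict[str, Any], template: Dict[str, Any]) -> List[str]:
    """Return the list of problems found; an empty list means the file is consistent."""
    problems: List[str] = []
    spec = policy.get("spec", {})
    if spec.get("type") != "custom-policy":
        problems.append("spec.type must be custom-policy for policies built from a policy template")
    tmpl_name = template.get("metadata", {}).get("name")
    if spec.get("recipe") != tmpl_name:
        problems.append(f"spec.recipe {spec.get('recipe')!r} does not match ConstraintTemplate name {tmpl_name!r}")
    for key in ("clusterName", "managementClusterName", "provisionerName", "name"):
        if not policy.get("fullName", {}).get(key):
            problems.append(f"fullName.{key} is missing")
    inp = spec.get("input", {})
    if not inp.get("targetKubernetesResources"):
        problems.append("spec.input.targetKubernetesResources is empty; the constraint would match nothing")
    schema = (template.get("spec", {}).get("crd", {}).get("spec", {})
              .get("validation", {}).get("openAPIV3Schema", {"type": "object"}))
    _check_schema(inp.get("parameters", {}), schema, "spec.input.parameters", problems)
    return problems


if __name__ == "__main__":
    for line in validate_policy(POLICY, CONSTRAINT_TEMPLATE) or ["OK: resource file matches the template"]:
        print(line)
```

The schema walk deliberately covers only the subset of openAPIV3Schema a policy template needs (types, required, properties, items); it is a pre-flight check, not a replacement for the server-side validation that tanzu operations policy create --dry-run exercises.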


policy-template list

Usage

  tanzu operations policy policy-template list [flags]

Flags

      --max-size uint   Number of records to return
      --name string     scope search to the specified name (default "*")
      --offset uint     Offset at which to start returning records
  -o, --output string   Output format (yaml|json)

policy-template update

Usage

  tanzu operations policy policy-template update [flags]

Flags

  --data-inventory strings   (optional) List of Kubernetes GVKs that need to be synced/replicated in Gatekeeper in order to enforce policy rules on those resources (Use format "Group/Version/Kind")
  --description string       (optional) Description of the policy template
  --force                    Force in-place update
  --object-file string       Object file containing yaml-formatted Kubernetes resource (only OPA Gatekeeper "ConstraintTemplate" object supported today)
  --object-type string       Type of kubernetes resource (CRD) encoded in spec.object (only "ConstraintTemplate" supported today) (default "ConstraintTemplate")
  --template-type string     Type of policy template that is being updated (only "OPAGatekeeper" supported today) (default "OPAGatekeeper")

recipe

A recipe is a preconfigured policy template that you can use to apply policies.

Usage

  tanzu operations policy recipe [command]

Aliases

  recipe, recipes, pr

Commands

  get         Retrieve a recipe object
  list        Return a list of recipes

recipe get

Retrieve a recipe object

Usage

  tanzu operations policy recipe get RECIPE_NAME [flags]

Flags

  -o, --output string      output format (yaml | json) (default "yaml")
      --type-name string   name of the type

recipe list

Return a list of recipes

Usage

  tanzu operations policy recipe list [flags]

Flags

      --max-size uint      number of records to return
      --name string        filter by specified policy recipe name
      --offset uint        offset at which to start returning records
  -o, --output string      output format (yaml|json)
      --type-name string   filter by specified policy type

Examples

To list all the recipes:

tanzu operations policy recipe list

To filter recipes of type custom-policy:

tanzu operations policy recipe list --type-name custom-policy

type

A Type defines the schema of policy instances.

Usage

  tanzu operations policy type [command]

Aliases

  type, types, pt

Commands

  get         Retrieve a type object
  list        Return a list of types

type get

Retrieve a type object

Usage

  tanzu operations policy type get TYPE_NAME [flags]

Flags

  -o, --output string      output format (yaml | json) (default "yaml")

type list

Return a list of types

Usage

  tanzu operations policy type list [flags]

Flags

      --max-size uint   number of records to return
      --name string     scope search to the specified name
      --offset uint     offset at which to start returning records
  -o, --output string   output format (yaml|json)

update

Update a policy.

Usage

  tanzu operations policy update [flags]

Flags

  -f, --file string    resource file to create policy
  -s, --scope string   scope to cluster/clustergroup/project

Example

To update a policy on a workspace using a resource file, update-policy.yaml:

tanzu operations policy update -s workspace -f update-policy.yaml