policy

Use the policy plug-in to manage policies for resources.

Usage

tanzu mission-control policy [command]

Commands

  completion       Generate the autocompletion script for the specified shell
  create           Create a policy
  delete           Delete a policy
  get              Get a policy
  insight          Provide insight on the issues related to the policies which are applied on resources
  list             List policies
  policy-template  Policy Template wraps a Kubernetes resource that is a pre-requisite/dependency for creating policies. This is a custom template that you can create and upload to TMC
  recipe           Recipe is a TMC provided policy template that customers can use out of the box to apply policies
  type             Type defines the schema of policy instances
  update           Update a policy

completion

Generate the autocompletion script for the specified shell.

Usage

  tanzu mission-control policy completion [command]

Commands

  bash        Generate the autocompletion script for bash
  fish        Generate the autocompletion script for fish
  powershell  Generate the autocompletion script for powershell
  zsh         Generate the autocompletion script for zsh

Example

To generate the autocompletion script for bash:

tanzu mission-control policy completion bash

create

Create a policy.

Usage

tanzu mission-control policy create [flags]

Flags

      --dry-run        only create data model, do not apply to server
  -f, --file string    resource file to create policy
  -s, --scope string   scope to cluster/clustergroup/workspace/organization

Example

To create a policy on a cluster using a resource file, sample-policy.yaml:

tanzu mission-control policy create -s cluster -f sample-policy.yaml

delete

Delete a policy.

Usage

tanzu mission-control policy delete POLICY_NAME [flags]

Flags

  -m, --management-cluster-name string   name of the management-cluster (applicable for clusters scoped policies only)
  -n, --name string                      name of the resource
  -p, --provisioner-name string          name of the provisioner (applicable for clusters scoped policies only)
  -s, --scope string                     scope to cluster/clustergroup/workspace/organization

Example

To delete a policy applied on an attached cluster:

tanzu mission-control policy delete POLICY_NAME -s cluster -n CLUSTER_NAME -m attached -p attached

To delete a policy applied on a workspace:

tanzu mission-control policy delete POLICY_NAME -s workspace -n WORKSPACE_NAME

get

Get a policy.

Usage

tanzu mission-control policy get POLICY_NAME [flags]

Flags

  -m, --management-cluster-name string   name of the management-cluster (applicable for clusters scoped policies only)
  -n, --name string                      name of the resource
  -o, --output string                    Output format (yaml | json) (default "yaml")
  -p, --provisioner-name string          name of the provisioner (applicable for clusters scoped policies only)
  -s, --scope string                     scope to cluster/clustergroup/workspace/organization

Example

To get a policy applied on a cluster group:

tanzu mission-control policy get POLICY_NAME -s clustergroup -n CLUSTERGROUP_NAME

insight

Provides insight on the issues related to the policies which are applied on resources.

Usage

  tanzu mission-control policy insight [command]

Aliases

  insight, insights, pis

Commands

  list        Return a list of insights

Example

To list all the policy insights:

tanzu mission-control policy insight list

To filter policy insights by cluster:

tanzu mission-control policy insight list --cluster-name cluster_name

To filter policy insights by policy:

tanzu mission-control policy insight list --policy-name policy_name

To filter policy insights by category (policy type):

tanzu mission-control policy insight list --category security

list

List policies.

Usage

  tanzu mission-control policy list [flags]

Flags

      --direct                           list only direct policies on the resource (by default, all effective policies are listed)
  -m, --management-cluster-name string   name of the management-cluster (applicable for clusters scoped policies only)
  -n, --name string                      name of the resource
  -o, --output string                    Output format (yaml | json) (default "yaml")
  -p, --provisioner-name string          name of the provisioner (applicable for clusters scoped policies only)
  -s, --scope string                     scope to cluster/clustergroup/workspace/organization

Example

To list all the policies in a cluster with management cluster as attached and provisioner as attached:

tanzu mission-control policy list -s cluster -n cluster_name -m attached -p attached

policy-template

A policy template wraps a Kubernetes resource that is a pre-requisite or dependency for creating policies. This is a custom template that you can create and upload to Tanzu Mission Control.

Usage

  tanzu mission-control policy policy-template [command]

Aliases

  policy-template, policy-templates, ptl

Commands

  create      Create a policy template
  delete      Delete a policy template
  get         Get a policy template
  list        List policy templates
  update      Update (overwrite) a policy template

Example

To create OPA Gatekeeper ConstraintTemplate allowedrepos as a Tanzu Mission Control policy template (similar for update):

tanzu mission-control policy policy-template create --object-file template.yaml

To create the OPA Gatekeeper ConstraintTemplate uniqueingresshost, which requires cached/sync resources, as a Tanzu Mission Control policy template (similar for update):

tanzu mission-control policy policy-template create --object-file template.yaml --data-inventory "extensions/v1beta1/Ingress" --data-inventory "networking.k8s.io/v1beta1/Ingress" --data-inventory "networking.k8s.io/v1/Ingress"

To get a policy template (similar for delete):

tanzu mission-control policy policy-template get POLICYTEMPLATE_NAME

To get only the OPA Gatekeeper ConstraintTemplate object used in a policy template, you can use the "--object" parameter with get:

tanzu mission-control policy policy-template get POLICYTEMPLATE_NAME --object

To create a custom-policy using a policy template created with this command, create the corresponding resource file and use the tanzu mission-control policy create command as described above. An example resource file to create a policy using the allowedrepos template:

fullName:
  clusterName: CLUSTER_NAME
  managementClusterName: MANAGEMENT_CLUSTER_NAME
  provisionerName: PROVISIONER_NAME
  name: POLICY_NAME
spec:
  type: custom-policy
  recipe: k8sallowedrepos
  input:
    targetKubernetesResources:
    - apiGroups: [""]
      kinds: ["Pod"]
    parameters:
      repos:
      - "REPO_PREFIX1"
      - "REPO_PREFIX2"

In the resource file above:

- fullName refers to the unique identifier of the Tanzu Mission Control resource along with a new policy name
- type should be custom-policy for any policies created using custom policy templates
- recipe is the same as the ConstraintTemplate object name provided in the policy template (which is also the policy template name)
- targetKubernetesResources refers to the Kubernetes resources on which the policy is applicable
- parameters refers to the inputs required by the policy template as per the openAPIV3Schema mentioned in the ConstraintTemplate object
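A template.yaml that fits the resource file above could look like the following. This is an added illustration, not taken from the Tanzu Mission Control documentation: it is modeled on the allowed-repos template in the upstream OPA Gatekeeper library, and the apiVersion and the Rego body are assumptions. Only the name k8sallowedrepos and the repos parameter come from the resource file.

```yaml
# Added example: template.yaml for the allowedrepos policy template.
# apiVersion and the Rego body are assumptions modeled on the upstream
# Gatekeeper library, not content from the Tanzu Mission Control docs.
apiVersion: templates.gatekeeper.sh/v1beta1
kind: ConstraintTemplate
metadata:
  name: k8sallowedrepos          # must equal spec.recipe in the policy resource file
spec:
  crd:
    spec:
      names:
        kind: K8sAllowedRepos
      validation:
        openAPIV3Schema:         # defines what spec.input.parameters may contain
          type: object
          properties:
            repos:
              description: Image prefixes that containers are allowed to use.
              type: array
              items:
                type: string
  targets:
    - target: admission.k8s.gatekeeper.sh
      rego: |
        package k8sallowedrepos

        # Every container type is checked, so init and ephemeral
        # containers cannot bypass the allow-list.
        input_containers[c] { c := input.review.object.spec.containers[_] }
        input_containers[c] { c := input.review.object.spec.initContainers[_] }
        input_containers[c] { c := input.review.object.spec.ephemeralContainers[_] }

        # True when the image starts with at least one allowed prefix.
        image_allowed(image) {
          startswith(image, input.parameters.repos[_])
        }

        violation[{"msg": msg}] {
          container := input_containers[_]
          not image_allowed(container.image)
          msg := sprintf("container <%v> uses image <%v>; allowed prefixes are %v",
                         [container.name, container.image, input.parameters.repos])
        }
```

Because this check is a plain prefix match, write each REPO_PREFIX value with a trailing slash (for example registry.example.com/team/, a constructed name). Without it, a prefix such as registry.example.com also matches registry.example.com.other.tld.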

recipe

A recipe is a preconfigured policy template that you can use to apply policies.

Usage

  tanzu mission-control policy recipe [command]

Aliases

  recipe, recipes, pr

Commands

  get         Retrieve a policy recipe object
  list        Return a list of policy recipes

Example

To list all the recipes:

tanzu mission-control policy recipe list

To filter recipes of type custom-policy:

tanzu mission-control policy recipe list --type-name custom-policy

type

A type defines the schema of policy instances.

Usage

  tanzu mission-control policy type [command]

Aliases

  type, types, pt

Commands

  get         Retrieve a policy type object
  list        Return a list of policy types

update

Update a policy.

Usage

  tanzu mission-control policy update [flags]

Flags

  -f, --file string    resource file to create policy
  -s, --scope string   scope to cluster/clustergroup/workspace/organization

Example

To update a policy on a workspace using a resource file, update-policy.yaml:

tanzu mission-control policy update -s workspace -f update-policy.yaml