Use VMware Tanzu Mission Control to create and apply a custom policy from an existing policy template.

A policy template is a declarative definition of a policy. Starting from a template, you supply the parameters and target resources it expects and apply the result as a custom policy that governs your Kubernetes resources.

Prerequisites

Log in to the Tanzu Mission Control console, go to the Policies page and view the custom policies for the object, as described in View the Policy Assignments for an Object.

Make sure you have the appropriate permissions to add custom policies.
  • To add a custom policy, you must be associated with the .admin role on that object.

Procedure

  1. On the Policies page, click the Custom tab.
  2. Use the tree control to navigate to and select the object to which you want to apply a custom policy.
  3. Click Create Custom Policy.
  4. On the custom policy create form, select the policy template you want to use, and then provide a name for the policy.
  5. Specify the target resources on which to enforce the policy, and then click Add Resource.
    A target resource, identified by a kind and an API group, specifies the Kubernetes API resource on which the policy is enforced.
  6. Specify parameters for your policy, if defined by the schema of the selected template.
    Not all custom policies require parameters. If the selected template does not accept parameters, the Parameters section is not displayed on the form.
  7. You can optionally provide label selectors to specify particular namespaces that you want to include or exclude for this policy.
    For more information about how label selectors work, see Policy-Driven Cluster Management in VMware Tanzu Mission Control Concepts.
  8. Select the Enforcement action you want the policy to use.
    • Deny (default) indicates the policy is fully enforced: the admission webhook rejects any request that violates the policy.
    • Dry run indicates the policy is not enforced but lets you see its impact before turning it on. Violating resources are still admitted to the cluster, but violations are reported so you can review what Deny would have rejected. You can later edit the policy to switch the enforcement action to Deny.
    • Warn admits violating requests the same way Dry run does, but also returns a warning to the client that made the request (for example, kubectl prints it), so the user sees immediately what a Deny policy would have rejected.
  9. Click Create Policy.

Results

When you click Create Policy, Tanzu Mission Control installs the Gatekeeper admission webhook on your cluster, synchronizes the policy template to your cluster, and then creates the policy and applies it to your cluster.