Use VMware Tanzu Mission Control to create and apply a custom policy from an existing policy template.

Using a policy template that provides a declarative definition of a policy, you can provide parameters and apply a custom policy to manage your Kubernetes resources.

Prerequisites

Log in to the Tanzu Mission Control console, go to the Policies page and view the custom policies for the object, as described in View the Policy Assignments for an Object.

Make sure you have the appropriate permissions to add custom policies.
  • To add a custom policy, you must be associated with the .admin role on that object.

Procedure

  1. On the Policies page, click the Custom tab, and then click the Clusters organization view.
  2. Use the tree control to navigate to and select the object to which you want to apply a custom policy.
  3. Click Create Custom Policy.
  4. On the custom policy create form, select the policy template you want to use, and then provide a name for the policy.
  5. Specify the target resources on which to enforce the policy, and then click Add Resource.
    A target resource, identified by a kind and an API group, specifies the Kubernetes API resource on which the policy is enforced.
  6. Specify parameters for your policy, if defined by the schema of the selected template.
    Not all custom policies require parameters. If the selected template does not accept parameters, the Parameters section is not displayed on the form.
  7. You can optionally provide label selectors to specify particular namespaces that you want to include or exclude for this policy.
    For more information about how label selectors work, see Policy-Driven Cluster Management in VMware Tanzu Mission Control Concepts.
  8. You can optionally select Disable policy enforcement to perform a dry-run test of the policy before enforcing it.
    If this option is selected, the policy is not enforced on the cluster, but you do receive alerts for policy violations. You can later edit this policy to re-enable policy enforcement.
  9. Click Create Policy.

Results

When you click Create Policy, Tanzu Mission Control installs the Gatekeeper admission webhook on your cluster, synchronizes the policy template to your cluster, and then creates the policy and applies it to your cluster.
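
For orientation, the form fields in the procedure correspond to fields of a Gatekeeper constraint. The following is an added example, not output from Tanzu Mission Control and not part of the original documentation. It assumes the K8sRequiredLabels template from the Gatekeeper library, a constructed policy name and label values, and that Disable policy enforcement corresponds to Gatekeeper's dryrun enforcement action.

```yaml
# Hand-written Gatekeeper constraint for illustration only.
# Assumption: the object Tanzu Mission Control creates may differ in name and metadata.
apiVersion: constraints.gatekeeper.sh/v1beta1
# Step 4: the policy template selects the constraint kind
# (assumed here: K8sRequiredLabels from the Gatekeeper library).
kind: K8sRequiredLabels
metadata:
  # Step 4: policy name (constructed value).
  name: require-owner-label
spec:
  # Step 8: dry-run. Violations are recorded and reported, requests are not rejected.
  # Remove this field (Gatekeeper defaults to deny) to enforce.
  enforcementAction: dryrun
  match:
    # Step 5: target resources, each identified by an API group and a kind.
    # The empty string is the core API group.
    kinds:
      - apiGroups: [""]
        kinds: ["Pod"]
      - apiGroups: ["apps"]
        kinds: ["Deployment"]
    # Step 7: label selector that limits the policy to particular namespaces
    # (constructed label key and value).
    namespaceSelector:
      matchExpressions:
        - key: environment
          operator: In
          values: ["production"]
  # Step 6: parameters, present only when the template's schema defines them.
  parameters:
    labels:
      - key: owner
```

On a cluster where the policy has been applied, `kubectl get constrainttemplates` and `kubectl get constraints` list the synchronized template and the resulting constraint. While a constraint runs in dry-run, Gatekeeper's audit records matching resources under the constraint's `status.violations`.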