Add a security policy that governs how pods can run in your clusters.

Prerequisites

Log in to the Tanzu Mission Control console, go to the Policies page and view the security policies for the object, as described in View the Policy Assignments for an Object.

Make sure you have the appropriate permissions.
  • To create a security policy for an object, you must be associated with the .admin role for that object.

Procedure

  1. On the Policies page, click the Security tab, and then click the Clusters organization view.
  2. Use the tree control to navigate to and select the object for which you want to create a security policy.
  3. Click Create Security Policy.
  4. Select the security template that you want to use.
    • The Strict template is a preconfigured set of constraints that define a tight security context for pods in your clusters. The detailed options defined in this template are displayed on the form in the Tanzu Mission Control console.
    • The Custom template allows you to specify how to handle the various aspects of pod security for your clusters.
  5. Provide a policy name.
  6. If you chose the Custom template, specify the detailed aspects of pod security that the policy controls.
  7. You can optionally provide label selectors to specify particular namespaces that you want to include or exclude for this policy.
    For more information about how label selectors work, see Policy-Driven Cluster Management in VMware Tanzu Mission Control Concepts.
  8. You can optionally select Disable policy enforcement to perform a dry-run test of the policy before enforcing it.
    If this option is selected, the policy does not block pods that violate it; they are still admitted and scheduled on the cluster, but you receive an alert for each violation. This lets you see what the policy would block before it affects running workloads. You can later edit this policy to re-enable policy enforcement.
  9. You can optionally select Disable native pod security policies to turn off enforcement of the native Kubernetes pod security policies (PodSecurityPolicy objects) that are implemented on the cluster.
    If this option is selected for any policy (direct or inherited) that affects a cluster, then native Kubernetes pod security policies are disabled for that cluster. If this option is not selected, then any native pod security policies defined on the cluster take precedence over the policy you define here. Check which native policies exist on the cluster before disabling them, because workloads that were admitted only by a permissive native policy may be blocked once the Tanzu Mission Control policy alone applies.
    Note that the PodSecurityPolicy API was removed from Kubernetes in version 1.25, so this option only has an effect on clusters running earlier versions.
    You can later edit this policy to re-enable native pod security policies.
  10. Click Create policy.
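The following is an added worked example, not code from Tanzu Mission Control, that models the three decisions this procedure asks you to make: which namespaces a policy reaches through its include and exclude label selectors (step 7), what a strict constraint set rejects, and how a dry-run policy differs from an enforced one (step 8). The selector evaluation follows standard Kubernetes label-selector semantics (matchLabels and matchExpressions with In, NotIn, Exists and DoesNotExist); the constraint set named STRICT, the pod manifest and the namespace labels are constructed assumptions for illustration and are not the contents of the console's Strict template.

```python
"""Model of namespace selection and dry-run vs. enforced pod security policies.

Added illustration, not Tanzu Mission Control code. STRICT, PRIVILEGED_POD and
the namespace label sets below are constructed assumptions.
"""
from dataclasses import dataclass, field
from typing import Optional


def selector_matches(selector: dict, labels: dict) -> bool:
    """Kubernetes label-selector semantics: every matchLabels entry and every
    matchExpressions entry must hold (they are ANDed together)."""
    for key, value in selector.get("matchLabels", {}).items():
        if labels.get(key) != value:
            return False
    for expr in selector.get("matchExpressions", []):
        key, op = expr["key"], expr["operator"]
        values = expr.get("values", [])
        present = key in labels
        if op == "In" and not (present and labels[key] in values):
            return False
        if op == "NotIn" and present and labels[key] in values:
            return False  # NotIn also matches when the key is absent
        if op == "Exists" and not present:
            return False
        if op == "DoesNotExist" and present:
            return False
    return True


@dataclass
class SecurityPolicy:
    name: str
    constraints: dict
    include: Optional[dict] = None   # None means every namespace
    exclude: Optional[dict] = None
    enforce: bool = True             # False models "Disable policy enforcement"

    def applies_to(self, ns_labels: dict) -> bool:
        """A namespace is in scope if it matches include (when set) and does
        not match exclude (when set)."""
        if self.include is not None and not selector_matches(self.include, ns_labels):
            return False
        if self.exclude is not None and selector_matches(self.exclude, ns_labels):
            return False
        return True


# Assumed constraint set standing in for a strict template.
STRICT = {"disallowHostNetwork": True, "disallowPrivileged": True, "requireRunAsNonRoot": True}


def violations(pod: dict, constraints: dict) -> list:
    """Return a human-readable finding for each constraint the pod breaks."""
    found = []
    spec = pod["spec"]
    if constraints.get("disallowHostNetwork") and spec.get("hostNetwork"):
        found.append("pod uses hostNetwork")
    for c in spec.get("containers", []):
        sc = c.get("securityContext", {})
        if constraints.get("disallowPrivileged") and sc.get("privileged"):
            found.append(f"container {c['name']} is privileged")
        if constraints.get("requireRunAsNonRoot") and not sc.get("runAsNonRoot"):
            found.append(f"container {c['name']} does not set runAsNonRoot")
    return found


def admit(pod: dict, ns_labels: dict, policies: list) -> tuple:
    """Evaluate every in-scope policy. Enforced policies reject the pod on any
    violation; dry-run policies only raise alerts. Returns (admitted, alerts)."""
    admitted, alerts = True, []
    for policy in policies:
        if not policy.applies_to(ns_labels):
            continue
        for finding in violations(pod, policy.constraints):
            alerts.append(f"{policy.name}: {finding}")
            if policy.enforce:
                admitted = False
    return admitted, alerts


# Constructed pod manifest that breaks all three assumed constraints.
PRIVILEGED_POD = {
    "metadata": {"name": "debug-shell"},
    "spec": {
        "hostNetwork": True,
        "containers": [{"name": "shell", "image": "busybox",
                        "securityContext": {"privileged": True}}],
    },
}

PROD_SELECTOR = {"matchExpressions": [{"key": "env", "operator": "In", "values": ["prod", "staging"]}]}
EXEMPT_SELECTOR = {"matchLabels": {"security-policy-exempt": "true"}}

if __name__ == "__main__":
    enforced = SecurityPolicy("strict-prod", STRICT, include=PROD_SELECTOR, exclude=EXEMPT_SELECTOR)
    dry_run = SecurityPolicy("strict-prod-dryrun", STRICT, include=PROD_SELECTOR, enforce=False)
    for ns in ({"env": "prod"}, {"env": "dev"}, {"env": "prod", "security-policy-exempt": "true"}):
        print(ns, admit(PRIVILEGED_POD, ns, [enforced]))
        print(ns, admit(PRIVILEGED_POD, ns, [dry_run]))
```

Running the script shows the practical difference between the two modes: with the enforced policy the privileged pod is rejected in the prod namespace with three alerts, while the dry-run policy admits it and raises the same three alerts, which is exactly the signal you want to review before re-enabling enforcement. The dev namespace and the explicitly exempted prod namespace fall outside the policy's scope and produce no alerts at all, so checking selector scope first tells you whether silence means "compliant" or merely "not selected".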