Add a mutation policy that can alter a podspec to specify how pods can run in your clusters.
A mutation policy, implemented using OPA Gatekeeper, allows you to enforce the conformance of pods running in your clusters by changing certain properties of the pod specification (podspec) prior to allowing deployment.
Prerequisites
Log in to the Tanzu Mission Control console, go to the Policies page and view the mutation policies for the object, as described in View the Policy Assignments for an Object.
Make sure you have the appropriate permissions.
- To create a mutation policy for an object, you must be associated with the .admin role for that object.
Procedure
- On the Policies page, click the Mutation tab.
- Use the tree control to navigate to and select the object for which you want to create a mutation policy.
- Click Create Mutation Policy.
- Select the mutation template that you want to use.
- Provide a policy name.
- In the grid, locate the property for which you want to provide a mutation, and then click the edit icon.
You can optionally filter the displayed properties by
Property or
Description, and use the toggle to
Show only defined mutations.
- Provide the details about how you want to mutate the property.
The contents of the property mutation dialog shows the options available for the property, and varies according to which property you choose to mutate.
- Click Save.
- You can optionally provide label selectors to specify particular namespaces that you want to include or exclude for this policy.
- Click Create policy.
Results
When you click
Create policy, the policy is created and applied to the object and is displayed on the Policies page. Because a mutation policy assesses and mutates pods only at the time of admission, the policy impacts only new, incoming requests for creating or updating pods. The mutation policy does not impact pods that have already been admitted into the cluster.