Create a template in the Tanzu Mission Control console that you can use to apply custom policies.

The template provides a declarative definition of a policy, which you can use to apply custom constraints on your managed Kubernetes resources. This template represents a ConstraintTemplate object, which contains the schema of the constraint and the Rego code that defines how it is enforced.
Tanzu Mission Control provides some sample preconfigured policy templates that you can use as a starting place.
  • You can use the tmc-require-labels template to enforce labels with a key and optional value on specified Kubernetes resources (for example, ensuring that all pods and namespaces in a cluster have a label with the key owner).
  • You can use tmc-https-ingress the template to enforce that all ingress objects created on a cluster have tls configuration and that the allow-http annotation set to false.

For more information about defining a ConstraintTemplate object, see Constraint Templates in the OPA Gatekeeper documentation on GitHub.


Make sure you have the appropriate permissions to create policy templates.
  • To create a policy template, you must be associated with the .admin role or the organization.policytemplate.edit role on the organization.


  1. Click Policies in the left navigation pane of the Tanzu Mission Control console to show the subpages, and then click Templates.
  2. On the Custom policy templates page, click Create Template.
  3. On the Create page, you can optionally provide a description for the template.
  4. Define the template.
    You can write the template definition directly in the code box provided, or click Import to use a YAML file that you have already written.
  5. You can optionally define Kubernetes resources to be cached for the policy.
    To enforce a custom policy, OPA might need access to more state than just the object under test. For example, if the policy calculates the number of pods running in the namespace, OPA needs access to all those pods. If your template requires such data replicated in OPA cache, specify the group, version, and kind of each Kubernetes resource that needs to be cached. For more information about cached resources, see Replicating Data in the OPA Gatekeeper documentation.
  6. Click Create.


When you click Create, Tanzu Mission Control creates the template and enters it in the table on the Custom policy templates page. You can now use this template to create a policy and apply it to your clusters.