Create a custom policy, by using templates that you define, to enforce policies on Tanzu Platform for Kubernetes beyond the built-in policy types.
Before you create a custom policy, you must have the following permissions:
For many aspects of cluster management, VMware Tanzu Platform for Kubernetes provides specific policies that you can use to enforce rules on your fleet of Kubernetes clusters. These rules include access policies, container image registry policies, and security policies. However, these baseline policies might not cover all of the aspects that you want to control.
Custom policies are open-ended and give you the opportunity to address aspects of cluster management that specifically suit the needs of your organization. Custom policies in Tanzu Platform for Kubernetes are implemented using the Gatekeeper project from Open Policy Agent (OPA). To create a custom policy template, you use Rego, which is the policy language of OPA. For more information about Rego, see the OPA Policy Language documentation.
To implement a custom policy, you must first have a template that declaratively defines the structure of the policy. You then use the custom policy template to apply custom policies to your clusters.
In Tanzu Platform hub, create a template that you can use to apply custom policies. The template provides a declarative definition of a policy, which applies custom constraints on your managed Kubernetes resources. This template represents a ConstraintTemplate object, which contains the schema of the constraint and the Rego code that defines how it is enforced.
Tanzu Platform for Kubernetes provides some sample pre-configured policy templates to get you started. For example:
The tmc-require-labels template enforces labels with a key and an optional value on specified Kubernetes resources; for example, it can ensure that all pods and namespaces in a cluster have a label with the key owner.
The tmc-https-ingress template enforces that all ingress objects created on a cluster have a TLS configuration and that the allow-http annotation is set to false.
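As an added illustration of what such a template contains (example code written for this page, not the tmc-require-labels sample or any other template shipped with Tanzu Platform), the following Gatekeeper ConstraintTemplate defines a hypothetical constraint kind named ExampleRequiredLabels. The openAPIV3Schema declares the parameters a policy built from the template can pass in, and the Rego in the targets section produces one violation for each required label that is missing or, when allowedValue is set, carries a different value. The names examplerequiredlabels and ExampleRequiredLabels and the parameter field names are assumptions.

```yaml
apiVersion: templates.gatekeeper.sh/v1
kind: ConstraintTemplate
metadata:
  name: examplerequiredlabels        # hypothetical template name
spec:
  crd:
    spec:
      names:
        kind: ExampleRequiredLabels  # constraint kind that policies will reference
      validation:
        # Schema of the parameters a policy may supply when using this template.
        openAPIV3Schema:
          type: object
          properties:
            labels:
              type: array
              items:
                type: object
                properties:
                  key:
                    type: string     # label key that must be present
                  allowedValue:
                    type: string     # optional: the only value accepted for that key
  targets:
    - target: admission.k8s.gatekeeper.sh
      rego: |
        package examplerequiredlabels

        # Violation: a required label key is absent from the reviewed object.
        violation[{"msg": msg}] {
          required := input.parameters.labels[_]
          not input.review.object.metadata.labels[required.key]
          msg := sprintf("missing required label %v", [required.key])
        }

        # Violation: the label exists but its value differs from allowedValue.
        # The rule is skipped when allowedValue is unset, so the value is optional.
        violation[{"msg": msg}] {
          required := input.parameters.labels[_]
          required.allowedValue != ""
          actual := input.review.object.metadata.labels[required.key]
          actual != required.allowedValue
          msg := sprintf("label %v has value %v, expected %v", [required.key, actual, required.allowedValue])
        }
```

Gatekeeper evaluates every violation rule against input.review.object, the resource in the admission request, and the message text is what appears in the denial or warning. Keeping each condition in its own rule makes the reported reason precise, which matters when a policy is first run in dry run mode and you are reading audit results to decide whether enforcement is safe.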
To create a policy template:
In Tanzu Platform hub, on the left navigation, click Operations Policies, and then click Cluster Policies.
Click the Custom Policy Templates tab.
Sample templates appear in the table. To create a template, click Create Custom Policy Template.
In Tanzu Platform hub, create and apply a custom policy from an existing policy template. Using a policy template that provides a declarative definition of a policy, you can provide parameters and apply a custom policy to manage your Kubernetes resources.
To apply a custom policy:
In Operations Policies > Cluster Policies, click the Cluster Groups and Clusters tab.
Use the tree control to navigate to and select the object that you want to apply the custom policy to.
Click Create Policy and select Custom.
Provide a policy name. The Scope and Object names are automatically generated based on the object you selected in the tree.
Select the policy template that you want to use.
Specify the target resources on which to enforce the policy, and then click Add.
A target resource, identified by a kind and an API group, specifies the Kubernetes API resource on which the policy is enforced.
Specify parameters for your policy, if defined by the schema of the selected template. Not all custom policies require parameters. If the selected template does not accept parameters, the Parameters section is not displayed on the form.
Select the Enforcement action you want the policy to use.
Deny: (default) indicates that the policy is fully enforced and denies admission requests with any violation.
Dry run: indicates the policy is not enforced but allows you to see the impact of the policy for testing. If you select this option, the policy does not prevent containers from being scheduled on the cluster, but you do receive alerts for policy violations. You can later edit this policy to re-enable policy enforcement.
Warn: works like dry run, except that it provides immediate feedback when a potential denial occurs.
(Optional) Provide label selectors to specify particular namespaces that you want to include or exclude for this policy.
Click Create Policy.
When you click Create Policy, Tanzu Platform for Kubernetes installs the Gatekeeper admission webhook on your cluster, synchronizes the policy template to your cluster, and creates the policy and applies it to your cluster.
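To show the shape of the Gatekeeper constraint that corresponds to the form fields above, here is an added example written for this page rather than taken from the product. It assumes a ConstraintTemplate already synchronized to the cluster whose constraint kind is ExampleRequiredLabels (a hypothetical name) and which accepts a labels parameter; the policy name, the namespace selector label, and the owner and environment keys are constructed values. In Gatekeeper's constraint format, the target resources from the form are expressed under match.kinds, the enforcement action under enforcementAction (deny, dryrun, or warn), and the label selectors under match.namespaceSelector.

```yaml
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: ExampleRequiredLabels          # kind defined by the (hypothetical) template
metadata:
  name: require-owner-label          # constructed policy name
spec:
  # Enforcement action: deny (default) rejects violating requests,
  # dryrun only records violations, warn admits but returns a warning.
  enforcementAction: dryrun
  match:
    # Target resources: each entry pairs API groups with resource kinds.
    # "" is the core API group, which contains Pod and Namespace.
    kinds:
      - apiGroups: [""]
        kinds: ["Pod", "Namespace"]
    # Optional label selector: only namespaces carrying this constructed
    # label are in scope for the policy.
    namespaceSelector:
      matchLabels:
        policy-scope: enforced
  # Parameters as defined by the template's schema.
  parameters:
    labels:
      - key: owner                   # key must exist, any value accepted
      - key: environment
        allowedValue: production     # key must exist and equal this value
```

With enforcementAction set to dryrun, a pod created without an owner label is still scheduled, and the violation is reported rather than blocked; changing the value to deny, as the step above describes, turns the same constraint into a hard admission rule without editing anything else.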