Create and manage mutation policies on Tanzu Platform for Kubernetes

Use a mutation policy to edit Kubernetes resources when pods are deployed in your clusters.

Before you begin

Before you can create a mutation policy for an object, you must be associated with the .admin role for that object.

To confirm you have the correct permissions:

  1. Log in to the Tanzu Platform hub.
  2. On the left navigation, click Operations Policies then click Cluster Policies.
  3. Verify you have the appropriate permissions.

About mutation policies on Tanzu Platform for Kubernetes

Using VMware Tanzu Platform for Kubernetes, you can make the deployments to your clusters more consistent by implementing policies that add or edit resources in those deployments before they are admitted. Mutation policies, implemented using OPA Gatekeeper, rewrite a pod so that it conforms to your specifications rather than rejecting it; rejecting non-conformant pods is the job of security policies. You can use a mutation policy to alter the following types of Kubernetes resource properties:

  • Annotations
  • Labels
  • Pod security properties

A mutation policy can alter (mutate) the pod specification (podspec) to enforce conformance to the policy. When a pod is deployed to the cluster, the policy mutates the podspec as defined in the policy before admitting the request to deploy the pod.

Mutating labels and annotations

You can create a mutation policy that applies a label or annotation to a Kubernetes resource before it is admitted to a cluster. When a resource is evaluated for admission, the policy creates the key-value pair only if that key does not already exist; the policy does not change the value of a label or annotation that is already present. Because the policy acts only at admission time, you can manually alter a mutation the policy applied after the resource has been admitted, and because the key then exists, the policy does not overwrite your change on a later update.

Evaluation and precedence of mutation policies

You can apply mutation policies in the clusters hierarchy (infrastructure view) in Tanzu Platform for Kubernetes, and they are inherited down through the hierarchy.

When multiple mutation policies are applied to a cluster, through either direct or inherited policies, they are evaluated as follows:

  • Mutation policies are run against the podspec starting with those applied to the cluster, then those inherited from the cluster group, and finally those inherited from the organization.
  • If there are multiple mutation policies at any level of the hierarchy, they are run in alphanumeric order.

Because a mutation policy can overwrite changes applied by a previously run mutation policy, the order in which they are run is significant: under this order a policy inherited from the organization runs last, so where two policies set the same pod security property, the organization-level value is the one that remains. When a workload is deployed to a cluster that has both mutation policies and security policies, the mutation policies are evaluated first and applied to mutate the podspec as specified. After all mutations are applied, the security policies are evaluated against the mutated podspec to verify that it is conformant before the deployment is allowed.
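The following is an added example, not code from Tanzu Platform or OPA Gatekeeper, that models the evaluation rules described above and under "Mutating labels and annotations": policies run cluster, then cluster group, then organization, alphanumeric by name within a level; a label or annotation is created only if its key is absent; a pod security property is set by every policy that names it, so the last policy run wins; and security policies validate the podspec only after all mutations are applied. The policy names, the hierarchy levels, the `MutationPolicy` fields, the sample pod and the `require_non_root` security policy are all constructed for illustration, and "pod security property" is simplified to a field of `spec.securityContext`.

```python
import copy
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Tuple

# Evaluation order stated on this page: cluster first, then cluster group,
# then organization; alphanumeric by policy name within a level.
LEVEL_ORDER = {"cluster": 0, "clustergroup": 1, "organization": 2}


@dataclass
class MutationPolicy:
    """One mutation policy. Field names are illustrative, not Tanzu's schema."""
    name: str
    level: str                                      # key of LEVEL_ORDER
    labels: Dict[str, str] = field(default_factory=dict)
    annotations: Dict[str, str] = field(default_factory=dict)
    security: Dict[str, object] = field(default_factory=dict)  # spec.securityContext fields


def ordered(policies: List[MutationPolicy]) -> List[MutationPolicy]:
    """Return the policies in the order the page says they are run."""
    return sorted(policies, key=lambda p: (LEVEL_ORDER[p.level], p.name))


def mutate(pod: dict, policies: List[MutationPolicy]) -> dict:
    """Apply every policy in evaluation order and return the mutated podspec."""
    pod = copy.deepcopy(pod)                        # admission never edits the caller's copy
    meta = pod.setdefault("metadata", {})
    for policy in ordered(policies):
        # Labels/annotations: created only when the key is absent; an existing
        # key keeps its value (setdefault never overwrites).
        for key, value in policy.labels.items():
            meta.setdefault("labels", {}).setdefault(key, value)
        for key, value in policy.annotations.items():
            meta.setdefault("annotations", {}).setdefault(key, value)
        # Pod security properties: assigned unconditionally, so a policy that
        # runs later overwrites one that ran earlier (assumption modelled here).
        for key, value in policy.security.items():
            pod["spec"].setdefault("securityContext", {})[key] = value
    return pod


Validator = Callable[[dict], List[str]]


def require_non_root(pod: dict) -> List[str]:
    """Constructed security policy: reject a pod not forced to run as non-root."""
    if pod["spec"].get("securityContext", {}).get("runAsNonRoot") is not True:
        return ["spec.securityContext.runAsNonRoot must be true"]
    return []


def admit(pod: dict, mutations: List[MutationPolicy],
          validators: List[Validator]) -> Tuple[dict, List[str]]:
    """Admission as described: all mutations first, then every security policy."""
    mutated = mutate(pod, mutations)
    violations = [msg for check in validators for msg in check(mutated)]
    return mutated, violations


# Constructed sample pod: already labelled with an owner, no securityContext yet.
SAMPLE_POD = {
    "metadata": {"name": "api", "namespace": "payments", "labels": {"owner": "payments"}},
    "spec": {"containers": [{"name": "api", "image": "registry.example/api:1.0"}]},
}

# Constructed policies at three levels of the hierarchy. The organization-level
# policy relaxes runAsNonRoot and, because it runs last, undoes the cluster-level hardening.
SAMPLE_POLICIES = [
    MutationPolicy("harden-workloads", "cluster", security={"runAsNonRoot": True}),
    MutationPolicy("default-owner", "clustergroup", labels={"owner": "platform-team"}),
    MutationPolicy("legacy-compat", "organization", security={"runAsNonRoot": False}),
]

if __name__ == "__main__":
    print([p.name for p in ordered(SAMPLE_POLICIES)])
    mutated, violations = admit(SAMPLE_POD, SAMPLE_POLICIES, [require_non_root])
    print(mutated["metadata"]["labels"], mutated["spec"]["securityContext"], violations)
    # Without the organization-level policy the cluster hardening survives and the pod is admitted.
    without_legacy = [p for p in SAMPLE_POLICIES if p.name != "legacy-compat"]
    print(admit(SAMPLE_POD, without_legacy, [require_non_root])[1])
```

Running the sample shows the two points a practitioner should check before relying on a cluster-level mutation: the existing `owner: payments` label survives because the cluster-group policy only fills in a missing key, and the cluster-level `runAsNonRoot: true` is lost because the organization-level policy runs after it, so the security policy rejects the pod even though a hardening mutation exists on the cluster.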

Create a mutation policy

To create a policy in the Tanzu Platform hub:

  1. In Operations Policies > Cluster Policies, click the Cluster Groups and Clusters tab.

  2. Use the tree control to navigate to and select the object for which you want to create a mutation policy.

  3. Click Create Policy and select Mutation.

  4. Provide a policy name. The Scope and Object name is automatically generated based on the object you selected in the tree.

  5. Select a mutation template.

  6. Provide the details about how you want to mutate the property. Click Save.

  7. (Optional) You can provide label selectors to specify particular namespaces that you want to include or exclude for this policy.

  8. Click Create Policy.

After clicking Create Policy, the policy is created, applied to the object, and displayed on the Policies page. Because a mutation policy assesses and mutates pods only at the time of admission, it affects only new, incoming requests to create or update pods; it does not change pods that have already been admitted to the cluster. To bring existing pods under the policy, recreate them (for example, by restarting the Deployment that manages them) so that they pass through admission again.
