Using the Tanzu Service Mesh CLI, you can retrieve all the API specifications that make up an access control policy configuration from Tanzu Service Mesh SaaS. You can combine these specifications in a declarative manifest file to describe a complete access control policy configuration.

A complete access control policy configuration consists of the following configurations:

  • Service group configurations. You must provide a configuration for each service group that you want to define as a source service group or as a destination service group in the access control policy. For more information about the service group configuration, see Create a Service Group.

  • Access control policy configuration. You must provide the general policy details (its name, scope, and optionally labels) and the definitions of the source and destination service groups in the policy. For more information about the access control policy configuration, see Access Control Policy: UI Configuration.

You must retrieve the API specifications that correspond to these configurations from Tanzu Service Mesh SaaS and combine them in the access control policy manifest file.

Prerequisites

Procedure

  1. Create a YAML manifest file to describe the access control policy configuration.
  2. To retrieve the API specification for each configuration that is included in the access control policy configuration, run the tanzu sm get spec CLI command.
    1. To retrieve the API specification for the service group configuration, run the following command.
      tanzu sm get spec gnsservicegroup

      sm is the alias for the Tanzu Service Mesh plugin in the Tanzu CLI. You can replace sm with service-mesh.

    2. To retrieve the API specification for the access control policy configuration, run the following command.
      tanzu sm get spec accesscontrolpolicies
  3. Copy and paste each returned API specification into the manifest file.
    Important:
    • Make sure that you put --- at the end of every API specification in the file.

    • You must add a configuration for each service group that you want to define as a source service group or a destination service group to the manifest file.

  4. Provide values for the fields in the resultant configuration.

    For information about the meaning of the fields in the configuration and what value to provide for each field, see the schema of the appropriate API in API Explorer in Tanzu Service Mesh. Perform the following steps:

    1. In the Tanzu Service Mesh SaaS UI, click API Explorer on the bottom bar.

    2. Go to the appropriate API in API Explorer.

    3. In the API section, under Request Body, click Schema.

  5. Save the changes in the file.
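
Steps 2 and 3 can be scripted so that every specification is retrieved and terminated with --- in one pass. The following is an added example, not part of the product documentation; it assumes that tanzu sm get spec prints the specification as text on standard output, and the function names and the file name acp-manifest.yaml are hypothetical.

```shell
#!/usr/bin/env bash
# Added example, not from the product documentation.
# Assumption: `tanzu sm get spec <type>` prints one YAML specification on stdout.

# append_spec <spec-type> <file>: fetch one spec, append it, end it with '---'.
append_spec() {
    local spec_type="$1" out="$2" spec
    # Stop on CLI failure so a partial manifest is never produced.
    spec=$(tanzu sm get spec "$spec_type") || {
        echo "error: tanzu sm get spec $spec_type failed" >&2
        return 1
    }
    if [ -z "$spec" ]; then
        echo "error: empty specification for $spec_type" >&2
        return 1
    fi
    printf '%s\n' "$spec" >>"$out"
    # Add the separator only if the returned text does not already end with one.
    [ "$(tail -n 1 "$out")" = "---" ] || printf '%s\n' '---' >>"$out"
}

# build_acp_manifest <output-file> <service-group-count>
build_acp_manifest() {
    local out="$1" groups="$2" tmp i=0
    case "$groups" in
        ''|*[!0-9]*) echo "error: group count must be a number" >&2; return 1 ;;
    esac
    [ "$groups" -ge 1 ] || { echo "error: need at least one service group" >&2; return 1; }
    tmp=$(mktemp) || return 1
    # One service group spec per source or destination group in the policy.
    while [ "$i" -lt "$groups" ]; do
        append_spec gnsservicegroup "$tmp" || { rm -f "$tmp"; return 1; }
        i=$((i + 1))
    done
    append_spec accesscontrolpolicies "$tmp" || { rm -f "$tmp"; return 1; }
    # Replace the target only once every specification was retrieved.
    mv "$tmp" "$out"
}

# count_specs <file>: number of '---' terminated specifications in the manifest.
count_specs() {
    grep -c '^---$' "$1"
}

# Usage: build_acp_manifest acp-manifest.yaml 2
```

The generated file still contains only the retrieved specifications; the field values described in step 4 must be filled in before the manifest is applied.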

Results

For information about how to apply the access control policy configuration in a manifest file to your Tanzu Service Mesh tenant, see Apply a Configuration to Tanzu Service Mesh SaaS Using the CLI.

What to do next

Add the access control policy manifest file to the Git repository where you maintain all your manifest files.