diff --git a/content/en/docs/getting-started/integration/policy-controllers/_index.md b/content/en/docs/getting-started/integration/policy-controllers/_index.md index 6d90f14bc..c099cf91f 100644 --- a/content/en/docs/getting-started/integration/policy-controllers/_index.md +++ b/content/en/docs/getting-started/integration/policy-controllers/_index.md @@ -3,22 +3,34 @@ title: Policy weight: 1 --- -The [Policy API]({{< ref "docs/getting-started/integration/policy-controllers/policy" >}}) on the hub delivers the policies defined in `spec.policy-templates` to the managed -clusters via the [policy framework controllers]({{< ref "docs/getting-started/integration/policy-controllers/policy-framework" >}}). Once on the managed -cluster, these _Policy Templates_ are acted upon by the associated controller on the managed cluster. The policy -framework supports delivering the _Policy Template_ kinds listed. +The Policy Add-on enables auditing and enforcement of configuration across clusters managed by OCM, enhancing security, +easing maintenance burdens, and increasing consistency across the clusters for your compliance and reliability +requirements. +View the following sections to learn more about the Policy Add-on: -## [Configuration policy]({{< ref "docs/getting-started/integration/policy-controllers/configuration-policy" >}}) +- ### [Policy framework]({{< ref "docs/getting-started/integration/policy-controllers/policy-framework" >}}) - The `ConfigurationPolicy` is provided by OCM and defines Kubernetes manifests to compare with objects that currently - exist on the cluster. The action that the `ConfigurationPolicy` will take is determined by its `complianceType`. - Compliance types include `musthave`, `mustnothave`, and `mustonlyhave`. `musthave` means the object should have the - listed keys and values as a subset of the larger object. `mustnothave` means an object matching the listed keys and - values should not exist. `mustonlyhave` ensures objects only exist with the keys and values exactly as defined. + Learn about the architecture of the Policy Add-on that delivers policies defined on the hub cluster to the managed + clusters and how to install and enable the add-on for your OCM clusters. -## [Open Policy Agent Gatekeeper]({{< ref "docs/getting-started/integration/policy-controllers/gatekeeper" >}}) +- ### [Policy API concepts]({{< ref "docs/getting-started/integration/policy-controllers/policy" >}}) - Gatekeeper is a validating webhook with auditing capabilities that can enforce custom resource definition-based - policies that are run with the Open Policy Agent (OPA). Gatekeeper `ConstraintTemplates` and constraints can be - provided in an OCM `Policy` to sync to managed clusters that have Gatekeeper installed on them. + Learn about the APIs that the Policy Add-on uses and how the APIs are related to one another to deliver policies to + the clusters managed by OCM. + +- ### Supported managed cluster policy engines + + - #### [Configuration policy]({{< ref "docs/getting-started/integration/policy-controllers/configuration-policy" >}}) + + The `ConfigurationPolicy` is provided by OCM and defines Kubernetes manifests to compare with objects that currently + exist on the cluster. The action that the `ConfigurationPolicy` will take is determined by its `complianceType`. + Compliance types include `musthave`, `mustnothave`, and `mustonlyhave`. `musthave` means the object should have the + listed keys and values as a subset of the larger object. `mustnothave` means an object matching the listed keys and + values should not exist. `mustonlyhave` ensures objects only exist with the keys and values exactly as defined. + + - #### [Open Policy Agent Gatekeeper]({{< ref "docs/getting-started/integration/policy-controllers/gatekeeper" >}}) + + Gatekeeper is a validating webhook with auditing capabilities that can enforce custom resource definition-based + policies that are run with the Open Policy Agent (OPA). Gatekeeper `ConstraintTemplates` and constraints can be + provided in an OCM `Policy` to sync to managed clusters that have Gatekeeper installed on them. diff --git a/content/en/docs/getting-started/integration/policy-controllers/configuration-policy.md b/content/en/docs/getting-started/integration/policy-controllers/configuration-policy.md index e30eb552c..6d54b9e63 100644 --- a/content/en/docs/getting-started/integration/policy-controllers/configuration-policy.md +++ b/content/en/docs/getting-started/integration/policy-controllers/configuration-policy.md @@ -7,7 +7,9 @@ hide_summary: true The `ConfigurationPolicy` defines Kubernetes manifests to compare with objects that currently exist on the cluster. The Configuration policy controller is provided by Open Cluster Management and runs on managed clusters. - +View the [Policy API concepts]({{< ref +"docs/getting-started/integration/policy-controllers/policy#managed-cluster-policy-controllers" >}}) page to learn more +about the `ConfigurationPolicy` API. ## Prerequisites diff --git a/content/en/docs/getting-started/integration/policy-controllers/gatekeeper.md b/content/en/docs/getting-started/integration/policy-controllers/gatekeeper.md index cea803897..a76b27608 100644 --- a/content/en/docs/getting-started/integration/policy-controllers/gatekeeper.md +++ b/content/en/docs/getting-started/integration/policy-controllers/gatekeeper.md @@ -9,8 +9,6 @@ that can enforce custom resource definition-based policies that are run with the constraints can be used to evaluate Kubernetes resource compliance. You can leverage OPA as the policy engine, and use Rego as the policy language. - - ## Installing Gatekeeper See the [Gatekeeper documentation](https://open-policy-agent.github.io/gatekeeper/website/docs/install) to install the diff --git a/content/en/docs/getting-started/integration/policy-controllers/policy-framework.md b/content/en/docs/getting-started/integration/policy-controllers/policy-framework.md index 925871742..2f82bc189 100644 --- a/content/en/docs/getting-started/integration/policy-controllers/policy-framework.md +++ b/content/en/docs/getting-started/integration/policy-controllers/policy-framework.md @@ -1,6 +1,7 @@ --- title: Policy framework -weight: 2 +weight: 1 +hide_summary: true aliases: - /getting-started/integration/policy-framework/ --- @@ -8,8 +9,6 @@ aliases: The policy framework provides governance capabilities to OCM managed Kubernetes clusters. Policies provide visibility and drive remediation for various security and configuration aspects to help IT administrators meet their requirements. - - ## API Concepts View the [Policy API]({{< ref "docs/getting-started/integration/policy-controllers/policy" >}}) page for additional details about the Policy API managed by the Policy Framework diff --git a/content/en/docs/getting-started/integration/policy-controllers/policy.md b/content/en/docs/getting-started/integration/policy-controllers/policy.md index 178088bf8..62c68ca3b 100644 --- a/content/en/docs/getting-started/integration/policy-controllers/policy.md +++ b/content/en/docs/getting-started/integration/policy-controllers/policy.md @@ -1,24 +1,17 @@ --- -title: Policy -weight: 1 +title: Policy API concepts +weight: 2 +hide_summary: true aliases: - /concepts/policy/ - /docs/concepts/policy/ --- - - ## Overview -Note: this is also covered in the -[Open Cluster Management - Configuring Your Kubernetes Fleet With the Policy Addon](https://www.youtube.com/watch?v=ZZH654t5YpI) -video. - -[![Open Cluster Management - Configuring Your Kubernetes Fleet With the Policy Addon](https://img.youtube.com/vi/ZZH654t5YpI/0.jpg)](https://www.youtube.com/watch?v=ZZH654t5YpI) - The policy framework has the following API concepts: -- [_Policy Templates_](#managed-cluster-policy-controllers) are the policies that perform a desired check or action. For +- [_Policy Templates_](#managed-cluster-policy-controllers) are the policies that perform a desired check or action on a managed cluster. For example, [ConfigurationPolicy]( {{< ref "docs/getting-started/integration/policy-controllers#install-the-configuration-policy-controller" >}}) objects are embedded in `Policy` objects under the `policy-templates` array. @@ -30,9 +23,10 @@ The policy framework has the following API concepts: [Placement]({{< ref "docs/concepts/content-placement/placement" >}}). - A [`PlacementBinding`](#placementbinding) binds a [Placement]({{< ref "docs/concepts/content-placement/placement" >}}) to a `Policy` or `PolicySet`. -The second half of the -[KubeCon NA 2022 - OCM Multicluster App & Config Management](/kubecon-na-2022-ocm-multicluster-app-and-config-management.pdf) -also covers an overview of the Policy addon. +**Additional resources:** +- View the following resources to learn more about the Policy Addon: + - Video: [Open Cluster Management - Configuring Your Kubernetes Fleet With the Policy Addon](https://www.youtube.com/watch?v=ZZH654t5YpI) + - Slides: [KubeCon NA 2022 - OCM Multicluster App & Config Management](/kubecon-na-2022-ocm-multicluster-app-and-config-management.pdf) ## Policy