README
¶
Deprecated -- This repository is deprecated. If you want to integrate your policy engine with the governance policy framework, see the governance-policy-framework repository.
Table of Contents
Policy Controller
What is Policy Controller
The policy controllers are Kubernetes CustomResourceDefinition (CRD) instance that can integrate with Governance Risk and Compliance (GRC) framework on Red Hat Advanced Cluster Management for Kubernetes. Policy controller can monitor and report whether the Kubernetes cluster is compliant with the policy. It can also enforce the policy to bring the cluster state to compliance. This repo includes the policy controller framework with a sample policy controller.
Securing the Policy Controller
The policy controller needs to interact with the Kubernetes API server to (1) get updates on the policy CR creation/deletion/update and (2) analyze the existing Kubernetes cluster config (in this sample controller we analyze RBAC role/clusterrole bindings).
The policy controller is authenticated/authorized by the Kubernetes API based on the information defined in the service-account it uses. The default service account in the namespace is used by the controller when it is deployed as a pod (unless the spec.serviceAccountName specifies otherwise). For finer-grain control, we create a dedicated service-account for the controller and start the pod with the dedicated service-account.
It is important the limit the privileges on the controller using the principle of least privilege, in this context it means to limit (1) the access of the controller to only the resources (e.g. its CR instances) it needs to know about and (2)limit the actions to only the ones needed by the controller (e.g. read-only for certain resources).
The controller priveledges are bounded using (1) an RBAC role that only grants the service account of the controller the minimum needed permissions to perform its functionality, and (2) an RBAC rolebinding that binds the RBAC role to the controller's service account.
Community, discussion, contribution, and support
Check the CONTRIBUTING Doc for how to contribute to the repo.
You can reach the maintainers of this project at:
Getting Started
Prerequisites
Check the Development doc for how to contribute to the repo.
Trouble shooting
Please refer to Trouble shooting documentation for further information.
Developing your policy controller
Please refer to Adoption guide for further information.
References
If you have any further question about the policy controller, please refer to help documentation for further information.
Directories
¶
| Path | Synopsis |
|---|---|
|
cmd
|
|
|
pkg
|
|
|
apis/policies
Package policies contains policies API versions.
|
Package policies contains policies API versions. |
|
apis/policies/v1
Package v1 contains API Schema definitions for the policies v1 API group +k8s:deepcopy-gen=package,register +groupName=policy.open-cluster-management.io Package v1 contains API Schema definitions for the policies v1 API group +k8s:deepcopy-gen=package,register +groupName=policy.open-cluster-management.io
|
Package v1 contains API Schema definitions for the policies v1 API group +k8s:deepcopy-gen=package,register +groupName=policy.open-cluster-management.io Package v1 contains API Schema definitions for the policies v1 API group +k8s:deepcopy-gen=package,register +groupName=policy.open-cluster-management.io |