Task
Resolution: Done
The GRC squad dropped the ball on updating the Policy Generator documentation. Here is a proposed Git diff of the new fields:
diff --git a/governance/policy_generator.adoc b/governance/policy_generator.adoc index c378de536..f921d6160 100644 --- a/governance/policy_generator.adoc +++ b/governance/policy_generator.adoc @@ -213,6 +213,10 @@ Note that all the fields in the `policyDefaults` section except for `namespace` | Optional | Copies the labels and annotations for all policies and adds them to a replica policy. Set to `true` by default. If set to `false`, only the policy framework specific policy labels and annotations are copied to the replicated policy. +| `policyDefaults.customMessage` +| Optional +| Configures the compliance messages emitted by the configuration policy to use one of the specified Go templates based on the current compliance. See the ConfigurationPolicy API documentation for more details. + | `policyDefaults.severity` | Optional | The severity of the policy violation. The default value is `low`. 
@@ -231,12 +235,17 @@ Note that all the fields in the `policyDefaults` section except for `namespace` | `policyDefaults.evaluationInterval` | Optional -| Use the parameters `compliant` and `noncompliant` to specify the frequency for a policy to be evaluated when in a particular compliance state. When managed clusters have low CPU resources, the evaluation interval can be increased to reduce CPU usage on the Kubernetes API. These are in the format of durations. For example, `"1h25m3s"` represents 1 hour, 25 minutes, and 3 seconds. These can also be set to "never" to avoid evaluating the policy after it has become a particular compliance state. +| Use the parameters `compliant` and `noncompliant` to specify the frequency for a policy to be evaluated when in a particular compliance state. The default value is + "watch" to leverage Kubernetes API watches instead of polling the Kubernetes API server. When managed clusters have low resources, the evaluation interval can be set to long polling intervals to reduce CPU and memory usage on the Kubernetes API and policy controller. These are in the format of durations. For example, `"1h25m3s"` represents 1 hour, 25 minutes, and 3 seconds. These can also be set to "never" to avoid evaluating the policy after it has become a particular compliance state. | `policyDefaults.pruneObjectBehavior` | Optional | Determines whether objects created or monitored by the policy should be deleted when the policy is deleted. Pruning only takes place if the remediation action of the policy has been set to `enforce`. Example values are `DeleteIfCreated`, `DeleteAll`, or `None`. The default value is `None`. +| `policyDefaults.recreateOption` +| Optional +| Describes whether to delete and recreate an object when an update is required. `IfRequired` will recreate the object when updating an immutable field. `Always` will always recreate the object if a mismatch is detected. `RecreateOption` has no effect when the `remediationAction` is `inform`. 
`IfRequired` has no effect on clusters without dry run update support. The default value is `None`. + | `policyDefaults.recordDiff` | Optional | Specifies if and where to log the difference between the object on the cluster and the `objectDefinition` in the policy. Set to `Log` to log the difference in the controller logs or `None` to not log the difference. By default, this parameter is empty to not log the difference. @@ -321,6 +330,10 @@ Note that all the fields in the `policyDefaults` section except for `namespace` | Optional | Labels that the policy includes in its `metadata.labels` section. The `policyLabels` parameter is applied for all policies unless specified in the policy. +| `policyDefaults.gatekeeperEnforcementAction` +| Optional +| Overrides the spec.enforcementAction field of a Gatekeeper constraint. This only applies to Gatekeeper constraints and is ignored by other manifests. If not set, the spec.enforcementAction field is not changed. + | `policyDefaults.policySets` | Optional | Array of policy sets that the policy joins. Policy set details can be defined in the `policySets` section. When a policy is part of a policy set, a placement binding is not generated for the policy since one is generated for the set. Set `policies[].generatePlacementWhenInSet` or `policyDefaults.generatePlacementWhenInSet` to override `policyDefaults.policySets`. 
@@ -395,7 +408,15 @@ Note that all the fields in the `policyDefaults` section except for `namespace` | `policies[].manifests[].path` | Required -| Path to a single file, a flat directory of files, or a Kustomize directory relative to the `kustomization.yaml` file. If the directory is a Kustomize directory, the generator runs Kustomize against the directory before generating the policies. If there is a requirement to process Helm charts for the Kustomize directory, set `POLICY_GEN_ENABLE_HELM` to `"true"` in the environment where the policy generator is running to enable Helm for the policy generator. +a| Path to a single file, a flat directory of files, or a Kustomize directory relative to the `kustomization.yaml` file. If the directory is a Kustomize directory, the generator runs Kustomize against the directory before generating the policies. If there is a requirement to process Helm charts for the Kustomize directory, set `POLICY_GEN_ENABLE_HELM` to `"true"` in the environment where the policy generator is running to enable Helm for the policy generator. Supported manifests include: + +1. Non-root policy type manifests such as IamPolicy, CertificatePolicy, and ConfigurationPolicy that have a "Policy" suffix. These are not modified except for patches and are directly added as a Policy's policy-templates entry. +2. Manifests containing only an `object-templates-raw` key. The corresponding value will be used directly in a generated ConfigurationPolicy without modification, which will then be added as a Policy's policy-templates entry. +3. For everything else, ConfigurationPolicy objects are generated to wrap these manifests. The resulting ConfigurationPolicy is added as a Policy's policy-templates entry. + +| `policies[].manifests[].name` +| Optional +| This name is used when ConsolidateManifests is set to false and will serve as the ConfigurationPolicy name. If multiple manifests are present in the path, an index number will be appended. 
If multiple manifests are present and their names are provided, with `consolidateManifests` set to true, the name of the first manifest will be used for all manifest paths. | `policies[].manifests[].patches` | Optional
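Review bot: the new `policyDefaults.customMessage` row in hunk `@@ -213,6 +213,10 @@` states no default and no behaviour for the unset case, while the neighbouring rows (`policyDefaults.severity`, `policyDefaults.pruneObjectBehavior`) each end with their default value; add a sentence saying what message is emitted when `customMessage` is not set. "See the ConfigurationPolicy API documentation for more details" should be an xref to that page rather than a prose pointer, and "based on the current compliance" leaves the reader guessing which keys are accepted under `customMessage` (one template, or one per compliance state); name them in the row.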
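Review bot: in the rewritten `policyDefaults.evaluationInterval` cell of hunk `@@ -231,12 +235,17 @@`, the literal values "watch" and "never" are plain-quoted while `"1h25m3s"` in the same sentence is in backticks; put all three in monospace so the literal strings stand out from the prose. In the new `policyDefaults.recreateOption` row, `RecreateOption` (the type) and `recreateOption` (the field) are both used for the same setting; use the field name as every other row does. The sentence "`IfRequired` has no effect on clusters without dry run update support" should say what the user observes instead (for example, whether the policy stays noncompliant), since the default `None` is stated but the fallback behaviour is not. Because both `IfRequired` and `Always` delete the existing object before recreating it, the row should also note that `Always` removes live objects every time any mismatch is detected, which is a disruption the reader needs to weigh before enabling it.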
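Review bot: the new `policyDefaults.gatekeeperEnforcementAction` row in hunk `@@ -321,6 +330,10 @@` writes spec.enforcementAction twice without backticks, unlike every other field reference in the table, and does not list the accepted values; list them (they are the Gatekeeper constraint's own `enforcementAction` values, such as `deny`, `dryrun` and `warn`). Since the override replaces whatever the constraint manifest set, the row should state that choosing a non-blocking value downgrades the constraint from rejecting admissions to only auditing or warning, so that a policy author does not weaken enforcement unintentionally; "is ignored by other manifests" already covers the non-Gatekeeper case.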
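Review bot: in the new `policies[].manifests[].name` row of hunk `@@ -395,7 +408,15 @@`, `ConsolidateManifests` is written in CamelCase and without backticks while the next sentence uses `consolidateManifests`; use the latter consistently. "an index number will be appended" does not give the resulting name format; one example of a generated name would remove the ambiguity. In the `a|` cell for `policies[].manifests[].path`, list item 1 says such manifests "are not modified except for patches"; add a reference to the `policies[].manifests[].patches` row that follows so readers know where those patches are defined.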
Note: Doc team updates the current version of the documentation and the two previous versions (n-2), but we address *only high-priority or customer-reported issues* for -2 releases in support.
Describe the changes in the doc and link to your dev story:
1. - [x] Mandatory: Add the required version to the Fix version/s field.
2. - [ ] Mandatory: Choose the type of documentation change or review.
- [x] We need to update to an existing topic
- [ ] We need to add a new document to an existing section
- [ ] We need a whole new section; this is a function not documented before and doesn't belong in any current section
- [ ] We need an Operator Advisory review and approval
- [ ] We need a z-Stream (Errata) Advisory and Release note for MCE and/or ACM
3. - [x] *Mandatory:* Use the following link to open the doc and find where the documentation update should go. Note: As the feature and doc are understood and developed, this placement decision may change:
- governance/policy_generator.adoc
4. - [x] Mandatory for GA content:
- [x] Add steps, the diff, known issue, and/or other important conceptual information in the following space:
- [ ] *Add Required access level* (example, *Cluster Administrator*) for the user to complete the task:
- [ ] Add verification at the end of the task: how does the user verify success (a command to run or a result to see)?
- [ ] Add link to dev story here:
5. - [ ] Mandatory for bugs: What is the diff? Clearly define what the problem is, what the change is, and link to the current documentation. Only use this for a documentation bug.