Red Hat Advanced Cluster Management / ACM-8836

Split policy generator manifests per policy by group or configurable constant


    • Type: Feature
    • Resolution: Unresolved
    • Priority: Critical

      Feature Overview

      The policy generator can accept remote Kustomize manifests, which can generate a Policy larger than Kubernetes can handle. Detecting the size of a manifest may be unnecessarily complex, but a feature that splits these manifests by API group, or by a configurable integer giving the number of policies to generate for a particular policy, would allow these large manifests to be deployed via policy. Additionally, the generator could throw a new error for policies that are definitely too large. This error may not be necessary if the message from Kustomize/ArgoCD/AppSub, shown when the manifest is applied, clearly names the policy and states that it is too large, though pointing the user to our configurations could be beneficial regardless.

      Goals

      • Allow users to split up large manifests into multiple policies to permit deployment through the policy generator without having to manually split them up.

      Requirements

      | Requirement | Notes | isMvp? |
      |---|---|---|
      | CI - MUST be running successfully with test automation | This is a requirement for ALL features. | YES |
      | Release Technical Enablement | Provide necessary release enablement details and documents. | YES |

      Background, and strategic fit

      Policy generator repo: https://github.com/open-cluster-management-io/policy-generator-plugin

      This new configuration might look something like:

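      apiVersion: policy.open-cluster-management.io/v1
      kind: PolicyGenerator
      policyDefaults:
        # Proposed: split each policy's manifests by API group
        policiesSplitByApiGroup: false
        # Proposed: number of policies to generate for a particular policy
        numPoliciesPerInput: 1
      policies:
        - name: ...
          # Per-policy overrides of the defaults above
          policiesSplitByApiGroup: false
          numPoliciesPerInput: 1
          manifests:
          - ...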

      And, if these configurations aren't used, an error like this could be thrown for a generated policy that's too large (this error may not be necessary if the message from Kustomize/ArgoCD/AppSub is clear as to the name of the policy and the fact it's too large when the manifest is applied, though having our configurations supplied to the user could be beneficial regardless):

      policy %s exceeds the maximum size for a Kubernetes object. Split up the manifests, or use policiesSplitByApiGroup or numPoliciesPerInput to split it into multiple policies.
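
The two proposed split modes, sketched in Go as an added example (not code from the policy generator). `Manifest`, `SplitByAPIGroup` and `SplitIntoN` are hypothetical names, and contiguous near-equal chunking for `numPoliciesPerInput` is an assumption, since the issue does not define how manifests would be distributed.

```go
package main

import (
	"fmt"
	"sort"
	"strings"
)

// Manifest holds the identifying fields of one Kubernetes object (hypothetical type).
type Manifest struct{ APIVersion, Kind, Name string }

// SplitByAPIGroup returns one bucket per API group, sorted by group name.
func SplitByAPIGroup(ms []Manifest) [][]Manifest {
	byGroup, names := map[string][]Manifest{}, []string{}
	for _, m := range ms {
		group := "" // core group: apiVersion "v1" has no "group/" prefix
		if i := strings.Index(m.APIVersion, "/"); i >= 0 {
			group = m.APIVersion[:i]
		}
		if _, seen := byGroup[group]; !seen {
			names = append(names, group)
		}
		byGroup[group] = append(byGroup[group], m)
	}
	sort.Strings(names)
	out := [][]Manifest{}
	for _, g := range names {
		out = append(out, byGroup[g])
	}
	return out
}

// SplitIntoN cuts ms into at most n contiguous, near-equal chunks in input order.
func SplitIntoN(ms []Manifest, n int) (out [][]Manifest) {
	if n < 1 {
		n = 1
	}
	if n > len(ms) {
		n = len(ms)
	}
	for i := 0; i < n; i++ {
		out = append(out, ms[i*len(ms)/n:(i+1)*len(ms)/n])
	}
	return out
}

func main() {
	ms := []Manifest{{"v1", "ConfigMap", "a"}, {"apps/v1", "Deployment", "b"}, {"v1", "Secret", "c"}} // constructed
	fmt.Println(SplitByAPIGroup(ms), SplitIntoN(ms, 2))
}
```

Each returned bucket would become the manifest list of one generated policy; a value of `n` larger than the input never produces empty policies.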

      Documentation Considerations

      Both the in-repo documentation and the product documentation would need to be updated with the new generator configuration values.

            showeimer Sho Weimer
            dhaiduce Dale Haiducek
            Derek Ho Derek Ho
            Sho Weimer Sho Weimer