• Implement Policy as Code with roxctl
    • Product / Portfolio Work
    • ROX-27859 Policy as code for ACSCS (and other non Argo mechanisms)
    • To Do
    • ROX-27859 - Policy as code for ACSCS (and other non Argo mechanisms)

      Overview:

      The Policy as Code feature is currently only available via `config-controller` and the SecurityPolicy CR. This approach does not work for deployments of central where the end user does not have access to the Kubernetes API hosting central. This applies to hosted environments, for example the ACS Cloud Service.

      Design Document for a CS solution

      With this design, we decided to extend roxctl with commands that reconcile policy data from files against the central API.

      Requirements:

      • roxctl can reconcile JSON and/or YAML based policy definition files against central's API
      • roxctl can pre-validate policy definition files before applying them or committing them to a git repo
      • It should be possible to generate policy definition files from existing policies in central via roxctl
      • Additional documentation with at least one example of how to set up a full git-based reconciliation flow using roxctl with well-known CI tooling, for instance GitHub Actions or Tekton Pipelines

      Technical Scope:

      • The implementation should be extensible, so that future Config as Code-like efforts can be implemented as an extension of the existing reconciliation functionality. See Guidelines for Config as Code in ACS

      Out of Scope:

      • Implementing other Config as Code Objects / Features

      Outstanding Questions (Optional):

       

              rh-ee-jmalsam Johannes Malsam
              ACS Sensor & Ecosystem