Help Center> Ubiquitous Cloud Native Service> User Guide> Policy Center> Creating and Managing Policy Instances
Updated on 2024-06-17 GMT+08:00
View PDF

Creating and Managing Policy Instances

A policy instance is an instruction set used to guide the Gatekeeper to execute a specific policy definition and execution mode. They act as a collection of rules to help you enforce security policies and consistency in a Kubernetes cluster. This section describes how to create and manage policy instances.

Prerequisites

The policy center function has been enabled for a fleet or cluster.

Constraints

If you have deleted a policy instance from a cluster by running the kubectl command, you need to delete the policy instance on the console and create a policy instance again. In this way, the system delivers the new policy instance to the cluster.

Creating a Policy Instance

  1. Log in to the UCS console. In the navigation pane, choose Policy Center.
  2. In the list, find the fleet or cluster for which the policy center function has been enabled and click Create Policy Instance.
  3. Set the following parameters:

    Figure 1 Creating a policy instance
    • Policy Definition: Select one from the 33 built-in policy definitions to configure resource audit rules for your clusters or fleets. Although custom policy definitions are not supported currently, these predefined policy definitions can basically meet your compliance and security requirements. For details about policy definition, see Overview.
    • Policy Execution Mode: Interception and Alarm are supported. Interception indicates that resources that do not comply with the policy cannot be created. Alarm indicates that resources that do not comply with the policy can still be created.
    • Policy Type: Select the namespace where the policy takes effect.

  4. Click Create. After the policy is created, the system automatically distributes the policy. If the distribution is successful, the policy instance takes effect in the cluster.

    After the policy instance is successfully distributed, the action that complies with the policy instance can be executed in the cluster. If the action that does not comply with the policy instance is executed in the cluster, the action is rejected or an alarm event is reported.

Modifying or Deleting a Policy Instance

As a platform engineer, you usually need to periodically review and update policy instances, or delete policy instances that are no longer used. To perform these operations, perform the following steps:

  1. Log in to the UCS console. In the navigation pane, choose Policy Center.
  2. In the list, click the name of the fleet or cluster for which the policy center function has been enabled. The details page is displayed.
  3. In the Policy Implementation Details area, click the Policy Instances tab.
  4. Locate the target policy instance and click Edit or Delete in the Operation column to modify related parameters or delete the policy instance.

Viewing the Policy Implementation Status

On the policy details page of a fleet or cluster, you can view the policy implementation details and status, as well as non-compliant resources, alarm events, and forcible interception events. You can evaluate cluster compliance based on the data and take measures in a timely manner.

Figure 2 Policy implementation details
  • Currently, it takes about 15 to 30 minutes to report non-compliant resource statistics.
  • If non-compliant resources are not blocked or alarms are not generated after a policy instance is delivered, check whether the feature gate ValidatingAdmissionPolicy is enabled and whether the admission controllers ValidatingAdmissionWebhook and MutatingAdmissionWebhook are enabled. For details, see What does each admission controller do?
Parent topic: Policy Center