Help Center/ Ubiquitous Cloud Native Service/ User Guide/ Policy Center/ Example: Using Policy Center for Kubernetes Resource Compliance Governance
Updated on 2024-06-17 GMT+08:00

Example: Using Policy Center for Kubernetes Resource Compliance Governance

Assume that you are a platform engineer of a large enterprise. You are responsible for configuring and managing security policies for the entire infrastructure to ensure compliance of the cluster resources. With the UCS Policy Center, you can:

  • Create a unified policy instance that contains the security and compliance regulations that all teams need to comply with. In this way, you can ensure that all teams follow the same standards when using cluster resources.
  • Deploy policies automatically as the system automatically applies these policies to clusters, improving efficiency and accuracy.
  • Monitor policy implementation and quickly detect and solve problems during policy implementation.

This section describes how to use Policy Center to implement compliance governance for Kubernetes resources. The process is as follows:

Enabling the Policy Center

  1. Log in to the UCS console. In the navigation pane, choose Policy Center.
  2. Click Enable. The Enable Policy Management dialog box is displayed.
  3. Select a fleet or cluster from the drop-down list and click OK to return to the policy center.

    You will see that policy management is being enabled. Wait for about 3 minutes.

Creating a Policy Instance

  1. Log in to the UCS console. In the navigation pane, choose Policy Center.
  2. In the list, find the fleet or cluster for which the policy center function has been enabled and click Create Policy Instance.
  3. Set the following parameters:

    Figure 1 Creating a policy instance
    • Policy Definition: Select one from the 33 built-in policy definitions. This section uses k8srequiredlabels as an example. This policy definition requires resources to contain specified labels, with values matching the provided regular expressions. In this example, the label key is set to owner, and the regular expression is ^[a-zA-Z]+.agilebank.demo$.
    • Policy Execution Mode: Interception and Alarm are supported. Interception indicates that resources that do not comply with the policy cannot be created. Alarm indicates that resources that do not comply with the policy can still be created. This section uses Interception as an example.
    • Policy Type: Select the namespace where the policy takes effect. This section uses default as an example.

  4. Click Create. After the policy is created, the system automatically distributes the policy. If the distribution is successful, the policy instance takes effect in the cluster.

Verifying the Policy Instance

After the policy instance is successfully distributed, the action that complies with the policy instance can be executed in the cluster. If the action that does not comply with the policy instance is executed in the cluster, the action will be rejected (depending on the configured policy execution mode).

Create a pod in the cluster and define the label as owner: user.agilebank.demo. The pod complies with the policy instance can be created.

If the label defined in the policy instance is not included during pod creation, the pod fails to be created, and the corresponding record is generated on the Non-Compliant Resources tab page.