<?xml version="1.0" encoding="utf-8" standalone="yes"?><rss version="2.0" xmlns:atom="http://www.w3.org/2005/Atom"><channel><title>Fleets Policy Management on</title><link>/kosmos/fleets/permission-access-management/policy-operator/</link><description>Recent content in Fleets Policy Management on</description><generator>Hugo -- gohugo.io</generator><language>en-US</language><atom:link href="/kosmos/fleets/permission-access-management/policy-operator/index.xml" rel="self" type="application/rss+xml"/><item><title>Discover</title><link>/kosmos/fleets/permission-access-management/policy-operator/discover/</link><pubDate>Mon, 01 Jan 0001 00:00:00 +0000</pubDate><guid>/kosmos/fleets/permission-access-management/policy-operator/discover/</guid><description>overview # This page explains what Policy Controller is and how you can use it to help ensure your Kubernetes clusters and workloads are running in a secure and compliant manner.
This page is for IT administrators, Operators, and Security specialists who define IT solutions and system architecture in accordance with company strategy, and ensure that all resources running within the cloud platform meet organizational compliance requirements by providing and maintaining automation to audit or enforce.</description></item><item><title>Get Started</title><link>/kosmos/fleets/permission-access-management/policy-operator/get-started/</link><pubDate>Mon, 01 Jan 0001 00:00:00 +0000</pubDate><guid>/kosmos/fleets/permission-access-management/policy-operator/get-started/</guid><description>Install Policy Controller # This page shows you how to install Policy Controller. Policy Controller checks, audits, and enforces your clusters' compliance with policies related to security, regulations, or business rules.
This page is for IT administrators and Operators who want to ensure that all resources running within the cloud platform meet organizational compliance requirements by providing and maintaining automation to audit or enforce.
Policy Controller is available if you use KOSMOS.</description></item><item><title>Best Practices</title><link>/kosmos/fleets/permission-access-management/policy-operator/apply-best-practices-with-policy-bundles/</link><pubDate>Mon, 01 Jan 0001 00:00:00 +0000</pubDate><guid>/kosmos/fleets/permission-access-management/policy-operator/apply-best-practices-with-policy-bundles/</guid><description>Apply multiple Policy Controller bundles # This section explains how to enable Policy Controller bundles.
For more detailed information about applying and using policy bundles, read the instructions for the bundle that you want to apply using the left navigation menu. For more information about policy bundles, see the Policy Controller bundles overview.
If you installed Policy Controller using the KOSMOS console, the Samsung Security Checklist bundle is installed by default, but you can enable more bundles.</description></item><item><title>Apply Policies</title><link>/kosmos/fleets/permission-access-management/policy-operator/apply-policies/</link><pubDate>Mon, 01 Jan 0001 00:00:00 +0000</pubDate><guid>/kosmos/fleets/permission-access-management/policy-operator/apply-policies/</guid><description>Auditing using constraints # Policy Controller constraint objects enable you to enforce policies for your Kubernetes clusters. To help test your policies, you can add an enforcement action to your constraints. You can then view violations in constraint objects and logs.
This page is for IT administrators and Operators who want to ensure that all resources running within the cloud platform meet organizational compliance requirements by providing and maintaining automation to audit or enforce, and who manage the lifecycle of the underlying tech infrastructure.</description></item><item><title>Maintain Policies</title><link>/kosmos/fleets/permission-access-management/policy-operator/maintain/</link><pubDate>Mon, 01 Jan 0001 00:00:00 +0000</pubDate><guid>/kosmos/fleets/permission-access-management/policy-operator/maintain/</guid><description>Exclude namespaces from Policy Controller # This page describes how to configure exempt namespaces in Policy Controller.
Exempt namespaces remove a namespace from admission webhook enforcement with Policy Controller, but any violations are still reported in audit. If you don&amp;rsquo;t configure any namespaces, only the kosmos-policysync namespace is pre-configured as exempt from the Policy Controller admission webhook enforcement.
Configure exempt namespaces # Configuring an exemptable namespace applies the admission.gatekeeper.sh/ignore label, which exempts the namespace from Policy Controller admission webhook enforcement.</description></item><item><title>Troubleshoot</title><link>/kosmos/fleets/permission-access-management/policy-operator/troubleshoot/</link><pubDate>Mon, 01 Jan 0001 00:00:00 +0000</pubDate><guid>/kosmos/fleets/permission-access-management/policy-operator/troubleshoot/</guid><description>Troubleshoot Policy Controller # This page shows you how to resolve issues with Policy Controller.
Constraint not enforced # The following section provides troubleshooting guidance if you suspect or know your constraints aren&amp;rsquo;t being enforced.
Check if your constraint is enforced # If you&amp;rsquo;re concerned that your constraint is not enforced, you can check the spec.status of your constraint and the constraint template. To check the status, run the following command:</description></item><item><title>References</title><link>/kosmos/fleets/permission-access-management/policy-operator/reference/</link><pubDate>Mon, 01 Jan 0001 00:00:00 +0000</pubDate><guid>/kosmos/fleets/permission-access-management/policy-operator/reference/</guid><description>Constraint match section # All constraints have a match field, which defines the objects a constraint applies to. All conditions specified must be matched before an object is in-scope for a constraint.
# excludedNamespaces &amp;lt;array&amp;gt;: ExcludedNamespaces is a list of namespace names. # If defined, a constraint only applies to resources not in a listed namespace. # ExcludedNamespaces also supports a prefix or suffix based glob. For example, # `excludedNamespaces: [kube-*]` matches both `kube-system` and `kube-public`, # and `excludedNamespaces: [*-system]` matches both `kube-system` and # `gatekeeper-system`.</description></item><item><title>Test Coverage</title><link>/kosmos/fleets/permission-access-management/policy-operator/test-coverage/</link><pubDate>Mon, 01 Jan 0001 00:00:00 +0000</pubDate><guid>/kosmos/fleets/permission-access-management/policy-operator/test-coverage/</guid><description>Policy Controller QA Scenarios (Console-Only) # Target: Gatekeeper-based Policy Controller (Enable/Configure/Apply bundles via Console), supports Audit &amp;amp; Mutation
Assumptions: Cluster is user-provided. CLI/Terraform not required (some Mutation / custom policy checks may require Kubernetes-side settings).
Installation &amp;amp; Initial Settings # 1-1. Install/Enable Policy Controller # The user can enable the feature in the Console to install it on the cluster, and the expected outcomes are as follows. The items to check are as follows.</description></item></channel></rss>