adoption_guide.md

Table of Contents

• Run sample policy controller locally
• Build a local container image
• Make your own policy controller
  • Change kind
  • Change CRD
  • Change CR
  • Test new CRD and CR
  • Change the logic of the execution
  • Change the test files
  • Do integration testing

Run sample policy controller locally

To build and run it locally, install operator SDK CLI from https://sdk.operatorframework.io/docs/install-operator-sdk/.

Make sure to export GO111MODULE=on as it uses go mod as dependency manager.

export GO111MODULE=on
kubectl apply -f deploy/crds/policy.open-cluster-management.io_samplepolicies_crd.yaml
operator-sdk run --local --verbose

It takes seconds for the sample policy controller to fully start. You will get the message Waiting for policies to be available for processing... once it's fully started and watching for policies.

To test a sample policy, open another command prompt to deploy the sample policy file

kubectl apply -f deploy/crds/policy.open-cluster-management.io_v1_samplepolicy_cr.yaml -n default

The local process outputs the following messages

{"level":"info","ts":1572447165.453119,"logger":"controller_samplepolicy","msg":"Reconciling SamplePolicy","Request.Namespace":"default","Request.Name":"example-samplepolicy"}
Available policies in namespaces:
namespace = kube-public/example-samplepolicy; policy = example-samplepolicy
namespace = default/example-samplepolicy; policy = example-samplepolicy

Check the sample policy resource using kubectl describe SamplePolicy example-samplepolicy -n default. The policy controller checks the cluster and reports the compliancy status in the policy. The status field in the policy is updated with the compliant status, for example-

Status:
  Compliancy Details:
    Example - Samplepolicy:
      Cluster - Wide:
        3 violations detected in namespace `cluster-wide`, there are 0 users violations and 3 groups violations
      Default:
        2 violations detected in namespace `default`, there are 0 users violations and 2 groups violations
      Kube - Public:
        0 violations detected in namespace `kube-public`, there are 0 users violations and 0 groups violations
  Compliant:  NonCompliant

Build a local container image

Using operator-sdk command

operator-sdk build redhat/multicloud-operators-policy-controller:latest

Make your own policy controller

Change kind

# replace `TestPolicy` with the name you want
for file in $(find . -name "*.go" -type f); do  sed -i "" "s/SamplePolicy/TestPolicy/g" $file; done

Change CRD

CRD definition file is located at: deploy/crds/policy.open-cluster-management.io_samplepolicies_crd.yaml

Change below section to match the kind you specified in previous step.

names:
  kind: SamplePolicy
  listKind: SamplePolicyList
  plural: samplepolicies
  singular: samplepolicy

Change CR

A sample CR is located at: deploy/crds/policy.open-cluster-management.io_v1_samplepolicy_cr.yaml

Change below section to match the kind you specified in previous step.

kind: SamplePolicy

Test new CRD and CR

Now you have created a new CRD and CR, you can repeat the step Run sample policy controller locally to see if the controller is now working with the CRD you have defined.

Change the logic of the execution

in samplepolicy_controller.go you need to change the logic in the function PeriodicallyExecSamplePolicies

Update the test files

Update the test files to test against on your new CRD

Test again

Now you should have a custom policy controller which checks policy compliancy using desired logic. You can follow the step Run sample policy controller locally again to make sure if works.