Policy Sets

Policy Groups

Policy Sets are a collection of individual policies that allow a set of configuration standards to be applied to various objects within the Kubernetes clusters. These policies can address areas of security, configuration control, monitoring, and so on. Policy Sets are enabled by default with the NPMK product or added as a Kyverno Add-On to the cluster within the Nirmata Full Edition.

Within the NPMK, Policy Sets are accessed within the Main Menu. However, for the Nirmata Full Edition, Policy Sets can be accessed within the main navigation menu (the three horizontal dashes to the left of the Nirmata logo), then clicking on Policies and lastly Policy Sets. All existing Policy Sets are displayed within the main work pane.

Nirmata establishes three default Policy Sets: Best Practices, Multi Tenancy and Pod Security. These are created automatically whenever a new tenant is created. These specific Policy Sets CANNOT be modified, because they are sourced from the Nirmata git repository.


Details of an existing Policy Set can be accessed simply by clicking on the desired item. This displays each individual policy associated with that Policy Set. Each policy is hyperlinked, and its details can be viewed by clicking the link. The details page includes information such as a brief description of the policy's objective, the category it is associated with, and who created it and when. The policy's YAML can be viewed by clicking the applicable link in the top right corner.

To create a new Policy Set, from the Policy Sets page, click the Add Policy Set button in the upper right corner. This will display two options:
a) Git - Using this option, you can create a Policy Set from an existing git repository.
b) YAML - Using this option, you can create a Policy Set by uploading YAML files directly.

Choose one of the options. This displays a form for the Policy Set details, including the name of the new Policy Set. Further down the form, one can select whether to enable Kustomize. If this option is selected, further configuration is required to determine whether this is Fixed Kustomize or Target-Based, and finally which YAML file to work from.

At the bottom of the screen, click the Cluster Selector pull-down to provide Matching Labels or Matching Expressions that identify the specific target clusters this Policy Set will be applied to.
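Because the Cluster Selector decides which clusters receive every policy in the set, it is worth being able to predict its effect before saving. The following added example (not Nirmata's code) assumes the Cluster Selector uses the standard Kubernetes label-selector semantics: all Matching Labels must be equal, all Matching Expressions must hold, and an empty selector matches every cluster. The cluster inventory and labels are constructed for illustration.

```python
"""Predict which clusters a Policy Set's Cluster Selector would target.

Added example, not Nirmata's code. It assumes the Cluster Selector follows
standard Kubernetes label-selector semantics (matchLabels AND matchExpressions,
operators In / NotIn / Exists / DoesNotExist, empty selector matches all).
"""

# Constructed sample inventory: cluster name -> its labels
CLUSTERS = {
    "prod-east": {"env": "prod", "region": "us-east", "tier": "pci"},
    "prod-west": {"env": "prod", "region": "us-west"},
    "dev-sandbox": {"env": "dev", "region": "us-east"},
}


def _expr_matches(labels, expr):
    """Evaluate one Matching Expression against a cluster's labels."""
    key, op = expr["key"], expr["operator"]
    values = expr.get("values", [])
    present = key in labels
    if op == "In":
        return present and labels[key] in values
    if op == "NotIn":
        # Kubernetes semantics: a missing key also satisfies NotIn
        return not present or labels[key] not in values
    if op == "Exists":
        return present
    if op == "DoesNotExist":
        return not present
    raise ValueError(f"unknown operator: {op}")


def selector_matches(labels, selector):
    """True when every Matching Label equals and every Matching Expression holds."""
    for key, value in selector.get("matchLabels", {}).items():
        if labels.get(key) != value:
            return False
    return all(_expr_matches(labels, e) for e in selector.get("matchExpressions", []))


def selector_is_unrestricted(selector):
    """An empty selector targets every cluster; flag it so it is not saved by accident."""
    return not selector.get("matchLabels") and not selector.get("matchExpressions")


def targeted_clusters(selector, clusters=CLUSTERS):
    """Sorted names of the clusters the selector would apply the Policy Set to."""
    return sorted(name for name, labels in clusters.items() if selector_matches(labels, selector))


if __name__ == "__main__":
    # Target production clusters that are not in the PCI tier
    selector = {
        "matchLabels": {"env": "prod"},
        "matchExpressions": [{"key": "tier", "operator": "NotIn", "values": ["pci"]}],
    }
    if selector_is_unrestricted(selector):
        print("warning: selector matches every cluster")
    print(targeted_clusters(selector))  # ['prod-west']
```

Running the selector against the inventory before saving shows the exact set of clusters the policies will reach; an empty selector is called out separately, since it silently widens the scope of every policy in the set to all clusters.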