Open lb4368 opened 3 years ago
Notes from 6/15/21 design meeting:
e.g. https://github.com/open-policy-agent/gatekeeper-library/blob/master/library/pod-security-policy/users/template.yaml
e.g. https://github.com/open-policy-agent/gatekeeper-library/tree/master/library/pod-security-policy/users
manifests/function/gatekeeper/policies/
manifests/function/gatekeeper/policies/<policy-name>
manifests/function/gatekeeper/policies/<policy-name>/
manifests/function/gatekeeper/policies/<policy-name>/kustomization.yaml
manifests/function/gatekeeper/policies/<policy-name>/template.yaml
manifests/function/gatekeeper/policies/instances/
manifests/function/gatekeeper/policies/instances/<instance-of-policy-x-name>
manifests/function/gatekeeper/policies/instances/<instance-of-policy-x-name>/kustomization.yaml
manifests/function/gatekeeper/policies/instances/<instance-of-policy-x-name>/constraint.yaml
manifests/function/gatekeeper/policies/instances/<instance-of-policy-x-name>/replacements/… || TBD if we use catalogue info for defining the constraints
manifests/composite/gatekeeper/<name of policy group>
manifests/composite/gatekeeper/<name of policy group>/kustomization.yaml
… Uses Instance of policy as resources.
manifests/composite/gatekeeper/<name of policy group>/replacements/kustomization.yaml
Will keep this as a TBD, expect we might need to deliver policies in multiple phases, yet to be determined.
Some basic constraint templates that could be included from the Gatekeeper policy library (https://www.github.com/open-policy-agent/gatekeeper-library):
Please assign this issue to me
As per discussion on 11/16/2021, Gatekeeper functionality is not required.
Problem description
With the delivery of the Gatekeeper manifest function (#167), we will begin to define policy constraint templates and associated constraint instances for policies to be enforced within treasuremap or for use within downstream sites. Would like to come up with a manifest structure for organizing these separate from the Gatekeeper install function itself and delivering these during site deployment.
Proposed change