Policy Configuration (Enterprise)
Goal
Users sometimes need to enforce the same policy (or policies) with different configurations (parameters) for different targets: applications, resources, or namespaces.
Schema
A new PolicyConfig CRD allows a policy to be used with multiple configurations: each PolicyConfig sets policy parameters for the applications, resources, or namespaces selected by its match. The schema is shown below, with a match on one of the following targets.
Match by namespaces
apiVersion: pac.weave.works/v2beta2
kind: PolicyConfig # policy config resource kind
metadata:
  name: my-config # policy config name
spec:
  match: # matches (targets of the policy config)
    namespaces: # add one or more namespaces
    - dev
    - prod
  config: # config for policies [one or more]
    weave.policies.containers-minimum-replica-count:
      parameters:
        replica_count: 3
Match by apps
apiVersion: pac.weave.works/v2beta2
kind: PolicyConfig # policy config resource kind
metadata:
  name: my-config # policy config name
spec:
  match: # matches (targets of the policy config)
    apps: # add one or more apps [HelmRelease, Kustomization]
    - kind: HelmRelease
      name: my-app # app name
      namespace: flux-system # app namespace [if empty, matches in any namespace]
  config: # config for policies [one or more]
    weave.policies.containers-minimum-replica-count:
      parameters:
        replica_count: 3
Match by resources
apiVersion: pac.weave.works/v2beta2
kind: PolicyConfig # policy config resource kind
metadata:
  name: my-config # policy config name
spec:
  match: # matches (targets of the policy config)
    resources: # add one or more resources [Deployment, ReplicaSet, ..]
    - kind: Deployment
      name: my-deployment # resource name
      namespace: default # resource namespace [if empty, matches in any namespace]
  config: # config for policies [one or more]
    weave.policies.containers-minimum-replica-count:
      parameters:
        replica_count: 3
Priority of enforcing multiple configs with overlapping targets [from low to high]
- Policy configs that target a namespace.
- Policy configs that target an application in all namespaces.
- Policy configs that target an application in a specific namespace.
- Policy configs that target a Kubernetes resource in all namespaces.
- Policy configs that target a Kubernetes resource in a specific namespace.
Note:
- All matching configs are applied in order from lowest to highest priority, so when two configs set the same parameter the value from the higher-priority config wins.
- Each config only affects the parameters defined in it; parameters it does not mention keep the value set by lower-priority configs (or the policy default).
- Because a config targeting a single resource overrides one targeting its namespace, a PolicyConfig scoped to one resource can relax a parameter that was tightened namespace-wide. Control who may create PolicyConfig objects with that in mind.
Example
We have a Kustomization application app-a and a deployment deployment-1 that is part of this application.
apiVersion: pac.weave.works/v2beta2
kind: PolicyConfig
metadata:
  name: my-config-1
spec:
  match:
    namespaces:
    - flux-system
  config:
    weave.policies.containers-minimum-replica-count:
      parameters:
        replica_count: 2
        owner: owner-1
---
apiVersion: pac.weave.works/v2beta2
kind: PolicyConfig
metadata:
  name: my-config-2
spec:
  match:
    apps:
    - kind: Kustomization
      name: app-a
  config:
    weave.policies.containers-minimum-replica-count:
      parameters:
        replica_count: 3
---
apiVersion: pac.weave.works/v2beta2
kind: PolicyConfig
metadata:
  name: my-config-3
spec:
  match:
    apps:
    - kind: Kustomization
      name: app-a
      namespace: flux-system
  config:
    weave.policies.containers-minimum-replica-count:
      parameters:
        replica_count: 4
---
apiVersion: pac.weave.works/v2beta2
kind: PolicyConfig
metadata:
  name: my-config-4
spec:
  match:
    resources:
    - kind: Deployment
      name: deployment-1
  config:
    weave.policies.containers-minimum-replica-count:
      parameters:
        replica_count: 5
        owner: owner-4
---
apiVersion: pac.weave.works/v2beta2
kind: PolicyConfig
metadata:
  name: my-config-5
spec:
  match:
    resources:
    - kind: Deployment
      name: deployment-1
      namespace: flux-system
  config:
    weave.policies.containers-minimum-replica-count:
      parameters:
        replica_count: 6
In the above example, when you apply all 5 configurations:
- Deployment deployment-1 in namespace flux-system (part of app-a) is affected by my-config-5, which matches it by kind, name and namespace. Note: deployment-1 deployed in any namespace other than flux-system is not affected by this configuration. Final config values will be as follows:
  config:
    weave.policies.containers-minimum-replica-count:
      parameters:
        replica_count: 6 # from my-config-5
        owner: owner-4 # from my-config-4
- For deployment deployment-1 in namespace flux-system, replica_count must be >= 6.
- It is also affected by my-config-4 for the owner parameter: owner: owner-4.
When you apply only my-config-1, my-config-2, my-config-3 and my-config-4:
- my-config-4 is applied on the policies defined in it, which affects deployment deployment-1 in all namespaces, as it matches kind and name only. Final config values will be as follows:
  config:
    weave.policies.containers-minimum-replica-count:
      parameters:
        replica_count: 5 # from my-config-4
        owner: owner-4 # from my-config-4
- For deployment deployment-1 in all namespaces, replica_count must be >= 5.
- It is also affected by my-config-4 for the owner parameter: owner: owner-4.
When you apply only my-config-1, my-config-2 and my-config-3:
- my-config-3 is applied on the policies defined in it, which affects application app-a and all the resources in it in namespace flux-system, as it matches kind, name and namespace. Note: app-a deployed in any namespace other than flux-system is not affected by this configuration. Final config values will be as follows:
  config:
    weave.policies.containers-minimum-replica-count:
      parameters:
        replica_count: 4 # from my-config-3
        owner: owner-1 # from my-config-1
- For application app-a and all the resources in it in namespace flux-system, replica_count must be >= 4.
- It is also affected by my-config-1 for the owner parameter: owner: owner-1.
When you apply only my-config-1 and my-config-2:
- my-config-2 is applied on the policies defined in it, which affects application app-a and all the resources in it in all namespaces, as it matches kind and name only. Final config values will be as follows:
  config:
    weave.policies.containers-minimum-replica-count:
      parameters:
        replica_count: 3 # from my-config-2
        owner: owner-1 # from my-config-1 (only in flux-system, the namespace my-config-1 targets)
- For application app-a and all the resources in it in all namespaces, replica_count must be >= 3.
- In namespace flux-system it is also affected by my-config-1 for the owner parameter: owner: owner-1.
When you apply only my-config-1:
- my-config-1 is applied on the policies defined in it, which affects namespace flux-system with all the applications and resources in it, as it matches by namespace only. Final config values will be as follows:
  config:
    weave.policies.containers-minimum-replica-count:
      parameters:
        replica_count: 2 # from my-config-1
        owner: owner-1 # from my-config-1
- For any application or resource in namespace flux-system, replica_count must be >= 2.
- It is also affected by my-config-1 for the owner parameter: owner: owner-1.
Note: a single PolicyConfig can configure one or more policies, as in the following example:
---
apiVersion: pac.weave.works/v2beta2
kind: PolicyConfig
metadata:
  name: my-app-config
spec:
  match:
    resources: # a list, as in the examples above
    - kind: Deployment
      name: my-deployment
  config:
    weave.policies.policy-1:
      parameters: # the key is parameters, consistent with the schema above
        replica_count: 3
    weave.policies.policy-2:
      parameters:
        run_as_root: true
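To make the precedence rules and the worked example above concrete, here is an added Go example (written for this page; it is not the policy agent's own code) that models the five PolicyConfigs from the example, ranks each one against a target using the page's low-to-high list, and merges parameters in that order so that a higher-ranked config overrides a lower one key by key. The Target type, the rank numbers, the tie-break between equal-ranked configs (input order) and the choice of a config's highest matching selector are all assumptions made for the example; only the five configs and the expected results come from the page.

```go
package main

import (
	"fmt"
	"sort"
)

// Target is the object being evaluated: a Kubernetes resource plus the Flux
// application (Kustomization or HelmRelease) that deployed it, if any.
// Constructed for this example; not the policy agent's own model.
type Target struct {
	Kind, Name, Namespace          string // the resource
	AppKind, AppName, AppNamespace string // the deploying app, "" if none
}

// ObjectMatch is one entry of spec.match.apps or spec.match.resources.
// An empty Namespace matches in any namespace, as on the page.
type ObjectMatch struct{ Kind, Name, Namespace string }

// PolicyConfig mirrors the parts of the CRD used here: spec.match and
// spec.config (policy ID -> parameter name -> value).
type PolicyConfig struct {
	Name       string
	Namespaces []string      // spec.match.namespaces
	Apps       []ObjectMatch // spec.match.apps
	Resources  []ObjectMatch // spec.match.resources
	Config     map[string]map[string]any
}

// rank returns the precedence of pc for t following the page's list, or -1 if
// pc does not target t: 0 namespace, 1 app in any namespace, 2 app in a
// namespace, 3 resource in any namespace, 4 resource in a namespace.
// A config matching through several selectors takes its highest rank (assumption).
func rank(pc PolicyConfig, t Target) int {
	best := -1
	bump := func(r int) {
		if r > best {
			best = r
		}
	}
	for _, ns := range pc.Namespaces {
		if ns == t.Namespace {
			bump(0)
		}
	}
	for _, a := range pc.Apps {
		if t.AppKind != "" && a.Kind == t.AppKind && a.Name == t.AppName {
			switch a.Namespace {
			case "":
				bump(1)
			case t.AppNamespace:
				bump(2)
			}
		}
	}
	for _, r := range pc.Resources {
		if r.Kind == t.Kind && r.Name == t.Name {
			switch r.Namespace {
			case "":
				bump(3)
			case t.Namespace:
				bump(4)
			}
		}
	}
	return best
}

// Resolve returns the effective parameters of policyID for t. Matching configs
// are applied from lowest to highest rank and each config only touches the
// parameters it defines, so higher ranks override lower ones key by key.
// Equal ranks are applied in input order (assumption; the page defines no tie-break).
func Resolve(configs []PolicyConfig, t Target, policyID string) map[string]any {
	type ranked struct {
		r  int
		pc PolicyConfig
	}
	var applicable []ranked
	for _, pc := range configs {
		if r := rank(pc, t); r >= 0 {
			applicable = append(applicable, ranked{r, pc})
		}
	}
	sort.SliceStable(applicable, func(i, j int) bool { return applicable[i].r < applicable[j].r })
	out := map[string]any{}
	for _, a := range applicable {
		for k, v := range a.pc.Config[policyID] {
			out[k] = v
		}
	}
	return out
}

const policy = "weave.policies.containers-minimum-replica-count"

func params(m map[string]any) map[string]map[string]any { return map[string]map[string]any{policy: m} }

// PageConfigs builds my-config-1 .. my-config-5 exactly as in the example above.
func PageConfigs() []PolicyConfig {
	return []PolicyConfig{
		{Name: "my-config-1", Namespaces: []string{"flux-system"}, Config: params(map[string]any{"replica_count": 2, "owner": "owner-1"})},
		{Name: "my-config-2", Apps: []ObjectMatch{{"Kustomization", "app-a", ""}}, Config: params(map[string]any{"replica_count": 3})},
		{Name: "my-config-3", Apps: []ObjectMatch{{"Kustomization", "app-a", "flux-system"}}, Config: params(map[string]any{"replica_count": 4})},
		{Name: "my-config-4", Resources: []ObjectMatch{{"Deployment", "deployment-1", ""}}, Config: params(map[string]any{"replica_count": 5, "owner": "owner-4"})},
		{Name: "my-config-5", Resources: []ObjectMatch{{"Deployment", "deployment-1", "flux-system"}}, Config: params(map[string]any{"replica_count": 6})},
	}
}

func main() {
	cfgs := PageConfigs()
	inFlux := Target{"Deployment", "deployment-1", "flux-system", "Kustomization", "app-a", "flux-system"}
	fmt.Println(Resolve(cfgs, inFlux, policy)) // map[owner:owner-4 replica_count:6]
	// Same deployment and app in namespace dev: only my-config-2 and my-config-4 match.
	inDev := Target{"Deployment", "deployment-1", "dev", "Kustomization", "app-a", "dev"}
	fmt.Println(Resolve(cfgs, inDev, policy)) // map[owner:owner-4 replica_count:5]
	// Only my-config-1..3 applied to another deployment of app-a in flux-system.
	other := Target{"Deployment", "deployment-2", "flux-system", "Kustomization", "app-a", "flux-system"}
	fmt.Println(Resolve(cfgs[:3], other, policy)) // map[owner:owner-1 replica_count:4]
}
```

Running it reproduces the page's numbers (6/owner-4 with all five configs, 4/owner-1 with the first three) and also shows the case the page only states in prose: for deployment-1 outside flux-system, the namespace-scoped my-config-1, my-config-3 and my-config-5 drop out and the namespace-agnostic my-config-4 sets replica_count to 5.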