Red Hat Summit Red Hat SummitSupportConsoleDevelopersStart a trialContact

Chapter 4. Integrating Policy Generator

By integrating the Policy Generator, you can use it to automatically build Red Hat Advanced Cluster Management for Kubernetes policies. To integrate the Policy Generator, see Policy Generator.

For an example of what you can do with the Policy Generator, see Generating a policy that installs the Compliance Operator.

4.1. Policy Generator
Copy link

The Policy Generator is a part of the Red Hat Advanced Cluster Management for Kubernetes application lifecycle subscription Red Hat OpenShift GitOps workflow that generates Red Hat Advanced Cluster Management policies using Kustomize. The Policy Generator builds Red Hat Advanced Cluster Management policies from Kubernetes manifest YAML files, which are provided through a PolicyGenerator manifest YAML file that is used to configure it. The Policy Generator is implemented as a Kustomize generator plug-in. For more information on Kustomize, read the Kustomize documentation.

View the following sections for more information:

4.1.1. Policy Generator capabilities
Copy link

The integration of the Policy Generator with the Red Hat Advanced Cluster Management application lifecycle subscription OpenShift GitOps workflow simplifies the distribution of Kubernetes resource objects to managed OpenShift Container Platform clusters, and Kubernetes clusters through Red Hat Advanced Cluster Management policies.

Use the Policy Generator to complete the following actions:

  • Convert any Kubernetes manifest files to Red Hat Advanced Cluster Management configuration policies, including manifests that are created from a Kustomize directory.
  • Patch the input Kubernetes manifests before they are inserted into a generated Red Hat Advanced Cluster Management policy.
  • Generate additional configuration policies so you can report on Gatekeeper policy violations through Red Hat Advanced Cluster Management for Kubernetes.
  • Generate policy sets on the hub cluster.

4.1.2. Policy Generator configuration structure
Copy link

The Policy Generator is a Kustomize generator plug-in that is configured with a manifest of the PolicyGenerator kind and policy.open-cluster-management.io/v1 API version. Continue reading to learn about the configuration structure:

  • To use the plug-in, add a generators section in a kustomization.yaml file. View the following example: 

    generators:
  - policy-generator-config.yaml
    1
    Copy to Clipboard Toggle word wrap
    1
    The policy-generator-config.yaml file that is referenced in the previous example is a YAML file with the instructions of the policies to generate.

  • A simple PolicyGenerator configuration file might resemble the following example: 

    apiVersion: policy.open-cluster-management.io/v1
kind: PolicyGenerator
metadata:
  name: config-data-policies
policyDefaults:
  namespace: policies
  policySets: []
policies:
  - name: config-data
    manifests:
      - path: configmap.yaml
    1
    Copy to Clipboard Toggle word wrap
    1
    The configmap.yaml represents a Kubernetes manifest YAML file to be included in the policy. Alternatively, you can set the path to a Kustomize directory, or a directory with multiple Kubernetes manifest YAML files. View the following example: 
    apiVersion: v1
kind: ConfigMap
metadata:
  name: my-config
  namespace: default
data:
  key1: value1
  key2: value2
    Copy to Clipboard Toggle word wrap

  • Use the object-templates-raw manifest to automatically generate a ConfigurationPolicy resource with the content you add. See the following examples:

    • For example, create a manifest file with the following syntax: 

      object-templates-raw: |
  {{- range (lookup "v1" "ConfigMap" "my-namespace" "").items }}
  - complianceType: musthave
    objectDefinition:
      kind: ConfigMap
      apiVersion: v1
      metadata:
        name: {{ .metadata.name }}
        namespace: {{ .metadata.namespace }}
        labels:
          i-am-from: template
  {{- end }}
      Copy to Clipboard Toggle word wrap
    • Then create a PolicyGenerator configuration file similar to the following YAML: 
    apiVersion: policy.open-cluster-management.io/v1
kind: PolicyGenerator
metadata:
  name: config-data-policies
policyDefaults:
  namespace: policies
  policySets: []
policies:
  - name: config-data
    manifests:
      - path: manifest.yaml
    1
    Copy to Clipboard Toggle word wrap
    1
    Path to your manifest.yaml file.

  • The generated Policy resource, along with the generated Placement and PlacementBinding might resemble the following example: 

    apiVersion: cluster.open-cluster-management.io/v1beta1
kind: Placement
metadata:
  name: placement-config-data
  namespace: policies
spec:
  predicates:
  - requiredClusterSelector:
      labelSelector:
        matchExpressions: []
---
apiVersion: policy.open-cluster-management.io/v1
kind: PlacementBinding
metadata:
  name: binding-config-data
  namespace: policies
placementRef:
  apiGroup: cluster.open-cluster-management.io
  kind: Placement
  name: placement-config-data
subjects:
- apiGroup: policy.open-cluster-management.io
  kind: Policy
  name: config-data
---
apiVersion: policy.open-cluster-management.io/v1
kind: Policy
metadata:
  annotations:
    policy.open-cluster-management.io/categories: CM Configuration Management
    policy.open-cluster-management.io/controls: CM-2 Baseline Configuration
    policy.open-cluster-management.io/standards: NIST SP 800-53
    policy.open-cluster-management.io/description:
  name: config-data
  namespace: policies
spec:
  disabled: false
  policy-templates:
  - objectDefinition:
      apiVersion: policy.open-cluster-management.io/v1
      kind: ConfigurationPolicy
      metadata:
        name: config-data
      spec:
        object-templates:
        - complianceType: musthave
          objectDefinition:
            apiVersion: v1
            data:
              key1: value1
              key2: value2
            kind: ConfigMap
            metadata:
              name: my-config
              namespace: default
        remediationAction: inform
        severity: low
    Copy to Clipboard Toggle word wrap

All the fields in the policyDefaults section except for namespace can be overridden for each policy, and all the fields in the policySetDefaults section can be overridden for each policy set.

Expand
Table 4.1. Parameter table
FieldOptional or requiredDescription

apiVersion

Required

Set the value to policy.open-cluster-management.io/v1.

kind

Required

Set the value to PolicyGenerator to indicate the type of policy.

metadata.name

Required

The name for identifying the policy resource.

placementBindingDefaults.name

Optional

If multiple policies use the same placement, this name is used to generate a unique name for the resulting PlacementBinding, binding the placement with the array of policies that reference it.

policyDefaults

Required

Any default value listed here is overridden by an entry in the policies array except for namespace.

policyDefaults.namespace

Required

The namespace of all the policies.

policyDefaults.complianceType

Optional

Determines the policy controller behavior when comparing the manifest to objects on the cluster. The values that you can use are musthave, mustonlyhave, or mustnothave. The default value is musthave.

policyDefaults.metadataComplianceType

Optional

Overrides complianceType when comparing the manifest metadata section to objects on the cluster. The values that you can use are musthave, and mustonlyhave. The default value is empty ({}) to avoid overriding the complianceType for metadata.

policyDefaults.categories

Optional

Array of categories to be used in the policy.open-cluster-management.io/categories annotation. The default value is CM Configuration Management.

policyDefaults.controls

Optional

Array of controls to be used in the policy.open-cluster-management.io/controls annotation. The default value is CM-2 Baseline Configuration.

policyDefaults.standards

Optional

An array of standards to be used in the policy.open-cluster-management.io/standards annotation. The default value is NIST SP 800-53.

policyDefaults.policyAnnotations

Optional

Annotations that the policy includes in the metadata.annotations section. It is applied for all policies unless specified in the policy. The default value is empty ({}).

policyDefaults.configurationPolicyAnnotations

Optional

Key-value pairs of annotations to set on generated configuration policies. For example, you can disable policy templates by defining the following parameter: {"policy.open-cluster-management.io/disable-templates": "true"}. The default value is empty ({}).

policyDefaults.copyPolicyMetadata

Optional

Copies the labels and annotations for all policies and adds them to a replica policy. Set to true by default. If set to false, only the policy framework specific policy labels and annotations are copied to the replicated policy.

policyDefaults.severity

Optional

The severity of the policy violation. The default value is low.

policyDefaults.disabled

Optional

Whether the policy is disabled, meaning it is not propagated and no status as a result. The default value is false to enable the policy.

policyDefaults.remediationAction

Optional

The remediation mechanism of your policy. The parameter values are enforce and inform. The default value is inform.

policyDefaults.namespaceSelector

Required for namespaced objects that do not have a namespace specified

Determines namespaces in the managed cluster that the object is applied to. The include and exclude parameters accept file path expressions to include and exclude namespaces by name. The matchExpressions and matchLabels parameters specify namespaces to include by label. Read the Kubernetes labels and selectors documentation. The resulting list is compiled by using the intersection of results from all parameters.

policyDefaults.evaluationInterval

Optional

Use the parameters compliant and noncompliant to specify the frequency for a policy to be evaluated when in a particular compliance state. When managed clusters have low CPU resources, the evaluation interval can be increased to reduce CPU usage on the Kubernetes API. These are in the format of durations. For example, "1h25m3s" represents 1 hour, 25 minutes, and 3 seconds. These can also be set to "never" to avoid evaluating the policy after it has become a particular compliance state.

policyDefaults.pruneObjectBehavior

Optional

Determines whether objects created or monitored by the policy should be deleted when the policy is deleted. Pruning only takes place if the remediation action of the policy has been set to enforce. Example values are DeleteIfCreated, DeleteAll, or None. The default value is None.

policyDefaults.recreateOption

Optional

Describes whether to delete and recreate an object when an update is required. The IfRequired value recreates the object when you update an immutable field. Without dry run update support, the IfRequired has no effect on clusters. The Always value always recreate the object if a mismatch is detected.

When the remediationAction parameter is set to inform the RecreateOption value has no effect. The default value is None.

policyDefaults.recordDiff

Optional

Specifies if and where to log the difference between the object on the cluster and the objectDefinition in the policy. Set to Log to log the difference in the controller logs or None to not log the difference. By default, this parameter is empty to not log the difference.

policyDefaults.dependencies

Optional

A list of objects that must be in specific compliance states before this policy is applied. Cannot be specified when policyDefaults.orderPolicies is set to true.

policyDefaults.dependencies[].name

Required

The name of the object being depended on.

policyDefaults.dependencies[].namespace

Optional

The namespace of the object being depended on. The default is the namespace of policies set for the Policy Generator.

policyDefaults.dependencies[].compliance

Optional

The compliance state the object needs to be in. The default value is Compliant.

policyDefaults.dependencies[].kind

Optional

The kind of the object. By default, the kind is set to Policy, but can also be other kinds that have compliance state, such as ConfigurationPolicy.

policyDefaults.dependencies[].apiVersion

Optional

The API version of the object. The default value is policy.open-cluster-management.io/v1.

policyDefaults.description

Optional

The description of the policy you want to create.

policyDefaults.extraDependencies

Optional

A list of objects that must be in specific compliance states before this policy is applied. The dependencies that you define are added to each policy template (for example, ConfigurationPolicy) separately from the dependencies list. Cannot be specified when policyDefaults.orderManifests is set to true.

policyDefaults.extraDependencies[].name

Required

The name of the object being depended on.

policyDefaults.extraDependencies[].namespace

Optional

The namespace of the object being depended on. By default, the value is set to the namespace of policies set for the Policy Generator.

policyDefaults.extraDependencies[].compliance

Optional

The compliance state the object needs to be in. The default value is Compliant.

policyDefaults.extraDependencies[].kind

Optional

The kind of the object. The default value is to Policy, but can also be other kinds that have a compliance state, such as ConfigurationPolicy.

policyDefaults.extraDependencies[].apiVersion

Optional

The API version of the object. The default value is policy.open-cluster-management.io/v1.

policyDefaults.ignorePending

Optional

Bypass compliance status checks when the Policy Generator is waiting for its dependencies to reach their desired states. The default value is false.

policyDefaults.orderPolicies

Optional

Automatically generate dependencies on the policies so they are applied in the order you defined in the policies list. By default, the value is set to false. Cannot be specified at the same time as policyDefaults.dependencies.

policyDefaults.orderManifests

Optional

Automatically generate extraDependencies on policy templates so that they are applied in the order you defined in the manifests list for that policy. Cannot be specified when policyDefaults.consolidateManifests is set to true. Cannot be specified at the same time as policyDefaults.extraDependencies.

policyDefaults.consolidateManifests

Optional

This determines if a single configuration policy is generated for all the manifests being wrapped in the policy. If set to false, a configuration policy per manifest is generated. The default value is true.

policyDefaults.informGatekeeperPolicies (Deprecated)

Optional

Set informGatekeeperPolicies to false to use Gatekeeper manifests directly without defining it in a configuration policy. When the policy references a violated Gatekeeper policy manifest, an additional configuration policy is generated in order to receive policy violations in Red Hat Advanced Cluster Management. The default value is true.

policyDefaults.informKyvernoPolicies

Optional

When the policy references a Kyverno policy manifest, this determines if an additional configuration policy is generated to receive policy violations in Red Hat Advanced Cluster Management, when the Kyverno policy is violated. The default value is true.

policyDefaults.policyLabels

Optional

Labels that the policy includes in its metadata.labels section. The policyLabels parameter is applied for all policies unless specified in the policy.

policyDefaults.policySets

Optional

Array of policy sets that the policy joins. Policy set details can be defined in the policySets section. When a policy is part of a policy set, a placement binding is not generated for the policy since one is generated for the set. Set policies[].generatePlacementWhenInSet or policyDefaults.generatePlacementWhenInSet to override policyDefaults.policySets.

policyDefaults.generatePolicyPlacement

Optional

Generate placement manifests for policies. Set to true by default. When set to false, the placement manifest generation is skipped, even if a placement is specified.

policyDefaults.generatePlacementWhenInSet

Optional

When a policy is part of a policy set, by default, the generator does not generate the placement for this policy since a placement is generated for the policy set. Set generatePlacementWhenInSet to true to deploy the policy with both policy placement and policy set placement. The default value is false.

policyDefaults.placement

Optional

The placement configuration for the policies. This defaults to a placement configuration that matches all clusters.

policyDefaults.placement.name

Optional

Specifying a name to consolidate placements that contain the same cluster label selectors.

policyDefaults.placement.labelSelector

Optional

Specify a placement by defining a cluster label selector using either key:value, or providing a matchExpressions, matchLabels, or both, with appropriate values. See placementPath to specify an existing file.

policyDefaults.placement.placementName

Optional

Define this parameter to use a placement that already exists on the cluster. A Placement is not created, but a PlacementBinding binds the policy to this Placement.

policyDefaults.placement.placementPath

Optional

To reuse an existing placement, specify the path relative to the location of the kustomization.yaml file. If provided, this placement is used by all policies by default. See labelSelector to generate a new Placement.

policyDefaults.placement.clusterSelector (Deprecated)

Optional

PlacementRule is deprecated. Use labelSelector instead to generate a placement. Specify a placement rule by defining a cluster selector using either key:value or by providing matchExpressions, matchLabels, or both, with appropriate values. See placementRulePath to specify an existing file.

policyDefaults.placement.placementRuleName (Deprecated)

Optional

PlacementRule is deprecated. Alternatively, use placementName to specify a placement. To use an existing placement rule on the cluster, specify the name for this parameter. A PlacementRule is not created, but a PlacementBinding binds the policy to the existing PlacementRule.

policyDefaults.placement.placementRulePath (Deprecated)

Optional

PlacementRule is deprecated. Alternatively, use placementPath to specify a placement. To reuse an existing placement rule, specify the path relative to the location of the kustomization.yaml file. If provided, this placement rule is used by all policies by default. See clusterSelector to generate a new PlacementRule.

policySetDefaults

Optional

Default values for policy sets. Any default value listed for this parameter is overridden by an entry in the policySets array.

policySetDefaults.placement

Optional

The placement configuration for the policies. This defaults to a placement configuration that matches all clusters. See policyDefaults.placement for description of this field.

policySetDefaults.generatePolicySetPlacement

Optional

Generate placement manifests for policy sets. Set to true by default. When set to false the placement manifest generation is skipped, even if a placement is specified.

policies

Required

The list of policies to create along with overrides to either the default values, or the values that are set in policyDefaults. See policyDefaults for additional fields and descriptions.

policies.description

Optional

The description of the policy you want to create.

policies[].name

Required

The name of the policy to create.

policies[].manifests

Required

The list of Kubernetes object manifests to include in the policy, along with overrides to either the default values, the values set in this policies item, or the values set in policyDefaults. See policyDefaults for additional fields and descriptions. When consolidateManifests is set to true, only complianceType, metadataComplianceType, and recordDiff can be overridden at the policies[].manifests level.

policies[].manifests[].path

Required

Path to a single file, a flat directory of files, or a Kustomize directory relative to the kustomization.yaml file. If the directory is a Kustomize directory, the generator runs Kustomize against the directory before generating the policies. If there is a requirement to process Helm charts for the Kustomize directory, set POLICY_GEN_ENABLE_HELM to true in the environment where the policy generator is running to enable Helm for the Policy Generator.

The following manifests are supported:

  • Non-root policy type manifests such as CertificatePolicy, ConfigurationPolicy, OperatorPolicy that have a Policy suffix. The previous manifests are not modified except for patches and are directly added as a policy-templates entry of the Policy resource. Gatekeeper constraints are also directly included if informGatekeeperPolicies is set to false.
  • Manifests containing only an object-templates-raw key. The corresponding value is used directly in a generated ConfigurationPolicy resource without modification, which is added as a policy-templates entry of the Policy entry.
  • For everything else, ConfigurationPolicy objects are generated to wrap the previously mentioned manifests. The resulting ConfigurationPolicy manifest is added as a policy-templates entry of the Policy resource.

policies[].manifests[].patches

Optional

A list of Kustomize patches to apply to the manifest at the path. If there are multiple manifests, the patch requires the apiVersion, kind, metadata.name, and metadata.namespace (if applicable) fields to be set so Kustomize can identify the manifest that the patch applies to. If there is a single manifest, the metadata.name and metadata.namespace fields can be patched.

policies.policyLabels

Optional

Labels that the policy includes in its metadata.labels section. The policyLabels parameter is applied for all policies unless specified in the policy.

policySets

Optional

The list of policy sets to create, along with overrides to either the default values or the values that are set in policySetDefaults. To include a policy in a policy set, use policyDefaults.policySets, policies[].policySets, or policySets.policies. See policySetDefaults for additional fields and descriptions.

policySets[].name

Required

The name of the policy set to create.

policySets[].description

Optional

The description of the policy set to create.

policySets[].policies

Optional

The list of policies to be included in the policy set. If policyDefaults.policySets or policies[].policySets is also specified, the lists are merged.

4.1.4. Additional resources
Copy link

Generate a policy that installs the Compliance Operator onto your clusters. For an operator that uses the namespaced installation mode, such as the Compliance Operator, an OperatorGroup manifest is also required.

Complete the following steps:

  1. Create a YAML file with a Namespace, a Subscription, and an OperatorGroup manifest called compliance-operator.yaml. The following example installs these manifests in the compliance-operator namespace: 

    apiVersion: v1
kind: Namespace
metadata:
  name: openshift-compliance
---
apiVersion: operators.coreos.com/v1
kind: OperatorGroup
metadata:
  name: compliance-operator
  namespace: openshift-compliance
spec:
  targetNamespaces:
    - openshift-compliance
---
apiVersion: operators.coreos.com/v1alpha1
kind: Subscription
metadata:
  name: compliance-operator
  namespace: openshift-compliance
spec:
  channel: release-0.1
  name: compliance-operator
  source: redhat-operators
  sourceNamespace: openshift-marketplace
    Copy to Clipboard Toggle word wrap

  2. Create a PolicyGenerator configuration file. View the following PolicyGenerator policy example that installs the Compliance Operator on all OpenShift Container Platform managed clusters: 

    apiVersion: policy.open-cluster-management.io/v1
kind: PolicyGenerator
metadata:
  name: install-compliance-operator
policyDefaults:
  namespace: policies
  placement:
    labelSelector:
      matchExpressions:
        - key: vendor
          operator: In
          values:
            - "OpenShift"
policies:
  - name: install-compliance-operator
    manifests:
      - path: compliance-operator.yaml
    Copy to Clipboard Toggle word wrap

  3. Add the policy generator to your kustomization.yaml file. The generators section might resemble the following configuration: 

    generators:
  - policy-generator-config.yaml
    Copy to Clipboard Toggle word wrap

    As a result, the generated policy resembles the following file: 

    apiVersion: cluster.open-cluster-management.io/v1beta1
kind: Placement
metadata:
  name: placement-install-compliance-operator
  namespace: policies
spec:
  predicates:
  - requiredClusterSelector:
      labelSelector:
        matchExpressions:
        - key: vendor
          operator: In
          values:
          - OpenShift
---
apiVersion: policy.open-cluster-management.io/v1
kind: PlacementBinding
metadata:
  name: binding-install-compliance-operator
  namespace: policies
placementRef:
  apiGroup: cluster.open-cluster-management.io
  kind: Placement
  name: placement-install-compliance-operator
subjects:
  - apiGroup: policy.open-cluster-management.io
    kind: Policy
    name: install-compliance-operator
---
apiVersion: policy.open-cluster-management.io/v1
kind: Policy
metadata:
  annotations:
    policy.open-cluster-management.io/categories: CM Configuration Management
    policy.open-cluster-management.io/controls: CM-2 Baseline Configuration
    policy.open-cluster-management.io/standards: NIST SP 800-53
    policy.open-cluster-management.io/description:
  name: install-compliance-operator
  namespace: policies
spec:
  disabled: false
  policy-templates:
    - objectDefinition:
        apiVersion: policy.open-cluster-management.io/v1
        kind: ConfigurationPolicy
        metadata:
          name: install-compliance-operator
        spec:
          object-templates:
            - complianceType: musthave
              objectDefinition:
                apiVersion: v1
                kind: Namespace
                metadata:
                  name: openshift-compliance
            - complianceType: musthave
              objectDefinition:
                apiVersion: operators.coreos.com/v1alpha1
                kind: Subscription
                metadata:
                  name: compliance-operator
                  namespace: openshift-compliance
                spec:
                  channel: release-0.1
                  name: compliance-operator
                  source: redhat-operators
                  sourceNamespace: openshift-marketplace
            - complianceType: musthave
              objectDefinition:
                apiVersion: operators.coreos.com/v1
                kind: OperatorGroup
                metadata:
                  name: compliance-operator
                  namespace: openshift-compliance
                spec:
                  targetNamespaces:
                    - compliance-operator
          remediationAction: enforce
          severity: low
    Copy to Clipboard Toggle word wrap

As a result, the generated policy is displayed.

Back to top
Red Hat logoGithubredditYoutubeTwitter

Learn

Try, buy, & sell

Communities

About Red Hat Documentation

We help Red Hat users innovate and achieve their goals with our products and services with content they can trust. Explore our recent updates.

Making open source more inclusive

Red Hat is committed to replacing problematic language in our code, documentation, and web properties. For more details, see the Red Hat Blog.

About Red Hat

We deliver hardened solutions that make it easier for enterprises to work across platforms and environments, from the core datacenter to the network edge.

Theme

© 2025 Red Hat