
GitOps Workflow for Policy Template


Objective

The main goal is to set up an end-to-end GitOps workflow that applies policies to instances automatically in a few steps. The policies promoted here come from the open source KubeArmor policy-template repository.

To know more about policy templates, visit the official site.


Step 1: Generate Script

What is the policy-template CLI?

Policy-template is a command-line utility that lets the user generate the necessary policies and provides the automation scripts needed to set up a pipeline in Jenkins.

Download policy-template CLI utility

Run the following command to download the policy-template GitOps CLI utility.

sudo curl -f -o policy-template https://storage.googleapis.com/policy-gitops/latest/policy-template && sudo chmod a+x policy-template && sudo mv policy-template /usr/bin

Generate policy-template

Run the command below to generate the desired policy template.

sudo policy-template generate <template-name>

Example

The command below generates a policy template in a directory named sample.

sudo policy-template generate sample


gke:
    projectId: ""
    cluster:
        name: ""
        location: ""
    auth:
        serviceAccountId: ""
delete: false | true

Attribute                  Description
gke.projectId              GCP project ID
gke.cluster.name           GKE cluster name
gke.cluster.location       GKE cluster location
gke.auth.serviceAccountId  Jenkins credential ID under which the GCP service account key is stored as a secret file
delete                     If true, the policies applied on the instance are deleted

Setting up the service account ID as a Jenkins credential


eks:
    cluster:
        name: ""
        location: ""
    auth:
        accessKeyId: ""
        secretAccessKey: ""
delete: true | false

Attribute                  Description
eks.cluster.name           EKS cluster name
eks.cluster.location       EKS cluster location
eks.auth.accessKeyId       Jenkins credential ID holding the AWS access key
eks.auth.secretAccessKey   Jenkins credential ID holding the AWS secret access key
delete                     If true, the policies applied on the instance are deleted

Setting up the access key and secret access key as Jenkins credentials

A Jenkinsfile containing the automation script is generated automatically and reads the values provided in apply.yaml.
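Because apply.yaml is committed and pushed to SCM, it is worth linting it before every push. The following script is an added example, not part of the policy-template tool: it parses the file without PyYAML, rejects empty attributes and the template's "false | true" placeholder, and flags an AWS key pasted where a Jenkins credential ID belongs. The sample apply.yaml and the key-format heuristics are constructed assumptions.

```python
import re
# Constructed sample apply.yaml for an EKS target (not from the project). It keeps the
# "false | true" placeholder and pastes a raw AWS secret (the AWS docs example key).
SAMPLE_APPLY_YAML = """\
eks:
    cluster:
        name: "prod-cluster"
        location: "us-east-1"
    auth:
        accessKeyId: "aws-access-key-id"
        secretAccessKey: "wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY"
delete: false | true
"""
# Required attributes per provider, from the attribute tables above.
REQUIRED = {
    "gke": ["gke.projectId", "gke.cluster.name", "gke.cluster.location", "gke.auth.serviceAccountId"],
    "eks": ["eks.cluster.name", "eks.cluster.location", "eks.auth.accessKeyId", "eks.auth.secretAccessKey"],
}
# Heuristics for a real AWS credential pasted in place of a Jenkins credential ID.
SECRET_PATTERNS = {
    "eks.auth.accessKeyId": re.compile(r"^(AKIA|ASIA)[A-Z0-9]{16}$"),
    "eks.auth.secretAccessKey": re.compile(r"^[A-Za-z0-9/+=]{40}$"),
}

def parse_simple_yaml(text):
    """Parse the indentation-based subset used by apply.yaml into dotted keys (no PyYAML)."""
    result, stack = {}, []  # stack holds (indent, key) of the mappings currently open
    for raw in text.splitlines():
        if not raw.strip() or raw.lstrip().startswith("#"): continue
        indent = len(raw) - len(raw.lstrip())
        key, _, value = raw.strip().partition(":")
        while stack and stack[-1][0] >= indent: stack.pop()  # left a sibling/parent mapping
        stack.append((indent, key))
        if value.strip():
            result[".".join(k for _, k in stack)] = value.strip().strip('"')
    return result

def lint_apply_yaml(text):
    """Return the problems that should block pushing this apply.yaml to SCM."""
    cfg, problems = parse_simple_yaml(text), []
    providers = [p for p in REQUIRED if any(k.startswith(p + ".") for k in cfg)]
    for key in (k for p in providers for k in REQUIRED[p]):
        if not cfg.get(key):
            problems.append(f"{key} is missing or empty")
    if cfg.get("delete") not in ("true", "false"):
        problems.append("delete must be exactly true or false, not the template placeholder")
    for key, pattern in SECRET_PATTERNS.items():
        if pattern.match(cfg.get(key, "")):
            problems.append(f"{key} looks like a raw AWS secret; store it as a Jenkins credential")
    return problems
```

Run it as a pre-commit hook or as the first stage of the Jenkins pipeline so a misconfigured or secret-bearing apply.yaml never reaches the remote repository.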

To update the existing template

The command below lets the user add or update the policies in an existing template.

sudo policy-template update <template-name>

Example

sudo policy-template update sample

To delete the applied policies

The command below marks the policies in the existing template for deletion; the Jenkins pipeline deletes them once the change is pushed to the remote SCM.

sudo policy-template delete <template-name>

Example

sudo policy-template delete sample

Once it is pushed to SCM, Jenkins will delete the policies.


Step 2: Push to remote SCM

Run the command below to initialize the repository and push the changes to GitHub.

sudo policy-template init github



Step 3: Integrate with Automation tool

The steps below create a pipeline in Jenkins:

Create an item as a multi-branch pipeline and provide the job name.


Connect the remote SCM to it.


The branch with the Jenkinsfile in the template appears in the job list.


Click Build Now, or configure a webhook for automatic triggering. This applies the policies to the instance configured in the apply.yaml file.

