GitOps Workflow for Policy Template
Objective
The main goal is to set up an end-to-end GitOps workflow, in a few steps, for applying policies to instances in an automated way. The policies promoted here come from the open-source KubeArmor policy-template repository.
To learn more about policy templates, visit the official site.
Step 1: Generate Script
What is the policy-template CLI?
Policy-template is a command-line utility that lets the user generate the necessary policies and provides the automation scripts in order to set up a pipeline in Jenkins.
Download policy-template CLI utility
Run the following command to download the policy-template GitOps CLI utility.
sudo curl -o policy-template https://storage.googleapis.com/policy-gitops/latest/policy-template && sudo chmod a+x policy-template && sudo mv policy-template /usr/bin
Generate policy-template
Run the command below to generate the desired policy template.
sudo policy-template generate <template-name>
Example
The command below generates a policy template in a directory named sample.
sudo policy-template generate sample
gke:
  projectId: ""
  cluster:
    name: ""
    location: ""
  auth:
    serviceAccountId: ""
delete: false | true
Attribute | Description |
---|---|
gke.projectId | GCP project id |
gke.cluster.name | GKE cluster name |
gke.cluster.location | GKE cluster location |
gke.auth.serviceAccountId | Jenkins credential Id in which the GCP service account key is stored as a secret file |
delete | Applied policies on the instance are deleted if this is true |
eks:
  cluster:
    name: ""
    location: ""
  auth:
    accessKeyId: ""
    secretAccessKey: ""
delete: true | false
Attribute | Description |
---|---|
eks.cluster.name | EKS cluster name |
eks.cluster.location | EKS cluster location |
eks.auth.accessKeyId | Jenkins credential ID of the AWS access key |
eks.auth.secretAccessKey | Jenkins credential ID of the AWS secret access key |
delete | Applied policies on the instance are deleted if this is true |
To set up the access key and secret access key as Jenkins credentials
A Jenkinsfile with the automation script is generated automatically; it reads the values provided in apply.yaml.
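Because apply.yaml is committed and pushed to the remote SCM, the eks.auth and gke.auth fields must hold Jenkins credential IDs, never the cloud keys themselves. The following is an added example (not part of the policy-template CLI) of a pre-push check that validates the apply.yaml schema shown above and flags values that look like raw credentials. The schema comes from the tables above; the raw-credential heuristics (the AKIA/ASIA prefix of AWS access key IDs, a 40-character AWS secret, an inline JSON service account key) and the validate_apply / validate_file function names are assumptions of this example.

```python
"""Validate a policy-template apply.yaml before it is pushed to the remote SCM.

Added example, not part of the policy-template CLI. It checks the apply.yaml
schema shown above (gke / eks blocks plus a top-level delete flag) and flags
values that look like raw credentials instead of Jenkins credential IDs.
"""
import re

# Required non-empty leaf fields per provider, as dotted paths (from the attribute tables).
REQUIRED = {
    "gke": ["gke.projectId", "gke.cluster.name", "gke.cluster.location",
            "gke.auth.serviceAccountId"],
    "eks": ["eks.cluster.name", "eks.cluster.location",
            "eks.auth.accessKeyId", "eks.auth.secretAccessKey"],
}

# Heuristics (assumptions of this example) for values that look like real secrets.
AWS_ACCESS_KEY_RE = re.compile(r"^(AKIA|ASIA)[0-9A-Z]{16}$")
AWS_SECRET_KEY_RE = re.compile(r"^[A-Za-z0-9/+=]{40}$")


def _get(cfg, dotted):
    """Walk a dotted path through nested dicts; return None if any step is missing."""
    node = cfg
    for key in dotted.split("."):
        if not isinstance(node, dict) or key not in node:
            return None
        node = node[key]
    return node


def validate_apply(cfg):
    """Return a list of findings; an empty list means the config passes."""
    findings = []
    providers = [p for p in REQUIRED if p in cfg]
    if len(providers) != 1:
        findings.append(f"expected exactly one of {sorted(REQUIRED)}, found {providers}")
        return findings
    provider = providers[0]
    for path in REQUIRED[provider]:
        value = _get(cfg, path)
        if not isinstance(value, str) or not value.strip():
            findings.append(f"{path} must be a non-empty string")
    if not isinstance(cfg.get("delete"), bool):
        findings.append("delete must be a boolean (true or false)")
    if provider == "eks":
        ak = _get(cfg, "eks.auth.accessKeyId")
        sk = _get(cfg, "eks.auth.secretAccessKey")
        if isinstance(ak, str) and AWS_ACCESS_KEY_RE.match(ak):
            findings.append("eks.auth.accessKeyId looks like a raw AWS access key ID; "
                            "use the Jenkins credential ID instead")
        if isinstance(sk, str) and AWS_SECRET_KEY_RE.match(sk):
            findings.append("eks.auth.secretAccessKey looks like a raw AWS secret key; "
                            "use the Jenkins credential ID instead")
    else:
        sa = _get(cfg, "gke.auth.serviceAccountId")
        if isinstance(sa, str) and sa.lstrip().startswith("{"):
            findings.append("gke.auth.serviceAccountId looks like an inline service account "
                            "JSON key; use the Jenkins credential ID instead")
    return findings


def validate_file(path):
    """Load apply.yaml with PyYAML (assumed to be installed) and validate it."""
    import yaml
    with open(path) as fh:
        return validate_apply(yaml.safe_load(fh) or {})


# Constructed sample configs for demonstration; the bad one uses AWS's documented
# example key pair and a quoted "true" where a YAML boolean is expected.
GOOD_EKS = {"eks": {"cluster": {"name": "demo-cluster", "location": "us-east-1"},
                    "auth": {"accessKeyId": "jenkins-aws-access-key-id",
                             "secretAccessKey": "jenkins-aws-secret-key"}},
            "delete": False}

BAD_EKS = {"eks": {"cluster": {"name": "demo-cluster", "location": ""},
                   "auth": {"accessKeyId": "AKIAIOSFODNN7EXAMPLE",
                            "secretAccessKey": "wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY"}},
           "delete": "true"}

if __name__ == "__main__":
    import sys
    findings = validate_file(sys.argv[1]) if len(sys.argv) > 1 else validate_apply(BAD_EKS)
    for finding in findings:
        print("FINDING:", finding)
    sys.exit(1 if findings else 0)
```

Run it as `python check_apply.py sample/apply.yaml` before `policy-template init github`; a non-zero exit blocks the push in a pre-commit hook. With no argument it validates the constructed BAD_EKS sample and reports four findings.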
To update the existing template
The command below lets the user add or update the policies in an existing template.
sudo policy-template update <template-name>
Example
sudo policy-template update sample
To delete the applied policies
The command below lets the user delete the policies in an existing template; the deletion is carried out by the Jenkins pipeline once the change is pushed to the remote SCM.
sudo policy-template delete <template-name>
Example
sudo policy-template delete sample

Step 2: Push to remote SCM
Run the command below to initialize the repository and push the changes to GitHub.
sudo policy-template init github
Step 3: Integrate with Automation tool
The steps below describe how to create a pipeline in Jenkins.
Create an item as a multi-branch pipeline and provide the job name.
Configure the remote SCM as its source.
The branch containing the template's Jenkinsfile appears in the job list.
Click Build Now, or configure a webhook for automatic triggering. The build applies the policies to the instance configured in the apply.yaml file.