
GitOps Workflow for Policy Template



The main goal is to set up an end-to-end GitOps workflow, in a few steps, for applying policies to instances in an automated way. The policies promoted here come from the open source KubeArmor policy-template repository.

To learn more about policy templates, visit the official site.

Step 1: Generate Script

What is the policy-template CLI?

Policy-template is a command-line utility that lets the user generate the necessary policies and provides the automation scripts needed to set up a pipeline in Jenkins.

Download policy-template CLI utility

Run the following command to download the policy-template GitOps CLI utility, substituting the download URL of the CLI binary for the placeholder:

sudo curl -o policy-template <download-url> && sudo chmod a+x policy-template && sudo mv policy-template /usr/bin

Generate policy-template

Run the command below to generate the desired policy template.

sudo policy-template generate <template-name>

The command below generates a policy template in a directory named sample.

sudo policy-template generate sample


    projectId: ""
        name: ""
        location: ""
        serviceAccountId: ""
delete: false | true    
Attribute Description
gke.projectId GCP project id GKE cluster name
gke.cluster.location GKE cluster location
gke.auth.serviceAccountId Jenkins credential Id in which the GCP service account key is stored as a secret file
delete Applied polices on instance gets deleted if it is true

Setting up the service account ID as a Jenkins credential


        name: ""
        location: ""
        accessKeyId: ""
        secretAccessKey: "" 
    delete: true | false    
Attribute Description EKS cluster name
gke.cluster.location EKS cluster location
eks.auth.accessKeyId AWS access key jenkins credential ID
eks.auth.secretAccessKey AWS secret access key jenkins credential ID
delete Applied polices on instance gets deleted if it is true

Setting up the access key and secret access key as Jenkins credentials

A Jenkinsfile containing the automation script is generated automatically and reads the values provided in apply.yaml.
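Because apply.yaml is committed to the remote SCM in Step 2, every credential field in it must hold a Jenkins credential ID and never the cloud key itself. The following shell script is an added example, not part of the policy-template CLI or its generated Jenkinsfile: it checks a generated apply.yaml before it is pushed, rejecting the "true | false" placeholder, empty values, and credential fields whose value looks like a raw AWS key or a GCP service account JSON key. The two sample files it writes are constructed for the demonstration; the key-shaped values in the bad sample are made up.

```shell
#!/bin/sh
# Added example (not the policy-template CLI's own code): pre-push sanity
# check for a generated apply.yaml. Exit status 0 = pass, 1 = findings.

check_apply_yaml() {
    file="$1"
    rc=0

    # Exactly one provider block (gke: or eks:) must be present at top level.
    providers=$(grep -cE '^(gke|eks):' "$file")
    if [ "$providers" -ne 1 ]; then
        echo "expected exactly one provider block (gke: or eks:), found $providers"
        rc=1
    fi

    # 'delete' must be a literal true or false, not the generated placeholder.
    if ! grep -qE '^delete:[[:space:]]*(true|false)[[:space:]]*$' "$file"; then
        echo "delete: must be exactly true or false"
        rc=1
    fi

    # Credential fields must be Jenkins credential IDs. Flag values shaped like
    # a raw AWS access key ID (AKIA + 16 chars) or a 40-character secret key.
    if grep -qE 'accessKeyId:[[:space:]]*"?AKIA[A-Z0-9]{16}"?' "$file"; then
        echo "accessKeyId looks like a raw AWS access key, use a Jenkins credential ID"
        rc=1
    fi
    if grep -qE 'secretAccessKey:[[:space:]]*"?[A-Za-z0-9/+=]{40}"?' "$file"; then
        echo "secretAccessKey looks like a raw AWS secret, use a Jenkins credential ID"
        rc=1
    fi
    # A GCP service account key is a JSON document; the field must be an ID.
    if grep -qE 'serviceAccountId:[[:space:]]*"?\{' "$file"; then
        echo "serviceAccountId contains JSON, use a Jenkins credential ID"
        rc=1
    fi

    # No value may still be the empty string left by 'policy-template generate'.
    if grep -qE ':[[:space:]]*""[[:space:]]*$' "$file"; then
        echo "one or more values are still empty"
        rc=1
    fi
    return $rc
}

# Constructed sample: a correctly filled EKS apply.yaml (credential IDs only).
write_good_eks() {
    cat > "$1" <<'EOF'
eks:
    cluster:
        name: "demo-cluster"
        location: "us-east-1"
    auth:
        accessKeyId: "jenkins-aws-access-key"
        secretAccessKey: "jenkins-aws-secret"
delete: false
EOF
}

# Constructed sample: placeholder left in 'delete', an empty name, and a
# made-up value shaped like a raw access key ID pasted into accessKeyId.
write_bad_eks() {
    cat > "$1" <<'EOF'
eks:
    cluster:
        name: ""
        location: "us-east-1"
    auth:
        accessKeyId: "AKIAABCDEFGHIJKLMNOP"
        secretAccessKey: "jenkins-aws-secret"
delete: true | false
EOF
}

# Stand-alone demo: write both samples and report the verdict for each.
demo_good=$(mktemp); demo_bad=$(mktemp)
write_good_eks "$demo_good"; write_bad_eks "$demo_bad"
check_apply_yaml "$demo_good" && echo "good sample: OK"
check_apply_yaml "$demo_bad" || echo "bad sample: rejected"
rm -f "$demo_good" "$demo_bad"
```

Run it as `sh check_apply.sh`, or source it and call `check_apply_yaml sample/apply.yaml` from a pre-commit hook so that a file with a pasted key or an unfinished placeholder never reaches the repository in Step 2.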

To update the existing template

The command below lets the user add or update the policies in the existing template.

sudo policy-template update <template-name>


sudo policy-template update sample

To delete the applied policies

The command below lets the user delete the policies in the existing template; the Jenkins pipeline carries out the deletion once the change is pushed to the remote SCM.

sudo policy-template delete <template-name>


sudo policy-template delete sample
Once it is pushed to the SCM, Jenkins will delete the policies.

Step 2: Push to remote SCM

Run the command below to initialise the repository and push the changes to GitHub.

sudo policy-template init github


Step 3: Integrate with Automation tool

The steps below are the instructions for creating a pipeline in Jenkins.

Create an item as a multi-branch pipeline and provide the job name.


Integrate the remote SCM in it.


The branch with the Jenkinsfile in the template appears in the job list.


Click Build Now, or configure a webhook for automatic triggering. This applies the policies to the instance configured in the apply.yaml file.

