* <<raw-object-template-processing,Processing raw templates in configuration policies>>
14
+
* <<resolve-hub-templates, Resolving hub templates after defining configuration policies >>
14
15
15
16
[#special-annotation-processing]
16
17
== Special annotation for reprocessing
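Review bot: the new cross-reference `<<resolve-hub-templates, Resolving hub templates after defining configuration policies >>` carries a space after the comma and before the closing `>>`, unlike the existing `<<raw-object-template-processing,Processing raw templates in configuration policies>>` entry directly above it; drop the padding so both list entries follow the same form.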
@@ -166,9 +167,64 @@ spec:
166
167
{{- end }}
167
168
----
168
169
170
+
[#resolve-hub-templates]
171
+
== Resolving hub templates after defining configuration policies
172
+
173
+
By default, if you use the hub templates in the `ConfigurationPolicy` and `OperatorPolicy` resources, you must correspond the `Policy` resources that are defined on the hub cluster with these resources.
174
+
175
+
You can define configuration policies directly on the managed clusters. For example, {gitops-short} is one that you can define configuration policies directly on the managed cluster. To resolve hub templates on the managed cluster in that situation, you can enable the `governance-standalone-hub-templating` add-on.
176
+
177
+
To enable the `governance-standalone-hub-templating` add-on, complete the following steps:
178
+
179
+
. On your hub cluster, go to the managed cluster namespace.
180
+
. Create a `ManagedClusterAddOn` resource with the `governance-standalone-hub-templating` name by using the following YAML sample:
By default, the agent on the managed cluster only has access to the `ManagedCluster` resources on the hub cluster. You can use the `.ManagedClusterLabels` template variable in the hub cluster templates inside the `ConfigurationPolicies` that are deployed directly to the managed cluster.
197
+
198
+
If you want the hub template to access other resources, such as the `lookup` or `fromConfigMap` function calls, you must add those specific permissions to the add-on group. You can add these permissions through resources, such as `Roles`, `ClusterRoles`, `RoleBindings`, and `ClusterRoleBindings`.
199
+
200
+
The name of the add-on group depends on the name of your managed cluster, but it has the following standard form: `system:open-cluster-management:cluster:<cluster name>:addon:governance-standalone-hub-templating`.
201
+
202
+
To allow access to `Configmaps` in your managed cluster namespace on your hub cluster, complete the following steps:
203
+
204
+
. Add the `Role` resource by running the following command:
205
+
206
+
+
207
+
[source,bash]
208
+
----
209
+
oc create role -n <cluster name> cm-reader --verb=get,list,watch --resource=configmaps
210
+
----
211
+
212
+
. Add the `Rolebinding` by running the following command:
. To ensure these resources on the hub cluster get backed up and restored, add the following label to each resource that you create: `cluster.open-cluster-management.io/backup`.
221
+
222
+
After you add these resources, the add-on can resolve the hub templates, and the state of the policy gets saved on a secret on the managed clusters. This secret prevents interruptions if the hub cluster becomes temporarily unavailable to the managed cluster.
223
+
169
224
[#additional-resources-hub-temp]
170
225
== Additional resources
171
226
227
+
* See xref:../business_continuity/backup_restore/backup_arch.adoc#resources-that-are-backed-up[Resources that are backed up] for more details on backing up and restoring resources.
172
228
* See xref:../governance/template_functions.adoc#template-functions[Template functions] for more details.
173
229
* Return to xref:../governance/template_support_intro.adoc#template-processing[Template processing].
174
230
* See xref:../governance/manage_policies.adoc#policy-cli-commands[Policy CLI] for tools to resolve Go templates locally.
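Review bot: the RBAC guidance in this hunk should steer readers toward namespaced grants and state what the add-on group can read once bound. The `oc create role -n <cluster name> cm-reader --verb=get,list,watch --resource=configmaps` example is correctly scoped to the managed cluster namespace, but the sentence offering `ClusterRoles` and `ClusterRoleBindings` as equivalent options would let a `ClusterRoleBinding` give the `system:open-cluster-management:cluster:<cluster name>:addon:governance-standalone-hub-templating` group hub-wide read access, so a compromised managed cluster could read those resources in every namespace on the hub; recommend `Role`/`RoleBinding` in the cluster namespace and call the cluster-wide form out as the exception. Related: "the state of the policy gets saved on a secret on the managed clusters" should say plainly that the resolved template output, including whatever the granted permissions let `lookup` or `fromConfigMap` read, is cached on the managed cluster. Wording to fix: "you must correspond the `Policy` resources that are defined on the hub cluster with these resources" (intended meaning: hub templates in `ConfigurationPolicy` and `OperatorPolicy` are only resolved when those resources are wrapped in a `Policy` on the hub), "{gitops-short} is one that you can define configuration policies directly on the managed cluster", and "other resources, such as the `lookup` or `fromConfigMap` function calls" (these are template functions, not resources). The backup step gives the label key `cluster.open-cluster-management.io/backup` without its value, and neither the `ManagedClusterAddOn` YAML sample promised in step 2 nor the `Rolebinding` command promised after the `Role` step is visible in this view; confirm both bodies are present in the file.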
@@ -76,6 +76,8 @@ See link:../observability/observe_environments_intro.adoc#observing-environments
76
76
[#governance-whats-new]
77
77
== Governance
78
78
79
+
* In earlier versions, the policy framework on the hub was required to resolve hub templates. This requirement made you have to put the `ConfigurationPolicy` into a `Policy` on the hub cluster for distribution through the `Placement`. With this update, you can use the `governance-standalone-hub-templating` add-on to resolve hub templates directly on managed clusters, when the `ConfigurationPolicy` is created outside of the policy framework.
80
+
79
81
* `ValidatingAdmissionPolicyBindings` now appear in the `Discovered` policies tab in the Governance console. Additionally, you can also see other policy types that are in your managed clusters. The `ValidatingAdmissionPolicyBindings` details include other resources on the cluster that you can use to configure its behavior.
80
82
81
83
* Gatekeeper Mutation resources now appear in the `Discovered` policies tab in the Governance console. Use the Gatekeeper Mutation resource to view details of your managed clusters, including which resources might have been mutated by these policies.
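Review bot: "This requirement made you have to put the `ConfigurationPolicy` into a `Policy` on the hub cluster for distribution through the `Placement`" reads awkwardly; suggest "so a `ConfigurationPolicy` had to be wrapped in a `Policy` on the hub cluster and distributed through a `Placement`". The entry also names the `governance-standalone-hub-templating` add-on without linking to the new "Resolving hub templates after defining configuration policies" section added in this change; since the feature requires enabling an add-on and granting it RBAC on the hub, point readers at that procedure.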