GitOps Integration
Contain steps to deploy policy exceptions through GitOps
Policy Exceptions are temporary deviations that are required when following the policy practices might not be possible because it can hinder operational needs.
Every policy exception request is sent to an admin for review. The admin can either accept or reject the request. If the request gets accepted, the PolicyException resource gets deployed and the user who requested the exception gets notified via email.
Policy Exception Request can be raised directly from the Policy Exceptions page or from the Policy Reports page of a particular namespace of a cluster.
Note: Existing clusters in NPM need to provide extra permissions for Policy Exception expiry feature to work. The extra permission is for the
kverno-cleanup-controller
to delete policy exceptions from the cluster. Check out thenirmata:policyexception-manager
ClusterRoleBinding in Nirmata Kube Controller to see the changes.
To raise a Policy Exception Request:
Request Policy Exception
button located on the right hand top corner of the screen. The Request Policy Exception
page opens upon filling of which, a Policy Exception Request will be raised.Immediately after approval
to apply the request immediately after approval from the reviewers.1 day
, 1 week
, 1 month
, or Never Expires
.All namespaces I own in all cluster
option. Selected namespaces and clusters
option. The namespace and clusters can be selected from the dropdown. Click on the +
button to add multiple namespaces.All Violations
option. Selected Violations
option.
c. Next, click on the Add Violations
button. This will open a sub-page that lists the available violations in the namespace along with the number of affected resources.
d. Then, select the violations from the list accordingly by clicking on the box beside the violations. The violations can be filtered according to its severity and users selecting multiple namespaces can filter the violations by namespaces as well.
e. Finally, click on Add Violations
button on the top right to add the specific violations.Request Exception
button to raise the Policy Exception Request. It will send an alert to the admin for a review.Note: The Policy Exception Request can be raised in the same way through the Policy Reports page. For that, go to the Policy Reports page and view the available namespaces. Click on any of the namespaces that will require a Policy Exception, and raise a Policy exception request by clicking on the
Request Policy Exception
button.
To view the raised Policy Exception Requests:
My requests
to filter out the requests created by you.A Nirmata Admin User can manage the approval and review settings of Policy Exception Requests as per requirements.
To manage the Policy Exception settings:
Require Two Factor Authentication (2FA) to approve a request
option will require setting up a two-factor authentication and compel user to do the two-factor authentication to approve a exception request.Automatically approve requests by Administrators
option will automatically approve policy exception requests that are raised by administrators without going through the approval process.Revoke all approvals if the requestor changes the resources or policies for the exception
option will revoke any previous approvals given to an exception request, if the user the changes any of the target selectors like cluster, violations, or namespaces for the request.Reviewers and required approvals
section by choosing any of the available options.Any Administrator or Platform user
option will allow any Admin or Platform user to review the raised exception request.Selected Administrators
option will allow only the selected Admin users for the review of the requests. Multiple Admin users can be selected from the available dropdown. An Admin user can also add or remove reviewers on specific requests.Contain steps to deploy policy exceptions through GitOps