GitOps Integration
Policy exceptions can be managed and deployed using GitOps, similar to any other resource. Follow the request and approval workflow of NPM for creating and approving exceptions, but the actual deployment of these exceptions will be handled through GitOps processes.
Managing Deployment Settings
An admin user can manage the deployment settings of Policy Exception Requests.
- Go to Settings -> Policy Exceptions and click on the
Deployment
tab. The Settings page for Policy Exceptions deployment opens with the default being set toAutomatic deployment
. - Click on the radio button beside
GitOps deployment
. - Next, enter the Git repository URL under
Git repository for policy exceptions
to provide a path for mapping the available clusters to a repository branch. - Now, map the clusters that are onboarded in NPM to a branch in the Git repository. To do so:
a. Under
Cluster Expression to Branch Mappings
, selectcluster.label
orcluster.name
from the dropdown.
b. If selectedcluster.label
, select the label from the dropdown.
c. Then, select the operator type from the dropdown. The available options arein
,exists
, andcontains
.
d. Select the operator value from the dropdown or enter it manually according to the operator type and enter the branch name of the repository
e. If selectedcluster.name
, choose the operator type from the dropdown. The available options arein
, andcontains
.
f. Select the operator value from the dropdown or enter it manually according to the operator type and enter the branch name of the repository
g. Click on the+
button to add more mappings of clusters.
- Finally, click Save.
GitOps Deployment of Policy Exceptions in Action
nctl
is required for creating Pull Requests for the given Policy Exception Requests. Learn more about installing nctl and its commands from the official documentation.
To deploy Policy Exceptions through GitOps:
- Create a Policy Exception Request by following the steps mentioned here.
- After the request gets approved, the
Need to Deploy
message will be visible under the Deploy Status section in the NPM. - Go to the local terminal and verify the created Policy Exception Request by executing the following command:
nctl get policyexceptionrequest
NOTE: Login using the
nctl login npm
command to fetch policy exception requests from NPM.
- Now, create a pull request to deploy the Policy Exception by executing the following command:
This command will create PRs for all Policy Exception Requests that are in Approved
state.
nctl create pull-request
To create PR for a given Policy Exception Request, use the --per-name
argument.
nctl create pull-request --per-name <per-name>
NOTE: NCTL needs Git Personal Access Token (PAT) to be able to create pull requests on behalf of the user. Use the
nctl login github
command to set the Git login credentials.
NOTE: The Git PAT should have write access to the repository. NCTL creates a temporary branch to commit the PolicyException YAML and then creates a PR to the relevant branch mapped in NPM.
- Once the PR is created, a team member can review and merge it with the repository. Depending on the GitOps/pipeline workflow settings, the Policy Exception will be deployed to the cluster.
- Verify the deployment by going back to the Policy Exceptions in NPM to see the
Create PR Created
message displayed under the Deploy Status section. - In the case of revoking a deployed Policy Exception, after revoking the Policy Exception from the NPM, a PR needs to be created in the same way to revoke the deployed PolicyException from the cluster.