set-enforcement-action
Set the enforcement action for policy constraints to deny or dryrun
Overview
Applies the supplied enforcement action on policy constraints within a package.
Policy Controller allows users to define constraints to enforce policies for your Kubernetes clusters.
This function provides a quick way for users to set the spec.enforcementAction attribute to:
- dryrun for auditing the cluster for policy violations, or
- warn for letting non-compliant resources be applied to the cluster with warnings, or
- deny for enforcing the constraints and denying the resource application altogether
Usage
The function will execute as follows:
- Searches for resources with apiVersion: constraints.gatekeeper.sh/v1beta1
- Applies the enforcement action value provided in the Kptfile to the following element: spec.enforcementAction
The set-enforcement-action function can be executed imperatively as follows:
$ kpt fn eval -i ghcr.io/kptdev/krm-functions-catalog/set-enforcement-action:v0.1 -- enforcementAction=deny
To execute set-enforcement-action declaratively, include the function in the kpt package pipeline as follows:
...
pipeline:
  mutators:
    - image: ghcr.io/kptdev/krm-functions-catalog/set-enforcement-action:v0.1
      configMap:
        enforcementAction: deny
...
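As an added illustration (not the function's source code), the Python below models the selection and mutation described under Usage on already-parsed resources, and adds a check that lists constraints that would not block violations, which is useful as a CI gate before a package is promoted. The helper names, the sample package and the choice to create a missing spec are assumptions; treating an unset field as deny follows Gatekeeper's default.

```python
CONSTRAINT_API_VERSION = "constraints.gatekeeper.sh/v1beta1"
VALID_ACTIONS = {"deny", "dryrun", "warn"}
DEFAULT_ACTION = "deny"  # Gatekeeper's default when the field is unset

def is_constraint(resource):
    return resource.get("apiVersion") == CONSTRAINT_API_VERSION

def effective_action(resource):
    return (resource.get("spec") or {}).get("enforcementAction", DEFAULT_ACTION)

def set_enforcement_action(resources, action):
    """Set spec.enforcementAction on every constraint; return the changes made."""
    if action not in VALID_ACTIONS:
        raise ValueError(f"unsupported enforcementAction: {action!r}")
    changes = []
    for res in filter(is_constraint, resources):
        old = effective_action(res)
        # Assumption: a missing or empty spec is created so the action is explicit.
        spec = res.get("spec") or {}
        res["spec"] = spec
        spec["enforcementAction"] = action
        if old != action:
            changes.append((res["kind"], res["metadata"]["name"], old, action))
    return changes

def not_enforcing(resources):
    """Names of constraints that only audit or warn instead of denying."""
    return [r["metadata"]["name"] for r in resources
            if is_constraint(r) and effective_action(r) != "deny"]

# Constructed sample package: two constraints and one unrelated resource.
PACKAGE = [
    {"apiVersion": CONSTRAINT_API_VERSION, "kind": "K8sRequiredLabels",
     "metadata": {"name": "ns-must-have-owner"},
     "spec": {"enforcementAction": "dryrun"}},
    {"apiVersion": CONSTRAINT_API_VERSION, "kind": "K8sAllowedRepos",
     "metadata": {"name": "trusted-registries"}, "spec": {}},
    {"apiVersion": "v1", "kind": "ConfigMap",
     "metadata": {"name": "settings"}, "data": {"enforcementAction": "warn"}},
]

if __name__ == "__main__":
    print("not enforcing before:", not_enforcing(PACKAGE))
    print("changes:", set_enforcement_action(PACKAGE, "deny"))
    print("not enforcing after:", not_enforcing(PACKAGE))
```

A non-empty result from `not_enforcing` on a package destined for a production cluster means some policies are still audit-only there.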