articles/azure-arc/kubernetes/use-azure-policy-flux-2.md
19 additions & 19 deletions
@@ -16,29 +16,31 @@ To use Azure Policy, select a built-in policy definition and create a policy ass
16
16
17
17
Once the assignment is created, the Azure Policy engine identifies all Azure Arc-enabled Kubernetes clusters located within the scope and applies the GitOps configuration to each cluster.
18
18
19
-
To enable separation of concerns, you can create multiple policy assignments, each with a different Flux v2 configuration pointing to a different source. For example, one Git repository may be used by cluster admins and other repositories may be used by application teams.
19
+
To enable separation of concerns, you can create multiple policy assignments, each with a different Flux v2 configuration pointing to a different source. For example, one Git repository can be used by cluster admins while other repositories can be used by application teams.
20
20
21
21
## Built-in policy definitions
22
22
23
23
The following [built-in policy definitions](policy-reference.md) provide support for these scenarios:
24
24
25
-
* Flux extension install (required for all scenarios): `Configure installation of Flux extension on Kubernetes cluster`
26
-
* Flux configuration using public Git repository (generally a test scenario): `Configure Kubernetes clusters with Flux v2 configuration using public Git repository`
27
-
* Flux configuration using private Git repository with SSH auth: `Configure Kubernetes clusters with Flux v2 configuration using Git repository and SSH secrets`
28
-
* Flux configuration using private Git repository with HTTPS auth: `Configure Kubernetes clusters with Flux v2 configuration using Git repository and HTTPS secrets`
29
-
* Flux configuration using private Git repository with HTTPS CA cert auth: `Configure Kubernetes clusters with Flux v2 configuration using Git repository and HTTPS CA Certificate`
30
-
* Flux configuration using private Git repository with local K8s secret: `Configure Kubernetes clusters with Flux v2 configuration using Git repository and local secrets`
31
-
* Flux configuration using private Bucket source and KeyVault secrets: `Configure Kubernetes clusters with Flux v2 configuration using Bucket source and secrets in KeyVault`
32
-
* Flux configuration using private Bucket source and local K8s secret: `Configure Kubernetes clusters with specified Flux v2 Bucket source using local secrets`
25
+
|Description |Policy |
26
+
|---------|---------|
27
+
|Flux extension install (required for all scenarios) |`Configure installation of Flux extension on Kubernetes cluster`|
28
+
|Flux configuration using public Git repository (generally a test scenario) |`Configure Kubernetes clusters with Flux v2 configuration using public Git repository`|
29
+
|Flux configuration using private Git repository with SSH auth |`Configure Kubernetes clusters with Flux v2 configuration using Git repository and SSH secrets`|
30
+
|Flux configuration using private Git repository with HTTPS auth |`Configure Kubernetes clusters with Flux v2 configuration using Git repository and HTTPS secrets`|
31
+
|Flux configuration using private Git repository with HTTPS CA cert auth |`Configure Kubernetes clusters with Flux v2 configuration using Git repository and HTTPS CA Certificate`|
32
+
|Flux configuration using private Git repository with local K8s secret |`Configure Kubernetes clusters with Flux v2 configuration using Git repository and local secrets`|
33
+
|Flux configuration using private Bucket source and KeyVault secrets |`Configure Kubernetes clusters with Flux v2 configuration using Bucket source and secrets in KeyVault`|
34
+
|Flux configuration using private Bucket source and local K8s secret |`Configure Kubernetes clusters with specified Flux v2 Bucket source using local secrets`|
33
35
34
-
To find all of the Flux v2 policy definitions, search for **flux**.
36
+
To find all of the Flux v2 policy definitions, search for **flux**. For more information, see [Azure policy built-in definitions for Azure Arc-enabled Kubernetes](policy-reference.md).
35
37
36
38
## Prerequisites
37
39
38
40
* One or more Arc-enabled Kubernetes clusters and/or AKS clusters.
39
41
*`Microsoft.Authorization/policyAssignments/write` permissions on the scope (subscription or resource group) where you'll create the policy assignments.
40
42
41
-
## Create a policy assignment to install the Flux exension
43
+
## Create a policy assignment to install the Flux extension
42
44
43
45
In order for a policy to apply Flux v2 configurations to a cluster, the Flux extension must first be installed on the cluster. To ensure that the extension is installed to each of your clusters, assign the **Configure installation of Flux extension on Kubernetes cluster** policy definition to the desired scope.
44
46
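Review bot: the added sentence `For more information, see [Azure policy built-in definitions for Azure Arc-enabled Kubernetes](policy-reference.md).` links the same target that the unchanged line `The following [built-in policy definitions](policy-reference.md) provide support for these scenarios:` already links a few lines earlier in the same section; either drop the second link or point it at something more specific. In the new table, the last row keeps the differently patterned name `Configure Kubernetes clusters with specified Flux v2 Bucket source using local secrets` while every other row reads `...with Flux v2 configuration using...`; worth confirming against the portal so that the `search for **flux**` advice below the table really surfaces all of them. The list-to-table conversion and the `exension` to `extension` heading fix are otherwise fine.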
@@ -57,26 +59,24 @@ In order for a policy to apply Flux v2 configurations to a cluster, the Flux ext
57
59
Next, return to the **Definitions** list (in the **Authoring** section of **Policy**) to apply the configuration policy definition to the same scope.
58
60
59
61
1. In the "Kubernetes" category, select the **Configure Kubernetes clusters with Flux v2 configuration using public Git repository**
60
-
built-in policy definition, or another policy definition from the list above.
62
+
built-in policy definition, or one of the other policy definitions to apply Flux configurations.
61
63
1. Select **Assign**.
62
64
1. Set the **Scope** to the same scope that you selected when assigning the first policy, including any exclusions.
63
65
1. Give the policy assignment an easily identifiable **Assignment name** and **Description**.
64
66
1. Ensure **Policy enforcement** is set to **Enabled**.
65
67
1. Select **Next**, then select **Next** again to open the **Parameters** tab.
66
68
1. Set the parameter values to be used.
67
69
* For more information about parameters, see the [tutorial on deploying Flux v2 configurations](./tutorial-use-gitops-flux2.md).
68
-
* When creating Flux configurations you must provide a value for one (and only one) of these parameters: `repositoryRefBranch`, `repositoryRefTag`, `repositoryRefSemver`, `repositoryRefCommit`.
70
+
* When creating Flux configurations, you must provide a value for one (and only one) of these parameters: `repositoryRefBranch`, `repositoryRefTag`, `repositoryRefSemver`, `repositoryRefCommit`.
69
71
1. Select **Next** to open the **Remediation** task.
70
72
1. Enable **Create a remediation task**.
71
-
1. Verify that **Create a Managed Identity** is checked, and that the identity will have **Contributor** permissions.
72
-
73
-
For more information, see [Quickstart: Create a policy assignment to identify non-compliant resources](../../governance/policy/assign-policy-portal.md) and [Remediate non-compliant resources with Azure Policy](../../governance/policy/how-to/remediate-resources.md).
73
+
1. Verify that **Create a Managed Identity** is checked, and that the identity has **Contributor** permissions. For more information, see [Quickstart: Create a policy assignment to identify non-compliant resources](../../governance/policy/assign-policy-portal.md) and [Remediate non-compliant resources with Azure Policy](../../governance/policy/how-to/remediate-resources.md).
74
74
75
75
1. Select **Review + create**, then select **Create**.
76
76
77
-
After creating the policy assignments, the configuration is applied to new Azure Arc-enabled Kubernetes or AKS clusters created within the scope of policy assignment.
77
+
The configuration is then applied to new Azure Arc-enabled Kubernetes or AKS clusters created within the scope of policy assignment.
78
78
79
-
For existing clusters, you may need to manually run a remediation task. This task typically takes 10 to 20 minutes for the policy assignment to take effect.
79
+
For existing clusters, you might need to manually run a remediation task. This task typically takes 10 to 20 minutes for the policy assignment to take effect.
80
80
81
81
## Verify the policy assignment
82
82
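Review bot: in the merged step `Verify that **Create a Managed Identity** is checked, and that the identity has **Contributor** permissions`, changing `will have` to `has` reads as if the identity already exists, but it is created and granted the role only when the assignment is created; `will be granted **Contributor** permissions on the scope` keeps the sequence clear and tells the reader what the remediation identity is actually allowed to change. The rewritten phrase `or one of the other policy definitions to apply Flux configurations` is awkward and loses the pointer the old `from the list above` gave; suggest `or one of the other Flux v2 configuration policy definitions listed under Built-in policy definitions`. Minor, present in both old and new text: `within the scope of policy assignment` should read `within the scope of the policy assignment`.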
@@ -91,7 +91,7 @@ For existing clusters, you may need to manually run a remediation task. This tas
91
91
92
92
## Customize a policy
93
93
94
-
The built-in policies cover the main scenarios for using GitOps with Flux v2 in your Kubernetes clusters. However, due to limitations on the number of parameters allowed in Azure Policy assignments (max of 20), not all parameters are present in the built-in policies. Also, to fit within the 20-parameter limit, only a single Kustomization can be created with the built-in policies.
94
+
The built-in policies cover the main scenarios for using GitOps with Flux v2 in your Kubernetes clusters. However, due to limitations on the number of parameters allowed in Azure Policy assignments (max of 20), not all parameters are present in the built-in policies. Also, to fit within the 20-parameter limit, only a single kustomization can be created with the built-in policies.
95
95
96
96
If you have a scenario that differs from the built-in policies, you can overcome the limitations by creating [custom policies](../../governance/policy/tutorials/create-custom-policy-definition.md) using the built-in policies as templates. You can create custom policies that contain only the parameters you need, and hard-code the rest, therefore working around the 20-parameter limit.
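Review bot: lowercasing `Kustomization` to `kustomization` is fine for the generic concept, but `Kustomization` is also the name of the Flux resource kind, so check that the rest of this article uses the same casing; a reader who meets both spellings may take them for two different things. Nothing else changes in this hunk.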