Merge pull request #208923 from csand-msft/main

BCS2022 · web-flow · commit 657c649cbdad · 2022-08-24T07:56:11.000-07:00
New doc for Flux v2 policy
diff --git a/articles/azure-arc/kubernetes/toc.yml b/articles/azure-arc/kubernetes/toc.yml
@@ -79,11 +79,15 @@
     href: azure-rbac.md
   - name: Deploy applications to cluster
     items:
+      - name: GitOps (Flux v2)
+        items:
+        - name: At-scale deployment of Flux v2 configurations using Azure Policy
+          href: use-azure-policy-flux-2.md
       - name: GitOps (Flux v1)
         items:
         - name: Deploy Helm charts using GitOps (Flux v1)
           href: use-gitops-with-helm.md
-        - name: At-scale deployment of configurations using Azure Policy (Flux v1)
+        - name: At-scale deployment of Flux v1 configurations using Azure Policy
           href: use-azure-policy.md
   - name: Manage your cluster
     items:
diff --git a/articles/azure-arc/kubernetes/use-azure-policy-flux-2.md b/articles/azure-arc/kubernetes/use-azure-policy-flux-2.md
@@ -0,0 +1,72 @@
+---
+title: "Apply Flux v2 configurations at-scale using Azure Policy"
+services: azure-arc, container-service
+ms.date: 8/23/2022
+ms.topic: how-to
+description: "Apply Flux v2 configurations at-scale using Azure Policy"
+keywords: "Kubernetes, K8s, Arc, AKS, Azure, containers, GitOps, Flux v2, policy"
+---
+
+# Apply Flux v2 configurations at-scale using Azure Policy
+
+You can use Azure Policy to apply Flux v2 configurations (`Microsoft.KubernetesConfiguration/fluxConfigurations` resource type) at scale on Azure Arc-enabled Kubernetes (`Microsoft.Kubernetes/connectedClusters`) or AKS (`Microsoft.ContainerService/managedClusters`) clusters.
+
+To use Azure Policy, select a built-in policy definition and create a policy assignment. You can search for **flux** to find all of the Flux v2 policy definitions. When creating the policy assignment:
+1. Set the scope for the assignment.
+    * The scope will be all resource groups in a subscription or management group or specific resource groups.
+2. Set the parameters for the Flux v2 configuration that will be created. 
+
+Once the assignment is created, the Azure Policy engine identifies all Azure Arc-enabled Kubernetes clusters located within the scope and applies the GitOps configuration to each cluster.
+
+To enable separation of concerns, you can create multiple policy assignments, each with a different Flux v2 configuration pointing to a different source. For example, one git repository may be used by cluster admins and other repositories may be used by application teams.
+
+> [!TIP]
+> There are built-in policy definitions for these scenarios:
+> * Flux extension install (required for all scenarios): `Configure installation of Flux extension on Kubernetes cluster`
+> * Flux configuration using public Git repository (generally a test scenario): `Configure Kubernetes clusters with Flux v2 configuration using public Git repository`
+> * Flux configuration using private Git repository with SSH auth: `Configure Kubernetes clusters with Flux v2 configuration using Git repository and SSH secrets`
+> * Flux configuration using private Git repository with HTTPS auth: `Configure Kubernetes clusters with Flux v2 configuration using Git repository and HTTPS secrets`
+> * Flux configuration using private Git repository with HTTPS CA cert auth: `Configure Kubernetes clusters with Flux v2 configuration using Git repository and HTTPS CA Certificate`
+> * Flux configuration using private Git repository with local K8s secret: `Configure Kubernetes clusters with Flux v2 configuration using Git repository and local secrets`
+> * Flux configuration using private Bucket source and KeyVault secrets: `Configure Kubernetes clusters with Flux v2 configuration using Bucket source and secrets in KeyVault`
+> * Flux configuration using private Bucket source and local K8s secret: `Configure Kubernetes clusters with specified Flux v2 Bucket source using local secrets`
+
+## Prerequisite
+
+Verify you have `Microsoft.Authorization/policyAssignments/write` permissions on the scope (subscription or resource group) where you'll create this policy assignment.
+
+## Create a policy assignment
+
+1. In the Azure portal, navigate to **Policy**.
+1. In the **Authoring** section of the sidebar, select **Definitions**.
+1. In the "Kubernetes" category, choose the "Configure Kubernetes clusters with specified GitOps configuration using no secrets" built-in policy definition. 
+1. Select **Assign**.
+1. Set the **Scope** to the management group, subscription, or resource group to which the policy assignment will apply.
+    * If you want to exclude any resources from the policy assignment scope, set **Exclusions**.
+1. Give the policy assignment an easily identifiable **Name** and **Description**.
+1. Ensure **Policy enforcement** is set to **Enabled**.
+1. Select **Next**.
+1. Set the parameter values to be used while creating the `fluxConfigurations` resource.
+    * For more information about parameters, see the [tutorial on deploying Flux v2 configurations](./tutorial-use-gitops-flux2.md).
+1. Select **Next**.
+1. Enable **Create a remediation task**.
+1. Verify **Create a managed identity** is checked, and that the identity will have **Contributor** permissions. 
+    * For more information, see the [Create a policy assignment quickstart](../../governance/policy/assign-policy-portal.md) and the [Remediate non-compliant resources with Azure Policy article](../../governance/policy/how-to/remediate-resources.md).
+1. Select **Review + create**.
+
+After creating the policy assignment, the configuration is applied to new Azure Arc-enabled Kubernetes or AKS clusters created within the scope of policy assignment.
+
+For existing clusters, you may need to manually run a remediation task. This task typically takes 10 to 20 minutes for the policy assignment to take effect.
+
+## Verify a policy assignment
+
+1. In the Azure portal, navigate to one of your Azure Arc-enabled Kubernetes or AKS clusters.
+1. In the **Settings** section of the sidebar, select **GitOps**.
+    * In the configurations list, you should see the configuration created by the policy assignment.
+1. In the **Kubernetes resources** section of the sidebar, select **Namespaces** and **Workloads**.
+    * You should see the namespace and artifacts that were created by the Flux configuration.
+    * You should see the objects described by the manifests in the Git repo deployed on the cluster.
+
+## Next steps
+
+[Set up Azure Monitor for Containers with Azure Arc-enabled Kubernetes clusters](../../azure-monitor/containers/container-insights-enable-arc-enabled-clusters.md).
diff --git a/articles/azure-arc/kubernetes/use-azure-policy.md b/articles/azure-arc/kubernetes/use-azure-policy.md
@@ -1,20 +1,20 @@
 ---
-title: "Apply configurations at-scale using Azure Policy"
+title: "Apply Flux v1 configurations at-scale using Azure Policy"
 services: azure-arc
 ms.service: azure-arc
 #ms.subservice: azure-arc-kubernetes coming soon
-ms.date: 11/23/2021
+ms.date: 8/23/2022
 ms.topic: how-to
-description: "Apply configurations at-scale using Azure Policy"
-keywords: "Kubernetes, Arc, Azure, K8s, containers"
+description: "Apply Flux v1 configurations at-scale using Azure Policy"
+keywords: "Kubernetes, Arc, Azure, K8s, containers, GitOps, Flux v1, policy"
 ---
 
-# Apply configurations at-scale using Azure Policy
+# Apply Flux v1 configurations at-scale using Azure Policy
 
-You can use Azure Policy to apply configurations (`Microsoft.KubernetesConfiguration/sourceControlConfigurations` resource type) at scale on Azure Arc-enabled Kubernetes clusters (`Microsoft.Kubernetes/connectedclusters`).
+You can use Azure Policy to apply Flux v1 configurations (`Microsoft.KubernetesConfiguration/sourceControlConfigurations` resource type) at scale on Azure Arc-enabled Kubernetes clusters (`Microsoft.Kubernetes/connectedclusters`).
 
->[!NOTE]
->The built-in policies referenced in this article are for GitOps with Flux v1.
+> [!NOTE]
+> This article is for GitOps with Flux v1.  GitOps with Flux v2 is now available for Azure Arc-enabled Kubernetes and Azure Kubernetes Service (AKS) clusters; [go to the article for using policy with Flux v2](./use-azure-policy-flux-2.md). Eventually Azure will stop supporting GitOps with Flux v1, so begin using Flux v2 as soon as possible.
 
 To use Azure Policy, select a built-in GitOps policy definition and create a policy assignment. When creating the policy assignment:
 1. Set the scope for the assignment.
@@ -40,13 +40,13 @@ Verify you have `Microsoft.Authorization/policyAssignments/write` permissions on
 1. In the Azure portal, navigate to **Policy**.
 1. In the **Authoring** section of the sidebar, select **Definitions**.
 1. In the "Kubernetes" category, choose the "Configure Kubernetes clusters with specified GitOps configuration using no secrets" built-in policy definition. 
-1. Click on **Assign**.
+1. Select **Assign**.
 1. Set the **Scope** to the management group, subscription, or resource group to which the policy assignment will apply.
     * If you want to exclude any resources from the policy assignment scope, set **Exclusions**.
 1. Give the policy assignment an easily identifiable **Name** and **Description**.
 1. Ensure **Policy enforcement** is set to **Enabled**.
 1. Select **Next**.
-1. Set the parameter values to be used while creating the `sourceControlConfiguration`.
+1. Set the parameter values to be used while creating the `sourceControlConfigurations` resource.
     * For more information about parameters, see the [tutorial on deploying GitOps configurations](./tutorial-use-gitops-connected-cluster.md).
 1. Select **Next**.
 1. Enable **Create a remediation task**.
@@ -65,9 +65,9 @@ For existing clusters, you may need to manually run a remediation task. This tas
     * In the list, you should see the policy assignment that you created earlier with the **Compliance state** set as *Compliant*.
 1. In the **Settings** section of the sidebar, select **GitOps**.
     * In the configurations list, you should see the configuration created by the policy assignment.
-1. Use `kubectl` to interrogate the cluster. 
-    * You should see the namespace and artifacts that were created by the GitOps configuration.
-    * You should see the objects described by the manifests in the Git repo getting deployed on the cluster.
+1. In the **Kubernetes resources** section of the sidebar, select **Namespaces** and **Workloads**.
+    * You should see the namespace and artifacts that were created by the Flux configuration.
+    * You should see the objects described by the manifests in the Git repo deployed on the cluster.
 
 ## Next steps
 
