openshift
diff --git a/‎modules/ztp-applying-source-custom-resource-policies.adoc‎
Lines changed: 159 additions & 0 deletions b/‎modules/ztp-applying-source-custom-resource-policies.adoc‎
Lines changed: 159 additions & 0 deletions
diff --git a/‎modules/ztp-applying-the-ran-policies-for-monitoring-cluster-activity.adoc‎
Lines changed: 22 additions & 0 deletions b/‎modules/ztp-applying-the-ran-policies-for-monitoring-cluster-activity.adoc‎
Lines changed: 22 additions & 0 deletions
diff --git a/‎modules/ztp-generating-ran-policies.adoc‎
Lines changed: 108 additions & 0 deletions b/‎modules/ztp-generating-ran-policies.adoc‎
Lines changed: 108 additions & 0 deletions
@@ -0,0 +1,159 @@
+// Module included in the following assemblies:
+//
+// scalability_and_performance/ztp-deploying-disconnected.adoc
+
+[id="ztp-applying-source-custom-resource-policies_{context}"]
+= Applying source custom resource policies
+
+Source custom resource policies include the following:
+
+* SR-IOV policies
+* PTP policies
+* Performance Add-on Operator policies
+* MachineConfigPool policies
+* SCTP policies
+
+You need to define the source custom resource that generates the ACM policy with consideration of possible overlay to its metadata or spec/data.
+For example, a `common-namespace-policy` contains a `Namespace` definition that exists in all managed clusters.
+This `namespace` is placed under the Common category and there are no changes for its spec or data across all clusters.
+
+.Namespace policy example
+
+The following example shows the source custom resource for this namespace:
+
+[source,yaml]
+----
+apiVersion: v1
+kind: Namespace
+metadata:
+ name: openshift-sriov-network-operator
+ labels:
+   openshift.io/run-level: "1"
+----
+
+.Example output
+
+The generated policy that applies this `namespace` includes the `namespace` as it is defined above without any change, as shown in this example:
+
+[source,yaml]
+----
+apiVersion: policy.open-cluster-management.io/v1
+kind: Policy
+metadata:
+   name: common-sriov-sub-ns-policy
+   namespace: common-sub
+   annotations:
+       policy.open-cluster-management.io/categories: CM Configuration Management
+       policy.open-cluster-management.io/controls: CM-2 Baseline Configuration
+       policy.open-cluster-management.io/standards: NIST SP 800-53
+spec:
+   remediationAction: enforce
+   disabled: false
+   policy-templates:
+       - objectDefinition:
+           apiVersion: policy.open-cluster-management.io/v1
+           kind: ConfigurationPolicy
+           metadata:
+               name: common-sriov-sub-ns-policy-config
+           spec:
+               remediationAction: enforce
+               severity: low
+               namespaceselector:
+                   exclude:
+                       - kube-*
+                   include:
+                       - '*'
+               object-templates:
+                   - complianceType: musthave
+                     objectDefinition:
+                       apiVersion: v1
+                       kind: Namespace
+                       metadata:
+                           labels:
+                               openshift.io/run-level: "1"
+                           name: openshift-sriov-network-operator
+----
+
+.SRIOV policy example
+
+The following example shows a `SriovNetworkNodePolicy` definition that exists in different clusters with a different specification for each cluster.
+The example also shows the source custom resource for the `SriovNetworkNodePolicy`:
+
+[source,yaml]
+----
+apiVersion: sriovnetwork.openshift.io/v1
+kind: SriovNetworkNodePolicy
+metadata:
+  name: sriov-nnp
+  namespace: openshift-sriov-network-operator
+spec:
+  # The $ tells the policy generator to overlay/remove the spec.item in the generated policy.
+  deviceType: $deviceType
+  isRdma: false
+  nicSelector:
+    pfNames: [$pfNames]
+  nodeSelector:
+    node-role.kubernetes.io/worker: ""
+  numVfs: $numVfs
+  priority: $priority
+  resourceName: $resourceName
+----
+
+.Example output
+
+The `SriovNetworkNodePolicy` name and `namespace` are the same for all clusters, so both are defined in the source `SriovNetworkNodePolicy`.
+However, the generated policy requires the `$deviceType`, `$numVfs`, as input parameters in order to adjust the policy for each cluster.
+The generated policy is shown in this example:
+
+[source,yaml]
+----
+apiVersion: policy.open-cluster-management.io/v1
+kind: Policy
+metadata:
+    name: site-du-sno-1-sriov-nnp-mh-policy
+    namespace: sites-sub
+    annotations:
+        policy.open-cluster-management.io/categories: CM Configuration Management
+        policy.open-cluster-management.io/controls: CM-2 Baseline Configuration
+        policy.open-cluster-management.io/standards: NIST SP 800-53
+spec:
+    remediationAction: enforce
+    disabled: false
+    policy-templates:
+        - objectDefinition:
+            apiVersion: policy.open-cluster-management.io/v1
+            kind: ConfigurationPolicy
+            metadata:
+                name: site-du-sno-1-sriov-nnp-mh-policy-config
+            spec:
+                remediationAction: enforce
+                severity: low
+                namespaceselector:
+                    exclude:
+                        - kube-*
+                    include:
+                        - '*'
+                object-templates:
+                    - complianceType: musthave
+                      objectDefinition:
+                        apiVersion: sriovnetwork.openshift.io/v1
+                        kind: SriovNetworkNodePolicy
+                        metadata:
+                            name: sriov-nnp-du-mh
+                            namespace: openshift-sriov-network-operator
+                        spec:
+                            deviceType: vfio-pci
+                            isRdma: false
+                            nicSelector:
+                                pfNames:
+                                    - ens7f0
+                            nodeSelector:
+                                node-role.kubernetes.io/worker: ""
+                            numVfs: 8
+                            resourceName: du_mh
+----
+
+[NOTE]
+====
+Defining the required input parameters as `$value`, for example `$deviceType`, is not mandatory. The `$` tells the policy generator to overlay or remove the item from the generated policy. Otherwise, the value does not change.
+====
@@ -0,0 +1,22 @@
+// Module included in the following assemblies:
+//
+// scalability_and_performance/ztp-deploying-disconnected.adoc
+
+[id="ztp-applying-the-ran-policies-for-monitoring-cluster-activity_{context}"]
+= Applying the RAN policies for monitoring cluster activity
+
+Zero touch provisioning (ZTP) uses {rh-rhacm-first} as an orchestrator to apply the radio access network (RAN) policies using a policy-based governance approach to automatically monitor cluster activity.
+
+The policy generator (PolicyGen) is a Kustomize plugin that facilitates creating ACM policies from predefined custom resources.
+There are three main items: Policy Categorization, Source CR policy, and PolicyGenTemplate. PolicyGen relies on these to generate the policies and
+their placement bindings and rules.
+
+RAN policies are categorized into three main groups:
+
+Common:: A policy that exists in the `Common` category is applied to all clusters to be represented by the site plan.
+
+Groups:: A policy that exists in the `Groups` category is applied to a group of clusters. Every group of clusters could have their own policies that exist under the
+Groups category. For example, `Groups/group1` could have its own policies that are applied to the clusters belonging to `group1`.
+
+Sites:: A policy that exists in the `Sites` category is applied to a specific cluster. Any cluster could have its own policies that exist in the `Sites` category.
+For example, `Sites/cluster1` will have its own policies applied to `cluster1`.
@@ -0,0 +1,108 @@
+// Module included in the following assemblies:
+//
+// scalability_and_performance/ztp-deploying-disconnected.adoc
+
+[id="ztp-generating-ran-policies_{context}"]
+= Generating RAN policies
+
+.Prerequisites
+
+* Install Kustomize
+* Install golang
+
+.Procedure
+
+. Build the plug-in using the following commands:
++
+[source,terminal]
+----
+$ cd ztp/ztp-policy-generator/kustomize/plugin/policyGenerator/v1/policygenerator/
+----
++
+[source,terminal]
+----
+$ go build -o PolicyGenerator
+----
++
+The `kustomization.yaml` file has a reference to the `policyGenerator.yaml` file. The following example shows the PolicyGenerator definition:
++
+[source,yaml]
+----
+apiVersion: policyGenerator/v1
+kind: PolicyGenerator
+metadata:
+  name: acm-policy
+  namespace: acm-policy-generator
+# The arguments should be given and defined as below with same order --policyGenTempPath= --sourcePath= --outPath= --stdout --customResources
+argsOneLiner: ./ranPolicyGenTempExamples ./sourcePolicies ./out true false
+----
++
+Where:
+
+* `policyGenTempPath` is the path to the `policyGenTemp` files.
+* `sourcePath`: is the path to the source policies.
+* `outPath`: is the path to save the generated ACM policies.
+* `stdout`: If `true`, prints the generated policies to the console.
+* `customResources`: If `true` generates the CRs from the `sourcePolicies` files without ACM policies.
+
+. Test PolicyGen by running the following commands:
++
+[source,terminal]
+----
+$ cd cnf-features-deploy/ztp/ztp-policy-generator/
+----
++
+[source,terminal]
+----
+$ XDG_CONFIG_HOME=./ kustomize build --enable-alpha-plugins
+----
++
+An `out` directory is created with the expected policies, as shown in this example:
++
+[source,terminal]
+----
+out
+├── common
+│   ├── common-log-sub-ns-policy.yaml
+│   ├── common-log-sub-oper-policy.yaml
+│   ├── common-log-sub-policy.yaml
+│   ├── common-pao-sub-catalog-policy.yaml
+│   ├── common-pao-sub-ns-policy.yaml
+│   ├── common-pao-sub-oper-policy.yaml
+│   ├── common-pao-sub-policy.yaml
+│   ├── common-policies-placementbinding.yaml
+│   ├── common-policies-placementrule.yaml
+│   ├── common-ptp-sub-ns-policy.yaml
+│   ├── common-ptp-sub-oper-policy.yaml
+│   ├── common-ptp-sub-policy.yaml
+│   ├── common-sriov-sub-ns-policy.yaml
+│   ├── common-sriov-sub-oper-policy.yaml
+│   └── common-sriov-sub-policy.yaml
+├── groups
+│   ├── group-du
+│   │   ├── group-du-mc-chronyd-policy.yaml
+│   │   ├── group-du-mc-mount-ns-policy.yaml
+│   │   ├── group-du-mcp-du-policy.yaml
+│   │   ├── group-du-mc-sctp-policy.yaml
+│   │   ├── group-du-policies-placementbinding.yaml
+│   │   ├── group-du-policies-placementrule.yaml
+│   │   ├── group-du-ptp-config-policy.yaml
+│   │   └── group-du-sriov-operconfig-policy.yaml
+│   └── group-sno-du
+│       ├── group-du-sno-policies-placementbinding.yaml
+│       ├── group-du-sno-policies-placementrule.yaml
+│       ├── group-sno-du-console-policy.yaml
+│       ├── group-sno-du-log-forwarder-policy.yaml
+│       └── group-sno-du-log-policy.yaml
+└── sites
+    └── site-du-sno-1
+        ├── site-du-sno-1-policies-placementbinding.yaml
+        ├── site-du-sno-1-policies-placementrule.yaml
+        ├── site-du-sno-1-sriov-nn-fh-policy.yaml
+        ├── site-du-sno-1-sriov-nnp-mh-policy.yaml
+        ├── site-du-sno-1-sriov-nw-fh-policy.yaml
+        ├── site-du-sno-1-sriov-nw-mh-policy.yaml
+        └── site-du-sno-1-.yaml
+----
++
+The common policies are flat because they will be applied to all clusters. However, the groups and sites have subdirectories for each group and site as they will be applied to different clusters.