Creating a Cluster Policy Using Legacy Policy Method

Create Policy enables Infosec teams and PKI administrators to create, define, and enforce policies for one or more clusters managed in the inventory.
Note: Certificate automations (creation, renewal, and so on) initiated from a specific cluster must adhere to the parameters defined in the cluster policy. Any cluster that is not part of, or does not align with, a Cluster Policy will be denied certificate automations.
Creating a Legacy Cluster Policy

  1. Go to menu > KUBE > GROUPS & POLICIES > Cluster Policy
    The Cluster Policy page is displayed. This page is a holistic inventory of all the cluster policies created.
  2. Click +Create Policy in the command bar.
    The Cluster Policy popup window opens.
  3. Under the Legacy Policy section, click +Create Policy.
  4. Enter/select the Policy Details.
    Table 1. Policy Details - Field and Description Table
    Policy Name*: Enter a unique policy name to be associated with one or more clusters.
    Policy Scope*: From the dropdown list, select the enforcement scope of the cluster policy:
    • Cluster Wide
      A cluster-wide policy applies to everything in the cluster, across all namespaces.
    • Namespace Specific
      A namespace-specific policy applies only to a particular namespace (a logical partition within the cluster).
    Description: Optionally, enter additional details about the policy for clarity and reference.
    *: Mandatory fields
  5. To configure the CA Issuer that will be used for certificate issuance for the cluster, add the corresponding CA Details to create a CA setting.
    To do this:
    1. From the CA Details section, click +Add.
      The Add CA Setting dialog box is displayed.
    2. Enter/Select the General Information for the CA setting.
      CA Setting Name*: Enter a user-friendly name for identifying the CA setting.
      Certificate Group*: From the dropdown list, select the certificate group under which the certificates issued using this cluster policy will be organized and managed.
      Associate CA Policy*: This field is auto-populated with CA policy options based on the certificate group selected. From the dropdown list, select the CA policy that matches your certificate issuance requirements (such as validity, key size, and so on).
      *: Mandatory fields
    3. Enter/Select the Certificate Authority Setting.
      Certificate Authority: From the dropdown list, select the Certificate Authority (CA) that will issue certificates.
      CA Account*: From the dropdown list, select the CA account that will be used to interact with the selected Certificate Authority.
      Connector Name: Enter the name of the connector that will be used for communication between the platform and the Certificate Authority.
      Category*: From the dropdown list, select the category of the CA setting:
      • Server
      • Client
      *: Mandatory fields
    4. Click Add.
      The configured CA setting and its details are listed in the table in the CA Details section.

      To search for a specific CA setting, use the Search field.

      To edit/delete a CA setting:
      1. Select the checkbox corresponding to the required CA setting.
      2. Click Edit/Delete, as required.
  6. To exclude namespaces from the cluster policy, under Discovery Settings, from the Namespace Exclusion dropdown list, select the names or regexes of the namespaces to exclude.
    The selected namespaces are excluded from certificate discovery, and the server certificate inventory will not display any certificates from the excluded namespaces.

    Once the discovery settings for a cluster policy have been configured, you can choose how you want to map this policy to clusters/namespaces. There are two ways to do this mapping: manual and automatic.

    To automatically map this cluster policy to specific clusters/namespaces, proceed to the next step, in which you can configure the automatic policy assignment rules.

    To manually map cluster policies to clusters/namespaces, skip the automated assignment rules configuration, save the policy configured, and for further instructions, see Manually Mapping Cluster Policies to Clusters/Namespaces.

  7. To automatically map this cluster policy to specific clusters/namespaces, configure the Automated Assignment Rules for this cluster policy.
    1. From the Automated Assignment Rules section, click Add Rule.
      The Add Rule dialog box is displayed.
    2. Configure the automated assignment rule.
      Cluster Pattern (Regex): Mandatory if Policy Scope = Cluster Wide. To map this policy to an entire cluster, enter a regex that matches the cluster name.
      Namespace Pattern (Regex): Mandatory if Policy Scope = Namespace Specific. To map this policy to a namespace, enter a regex that matches the namespace name.
    3. Click Add.
    When an automated assignment rule is configured, this cluster policy is automatically assigned to the existing clusters/namespaces that match the defined patterns. That is, the existing YAML configuration is automatically pushed to those clusters.

    If a cluster/namespace with a matching pattern is created after the automated assignment rule is created, the rule still applies and the YAML configuration of the cluster policy will be automatically pushed to the new cluster/namespace.

    Note: The cluster policy mapping rules have been migrated from the Rules module in KUBE to the Cluster Policy module to enable creating rules for automatically mapping cluster policies to clusters/namespaces at the time of policy creation.
  8. Click Save.
    The cluster policy is added to the Cluster Policy inventory.
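As an added illustration of steps 6 and 7 (example code written for this page, not code from the product or its documentation), the following Python models how a Namespace Exclusion list and an automated assignment rule select clusters and namespaces from an inventory. The inventory, policy names and scope constants are constructed for the example. It assumes anchored (full-string) regex matching, which the page does not state; if the product matches unanchored, write explicit ^ and $ anchors in the rule so that a pattern such as prod does not also select a preprod cluster. The validate method mirrors the mandatory-field rules of the Add Rule dialog, and assign re-evaluated against a grown inventory shows why a later-created cluster is still picked up.

```python
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Constructed sample inventory (not from the page): cluster name -> namespaces.
INVENTORY: Dict[str, List[str]] = {
    "prod-east": ["default", "payments", "kube-system", "monitoring"],
    "prod-west": ["default", "payments", "kube-system"],
    "dev-sandbox": ["default", "scratch", "kube-system"],
}

# Policy Scope values as they appear in the Policy Details table.
CLUSTER_WIDE = "Cluster Wide"
NAMESPACE_SPECIFIC = "Namespace Specific"


def _compile(pattern: str, label: str) -> "re.Pattern":
    """Compile a rule pattern, turning a bad regex into a readable error."""
    try:
        return re.compile(pattern)
    except re.error as exc:
        raise ValueError(f"invalid {label} regex {pattern!r}: {exc}") from exc


@dataclass
class ClusterPolicy:
    """Hypothetical model of a legacy cluster policy with one automated assignment rule."""
    name: str
    scope: str
    cluster_pattern: Optional[str] = None      # Cluster Pattern (Regex)
    namespace_pattern: Optional[str] = None    # Namespace Pattern (Regex)
    namespace_exclusions: List[str] = field(default_factory=list)  # names or regexes

    def validate(self) -> None:
        """Enforce the mandatory-field rules stated in the Add Rule dialog."""
        if self.scope not in (CLUSTER_WIDE, NAMESPACE_SPECIFIC):
            raise ValueError(f"unknown policy scope {self.scope!r}")
        if self.scope == CLUSTER_WIDE and not self.cluster_pattern:
            raise ValueError("Cluster Pattern (Regex) is mandatory for Cluster Wide scope")
        if self.scope == NAMESPACE_SPECIFIC and not self.namespace_pattern:
            raise ValueError("Namespace Pattern (Regex) is mandatory for Namespace Specific scope")


def is_excluded(namespace: str, exclusions: List[str]) -> bool:
    """A Namespace Exclusion entry is a plain name or a regex; either hides the namespace."""
    for entry in exclusions:
        if namespace == entry or _compile(entry, "Namespace Exclusion").fullmatch(namespace):
            return True
    return False


def assign(policy: ClusterPolicy, inventory: Dict[str, List[str]]) -> Dict[str, List[str]]:
    """Return {cluster: [namespaces]} that the policy's automated rule would cover.

    Assumption: patterns are anchored (fullmatch). A Cluster Wide policy covers
    every non-excluded namespace of each matching cluster; a Namespace Specific
    policy covers only namespaces matching the namespace pattern, optionally
    restricted to clusters matching the cluster pattern.
    """
    policy.validate()
    cluster_re = _compile(policy.cluster_pattern, "Cluster Pattern") if policy.cluster_pattern else None
    ns_re = _compile(policy.namespace_pattern, "Namespace Pattern") if policy.namespace_pattern else None
    covered: Dict[str, List[str]] = {}
    for cluster, namespaces in inventory.items():
        if cluster_re and not cluster_re.fullmatch(cluster):
            continue
        selected = [
            ns for ns in namespaces
            if (policy.scope == CLUSTER_WIDE or ns_re.fullmatch(ns))
            and not is_excluded(ns, policy.namespace_exclusions)
        ]
        if selected:
            covered[cluster] = selected
    return covered


if __name__ == "__main__":
    demo = ClusterPolicy("prod-wide", CLUSTER_WIDE, cluster_pattern=r"prod-.*",
                         namespace_exclusions=["kube-system"])
    print(assign(demo, INVENTORY))
```

Running the module prints the prod clusters with kube-system removed from each; the same call against an inventory that later gains another prod-* cluster includes that cluster too, which is the behaviour the page describes for clusters created after the rule.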

Manually Mapping Cluster Policies to Clusters/Namespaces

In the
  1. From the Cluster Policy inventory, for the policy that has to be mapped, select the corresponding checkbox.
    Note: Only one policy can be mapped at a time.
  2. Click .
    The Add Endpoints dialog box is displayed, with the Policy Name and Policy Type auto-populated based on the policy selected in the previous step.
  3. In the Add Endpoints dialog box:
    1. The CA Setting Templates dropdown list is populated with the CA settings added when the policy was created.
      From the dropdown list, select the CA setting that will be used for the mapping.
    2. The Cluster Name dropdown list is populated with the list of clusters existing in the cluster inventory.
      From the dropdown list, select the cluster that this policy will be mapped to.
      The Policy Scope field is auto-populated.
    3. The Namespaces dropdown list is displayed if the scope of your cluster policy is Namespace Wide.
      From the dropdown list, select the namespace, from within the selected cluster, that you want to map the policy to.
  4. Click Add.
  5. For the cluster policy you want to map, from the Manage and Deploy field in the cluster inventory, click .
    The Cluster Policy > Cluster Policy Manage and Deploy page is displayed.
  6. Select the checkbox corresponding to the policy and click .
    The Cluster Push Policy dialog box is displayed.
  7. In the Cluster Push Policy dialog box, enter a comment related to the policy mapping and click Push.
    The cluster policy will be mapped to the selected cluster/namespace.

Automatically Mapping Cluster Policies to Clusters/Namespaces

To enable automatic mapping of a cluster policy to a specific cluster/namespace, configure the Automated Assignment Rules for policy mapping, as explained in Creating a Legacy Cluster Policy.

When an automated assignment rule is configured, this cluster policy is automatically assigned to the existing clusters/namespaces that match the defined patterns. That is, the existing YAML configuration is automatically pushed to those clusters.

If a cluster/namespace with a matching pattern is created after the automated assignment rule is created, the rule still applies and the YAML configuration of the cluster policy will be automatically pushed to the new cluster/namespace.

Note: The cluster policy mapping rules have been migrated from the Rules module in KUBE to the Cluster Policy module to enable creating rules for automatically mapping cluster policies to clusters/namespaces at the time of policy creation.