Policy Exceptions Management
A Policy Exception is a temporary, approved deviation from a policy, used when enforcing the policy as written would block a legitimate operational need. Because every exception disables enforcement for the resources it covers, each request is reviewed before it takes effect and should be scoped as narrowly and for as short a time as the need allows.
Policy Exception workflow
Every Policy Exception Request is sent to an admin for review. The admin can either approve or deny the request. If the request is approved, the PolicyException resource is deployed to the selected clusters and the user who requested the exception is notified by email.
Requesting a Policy Exception
A Policy Exception Request can be raised directly from the Policy Exceptions page or from the Policy Reports page of a particular namespace of a cluster.
Note: Clusters that were already registered in NPM must be granted an extra permission before the Policy Exception expiry feature works. The permission allows the kyverno-cleanup-controller to delete expired policy exceptions from the cluster; without it an exception with a set duration is not removed when that duration ends. See the nirmata:policyexception-manager ClusterRoleBinding in the Nirmata Kube Controller for the change.
To raise a Policy Exception Request:
- Go to Policy -> Policy Exceptions. The page lists the Policy Exception Requests already created, whether approved, denied, or awaiting approval.
- Click the Request Policy Exception button in the top right corner of the screen. The Request Policy Exception page opens; filling it in and submitting it raises a Policy Exception Request.
- In the description text box, give a brief description of why the exception is required. Reviewers see this text, so state the concrete operational need rather than a generic justification.
- Select the start date on which the exception should take effect, or choose the Immediately after approval option to apply it as soon as the reviewers approve it.
- Select the time duration for the policy exception. The available options are 1 day, 1 week, 1 month, or Never Expires. An exception that never expires is no longer a temporary deviation; prefer the shortest duration that covers the need and raise a new request if it is still required afterwards.
- Select the namespaces for the policy exception; these define the resources the exception will affect.
a. To select all namespaces in every cluster, choose the All namespaces I own in all clusters option.
b. To specify an individual namespace in a cluster or a group of clusters, choose the Selected namespaces and clusters option. Namespaces and clusters can be selected from the dropdown. Click the + button to add more namespaces.
- Specify the violations in the namespace to which the policy exception will apply.
a. To apply the exception to all policy violations present in the namespace, choose the All Violations option.
b. To apply the exception only to specific violations, choose the Selected Violations option.
c. Click the Add Violations button. A sub-page opens listing the violations found in the namespace along with the number of affected resources.
d. Select violations by ticking the box beside each one. The list can be filtered by severity, and when multiple namespaces were selected it can be filtered by namespace as well.
e. Click the Add Violations button in the top right to add the selected violations to the request.
- Lastly, click the Request Exception button to raise the Policy Exception Request. An alert is sent to the admin for review.
Note: A Policy Exception Request can be raised in the same way from the Policy Reports page. Go to the Policy Reports page, click the namespace that requires an exception, and click the Request Policy Exception button to raise the request.
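The page says an approved request is deployed as a PolicyException resource and that the Kyverno cleanup controller must be able to delete expired exceptions. As an added illustration, not a manifest taken from this page or generated by Nirmata, the following shows what such a time-bound Kyverno PolicyException can look like, with the kind of RBAC grant the expiry note refers to beside it. The policy name (disallow-host-namespaces), rule names, namespace, workload name, and the ClusterRole and ClusterRoleBinding names are assumed for the example; the cleanup.kyverno.io/ttl label and the kyverno-cleanup-controller service account are standard Kyverno, and mapping the UI's "1 week" to 7d is an assumption about how a request would be translated.

```yaml
# Added example: a Kyverno PolicyException as an approved request with
# "1 week" duration, one namespace and one selected violation might deploy it.
# Policy, rule, namespace and workload names are assumed for illustration.
apiVersion: kyverno.io/v2
kind: PolicyException
metadata:
  name: payments-host-namespaces-exception   # assumed
  namespace: payments                         # assumed; the namespace the request targets
  labels:
    # The Kyverno cleanup controller deletes this object once the TTL elapses,
    # which is why it needs delete permission on policyexceptions. A request
    # with "Never Expires" would simply omit this label.
    cleanup.kyverno.io/ttl: 7d
  annotations:
    # Assumed annotation: carries the request description so the reason
    # travels with the exception and is visible with kubectl describe.
    nirmata.io/exception-reason: "legacy log collector needs hostNetwork until migrated"
spec:
  exceptions:
  - policyName: disallow-host-namespaces      # assumed policy
    ruleNames:
    - host-namespaces
    # Pods created by a Deployment are checked by the autogenerated rule,
    # so it must be listed too or the exception will not cover them.
    - autogen-host-namespaces
  match:
    any:
    - resources:
        kinds:
        - Pod
        - Deployment
        namespaces:
        - payments
        names:
        - legacy-log-collector*               # narrow to the affected workload only
---
# Added example: RBAC that lets the cleanup controller delete expired exceptions.
# The page refers to the nirmata:policyexception-manager ClusterRoleBinding in
# the Nirmata Kube Controller; the names below are assumed stand-ins, and
# kyverno-cleanup-controller in the kyverno namespace is the Helm chart's
# default service account for that controller.
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: policyexception-cleanup               # assumed
rules:
- apiGroups: ["kyverno.io"]
  resources: ["policyexceptions"]
  verbs: ["get", "list", "watch", "delete"]   # delete is the verb expiry needs
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: policyexception-cleanup               # assumed
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: policyexception-cleanup
subjects:
- kind: ServiceAccount
  name: kyverno-cleanup-controller
  namespace: kyverno
```

After applying the binding, confirm the permission is effective with `kubectl auth can-i delete policyexceptions.kyverno.io --as=system:serviceaccount:kyverno:kyverno-cleanup-controller`; if that answers "no", exceptions will keep suppressing enforcement past their stated expiry. Depending on the Kyverno version, policy exceptions also have to be enabled on the admission controller (the `--enablePolicyException` flag in older releases), and the exception must live in a namespace Kyverno is configured to accept exceptions from.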
Viewing a Policy Exception Request
To view the raised Policy Exception Requests:
- Go to Policy -> Policy Exceptions. The page lists the Policy Exception Requests already created. Each request is shown with its name, creation date, requestor, total number of reviewers, number of approvals given by the reviewers, approval status, and deploy status. The list can be filtered by request status and by requestor.
- Check the box beside My requests to show only the requests you created.
- Click a Policy Exception Request's name to view it in detail. The detail page also shows the reviewers' activity under the Reviews and Edits section on the right hand side of the screen.
Managing Policy Exception Settings
A Nirmata Admin User can manage the approval and review settings of Policy Exception Requests as per requirements.
To manage the Policy Exception settings:
- Go to Settings -> Policy Exceptions. The Settings page for Policy Exceptions opens.
- Manage how Policy Exception Requests are approved by checking the boxes beside the available options.
a. Checking the Require Two Factor Authentication (2FA) to approve a request option requires reviewers to have two-factor authentication set up and to complete it before they can approve an exception request.
b. Checking the Automatically approve requests by Administrators option approves requests raised by administrators without sending them through the review process. This removes the second pair of eyes for the most privileged accounts, so leave it unchecked unless administrator requests are reviewed some other way.
c. Checking the Revoke all approvals if the requestor changes the resources or policies for the exception option revokes any approvals already given to a request if the requestor changes any of its target selectors, such as the clusters, namespaces, or violations. Without it, a request approved for a narrow scope could be widened after approval without a fresh review.
- Next, select the initial reviewers for Policy Exception Requests under the Reviewers and required approvals section by choosing one of the available options.
a. Choosing the Any Administrator or Platform user option allows any Admin or Platform user to review raised exception requests.
b. Choosing the Selected Administrators option allows only the selected Admin users to review requests. Multiple Admin users can be selected from the dropdown. An Admin user can also add or remove reviewers on specific requests.
- Then, enter in the text box the number of reviewer approvals required before a Policy Exception Request is granted.
- Lastly, click the Save button to save the changes.