A Policy Group is a collection of individual policies that applies a set of configuration standards to objects within Kubernetes clusters. These policies can address areas such as security, configuration control, and monitoring. Policy Groups are enabled by default in the NPMK product, or are added to the cluster as a Kyverno Add-On in the Nirmata Full Edition.
In NPMK, Policy Groups are accessed from the Main Menu. In the Nirmata Full Edition, open the main navigation menu (the three horizontal dashes to the left of the Nirmata logo), click Policies, and then click Policy Groups. Any existing Policy Groups are displayed in the main work pane.
Nirmata establishes three default Policy Groups: Best Practices, Multi Tenancy and Pod Security. They are created by default whenever a new tenant is created. These specific Policy Groups cannot be modified because they use the Nirmata git repository.
To view the details of an existing Policy Group, click the desired item. This displays each individual policy associated with the Policy Group. Each policy is a hyperlink; click it to view the policy details. The details page includes information such as a brief description of the policy's objective, the category it is associated with, who created it, and when. To view the policy YAML, click the applicable link in the top right corner.
To create a new Policy Group, click the Add Policy Group button in the upper right corner of the Policy Group page. This displays a form for the Policy Group details. The information to supply includes the name of the new Policy Group, the git credentials, the repository from which to source the policy YAML, the specific branch, and the directory list. Further down the form, one can select whether to enable Kustomize. If this option is selected, further configuration is required to determine whether this is a Fixed Kustomize or Target-Based, and finally which YAML file to work from.
At the bottom of the screen, click the pull-down for Cluster Selector to provide Matching Labels or Matching Expressions that identify the specific targets the Policy Group will be applied to.
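
As an added illustration (not taken from Nirmata's documentation or repository), a directory named in the form's directory list could hold a Kyverno policy together with a Kustomize file that adjusts it, as sketched below. The paths, the choice of policy, and the Audit-to-Enforce patch are assumptions; how the Fixed and Target-Based Kustomize modes consume the file is not covered here.

```yaml
# Constructed example: two files in one directory of the policy repository.
# Directory name, file names and the patch are assumptions for illustration.
# --- file: policies/pod-security/kustomization.yaml ---
apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization
resources:
  - disallow-privileged-containers.yaml
patches:
  # Switch the policy from reporting (Audit) to blocking (Enforce).
  - target:
      kind: ClusterPolicy
      name: disallow-privileged-containers
    patch: |-
      - op: replace
        path: /spec/validationFailureAction
        value: Enforce
---
# --- file: policies/pod-security/disallow-privileged-containers.yaml ---
apiVersion: kyverno.io/v1
kind: ClusterPolicy
metadata:
  name: disallow-privileged-containers
  annotations:
    policies.kyverno.io/category: Pod Security
    policies.kyverno.io/description: >-
      Privileged containers share host devices and capabilities; disallow them.
spec:
  validationFailureAction: Audit   # report violations without blocking
  background: true                 # also scan resources that already exist
  rules:
    - name: privileged-containers
      match:
        any:
          - resources:
              kinds:
                - Pod
      validate:
        message: "Privileged mode is disallowed."
        pattern:
          spec:
            =(ephemeralContainers):
              - =(securityContext):
                  =(privileged): "false"
            =(initContainers):
              - =(securityContext):
                  =(privileged): "false"
            containers:
              - =(securityContext):
                  =(privileged): "false"
```

Keeping the base policy in Audit and applying Enforce through the Kustomize patch lets the same policy file be rolled out in report-only mode first and tightened later without editing the policy itself.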