Add policies repo structure

Signed-off-by: Stefan Prodan <stefan.prodan@gmail.com>
controlplaneio-fluxcd · Jun 29, 2024 · 1e88740 · 1e88740
1 parent a634814
commit 1e88740
Showing 1 changed file with 44 additions and 12 deletions.
diff --git a/docs/guides/flux-policies.md b/docs/guides/flux-policies.md
@@ -41,7 +41,7 @@ data:
 ```
 
 The `sources` list contains the allowed URL prefixes separated by a new line for
-tenant-owned Flux sources e.g. `GitRepository`, `OCIRepository` and `HelmRepository`. 
+tenant-owned Flux sources e.g. `GitRepository`, `OCIRepository` and `HelmRepository`.
 
 ### Define the Admission Policy
 
@@ -107,31 +107,62 @@ spec:
 With the above policy in place, any tenant trying to create or update a Flux source that is not
 listed in the allow list will receive a validation error and the operation will be denied.
 
+### Applying the Policies
+
+The cluster admins can apply the policies using a dedicated Flux `Kustomization` that gets reconciled
+before the tenant's resources.
+
+Repository structure:
+
+```text
+├── clusters
+│   └── production
+│       ├── policies.yaml
+│       └── tenants.yaml
+├── policies
+│   ├── allowlist.yaml
+│   └── policies.yaml
+└── tenants
+    ├── team1
+    └── team2
+```
+
+The tenant Flux `Kustomization` depend on the policies:
+
+```yaml
+apiVersion: kustomize.toolkit.fluxcd.io/v1
+kind: Kustomization
+metadata:
+  name: tenants
+  namespace: flux-system
+spec:
+  dependsOn:
+    - name: policies
+```
+
 ### Testing the Policy
 
-If a tenant adds an `OCIRepository` manifest to their repository that tries to
+If a tenant adds an `HelmRepository` manifest to their repository that tries to
 pull Helm charts from a registry that is not in the allow list, for example:
 
 ```yaml
-apiVersion: source.toolkit.fluxcd.io/v1beta2
-kind: OCIRepository
+apiVersion: source.toolkit.fluxcd.io/v1
+kind: HelmRepository
 metadata:
   name: podinfo
   namespace: apps
 spec:
-  interval: 10m
-  url: oci://ghcr.io/stefanprodan/charts/podinfo
-  ref:
-    tag: 6.x
+  type: oci
+  url: oci://ghcr.io/stefanprodan/charts/
 ```
 
-The admission controller will deny the creation of the `OCIRepository` and the tenant will receive
+The admission controller will deny the creation of the `HelmRepository` and the tenant will receive
 an alert from Flux about the policy violation:
 
 ```
-The ocirepositories "podinfo" is invalid:
+The helmrepository "podinfo" is invalid:
 ValidatingAdmissionPolicy 'source.policy.fluxcd.controlplane.io' with binding 'tenant-sources' denied request:
-Source oci://ghcr.io/stefanprodan/charts/podinfo is not allowed, must be one of oci://ghcr.io/controlplaneio-fluxcd/charts/, https://github.com/controlplaneio-fluxcd/, ssh://git@github.com/controlplaneio-fluxcd/
+Source oci://ghcr.io/stefanprodan/charts/ is not allowed, must be one of oci://ghcr.io/controlplaneio-fluxcd/charts/, https://github.com/controlplaneio-fluxcd/, ssh://git@github.com/controlplaneio-fluxcd/
 ```
 
 ## Restricting Access to Container Registries
@@ -153,7 +184,8 @@ data:
   registries: >-
     ghcr.io/controlplaneio-fluxcd/
     709825985650.dkr.ecr.us-east-1.amazonaws.com/controlplane/
-  sources: "omitted for brevity"
+  sources: >-
+    omitted for brevity
 ```
 
 Next, the cluster admins need to define a `ValidatingAdmissionPolicy` resource that