The governance policy propagator is a controller that watches Policies, PlacementBindings, and PlacementRules. It manages replicated Policies in cluster namespaces based on the PlacementBindings and PlacementRules, and it updates the status on Policies to show aggregated cluster compliance results. This controller is a part of the governance-policy-framework.

The operator watches for changes to trigger a reconcile:

1. Changes to Policies in non-cluster namespaces trigger a self reconcile.
2. Changes to Policies in cluster namespaces trigger a root Policy reconcile.
3. Changes to PlacementBindings trigger reconciles on the subject Policies.
4. Changes to PlacementRules trigger reconciles on subject Policies.

Every reconcile does the following:

1. Creates/updates/deletes replicated policies in cluster namespaces based on PlacementBinding/PlacementRule results.
2. Creates/updates/deletes the policy status to show aggregated cluster compliance results.

Go to the Contributing guide to learn how to get involved.

Check the Security guide if you need to report a security issue.

The YAML files in the deploy directory are autogenerated by Kubebuilder and Kustomize. After code changes that affect the YAML files, the YAML files can be regenerated with make generate-operator-yaml.

You will need kind installed.

1. Create the Kind cluster

   make kind-bootstrap-cluster-dev

2. Start the propagator:
   • Run in a pod on the cluster:

     make build-images
     make kind-deploy-controller-dev

   • Run locally:

     make run

make test-dependencies
make test

make e2e-dependencies
make e2e-test

make kind-delete-cluster

Some of the deployment resources are generated by kubebuilder - the crds are generated into ./deploy/crds and the rbac details from kubebuilder comments are compiled into ./deploy/rbac/role.yaml. Other details are managed independently - in particular, the details in ./deploy/manager/manager.yaml. When any of those details need to be changed, the main deployment yaml ./deploy/operator.yaml must be regenerated through the make generate-operator-yaml target. The ./deploy/operator.yaml SHOULD NOT be manually updated.

The following environment variables can be set to configure the controller:

• CONTROLLER_CONFIG_CONCURRENCY_PER_POLICY - The maximum number of placement decisions that can be processed concurrently per policy. This defaults to 5.
• CONTROLLER_CONFIG_REQUEUE_ERROR_DELAY - The number of minutes to delay before retrying to process a reconcile event after one or more placement decisions failed to be processed. This is not a blocking delay. This defaults to 5.
• CONTROLLER_CONFIG_RETRY_ATTEMPTS - The number of times to retry a failed Kubernetes API call when processing a placement decision. This defaults to 3.

• The governance-policy-propagator is part of the open-cluster-management community. For more information, visit: open-cluster-management.io.