There is only one default compliance package currently shipped with Kore. Additional compliance packages will be added to Kore in future releases.
Compliance packages address two main concerns:
- The raw functionality of Kore's policy engine is powerful but comes with a learning curve. As a team administrator, you shouldn't have to make complex decisions about how to implement secure policies. Instead, best practice should be provided by default.
- Compliance packages can bundle a host of additional features such as OPA policies around in-cluster resources, team behaviour, and roles.
A compliance package encompasses a collection of resources:
- One or more team roles—an opinionated categorization of how team roles (developers, QA, viewers, etc.) should be laid out
- A collection of policy plans (roles) that provide templates of policies to be assigned or assumed (see What are policy plans?)
- A collection of direct policies allowing, for example, team members who have certain team roles to be able to assume certain assumable Policy Plans by default - such as allowing namespace.admin on development clusters for their team's namespaces
The policies and policy plans can provide permissions to Kore itself or to the Kore-managed clusters the team owns.
To view the currently installed packages:

```
kore get compliance
```
If no additional packages were installed, you should only see the default and system embedded ones:

```
$ kore get compliance
TYPE        PACKAGE  NAME                ENABLED  AGE
PolicyPlan  default  cluster.admin       true     12h
PolicyPlan  default  clusters.defaults   true     12h
PolicyPlan  default  kore.admin          true     12h
PolicyPlan  default  kore.build          true     12h
PolicyPlan  default  kore.deployment     true     12h
PolicyPlan  default  kore.viewer         true     12h
PolicyPlan  default  member.defaults     true     12h
PolicyPlan  default  namespace.admin     true     12h
PolicyPlan  default  robot.defaults      true     12h
PolicyPlan  default  robots.network      true     12h
Policy      default  assignment.members  true     12h
Policy      system   assume.admin        true     12h
Policy      default  assume.members      true     12h
```
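The listing above can serve as a baseline for spotting drift in what governs team permissions. The following is an added example, not part of Kore or its documentation: a shell function that reads saved `kore get compliance` output on stdin and reports rows from packages other than `default` and `system`, and rows that are not enabled. It assumes the five-column layout shown on this page; the function names, the `extra-pack` package and the disabled `kore.viewer` row are constructed for illustration.

```shell
#!/bin/sh
# Added example: baseline check over `kore get compliance` output.
# Assumes the columns shown on this page: TYPE PACKAGE NAME ENABLED AGE.

# Packages the page says a fresh install should show.
EXPECTED_PACKAGES="default system"

# Reads the listing on stdin and prints one finding per line:
#   UNEXPECTED_PACKAGE <type> <package> <name>
#   DISABLED <type> <package> <name>
#   MALFORMED <input line number>
compliance_drift() {
  awk -v expected="$EXPECTED_PACKAGES" '
    BEGIN { n = split(expected, e, " "); for (i = 1; i <= n; i++) ok[e[i]] = 1 }
    NF == 0 || $1 == "$" { next }              # blank line or echoed prompt
    $1 == "TYPE" && $2 == "PACKAGE" { next }   # header row
    NF != 5 { print "MALFORMED", NR; next }    # row does not match the layout
    !($2 in ok) { print "UNEXPECTED_PACKAGE", $1, $2, $3 }
    $4 != "true" { print "DISABLED", $1, $2, $3 }
  '
}

# Constructed sample: two rows as on the page, plus two made-up rows
# (a disabled default plan and a package named "extra-pack").
sample_listing() {
  cat <<'EOF'
$ kore get compliance
TYPE        PACKAGE     NAME             ENABLED  AGE
PolicyPlan  default     cluster.admin    true     12h
PolicyPlan  default     kore.viewer      false    12h
Policy      system      assume.admin     true     12h
Policy      extra-pack  assume.everyone  true     3m
EOF
}

# Stand-alone run: print the findings for the constructed sample.
sample_listing | compliance_drift
```

Against a live installation, pipe the command's output into the function instead of the sample: `kore get compliance | compliance_drift`. An empty result means the listing matches the baseline.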