From caf813f818e1c3b30d8184024d8a333e918341b4 Mon Sep 17 00:00:00 2001 From: Torin Sandall Date: Tue, 13 Jun 2017 08:06:03 -0700 Subject: [PATCH 1/5] Add task for setting up placement policies --- _data/tasks.yml | 1 + .../federation/Policy-Engine-Deployment.yaml | 34 ++++ .../federation/Policy-Engine-Service.yaml | 14 ++ docs/tasks/federation/Policy.rego | 32 ++++ .../federation/ReplicaSet-Example-Policy.yaml | 21 +++ .../Scheduling-Policy-Admission.yaml | 29 ++++ .../set-up-placement-policies-federation.md | 160 ++++++++++++++++++ 7 files changed, 291 insertions(+) create mode 100644 docs/tasks/federation/Policy-Engine-Deployment.yaml create mode 100644 docs/tasks/federation/Policy-Engine-Service.yaml create mode 100644 docs/tasks/federation/Policy.rego create mode 100644 docs/tasks/federation/ReplicaSet-Example-Policy.yaml create mode 100644 docs/tasks/federation/Scheduling-Policy-Admission.yaml create mode 100644 docs/tasks/federation/set-up-placement-policies-federation.md diff --git a/_data/tasks.yml b/_data/tasks.yml index 46b84cb140640..32b9be06babef 100644 --- a/_data/tasks.yml +++ b/_data/tasks.yml @@ -135,6 +135,7 @@ toc: - docs/tasks/federation/federation-service-discovery.md - docs/tasks/federation/set-up-cluster-federation-kubefed.md - docs/tasks/federation/set-up-coredns-provider-federation.md + - docs/tasks/federation/set-up-placement-policies-federation.md - docs/tasks/administer-federation/cluster.md - docs/tasks/administer-federation/configmap.md - docs/tasks/administer-federation/daemonset.md diff --git a/docs/tasks/federation/Policy-Engine-Deployment.yaml b/docs/tasks/federation/Policy-Engine-Deployment.yaml new file mode 100644 index 0000000000000..d6cb50c50d01f --- /dev/null +++ b/docs/tasks/federation/Policy-Engine-Deployment.yaml 
@@ -0,0 +1,34 @@
+apiVersion: extensions/v1beta1
+kind: Deployment
+metadata:
+ labels:
+ app: opa
+ name: opa
+ namespace: federation-system
+spec:
+ replicas: 1
+ template:
+ metadata:
+ labels:
+ app: opa
+ name: opa
+ spec:
+ containers:
+ - name: opa
+ image: openpolicyagent/opa:0.4.10
+ args:
+ - "run"
+ - "--server"
+ - name: kube-mgmt
+ image: openpolicyagent/kube-mgmt:0.1
+ args:
+ - "-kubeconfig=/srv/kubernetes/kubeconfig"
+ - "-cluster=federation/v1beta1/clusters"
+ volumeMounts:
+ - name: federation-kubeconfig
+ mountPath: /srv/kubernetes
+ readOnly: true
+ volumes:
+ - name: federation-kubeconfig
+ secret:
+ secretName: federation-controller-manager-kubeconfig
diff --git a/docs/tasks/federation/Policy-Engine-Service.yaml b/docs/tasks/federation/Policy-Engine-Service.yaml
new file mode 100644
index 0000000000000..30d550ebf4e0f
--- /dev/null
+++ b/docs/tasks/federation/Policy-Engine-Service.yaml
@@ -0,0 +1,14 @@
+kind: Service
+apiVersion: v1
+metadata:
+ name: opa
+ namespace: federation-system
+spec:
+ selector:
+ app: opa
+ ports:
+ - name: http
+ protocol: TCP
+ port: 8181
+ targetPort: 8181
+ type: LoadBalancer
diff --git a/docs/tasks/federation/Policy.rego b/docs/tasks/federation/Policy.rego
new file mode 100644
index 0000000000000..9838bbf05e7f4
--- /dev/null
+++ b/docs/tasks/federation/Policy.rego
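Review bot: The `opa` container in Policy-Engine-Deployment.yaml is started with only `run` and `--server`, so the API that decides placement is served without TLS, authentication or authorization to anything that can reach port 8181. If the pinned 0.4.10 image supports OPA's `--authentication=token` and `--authorization=basic` options and the `--tls-cert-file`/`--tls-private-key-file` pair, I would add them to `args`; otherwise the manifest needs a comment stating that access to the port must be restricted at the network level. The `kube-mgmt` sidecar also mounts `federation-controller-manager-kubeconfig`, which presumably carries the controller manager's full credentials. A dedicated kubeconfig limited to reading clusters and the policy ConfigMaps would contain a compromise of the sidecar.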
@@ -0,0 +1,32 @@
+package kubernetes.placement
+
+import data.kubernetes.clusters
+
+annotations["federation.kubernetes.io/replica-set-preferences"] = preferences {
+ input.kind = "ReplicaSet"
+ preferences = replica_set_preferences
+}
+
+replica_set_clusters[cluster_name] {
+ clusters[cluster_name]
+ not insufficient_pci[cluster_name]
+}
+
+insufficient_pci[cluster_name] {
+ clusters[cluster_name]
+ input.metadata.annotations["requires-pci"] = "true"
+ not pci_clusters[cluster_name]
+}
+
+pci_clusters[cluster_name] {
+ clusters[cluster_name].metadata.annotations["pci-certified"] = "true"
+}
+
+replica_set_preferences = serialized {
+ value = {"clusters": cluster_map, "rebalance": true}
+ json.marshal(value, serialized)
+}
+
+cluster_map[cluster_name] = {"weight": 1} {
+ replica_set_clusters[cluster_name]
+}
diff --git a/docs/tasks/federation/ReplicaSet-Example-Policy.yaml b/docs/tasks/federation/ReplicaSet-Example-Policy.yaml
new file mode 100644
index 0000000000000..03b09d73f5cf8
--- /dev/null
+++ b/docs/tasks/federation/ReplicaSet-Example-Policy.yaml
@@ -0,0 +1,21 @@
+apiVersion: extensions/v1beta1
+kind: ReplicaSet
+metadata:
+ labels:
+ app: nginx-pci
+ name: nginx-pci
+ annotations:
+ requires-pci: "true"
+spec:
+ replicas: 3
+ selector:
+ matchLabels:
+ app: nginx-pci
+ template:
+ metadata:
+ labels:
+ app: nginx-pci
+ spec:
+ containers:
+ - image: nginx
+ name: nginx-pci
diff --git a/docs/tasks/federation/Scheduling-Policy-Admission.yaml b/docs/tasks/federation/Scheduling-Policy-Admission.yaml
new file mode 100644
index 0000000000000..a164722425555
--- /dev/null
+++ b/docs/tasks/federation/Scheduling-Policy-Admission.yaml
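Review bot: `insufficient_pci` in Policy.rego excludes non-certified clusters only when the incoming resource itself carries `requires-pci: "true"`, so the constraint is opt-in by whoever writes the manifest, and a ReplicaSet that omits the annotation is spread across every cluster. That is fine as a convenience interface but it is not an enforcement control, and nothing in the file says so; the same rule is carried over unchanged into `policy.rego` later in this series. I would add a comment above the rule such as `# Opt-in only: workloads without requires-pci are not restricted; key on namespace or another admin-controlled attribute if PCI placement is mandatory.` Likewise `pci_clusters` trusts the `pci-certified` cluster annotation, so write access to Cluster objects should be limited to administrators.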
@@ -0,0 +1,29 @@
+apiVersion: v1
+kind: ConfigMap
+metadata:
+ name: admission
+ namespace: federation-system
+data:
+ config.yml: |
+ apiVersion: apiserver.k8s.io/v1alpha1
+ kind: AdmissionConfiguration
+ plugins:
+ - name: SchedulingPolicy
+ path: /etc/kubernetes/admission/scheduling-policy-config.yml
+ scheduling-policy-config.yml: |
+ kubeconfig: /etc/kubernetes/admission/opa-kubeconfig
+ opa-kubeconfig: |
+ clusters:
+ - name: opa-api
+ cluster:
+ server: http://opa.federation-system.svc.cluster.local:8181/v0/data/kubernetes/placement
+ users:
+ - name: scheduling-policy
+ user:
+ token: deadbeefsecret
+ contexts:
+ - name: default
+ context:
+ cluster: opa-api
+ user: scheduling-policy
+ current-context: default
diff --git a/docs/tasks/federation/set-up-placement-policies-federation.md b/docs/tasks/federation/set-up-placement-policies-federation.md
new file mode 100644
index 0000000000000..48c1857c09b49
--- /dev/null
+++ b/docs/tasks/federation/set-up-placement-policies-federation.md
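Review bot: The `opa-kubeconfig` entry stores a bearer token (`token: deadbeefsecret`) in a ConfigMap and points `server:` at an `http://` URL, so the credential is readable by anyone who can read ConfigMaps in `federation-system` and travels unencrypted along with the placement decisions it is meant to protect. I would move the kubeconfig into a Secret mounted at its own path, point `kubeconfig:` in `scheduling-policy-config.yml` at that path, and use an `https://` server URL with a `certificate-authority` entry. At minimum the sample should carry a comment like `# placeholder - generate a random token and keep it in a Secret`, since example manifests tend to be applied verbatim. Judging by the OPA Deployment in this same patch, nothing on the OPA side appears to check the token, so it gives no protection as shipped.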
@@ -0,0 +1,160 @@ +--- +title: Set up placement policies in Federation +redirect_from: +- "/docs/tutorials/federation/set-up-placement-policies-federation/" +- "/docs/tutorials/federation/set-up-placement-policies-federation.html" +--- + +{% capture overview %} + +This page shows you can enforce policy-based placement decisions over Federated +resources using an external policy engine. + +{% endcapture %} + + +{% capture objectives %} + +* Deploying Federation and configuring an exteranl policy engine +* Deploying an external policy engine +* Configuring placement policies with ConfigMaps +* Testing placement policies + +{% endcapture %} + + +{% capture prerequisites %} + +You need to have a running Kubernetes cluster (which is referenced as host +cluster). Please see one of the [getting started](/docs/getting-started-guides/) +guides for installation instructions for your platform. + +{% endcapture %} + + +{% capture lessoncontent %} + +## Deploying Federation and configuring an external policy engine + +The Federation control plane can be deployed using `kubefed init`. + +After deploying the Federation control plane, you must configure an Admission +Controller in the Federation API server that enforces placement decisions +received from the external policy engine. + + kubectl create -f Scheduling-Policy-Admission.yaml + +Shown below is an example ConfigMap for the Admission Controller: + +{% include code.html language="yaml" file="Scheduling-Policy-Admission.yaml" +ghlink="/docs/tutorials/federation/Scheduling-Policy-Admission.yaml" %} + +The ConfigMap contains three files: + +* `config.yml` specifies the location of the `SchedulingPolicy` Admission + Controller config file. +* `scheduling-policy-config.yml` specifies the location of the kubeconfig file + required to contact the external policy engine. This file can also include a + `retryBackoff` value that controls the initial retry backoff delay in + milliseconds. 
+* `opa-kubeconfig` is a standard kubeconfig containing the URL and credentials + needed to contact the external policy engine. + +Edit the Federation API server deployment to enable the `SchedulingPolicy` +Admission Controller. + + kubectl -n federation-system edit deployment federation-apiserver + +Update the Federation API server command line arguments to enable the Admission +Controller and mount the ConfigMap into the container. If there's an existing +`--admission-control` flag, append `,SchedulingPolicy` instead of adding +another line. + + --admission-control=SchedulingPolicy + --admission-control-config-file=/etc/kubernetes/admission/config.yml + +Add the following volume to the Federation API server pod: + + - name: admission-config + configMap: + name: admission + +Add the following volume mount the Federation API server `apiserver` container: + + volumeMounts: + - name: admission-config + mountPath: /etc/kubernetes/admission + +## Deploying an external policy engine + +The [Open Policy Agent (OPA)](http://openpolicyagent.org) is an open source, +general-purpose policy engine that you can use to enforce policy-based placement +decisions in the Federation control plane. + +Create a Service in the host cluster to contact the external policy engine: + + kubectl create -f Policy-Engine-Service.yaml + +Shown below is an example Service for OPA. + +{% include code.html language="yaml" file="Policy-Engine-Service.yaml" +ghlink="/docs/tutorials/federation/Policy-Engine-Service.yaml" %} + +Create a Deployment in the host cluster with the Federation control plane: + + kubectl create -f Policy-Engine-Deployment.yaml + +Shown below is an example Deployment for OPA. 
+ +{% include code.html language="yaml" file="Policy-Engine-Deployment.yaml" +ghlink="/docs/tutorials/federation/Policy-Engine-Deployment.yaml" %} + +## Configuring placement policies via ConfigMaps + +The external policy engine will discover placement policies created in the +`kube-federation-scheduling-policy` namespace in the Federation API server. + +Create the namespace if it does not already exist: + + kubectl --context=federation create namespace kube-federation-scheduling-policy + +Configure a sample policy to test the external policy engine: + +{% include code.html language="yaml" file="Policy.rego" +ghlink="/docs/tutorials/federation/Policy.rego" %} + +Shown below is the command to create the sample policy: + + kubectl --context=federation -n kube-federation-scheduling-policy create configmap scheduling-policy --from-file=Policy.rego + +This sample policy illustrates a few key ideas: + +* Placement policies can refer to any field in Federated resources. +* Placement policies can leverage external context (for example, Cluster + metadata) to make decisions. +* Administrative policy can be managed centrally. +* Policies can define simple interfaces (such as the `requires-pci` annotation) to + avoid duplicating logic in manifests. + +## Testing placement policies + +Annotate one of the clusters to indicate that it is PCI certified. + + kubectl --context=federation annotate clusters cluster-name-1 pci-certified=true + +Deploy a Federated ReplicaSet to test the placement policy. + +{% include code.html language="yaml" file="ReplicaSet-Example-Policy.yaml" +ghlink="/docs/tutorials/federation/ReplicaSet-Example-Policy.yaml" %} + +Shown below is the command to deploy a ReplicaSet that *does* match the policy. 
+ + kubectl --context=federation create -f ReplicaSet-Example-Policy.yaml + +Inspect the ReplicaSet to confirm the appropriate annotations have been applied: + + kubectl --context=federation get rs nginx-pci -o jsonpath='{.metadata.annotations}' + +{% endcapture %} + +{% include templates/tutorial.md %} From c1007246e6235a3f1737a0b12f4749fce851490a Mon Sep 17 00:00:00 2001 From: Torin Sandall Date: Wed, 14 Jun 2017 11:58:07 -0700 Subject: [PATCH 2/5] Update version of management sidecar in policy engine deployment --- docs/tasks/federation/Policy-Engine-Deployment.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/docs/tasks/federation/Policy-Engine-Deployment.yaml b/docs/tasks/federation/Policy-Engine-Deployment.yaml index d6cb50c50d01f..a08dd79d8139a 100644 --- a/docs/tasks/federation/Policy-Engine-Deployment.yaml +++ b/docs/tasks/federation/Policy-Engine-Deployment.yaml @@ -20,7 +20,7 @@ spec: - "run" - "--server" - name: kube-mgmt - image: openpolicyagent/kube-mgmt:0.1 + image: openpolicyagent/kube-mgmt:0.2 args: - "-kubeconfig=/srv/kubernetes/kubeconfig" - "-cluster=federation/v1beta1/clusters" From 55cab44f8360e126c83596a2614c79f7d68edf95 Mon Sep 17 00:00:00 2001 
From: Torin Sandall Date: Thu, 15 Jun 2017 08:08:44 -0700 Subject: [PATCH 3/5] Address @nikhiljindal's comments - Lower case filenames - Comments in policy - Typo fixes - Removed type LoadBalancer from OPA Service --- docs/tasks/federation/Policy.rego | 32 ---------- ...ent.yaml => policy-engine-deployment.yaml} | 0 ...ervice.yaml => policy-engine-service.yaml} | 3 +- docs/tasks/federation/policy.rego | 58 +++++++++++++++++++ ...cy.yaml => replicaset-example-policy.yaml} | 0 ....yaml => scheduling-policy-admission.yaml} | 0 .../set-up-placement-policies-federation.md | 32 +++++----- 7 files changed, 75 insertions(+), 50 deletions(-) delete mode 100644 docs/tasks/federation/Policy.rego rename docs/tasks/federation/{Policy-Engine-Deployment.yaml => policy-engine-deployment.yaml} (100%) rename docs/tasks/federation/{Policy-Engine-Service.yaml => policy-engine-service.yaml} (80%) create mode 100644 docs/tasks/federation/policy.rego rename docs/tasks/federation/{ReplicaSet-Example-Policy.yaml => replicaset-example-policy.yaml} (100%) rename docs/tasks/federation/{Scheduling-Policy-Admission.yaml => scheduling-policy-admission.yaml} (100%) diff --git a/docs/tasks/federation/Policy.rego b/docs/tasks/federation/Policy.rego deleted file mode 100644 index 9838bbf05e7f4..0000000000000 --- a/docs/tasks/federation/Policy.rego +++ /dev/null 
@@ -1,32 +0,0 @@ -package kubernetes.placement - -import data.kubernetes.clusters - -annotations["federation.kubernetes.io/replica-set-preferences"] = preferences { - input.kind = "ReplicaSet" - preferences = replica_set_preferences -} - -replica_set_clusters[cluster_name] { - clusters[cluster_name] - not insufficient_pci[cluster_name] -} - -insufficient_pci[cluster_name] { - clusters[cluster_name] - input.metadata.annotations["requires-pci"] = "true" - not pci_clusters[cluster_name] -} - -pci_clusters[cluster_name] { - clusters[cluster_name].metadata.annotations["pci-certified"] = "true" -} - -replica_set_preferences = serialized { - value = {"clusters": cluster_map, "rebalance": true} - json.marshal(value, serialized) -} - -cluster_map[cluster_name] = {"weight": 1} { - replica_set_clusters[cluster_name] -} diff --git a/docs/tasks/federation/Policy-Engine-Deployment.yaml b/docs/tasks/federation/policy-engine-deployment.yaml similarity index 100% rename from docs/tasks/federation/Policy-Engine-Deployment.yaml rename to docs/tasks/federation/policy-engine-deployment.yaml diff --git a/docs/tasks/federation/Policy-Engine-Service.yaml b/docs/tasks/federation/policy-engine-service.yaml similarity index 80% rename from docs/tasks/federation/Policy-Engine-Service.yaml rename to docs/tasks/federation/policy-engine-service.yaml index 30d550ebf4e0f..287a972d64ee8 100644 --- a/docs/tasks/federation/Policy-Engine-Service.yaml +++ b/docs/tasks/federation/policy-engine-service.yaml @@ -10,5 +10,4 @@ spec: - name: http protocol: TCP port: 8181 - targetPort: 8181 - type: LoadBalancer + targetPort: 8181 \ No newline at end of file diff --git a/docs/tasks/federation/policy.rego b/docs/tasks/federation/policy.rego new file mode 100644 index 0000000000000..88e56d625a308 --- /dev/null +++ b/docs/tasks/federation/policy.rego 
@@ -0,0 +1,58 @@ +# OPA supports a high-level declarative language named Rego for authoring and +# enforcing policies. For more infomration on Rego, visit +# http://openpolicyagent.org. + +# Rego policies are namespaced by the "package" directive. +package kubernetes.placement + +# Imports provide aliases for data inside the policy engine. In this case, the +# policy simply refers to "clusters" below. +import data.kubernetes.clusters + +# The "annotations" rule generates a JSON object containing the key +# "federation.kubernetes.io/replica-set-preferences" mapped to . +# The preferences values is generated dynamically by OPA when it evaluates the +# rule. +# +# The SchedulingPolicy Admission Controller running inside the Federation API +# server will merge these annotatiosn into incoming Federated resources. By +# setting replica-set-preferences, we can control the placement of Federated +# ReplicaSets. +# +# Rules are defined to generate JSON values (booleans, strings, objects, etc.) +# When OPA evaluates a rule, it generates a value IF all of the expressions in +# the body evaluate successfully. All rules can be understood intuitively as +# if where is true if AND AND ... +# is true (for some set of data.) +annotations["federation.kubernetes.io/replica-set-preferences"] = preferences { + input.kind = "ReplicaSet" + value = {"clusters": cluster_map, "rebalance": true} + json.marshal(value, preferences) +} + +# Generates a set of cluster names that satisfy the incoming Federated +# ReplicaSet's requirements. In this case, just PCI compliance. +replica_set_clusters[cluster_name] { + clusters[cluster_name] + not insufficient_pci[cluster_name] +} + +# Generates a set of clusters that must not be used for Federated ReplicaSets +# that request PCI compliance. +insufficient_pci[cluster_name] { + clusters[cluster_name] + input.metadata.annotations["requires-pci"] = "true" + not pci_clusters[cluster_name] +} + +# Generates a set of clusters that are PCI certified. 
In this case, we assume +# clusters are annotated to indicate if they have passed PCI compliance audits. +pci_clusters[cluster_name] { + clusters[cluster_name].metadata.annotations["pci-certified"] = "true" +} + +# Helper rule to generate a mapping of desired clusters to weights. In this +# case, weights are static. +cluster_map[cluster_name] = {"weight": 1} { + replica_set_clusters[cluster_name] +} diff --git a/docs/tasks/federation/ReplicaSet-Example-Policy.yaml b/docs/tasks/federation/replicaset-example-policy.yaml similarity index 100% rename from docs/tasks/federation/ReplicaSet-Example-Policy.yaml rename to docs/tasks/federation/replicaset-example-policy.yaml diff --git a/docs/tasks/federation/Scheduling-Policy-Admission.yaml b/docs/tasks/federation/scheduling-policy-admission.yaml similarity index 100% rename from docs/tasks/federation/Scheduling-Policy-Admission.yaml rename to docs/tasks/federation/scheduling-policy-admission.yaml diff --git a/docs/tasks/federation/set-up-placement-policies-federation.md b/docs/tasks/federation/set-up-placement-policies-federation.md index 48c1857c09b49..9eca495b405a3 100644 --- a/docs/tasks/federation/set-up-placement-policies-federation.md +++ b/docs/tasks/federation/set-up-placement-policies-federation.md @@ -15,7 +15,7 @@ resources using an external policy engine. {% capture objectives %} -* Deploying Federation and configuring an exteranl policy engine +* Deploying Federation and configuring an external policy engine * Deploying an external policy engine * Configuring placement policies with ConfigMaps * Testing placement policies 
@@ -42,12 +42,12 @@ After deploying the Federation control plane, you must configure an Admission Controller in the Federation API server that enforces placement decisions received from the external policy engine. - kubectl create -f Scheduling-Policy-Admission.yaml + kubectl create -f scheduling-policy-admission.yaml Shown below is an example ConfigMap for the Admission Controller: -{% include code.html language="yaml" file="Scheduling-Policy-Admission.yaml" -ghlink="/docs/tutorials/federation/Scheduling-Policy-Admission.yaml" %} +{% include code.html language="yaml" file="scheduling-policy-admission.yaml" +ghlink="/docs/tutorials/federation/scheduling-policy-admission.yaml" %} The ConfigMap contains three files: @@ -93,21 +93,21 @@ decisions in the Federation control plane. Create a Service in the host cluster to contact the external policy engine: - kubectl create -f Policy-Engine-Service.yaml + kubectl create -f policy-engine-service.yaml Shown below is an example Service for OPA. -{% include code.html language="yaml" file="Policy-Engine-Service.yaml" -ghlink="/docs/tutorials/federation/Policy-Engine-Service.yaml" %} +{% include code.html language="yaml" file="policy-engine-service.yaml" +ghlink="/docs/tutorials/federation/policy-engine-service.yaml" %} Create a Deployment in the host cluster with the Federation control plane: - kubectl create -f Policy-Engine-Deployment.yaml + kubectl create -f policy-engine-deployment.yaml Shown below is an example Deployment for OPA. -{% include code.html language="yaml" file="Policy-Engine-Deployment.yaml" -ghlink="/docs/tutorials/federation/Policy-Engine-Deployment.yaml" %} +{% include code.html language="yaml" file="policy-engine-deployment.yaml" +ghlink="/docs/tutorials/federation/policy-engine-deployment.yaml" %} ## Configuring placement policies via ConfigMaps 
@@ -120,12 +120,12 @@ Create the namespace if it does not already exist: Configure a sample policy to test the external policy engine: -{% include code.html language="yaml" file="Policy.rego" -ghlink="/docs/tutorials/federation/Policy.rego" %} +{% include code.html language="yaml" file="policy.rego" +ghlink="/docs/tutorials/federation/policy.rego" %} Shown below is the command to create the sample policy: - kubectl --context=federation -n kube-federation-scheduling-policy create configmap scheduling-policy --from-file=Policy.rego + kubectl --context=federation -n kube-federation-scheduling-policy create configmap scheduling-policy --from-file=policy.rego This sample policy illustrates a few key ideas: @@ -144,12 +144,12 @@ Annotate one of the clusters to indicate that it is PCI certified. Deploy a Federated ReplicaSet to test the placement policy. -{% include code.html language="yaml" file="ReplicaSet-Example-Policy.yaml" -ghlink="/docs/tutorials/federation/ReplicaSet-Example-Policy.yaml" %} +{% include code.html language="yaml" file="replicaset-example-policy.yaml" +ghlink="/docs/tutorials/federation/replicaset-example-policy.yaml" %} Shown below is the command to deploy a ReplicaSet that *does* match the policy. - kubectl --context=federation create -f ReplicaSet-Example-Policy.yaml + kubectl --context=federation create -f replicaset-example-policy.yaml Inspect the ReplicaSet to confirm the appropriate annotations have been applied: From d966a3090ff8ca294b2fc758fef9729491a9b7d5 Mon Sep 17 00:00:00 2001 From: Torin Sandall Date: Tue, 20 Jun 2017 09:55:36 +0800 Subject: [PATCH 4/5] Add example that sets cluster selector Per-@nikhiljindal's suggestion --- docs/tasks/federation/policy.rego | 16 ++++++++++++++++ 1 file changed, 16 insertions(+) diff --git a/docs/tasks/federation/policy.rego b/docs/tasks/federation/policy.rego index 88e56d625a308..09ff0dc5c4407 100644 --- a/docs/tasks/federation/policy.rego +++ b/docs/tasks/federation/policy.rego 
@@ -30,6 +30,22 @@ annotations["federation.kubernetes.io/replica-set-preferences"] = preferences { json.marshal(value, preferences) } +# This "annotations" rule generates a value for the "federation.alpha.kubernetes.io/cluster-selector" +# annotation. +# +# In English, the policy asserts that resources in the "production" namespace +# that are not annotated with "criticality=low" MUST be placed on clusters +# labelled with "on-premise=true". +annotations["federation.alpha.kubernetes.io/cluster-selector"] = selector { + input.metadata.namespace = "production" + not input.metadata.annotations.criticality = "low" + json.marshal([{ + "operator": "=", + "key": "on-premise", + "values": "[true]", + }], selector) +} + # Generates a set of cluster names that satisfy the incoming Federated # ReplicaSet's requirements. In this case, just PCI compliance. replica_set_clusters[cluster_name] { From d03e9c196d44dbb3b72d45d25f85a046bf0a537c Mon Sep 17 00:00:00 2001 From: Torin Sandall Date: Fri, 23 Jun 2017 08:55:44 -0700 Subject: [PATCH 5/5] Fix wording and templating per @chenopis --- .../set-up-placement-policies-federation.md | 18 +++--------------- 1 file changed, 3 insertions(+), 15 deletions(-) diff --git a/docs/tasks/federation/set-up-placement-policies-federation.md b/docs/tasks/federation/set-up-placement-policies-federation.md index 9eca495b405a3..eb69e9f8d3890 100644 --- a/docs/tasks/federation/set-up-placement-policies-federation.md +++ b/docs/tasks/federation/set-up-placement-policies-federation.md 
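Review bot: The exemption in the new cluster-selector rule, `not input.metadata.annotations.criticality = "low"`, is decided by an annotation on the submitted resource, so anyone allowed to create objects in `production` can drop the on-premise constraint by annotating their own workload as low criticality. That contradicts the MUST in the comment above the rule. If the placement is meant to be mandatory, the exemption should key off something the submitter does not control, or the comment should say `# Note: criticality is set by the resource author; this is a default, not an enforcement boundary.` Separately, `"values": "[true]"` marshals a string rather than a list of strings. Please confirm that is the shape the cluster-selector annotation parser expects, because a selector that fails to parse may leave the constraint unapplied.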
@@ -7,22 +7,11 @@ redirect_from: {% capture overview %} -This page shows you can enforce policy-based placement decisions over Federated +This page shows how to policy-based placement decisions over Federated resources using an external policy engine. {% endcapture %} - -{% capture objectives %} - -* Deploying Federation and configuring an external policy engine -* Deploying an external policy engine -* Configuring placement policies with ConfigMaps -* Testing placement policies - -{% endcapture %} - - {% capture prerequisites %} You need to have a running Kubernetes cluster (which is referenced as host @@ -31,8 +20,7 @@ guides for installation instructions for your platform. {% endcapture %} - -{% capture lessoncontent %} +{% capture steps %} ## Deploying Federation and configuring an external policy engine @@ -157,4 +145,4 @@ Inspect the ReplicaSet to confirm the appropriate annotations have been applied: {% endcapture %} -{% include templates/tutorial.md %} +{% include templates/task.md %}