TELCODOCS-2123 ACM PolicyGenerator recommendation

2026-02-05 12:46:18 +01:00 · 2025-05-02 17:07:35 +01:00
parent d8294f3380
commit cd3a6edce0
12 changed files with 67 additions and 41 deletions
--- a/edge_computing/cnf-talm-for-cluster-upgrades.adoc
+++ b/edge_computing/cnf-talm-for-cluster-upgrades.adoc
@@ -3,13 +3,15 @@
 = Updating managed clusters with the {cgu-operator-full}
 include::_attributes/common-attributes.adoc[]
 :context: cnf-topology-aware-lifecycle-manager
+:policy-gen-cr: PolicyGenerator

 toc::[]

 You can use the {cgu-operator-first} to manage the software lifecycle of multiple clusters. {cgu-operator} uses {rh-rhacm-first} policies to perform changes on the target clusters.

-:Featurename: Using PolicyGenerator resources with {ztp}
-include::snippets/technology-preview.adoc[]
+Using {rh-rhacm} and `{policy-gen-cr}` CRs is the recommended approach for managing policies and deploying them to managed clusters.
+This replaces the use of `PolicyGenTemplate` CRs for this purpose.
+For more information about `{policy-gen-cr}`resources, see the {rh-rhacm} link:https://docs.redhat.com/en/documentation/red_hat_advanced_cluster_management_for_kubernetes/{rh-rhacm-version}/html/governance/policy-deployment#integrate-policy-generator[Policy Generator] documentation.

 include::modules/cnf-about-topology-aware-lifecycle-manager-config.adoc[leveloffset=+1]

@@ -55,3 +57,5 @@ include::modules/cnf-topology-aware-lifecycle-manager-troubleshooting.adoc[level
 * xref:../edge_computing/policygenerator_for_ztp/ztp-talm-updating-managed-policies-pg.adoc#ztp-topology-aware-lifecycle-manager[Updating managed policies with {cgu-operator-full}]

 * xref:../edge_computing/policygenerator_for_ztp/ztp-configuring-managed-clusters-policygenerator.adoc#ztp-the-policygentemplate_ztp-configuring-managed-clusters-policygenerator[About the PolicyGenerator CRD]
+
+:!policy-gen-cr:
--- a/edge_computing/policygenerator_for_ztp/ztp-advanced-policygenerator-config.adoc
+++ b/edge_computing/policygenerator_for_ztp/ztp-advanced-policygenerator-config.adoc
@@ -7,18 +7,14 @@ include::_attributes/common-attributes.adoc[]
 :policy-prefix: acm-
 :rangen-yaml-path: policies.manifests
 :argocd-folder: out/argocd/example/acmpolicygenerator/
+:path-prefix: acmpolicygenerator

 toc::[]

 You can use `{policy-gen-cr}` CRs to deploy custom functionality in your managed clusters.
-
-:Featurename: Using PolicyGenerator resources with {ztp}
-include::snippets/technology-preview.adoc[]
-
-[NOTE]
-====
-For more information about `PolicyGenerator` resources, see the {rh-rhacm} link:https://docs.redhat.com/en/documentation/red_hat_advanced_cluster_management_for_kubernetes/{rh-rhacm-version}/html/governance/integrate-policy-generator#policy-generator[Policy Generator] documentation.
-====
+Using {rh-rhacm} and `{policy-gen-cr}` CRs is the recommended approach for managing policies and deploying them to managed clusters.
+This replaces the use of `PolicyGenTemplate` CRs for this purpose.
+For more information about `{policy-gen-cr}` resources, see the {rh-rhacm} link:https://docs.redhat.com/en/documentation/red_hat_advanced_cluster_management_for_kubernetes/{rh-rhacm-version}/html/governance/policy-deployment#integrate-policy-generator[Policy Generator] documentation.

 include::modules/ztp-deploying-additional-changes-to-clusters.adoc[leveloffset=+1]

@@ -103,3 +99,4 @@ include::modules/ztp-configuring-pgt-image-registry.adoc[leveloffset=+2]
 :!policy-prefix:
 :!rangen-yaml-path:
 :!argocd-folder:
+:!path-prefix:
--- a/edge_computing/policygenerator_for_ztp/ztp-configuring-managed-clusters-policygenerator.adoc
+++ b/edge_computing/policygenerator_for_ztp/ztp-configuring-managed-clusters-policygenerator.adoc
@@ -11,15 +11,12 @@ include::_attributes/common-attributes.adoc[]

 toc::[]

-Applied `Policy` custom resources (CRs) configure the managed clusters that you provision. You can customize how {rh-rhacm-first} uses `{policy-gen-cr}` CRs to generate the applied `Policy` CRs.
+You can customize how {rh-rhacm-first} uses `{policy-gen-cr}` CRs to generate `Policy` CRs that configure the managed clusters that you provision.

-:Featurename: Using PolicyGenerator resources with {ztp}
-include::snippets/technology-preview.adoc[]
+Using {rh-rhacm} and `{policy-gen-cr}` CRs is the recommended approach for managing policies and deploying them to managed clusters.
+This replaces the use of `PolicyGenTemplate` CRs for this purpose.
+For more information about `{policy-gen-cr}` resources, see the {rh-rhacm} link:https://docs.redhat.com/en/documentation/red_hat_advanced_cluster_management_for_kubernetes/{rh-rhacm-version}/html/governance/policy-deployment#integrate-policy-generator[Policy Generator] documentation.

-[NOTE]
-====
-For more information about `PolicyGenerator` resources, see the {rh-rhacm} link:https://docs.redhat.com/en/documentation/red_hat_advanced_cluster_management_for_kubernetes/{rh-rhacm-version}/html-single/governance/index#integrate-policy-generator[Integrating Policy Generator] documentation.
-====

 include::modules/ztp-comparing-pgt-and-rhacm-pg-patching-strategies.adoc[leveloffset=+1]

--- a/edge_computing/policygentemplate_for_ztp/ztp-advanced-policy-config.adoc
+++ b/edge_computing/policygentemplate_for_ztp/ztp-advanced-policy-config.adoc
@@ -7,10 +7,17 @@ include::_attributes/common-attributes.adoc[]
 :policy-prefix:
 :rangen-yaml-path: spec.sourceFiles
 :argocd-folder: out/argocd/example/policygentemplates/
+:path-prefix: policygentemplates

 toc::[]

 You can use `{policy-gen-cr}` CRs to deploy custom functionality in your managed clusters.
+[IMPORTANT]
+====
+Using {rh-rhacm} and `{policy-gen-cr}` CRs is the recommended approach for managing policies and deploying them to managed clusters.
+This replaces the use of `PolicyGenTemplate` CRs for this purpose.
+For more information about `{policy-gen-cr}` resources, see the {rh-rhacm} link:https://docs.redhat.com/en/documentation/red_hat_advanced_cluster_management_for_kubernetes/{rh-rhacm-version}/html/governance/policy-deployment#integrate-policy-generator[Policy Generator] documentation.
+====

 include::snippets/pgt-deprecation-notice.adoc[]

@@ -101,3 +108,4 @@ include::modules/ztp-configuring-pgt-image-registry.adoc[leveloffset=+2]
 :!policy-prefix:
 :!rangen-yaml-path:
 :!argocd-folder:
+:!path-prefix:
--- a/modules/cnf-about-topology-aware-lifecycle-manager-policies.adoc
+++ b/modules/cnf-about-topology-aware-lifecycle-manager-policies.adoc
@@ -14,6 +14,11 @@ Supported use cases include the following:
 * Manual user creation of policy CRs
 * Automatically generated policies from the `PolicyGenerator` or `PolicyGentemplate` custom resource definition (CRD)

+[NOTE]
+====
+Using the `PolicyGentemplate` CRD is the recommended method for automatic policy generation.
+====
+
 For policies that update an Operator subscription with manual approval, {cgu-operator} provides additional functionality that approves the installation of the updated Operator.

 For more information about managed policies, see link:https://access.redhat.com/documentation/en-us/red_hat_advanced_cluster_management_for_kubernetes/{rh-rhacm-version}/html-single/governance/index#policy-overview[Policy Overview] in the {rh-rhacm} documentation.
--- a/modules/cnf-topology-aware-lifecycle-manager-about-subscription-crs.adoc
+++ b/modules/cnf-topology-aware-lifecycle-manager-about-subscription-crs.adoc
@@ -23,9 +23,9 @@ metadata:
  annotations:
    ran.openshift.io/ztp-deploy-wave: "2"
 spec:
-  channel: "stable"
+  channel: "stable-6.2"
  name: cluster-logging
-  source: redhat-operators
+  source: redhat-operators-disconnected
  sourceNamespace: openshift-marketplace
  installPlanApproval: Manual
 status:
--- a/modules/cnf-topology-aware-lifecycle-manager-apply-policies.adoc
+++ b/modules/cnf-topology-aware-lifecycle-manager-apply-policies.adoc
@@ -370,5 +370,5 @@ $ oc get csv -n <operator_namespace>
 [source,terminal]
 ----
 NAME                    DISPLAY                     VERSION   REPLACES   PHASE
-cluster-logging.5.4.2   Red Hat OpenShift Logging   5.4.2                Succeeded
+cluster-logging.v6.2.1  Red Hat OpenShift Logging   6.2.1                Succeeded
 ----
--- a/modules/ztp-configuring-cluster-policies.adoc
+++ b/modules/ztp-configuring-cluster-policies.adoc
@@ -4,11 +4,11 @@

 :_mod-docs-content-type: CONCEPT
 [id="ztp-configuring-cluster-policies_{context}"]
-= Configuring managed clusters with policies and PolicyGenTemplate resources
+= Configuring managed clusters with policies and {policy-gen-cr} resources

 {ztp-first} uses {rh-rhacm-first} to configure clusters by using a policy-based governance approach to applying the configuration.

-The policy generator or `PolicyGen` is a plugin for the GitOps Operator that enables the creation of {rh-rhacm} policies from a concise template. The tool can combine multiple CRs into a single policy, and you can generate multiple policies that apply to various subsets of clusters in your fleet.
+The policy generator is a plugin for the GitOps Operator that enables the creation of {rh-rhacm} policies from a concise template. The tool can combine multiple CRs into a single policy, and you can generate multiple policies that apply to various subsets of clusters in your fleet.

 [NOTE]
 ====
@@ -35,7 +35,7 @@ The following recommended structuring of policies combines configuration CRs to

 * Support flexibility in common configurations for cluster variants.

-.Recommended PolicyGenTemplate policy categories
+.Recommended {policy-gen-cr} policy categories
 [cols="1,5", width="100%", options="header"]
 |====
 |Policy category
--- a/modules/ztp-enabling-workload-partitioning-sno.adoc
+++ b/modules/ztp-enabling-workload-partitioning-sno.adoc
@@ -18,6 +18,7 @@ Both of these steps happen at different points during cluster provisioning.
 Configuring workload partitioning by using the `cpuPartitioningMode` field in the `SiteConfig` CR is a Tech Preview feature in {product-title} 4.13.

 Alternatively, you can specify cluster management CPU resources with the `cpuset` field of the `SiteConfig` custom resource (CR) and the `reserved` field of the group `PolicyGenerator` or `PolicyGentemplate` CR.
+The `{policy-gen-cr}` CR is the recommended approach.
 The {ztp} pipeline uses these values to populate the required fields in the workload partitioning `MachineConfig` CR (`cpuset`) and the `PerformanceProfile` CR (`reserved`) that configure the {sno} cluster.
 This method is a General Availability feature in {product-title} 4.14.
 ====
--- a/modules/ztp-image-based-upgrade-installing-lca.adoc
+++ b/modules/ztp-image-based-upgrade-installing-lca.adoc
@@ -78,25 +78,39 @@ status:
 ----
 --

-. Add the CRs to your common `PolicyGenTemplate`:
+. Add the CRs to your common PolicyGenerator:
 +
 [source,yaml]
 ----
-apiVersion: ran.openshift.io/v1
-kind: PolicyGenTemplate
+apiVersion: policy.open-cluster-management.io/v1
+kind: PolicyGenerator
 metadata:
-  name: "example-common-latest"
-  namespace: "ztp-common"
-spec:
-  bindingRules:
-    common: "true"
-    du-profile: "latest"
-  sourceFiles:
-    - fileName: LcaSubscriptionNS.yaml
-      policyName: "subscriptions-policy"
-    - fileName: LcaSubscriptionOperGroup.yaml
-      policyName: "subscriptions-policy"
-    - fileName: LcaSubscription.yaml
-      policyName: "subscriptions-policy"
+  name: common-latest
+placementBindingDefaults:
+  name: common-placement-binding
+policyDefaults:
+  namespace: ztp-common
+  placement:
+    labelSelector:
+      common: "true"
+      du-profile: "latest"
+  remediationAction: inform
+  severity: low
+  namespaceSelector:
+    exclude:
+      - kube-*
+    include:
+      - '*'
+  evaluationInterval:
+    compliant: 10m
+    noncompliant: 10s
+policies:
+- name: common-latest-subscriptions-policy
+  policyAnnotations:
+    ran.openshift.io/ztp-deploy-wave: "2"
+  manifests:
+    - path: source-crs/LcaSubscriptionNS.yaml
+    - path: source-crs/LcaSubscriptionOperGroup.yaml
+    - path: source-crs/LcaSubscription.yaml
 [...]
 ----
--- a/modules/ztp-using-pgt-to-update-source-crs.adoc
+++ b/modules/ztp-using-pgt-to-update-source-crs.adoc
@@ -126,7 +126,7 @@ spec:
 ====
 In the `/source-crs` folder that you extract from the `ztp-site-generate` container,  the `$` syntax is not used for template substitution as implied by the syntax. Rather, if the `policyGen` tool sees the `$` prefix for a string and you do not specify a value for that field in the related `{policy-gen-cr}` CR, the field is omitted from the output CR entirely.

-An exception to this is the `$mcp` variable in `/source-crs` YAML files that is substituted with the specified value for `mcp` from the `{policy-gen-cr}` CR. For example, in `example/policygentemplates/{policy-prefix}group-du-standard-ranGen.yaml`, the value for `mcp` is `worker`:
+An exception to this is the `$mcp` variable in `/source-crs` YAML files that is substituted with the specified value for `mcp` from the `{policy-gen-cr}` CR. For example, in `example/{path-prefix}/{policy-prefix}group-du-standard-ranGen.yaml`, the value for `mcp` is `worker`:

 [source,yaml]
 ----
--- a/snippets/ztp_example-sno.yaml
+++ b/snippets/ztp_example-sno.yaml
@@ -40,7 +40,7 @@ spec:
        # These example cluster labels correspond to the bindingRules in the PolicyGenTemplate examples
        du-profile: "latest"
        # These example cluster labels correspond to the bindingRules in the PolicyGenTemplate examples in ../policygentemplates:
-        # ../policygentemplates/common-ranGen.yaml will apply to all clusters with 'common: true'
+        # ../acmpolicygenerator/common-ranGen.yaml will apply to all clusters with 'common: true'
        common: true
        # ../policygentemplates/group-du-sno-ranGen.yaml will apply to all clusters with 'group-du-sno: ""'
        group-du-sno: ""