Fleet Policy Enforcement
In Development (Q4 2026)
This feature is currently in development. The fleet policy distribution described here is subject to change.
Purpose: For platform engineers and security officers. Explains how to enforce consistent security policies across an entire fleet from a central control point.
Policy Distribution Model
The hub cluster maintains a policy library that is distributed to spoke clusters based on cluster labels (group membership):
| Policy Set | Target | Contents |
|---|---|---|
| baseline | All clusters | Pod security, image pull policies, resource limits |
| production | environment=production | Stricter network policies, no privileged containers |
| regulated | blueprint=finance or blueprint=healthcare | Audit logging, encryption enforcement, change controls |
| edge | blueprint=edge-iot | Relaxed resource limits, offline-tolerant policies |
How It Works
- The platform team defines policies in the fleet GitOps repository
- The fleet controller distributes policies to matching clusters via FleetKustomization
- Spoke clusters apply the policies through their local Kyverno instance
- Compliance status is reported back to the hub dashboard
Because the hub repository is the single source of policy for every spoke, a write to the policy library is effectively a write to every cluster: protect it with reviewed merges and branch protection at least as strict as the production clusters it governs.
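As an added example (not code from this page or the project), this is what one entry of the production policy set, "no privileged containers", can look like once it reaches a spoke cluster as a Kyverno ClusterPolicy. The `kyverno.io/v1` schema and the `policies.kyverno.io/severity` annotation are Kyverno's own; the policy name, the `fleet.opencenter.cloud/policy-set` label and the message are illustrative assumptions.

```yaml
# Added example: a Kyverno ClusterPolicy implementing the production set's
# "no privileged containers" rule. Policy name, the policy-set label and the
# message are assumptions; the kyverno.io/v1 schema is Kyverno's.
apiVersion: kyverno.io/v1
kind: ClusterPolicy
metadata:
  name: disallow-privileged-containers
  labels:
    # assumed convention: tag the policy with the fleet policy set it belongs to
    fleet.opencenter.cloud/policy-set: production
  annotations:
    # Kyverno copies this into each PolicyReport result's severity field,
    # which is what a per-severity violation count can be built from
    policies.kyverno.io/severity: high
spec:
  # Enforce rejects non-compliant admission requests. Roll a new policy out
  # as Audit first so existing workloads show up in reports before anything
  # is blocked.
  validationFailureAction: Enforce
  # Background scans evaluate Pods that already exist (not only new
  # admission requests) and write the results to PolicyReport objects.
  background: true
  rules:
    - name: privileged-containers
      match:
        any:
          - resources:
              kinds:
                - Pod
      validate:
        message: "Privileged containers are not allowed on production clusters."
        pattern:
          spec:
            # =(key) is a Kyverno conditional anchor: the field is checked
            # only when it is present, so Pods without a securityContext pass.
            =(ephemeralContainers):
              - =(securityContext):
                  =(privileged): "false"
            =(initContainers):
              - =(securityContext):
                  =(privileged): "false"
            containers:
              - =(securityContext):
                  =(privileged): "false"
```

Kyverno records pass and fail results per policy in PolicyReport and ClusterPolicyReport resources (`wgpolicyk8s.io/v1alpha2`), each with summary counts and a per-result severity taken from the annotation above. A hub compliance view can be computed from those objects; how the hub collects them is not described on this page.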
Policy Compliance Dashboard
The fleet dashboard shows:
- Per-cluster policy compliance percentage
- Violations by severity (critical, high, medium, low)
- Drift: clusters running a policy version other than the one mandated by the fleet
- Historical compliance trends
RBAC Template Distribution
Fleet-level RBAC templates ensure consistent access patterns. The template below binds the platform-team group to the platform-admin ClusterRole on every cluster labelled environment=production; since one template fans out to every matching cluster, changes to it deserve the same review as changes to the policy library:
```yaml
apiVersion: fleet.opencenter.cloud/v1alpha1
kind: FleetRBACTemplate
metadata:
  name: platform-admin
spec:
  target:
    clusterSelector:
      matchLabels:
        environment: production
  template:
    clusterRole: platform-admin
    subjects:
      - kind: Group
        name: "platform-team"
        apiGroup: rbac.authorization.k8s.io
```
Exception Handling
Clusters can request policy exceptions via the portal:
- Exception requests are tracked in Git
- Exceptions require security team approval
- Exceptions are time-bounded (they auto-expire after a defined period)
- All exceptions are auditable for compliance reporting