Policy Pack Management

Note

DEPRECATED: As of v2024.11.1, governance assets ship with the installer. In addition, the configuration that loads the assets appropriate to your tenant is embedded in a license field.

Download the Policy Pack Artifact

Download the policy pack to your workstation. The artifact is a zip file.

Construct the Manifest

The manifest is a JSON file that references the artifact's content and its location in S3 object storage. Construct the manifest using your S3 bucket configuration.

# use S3 bucket settings from your self-hosted instance config
S3_BUCKET_POLICY="<bucket-name-set-in-kots-config>"
S3_BUCKET_PATH_POLICY="<bucket-prefix-set-in-kots-config>/policy"

# copy existing manifest to workstation
aws s3 cp \
"s3://$S3_BUCKET_POLICY/$S3_BUCKET_PATH_POLICY/metadata.json" \
metadata_old.json

# inspect existing manifest for version number
# make sure to set a version larger than the existing version
jq '.version' metadata_old.json
POLICY_PACK_VERSION="<increase-version-from-current>"

# rename the downloaded artifact to bundle.zip, the name the manifest path references
mv artifact.zip bundle.zip

# set the checksum
# md5sum prints "<hash>  <filename>"; keep only the hash so no filename is included
ID=$(md5sum bundle.zip | awk '{print $1}')

# construct the JSON manifest
cat > metadata.json <<EOF
{
"version": $POLICY_PACK_VERSION,
"bucket": "$S3_BUCKET_POLICY",
"path": "$S3_BUCKET_PATH_POLICY/bundle.zip",
"checksum": "$ID"
}
EOF
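
A local pre-upload check for the manifest built above, as an added example that is not part of the original page or the product's tooling. It confirms that the new version is larger than the one in metadata_old.json, that the checksum field is a bare MD5 digest with no filename, and that the digest matches bundle.zip. The function names are hypothetical, and the field reader assumes the one-pair-per-line layout shown above.

```shell
#!/bin/sh
# Added example: local checks on a policy pack manifest before upload.
# Function names are hypothetical, not part of the product's tooling.

# Print only the MD5 hex digest; md5sum alone appends the filename.
pack_checksum() {
    md5sum "$1" | awk '{print $1}'
}

# Read a top-level field from a manifest in the layout shown above.
# Assumption: one "key": value pair per line, no nested objects.
manifest_field() {
    sed -n "s/^[[:space:]]*\"$2\":[[:space:]]*\"\{0,1\}\([^\",]*\)\"\{0,1\},\{0,1\}[[:space:]]*\$/\1/p" "$1"
}

# check_manifest NEW_MANIFEST OLD_MANIFEST BUNDLE
# Returns 0 only when the new manifest passes every check.
check_manifest() {
    new=$1 old=$2 bundle=$3
    new_ver=$(manifest_field "$new" version)
    old_ver=$(manifest_field "$old" version)
    sum=$(manifest_field "$new" checksum)

    case $new_ver in ''|*[!0-9]*) echo "version is not an integer: '$new_ver'" >&2; return 1;; esac
    case $old_ver in ''|*[!0-9]*) echo "old version is unreadable: '$old_ver'" >&2; return 1;; esac
    if [ "$new_ver" -le "$old_ver" ]; then
        echo "version $new_ver must be larger than $old_ver" >&2; return 1
    fi
    # Exactly 32 hex characters: rejects "<hash>  bundle.zip".
    if ! printf '%s' "$sum" | grep -Eq '^[0-9a-f]{32}$'; then
        echo "checksum is not a bare MD5 digest: '$sum'" >&2; return 1
    fi
    # The digest in the manifest must be the digest of the local bundle.
    if [ "$sum" != "$(pack_checksum "$bundle")" ]; then
        echo "checksum does not match $bundle" >&2; return 1
    fi
    case $(manifest_field "$new" path) in
        */bundle.zip) ;;
        *) echo "path does not point at bundle.zip" >&2; return 1;;
    esac
}

# Usage: sh check_manifest.sh metadata.json metadata_old.json bundle.zip
if [ "$#" -eq 3 ]; then check_manifest "$@"; fi
```
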

Upload the Policy Pack Artifact

Upload the policy pack artifact first.

# copy the local artifact to the bucket (local source first, S3 destination second)
aws s3 cp \
bundle.zip \
"s3://$S3_BUCKET_POLICY/$S3_BUCKET_PATH_POLICY/bundle.zip"

Upload the Manifest

Then upload the manifest.

# copy the local manifest to the bucket (local source first, S3 destination second)
aws s3 cp \
metadata.json \
"s3://$S3_BUCKET_POLICY/$S3_BUCKET_PATH_POLICY/metadata.json"

Confirm

After the manifest has been uploaded, look at the server logs for messages similar to these:

...
[PolicyCenter] Adding EUAI-IV latest version 2 to ETS Bag
[PolicyCenter] Adding FACE latest version 8 to ETS Bag
[PolicyCenter] Adding HEAD-DET latest version 3 to ETS Bag
[PolicyCenter] Adding NIST-GOV latest version 2 to ETS Bag
[PolicyCenter] Adding NIST-MANAGE latest version 2 to ETS Bag
[PolicyCenter] Adding NIST-MAP latest version 2 to ETS Bag}
...