3621ce1142
* Moves the remaining guides from the Draft folder * Removes already rewritten articles (Murano TroubleShooting and Debug Tips) * Restructures the main page * Fixes build errors * Adds minor editorial changes to some sections Change-Id: I1aa961f34860b22241b69d41045da445d223be06 Partial-Bug: #1603950
1.8 KiB
Policy enforcement
Policies are defined and evaluated in the Congress project. The policy language for Congress is Datalog. The congress policy consists of the Datalog rules and facts.
Examples of policies are as follows:
- Minimum 2 GB of RAM for all VM instances.
- A certified version for all Apache server instances.
- Data placement policy: all database instances must be deployed at a given geographic location enforcing some law restriction on data placement.
These policies are evaluated over data in the form of tables (Congress data structures). A deployed Murano environment must be decomposed to the Congress data structures. The decomposed environment is sent to Congress for simulation. Congress simulates whether the resulting state violates any defined policy: deployment is aborted in case of policy violation.
Murano uses two predefined policies in Congress:
murano_systemcontains rules and facts of policies defined by the cloud administrator.muranocontains only facts/records reflecting the resulting state after the deployment of an environment.
Records in the murano policy are queried by rules from
the murano_system policy. The Congress simulation does not
create any records in the murano policy, and only provides
the feedback on whether the resulting state violates the policy or
not.
As a part of the policy guided fulfillment, you need to enforce policies on a murano environment deployment. If the policy enforcement fails, the deployment fails as well.
This section contains the following subsections:
policy_enforcement/policy_enf_setup policy_enforcement/policy_enf_rules policy_enforcement/policy_enf_dev policy_enforcement/policy_enf_modify