Enabling governance on Kubernetes

You can optionally configure governance in IBM® API Connect on a Kubernetes, OpenShift, or IBM Cloud Pak for Integration deployment by enabling the governance service.

About this task

The governance service is an optional add-on to API Connect that you can use to validate and enforce organizational governance policies and best practices in your API development process.

Note:
  • These instructions apply only to Kubernetes, OpenShift, and IBM Cloud Pak for Integration installations.
  • Governance rulesets cannot be added to your deployment until the governance service is enabled.
  • If you're using a two data center disaster recovery (2DCDR) deployment, the governance service must be enabled on both the active and warm-standby centers. Enable the service on the warm-standby data center first, and then the active center.

To enable or disable the governance service, you must configure the Management subsystem custom resource (CR) file, as described in the following procedure.

After the governance service is enabled, governance resources can be created. For more information, see Configuring governance in the Cloud Manager, and Configuring governance in the API Manager.

Procedure

  • Enabling the governance service as part of a new deployment

    Edit the CR file for the Management subsystem and add the settings for the governance service.

    1. Edit the ManagementCluster CR and add the following definition for the governance service. Append the governance definition to the end of the spec: section, making sure to adhere to the spacing used in the file.
      spec:
        ...
        governance:
          enabled: true
    2. Apply the updated CR by running the following command as part of the standard Management subsystem installation (see Installing the management subsystem for details):
      kubectl apply -f management_cr.yaml -n <management_namespace>
      Where management_namespace is the name of the target installation namespace in the Kubernetes cluster.

      The governance service will be enabled with the Management subsystem.

    3. You can monitor your Kubernetes deployments by running the following command:
      kubectl get deployments -n <management_namespace>
      The installation is complete when the management-compliance pods are shown in the list of returned values.
  • Enabling the governance service as part of an existing deployment
    Edit the deployed CR for the Management subsystem and add the settings for the governance service.
    Note: When you enable governance in the existing deployment, the UI requires approximately 15 minutes to restart the pod and display the new feature. There will be an outage in the UI during this period.
    1. Retrieve the name of the deployed CR for the Management subsystem by running the following command:
      kubectl get managementcluster -n <management_namespace>
      Where management_namespace is the name of the target installation namespace in the Kubernetes cluster.
    2. Edit the deployed CR by running the following command:
      kubectl edit managementcluster <management-cr-name> -n <management_namespace>
      Where:
      • management-cr-name is the name of the deployed CR for the Management subsystem.
      • management_namespace is the name of the target installation namespace in the Kubernetes cluster.
    3. In the editor, append the governance definition to the end of the spec: section, making sure to adhere to the spacing used in the file.
      spec:
        ...
        governance:
          enabled: true
    4. Save the update.

      The governance service is enabled in the Management subsystem.

    5. You can monitor your Kubernetes deployments by running the following command:
      kubectl get deployments -n <management_namespace>
      The installation is complete when the management-compliance pods are shown in the list of returned values.
  • Disabling the governance service

    Edit the deployed CR for the Management subsystem and update the settings for the governance service.

    1. Retrieve the name of the deployed CR for the Management subsystem by running the following command:
      kubectl get managementcluster -n <management_namespace>
      Where management_namespace is the name of the target installation namespace in the Kubernetes cluster.
    2. Edit the deployed CR by running the following command:
      kubectl edit managementcluster <management-cr-name> -n <management_namespace>
      Where:
      • management-cr-name is the name of the deployed CR for the Management subsystem.
      • management_namespace is the name of the target installation namespace in the Kubernetes cluster.
    3. In the editor, change the governance definition to enabled: false.
      spec:
        ...
        governance:
          enabled: false
    4. Save the update.

      The governance service is disabled in the Management subsystem.

Results

Note that when the governance service is enabled, there are a number of new deployments, jobs, and pods in the ManagementCluster namespace. These Kubernetes governance resources have names containing either compliance-service or compliance-ui. For example:
kubectl get pods -n apic | grep compliance
management-compliance-service-f6cdf95fc-t4qkx                     1/1     Running     0          127m
management-compliance-ui-59897fcc4-zm25v                          1/1     Running     0          126m
management-up-compliance-service-data-populate-0-to-1-t2f4d       0/1     Completed   1          132m
management-up-compliance-service-schema-0-to-1-2lkqq              0/1     Completed   0
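
A scripted check of the outcome described above, as an added example that is not part of the IBM documentation: it reads spec.governance.enabled from the deployed CR and confirms that the compliance deployments report READY n/n instead of only appearing in the list. The function names, the sample output, and the deployment names (inferred from the pod names shown above) are assumptions.

```shell
#!/bin/sh
# Added example (not IBM's code): audit that governance is enabled and ready.

# governance_enabled <management-cr-name> <management_namespace>
# Succeeds only if spec.governance.enabled is true in the deployed CR.
governance_enabled() {
  val=$(kubectl get managementcluster "$1" -n "$2" \
    -o jsonpath='{.spec.governance.enabled}') || return 2
  [ "$val" = "true" ]
}

# compliance_ready reads `kubectl get deployments` output on stdin. It succeeds
# only if a compliance-service and a compliance-ui deployment are both listed
# and each reports READY as n/n with n > 0.
compliance_ready() {
  awk '
    $1 ~ /compliance-(service|ui)$/ {
      kind = ($1 ~ /compliance-ui$/) ? "ui" : "service"
      seen[kind] = 1
      split($2, r, "/")
      if (r[1] != r[2] || r[2] + 0 == 0) bad = 1
    }
    END { exit !(seen["service"] && seen["ui"] && !bad) }'
}

# Constructed sample output; deployment names are assumed from the pod names.
sample_ready() {
  printf '%s\n' \
    'NAME                            READY   UP-TO-DATE   AVAILABLE   AGE' \
    'management-compliance-service   1/1     1            1           127m' \
    'management-compliance-ui        1/1     1            1           126m'
}
sample_pending() {
  printf '%s\n' \
    'NAME                            READY   UP-TO-DATE   AVAILABLE   AGE' \
    'management-compliance-service   1/1     1            1           2m' \
    'management-compliance-ui        0/1     1            0           1m'
}

# Live use: sh audit.sh <management-cr-name> <management_namespace>
if [ "$#" -eq 2 ]; then
  governance_enabled "$1" "$2" || { echo "governance not enabled" >&2; exit 1; }
  kubectl get deployments -n "$2" | compliance_ready ||
    { echo "compliance deployments not ready" >&2; exit 1; }
  echo "governance enabled and ready"
fi
```

Run without arguments, the script only defines the functions; in a 2DCDR deployment, run it against both the warm-standby and the active data center.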