VM resource policy controllers
The VM resource policy controller can be used to receive notifications about noncompliant virtual machines.
The VM resource policy controller checks for compliance that is based primarily on the resources that are allocated to, and used by, virtual machines. The policy can monitor memory and CPU allocation, storage, package version verification, and init process status.
- VM resource policy description
- VM resource policy scenarios
- VM resource policy elements
- Creating a VM resource policy
- Viewing a VM resource policy
- VM resource policy risk score
VM resource policy description
The VM resource policy controller watches policies of kind: VMResourcePolicy and updates the status of the policy by checking whether the managed virtual machine (VM) is compliant or not. The policy itself includes a set of conditions that are used to compare the resource values declared in the policy with the actual conditions of the VM. A VM is considered compliant if all conditions declared in the policy are true.
The controller interacts with the IBM Cloud Pak® for Multicloud Management – Infrastructure Management server that is associated with the IBM Cloud Pak® for Multicloud Management deployment to check compliance on the VMs that are identified by the policy.
The following example is a sample VM resource policy definition:
apiVersion: policies.ibm.com/v1alpha1
kind: VMResourcePolicy
metadata:
  name: vm-size-sample
  namespace: default
spec:
  vmSelector:
    tags:
      - Environment: Development
  conditions:
    - condition: # Allocated CPU count is within the specified range
        - expression:
            type: "field"
            field: "Vm-num_cpu"
            operator: ">="
            value: "2"
        - expression:
            type: "field"
            field: "Vm-num_cpu"
            operator: "<="
            value: "8"
    - condition: # Allocated memory size (in MB) is within the specified range
        - expression:
            type: "field"
            field: "Vm-mem_cpu"
            operator: ">="
            value: "4096"
        - expression:
            type: "field"
            field: "Vm-mem_cpu"
            operator: "<="
            value: "16384"
  remediationAction: inform
  risk: low
VM resource policy scenarios
IBM Cloud Pak for Multicloud Management provides sample policies for the following scenarios. Conditions and expressions can be added, removed, and altered according to your needs.
Resource Allocation Sizes
For this scenario, the sample policy declares a set of fixed values for each of the CPU count, memory, and disk size allocations for a VM. VMs whose allocations are not among the values defined in this policy are considered noncompliant.
Over Utilized
For this scenario, the sample policy defines usage rate thresholds for a VM's CPU and memory resources. If the actual usage exceeds the defined thresholds, the VM might be considered overutilized and noncompliant.
Package Version Installed
For this scenario, the sample policy declares that a particular package, of a minimum version, is installed on the VM.
For this policy to be effective, you must configure Infrastructure management to periodically run a SmartState Analysis on the VM. For more information about activating a SmartState Analysis action, see Actions in the Infrastructure management Policies and Profiles Guide.
Init Process Enabled
For this scenario, the sample policy declares that a particular init process is enabled on the VM.
For this policy to be effective, you must configure Infrastructure management to periodically run a SmartState Analysis on the VM. For more information about activating a SmartState Analysis action, see Actions in the Infrastructure management Policies and Profiles Guide.
VM resource policy elements
vmSelector
A list of tags that are associated with one or more VMs that the policy applies to. Tags are specified in the Infrastructure management format Category: Value. Tags can be added manually in the YAML file, or selected from the console.
condition
A condition consists of one or more expressions. If multiple expressions are declared within a condition, they are joined by the Boolean AND operator. For a VM to be compliant, all conditions must evaluate to true.
For more information about conditions, see Conditions in the Infrastructure management Policies and Profiles Guide.
expression
An expression declares a value that gets compared with a VM field to determine compliance. An expression has the following elements:
- type: The type of expression. Supported values include field and find.
- field: The name of the VM field to be checked.
- operator: A comparison operator that is used to evaluate expressions. For more information about supported operator values, see Table 1.
- value: A value expected for the expression to be true. The value can be a number or text, depending on the field used in the expression.
- values: An alternative to value, values declares a list of values (for example, ["2", "4", "6"]). When you use the values expression, use the in operator. The expression evaluates to true if any one of the contained values matches.
- unit: An optional expression that indicates a unit of measure. Supported unit values include Bytes, Kilobytes, Megabytes, Gigabytes, and Terabytes.
Table 1. Supported operators
| General operators | Text operators | Timestamp operators |
|---|---|---|
| = | CONTAINS | IS |
| < | STARTS WITH | BEFORE |
| <= | ENDS WITH | AFTER |
| != | INCLUDES | FROM |
| > | IS NULL | |
| >= | IS NOT NULL | |
| in (used with a list of values) | IS EMPTY | |
| | IS NOT EMPTY | |
| | REGULAR EXPRESSION MATCHES | |
| | REGULAR EXPRESSION DOES NOT MATCH | |
remediationAction
The only available remediation action is to inform whether a VM is compliant with a policy. There is no associated action that attempts to correct the noncompliance.
risk
An element that specifies the risk score that is assigned when a VM is found noncompliant. For more information about risk scores, see VM resource policy risk score.
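The following evaluator is an added example, not code from the IBM documentation or from the controller itself. It applies the semantics described in this section (all conditions must hold, expressions inside a condition are ANDed, a values list pairs with the in operator, an optional unit, and the policy's risk score on failure) to a constructed snapshot of VM field values, so a policy can be dry-run before it is applied. The field() helper, the sample VM values, and the assumption that a unit scales the declared value against a byte-valued field are this example's own.

```python
import operator as op
import re
# "unit" element scales the declared value (assumption: the VM field is in bytes)
UNIT_BYTES = {"Bytes": 1, "Kilobytes": 1024, "Megabytes": 1024 ** 2,
              "Gigabytes": 1024 ** 3, "Terabytes": 1024 ** 4}
GENERAL = {"=": op.eq, "!=": op.ne, "<": op.lt, "<=": op.le, ">": op.gt, ">=": op.ge}
TEXT = {"CONTAINS": lambda a, v: v in a,
        "STARTS WITH": lambda a, v: a.startswith(v),
        "ENDS WITH": lambda a, v: a.endswith(v),
        "REGULAR EXPRESSION MATCHES": lambda a, v: re.search(v, a) is not None}

def _num(x):
    try:
        return float(x)
    except (TypeError, ValueError):
        return None

def eval_expression(expr, vm):
    """Evaluate one type "field" expression against a dict of VM field values."""
    actual, o = vm.get(expr["field"]), expr["operator"]
    if o == "in":  # a "values" list is always paired with the "in" operator
        return any(str(actual) == str(v) for v in expr["values"])
    if o in ("IS NULL", "IS NOT NULL"):
        return (actual is None) == (o == "IS NULL")
    if o in TEXT:
        return actual is not None and TEXT[o](str(actual), str(expr["value"]))
    a, v = _num(actual), _num(expr["value"])
    if a is None or v is None:  # non-numeric operands fall back to text comparison
        return GENERAL[o](str(actual), str(expr["value"]))
    return GENERAL[o](a, v * UNIT_BYTES.get(expr.get("unit"), 1))

def evaluate(spec, vm):
    """Every condition must be true; expressions inside one condition are ANDed.
    Returns the indexes of failed conditions and the policy's risk score."""
    failed = [i for i, c in enumerate(spec["conditions"])
              if not all(eval_expression(e["expression"], vm) for e in c["condition"])]
    return {"compliant": not failed, "failed": failed,
            "risk": spec["risk"] if failed else None}

def field(name, operator, value):  # helper (not part of the product) to build an expression entry
    key = "values" if operator == "in" else "value"
    return {"expression": {"type": "field", "field": name, "operator": operator, key: value}}

# Constructed sample: the vm-size-sample policy from this page plus a values/in condition.
SPEC = {"remediationAction": "inform", "risk": "low", "conditions": [
    {"condition": [field("Vm-num_cpu", ">=", "2"), field("Vm-num_cpu", "<=", "8")]},
    {"condition": [field("Vm-mem_cpu", ">=", "4096"), field("Vm-mem_cpu", "<=", "16384")]},
    {"condition": [field("Vm-num_cpu", "in", ["2", "4", "6"])]}]}
VM_OK = {"Vm-num_cpu": 4, "Vm-mem_cpu": 8192}    # 4 vCPU, 8192 MB: compliant
VM_BAD = {"Vm-num_cpu": 16, "Vm-mem_cpu": 8192}  # 16 vCPU: conditions 0 and 2 fail
```

Because remediationAction is always inform, the result is something to report on, never an automatic change to the VM.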
Creating a VM resource policy
You can create a YAML file for your VM resource policy or create a VM resource policy from the console. For more information about creating your VM resource policy, see the appropriate section:
- Creating a YAML file for a VM resource policy
- Creating a VM resource policy from the IBM Cloud Pak for Multicloud Management console
Creating a YAML file for a VM resource policy
Complete the following steps to create a VM resource policy from the command line interface (CLI):
- Create a YAML file for your VM resource policy by declaring a set of conditions for the VMs, identified by tags specified in the vmSelector element. For more information about the YAML file, see VM resource policy description.
- Run the following command to apply the policy:
  kubectl apply -f <vmresourcepolicy-file> --namespace=<namespace>
- Run the following command to verify and list the policies:
  kubectl get vmresourcepolicy --namespace=<namespace>
Creating a VM resource policy from the IBM Cloud Pak for Multicloud Management console
Complete the following steps to create a VM resource policy from the IBM Cloud Pak for Multicloud Management console:
- Log in to the console.
- From the navigation menu, click Govern risk.
- Click Create.
- Enter the name for the VM resource policy in the Name field. VM resource policy names have a 63 character limit.
- Select a scenario from the Specifications field that addresses your situation:
  - VMResourcePolicy – resource allocation sizes
  - VMResourcePolicy – over utilized
  - VMResourcePolicy – package version installed
  - VMResourcePolicy – init process enabled
  For more information about these scenarios, see VM resource policy scenarios.
- Select tags from the Resource binding field. Selecting tags from this field establishes a connection between your policy and the VM resources that the policy applies to.
  Important: Do not select duplicate resource binding keys. The YAML interpreter does not parse duplicated keys for VM policies. As a result, VM policy creation fails.
- Select appropriate values for the following fields:
  - Standards
  - Categories
  - Controls
- Click Create.
Your policy will be created and start running.
Note: After you create your VM resource policy, you can edit the policy as required. For more information about managing your VM resource policies, see Managing security policies.
Viewing a VM resource policy
Similar to creating VM resource policies, you can also view your VM resource policy either from the CLI, or from the console. For more information about viewing your VM resource policy, see the appropriate section:
- Viewing a VM resource policy from the CLI
- Viewing a VM resource policy from the IBM Cloud Pak for Multicloud Management console
Viewing a VM resource policy from the CLI
You can view details about a specific VM resource policy or a description of your VM resource policy from the CLI.
To view details for a specific VM resource policy, run the following command:
kubectl get vmresourcepolicy <name> -n <namespace> -o yaml
To view a description of your VM resource policy, run the following command:
kubectl describe vmresourcepolicy <name> -n <namespace>
Viewing a VM resource policy from the IBM Cloud Pak for Multicloud Management console
Complete the following steps to view a VM resource policy from the IBM Cloud Pak for Multicloud Management console:
- Log in to the console.
- From the navigation menu, click Govern risk.
- Click the Policies tab to view a summary of your policies and a table that lists your policies. You can sort and filter content in the policies table:
  - To filter the table, select the All policies tab or the Cluster violations tab.
  - To sort the table, click the table headings.
  - To select a specific policy, click the name of the policy in the Policy name column.
VM resource policy risk score
When a managed VM is noncompliant, the VM resource policy controller assigns a risk score. When conditions fail, the risk score declared in the VM resource policy definition is assigned to the VM.
Risk scores can be one of the following values:
- Low
- Medium
- High
Note: This risk score is intended for guidance purposes. Individual organizations are responsible for determining VM use and configuration standards.