# Policy Configurator

The Policy Configurator provides a way to globally set default values for any Policies used by any of the Report Tools in Insights. These settings make it easy to customize Insights for common policy scenarios without having to first write Automation Rules.

The Policy Configurator can be used to:

  • Customize the default Policy Enforcement behavior for CI/CD and Admission Controller contexts: For example, ensure workloads flagged by "Privilege escalation should not be allowed" are blocked by the Admission Controller at time of deployment, but only warn users through Action Items when they scan their infrastructure-as-code in a repository scan

  • Always guarantee a certain Policy enforcement action (pass or fail) regardless of Action Item severity: For example, enforce that Memory requests are set at time of Admission across your organization, while reporting it as a Medium severity Action Item

  • Modify default Severities: Globally modify the default Severity of Action Items to better match your organization's requirements. For example, you may want to increase the severity of "Liveness probes are missing" to High

Check out the Policies configuration with the CLI for information on how to modify Policies.

# Using Policy Configurator with existing Automation Rules

Automation Rules are still powerful ways to make granular Policy enforcement decisions such as scoping enforcement behavior to specific namespaces or labels. However, common use cases like changing default severity or guaranteeing pass/fail Policy enforcement behavior are all achievable via the Policy Configurator without needing to write custom Automation Rules.

# Available Settings

With the new Policy Configurator, you can now override the default settings of a Policy generated by any of the tools in Insights:

| Policy Configurator Setting | Default | Description |
| --- | --- | --- |
| Set the default severity | Defaults to the severity used in the original reporting tool | This makes it easy to change the default severity of Action Items to better align with your organization's reporting requirements |
| Blocking override for CI/CD and Admission Controller | Based on Action Item severity. High and Critical are blocking | For the CI/CD and Admission Controller contexts, you can enforce a "must always fail" or "must always pass" rule regardless of the Action Item's severity |
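
How the two settings above combine can be modelled in a few lines. This is an added sketch, not Insights code or its configuration format: the class, function and context names are hypothetical, and the tool severities in the scenarios are constructed (only the Medium severity for memory requests comes from the page).

```python
from dataclasses import dataclass, field
from typing import Optional

# From the settings table: High and Critical block unless overridden.
BLOCKING_SEVERITIES = {"high", "critical"}
# Hypothetical keys for the CI/CD and Admission Controller contexts.
CONTEXTS = ("ci", "admission")


@dataclass
class PolicyOverride:
    """Hypothetical model of one Policy Configurator entry."""
    severity: Optional[str] = None             # None keeps the reporting tool's severity
    block: dict = field(default_factory=dict)  # context -> True (always fail) / False (always pass)


def resolve(tool_severity, override=None):
    """Return the effective severity and the blocking decision per context."""
    override = override or PolicyOverride()
    unknown = set(override.block) - set(CONTEXTS)
    if unknown:
        raise ValueError(f"unknown enforcement context: {sorted(unknown)}")
    severity = (override.severity or tool_severity).lower()
    blocks = {}
    for ctx in CONTEXTS:
        forced = override.block.get(ctx)
        # An explicit override wins; otherwise the severity rule decides.
        blocks[ctx] = forced if forced is not None else severity in BLOCKING_SEVERITIES
    return {"severity": severity, "blocks": blocks}


# Constructed scenarios mirroring the three use cases listed at the top of the page.
SCENARIOS = {
    "privilege-escalation": ("high", PolicyOverride(block={"ci": False, "admission": True})),
    "memory-requests": ("medium", PolicyOverride(block={"admission": True})),
    "liveness-probes": ("medium", PolicyOverride(severity="high")),
}

if __name__ == "__main__":
    for name, (tool_severity, override) in SCENARIOS.items():
        print(name, resolve(tool_severity, override))
```

In this model, raising a severity to High with no blocking override also makes the policy blocking in both contexts, because the default blocking rule follows severity.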