Version: development

Manage Policies

aperturectl is a powerful CLI that complements the Aperture Cloud UI. With aperturectl, you can also manage blueprints and generate policies, dashboards, and graphs. In this overview, you'll explore the various commands available in aperturectl for managing and creating policies using blueprints.

flowchart TD
  subgraph generation["Blueprints System"]
    aperturectl["aperturectl"]
    repository[("Blueprints")]
    values[/"value.yaml"/]
    policies[/"Policies"/]
    controller["Controller"]
    repository --> |pull| aperturectl
    aperturectl --> |values| values
    values --> |generate| policies
    policies --> |apply| controller
  end

Listing Available Blueprints

The following command can be used to list available blueprints:

aperturectl blueprints list --version=main

This outputs the following:

auto-scaling/pod-auto-scaler
load-ramping/base
load-scheduling/average-latency
load-scheduling/postgresql
load-scheduling/promql
quota-scheduling/base
rate-limiting/base

Customizing Blueprints

Blueprints use a configuration file to provide required fields and to customize the generated policy and dashboard files.

For example, to generate a policies/rate-limiting policy, you can first generate a values.yaml file using the following command:

aperturectl blueprints values --name=rate-limiting/base --version=main --output-file=values.yaml

You can then edit the values.yaml to provide the required fields (__REQUIRED_FIELD__ placeholder) as follows:

# yaml-language-server: $schema=https://raw.githubusercontent.com/fluxninja/aperture/latest/blueprints/rate-limiting/base/gen/definitions.json
# Generated values file for rate-limiting/base blueprint
# Documentation/Reference for objects and parameters can be found at:
# https://docs.fluxninja.com/reference/blueprints/rate-limiting/base
blueprint: rate-limiting/base

policy:
  # Name of the policy.
  # Type: string
  # Required: True
  policy_name: rate-limiting
  rate_limiter:
    # Bucket capacity.
    # Type: float64
    # Required: True
    bucket_capacity: 40
    # Fill amount.
    # Type: float64
    # Required: True
    fill_amount: 2
    # Parameters.
    # Type: aperture.spec.v1.RateLimiterParameters
    # Required: True
    parameters:
      interval: 1s
      limit_by_label_key: "http.request.header.user_type"
    # Flow selectors to match requests against
    # Type: []aperture.spec.v1.Selector
    # Required: True
    selectors:
      - agent_group: default
        service: service1-demo-app.demoapp.svc.cluster.local
        control_point: ingress
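
To see what these values admit before applying the policy, the following added example (not code from the Aperture project) models them as a token bucket per user_type value and replays constructed traffic through it. It assumes each label value gets its own bucket that starts full and gains fill_amount tokens once per whole interval; the names KeyedRateLimiter, simulate and SAMPLE are hypothetical, and Aperture's own limiter may differ in detail.

```python
# Added illustration, not Aperture code. Simplifying assumptions: each distinct
# value of the limit_by_label_key label gets its own bucket, a bucket starts
# full, and fill_amount tokens are added once per whole elapsed interval.
from collections import Counter
from dataclasses import dataclass, field


@dataclass
class KeyedRateLimiter:  # hypothetical name
    bucket_capacity: float = 40   # policy.rate_limiter.bucket_capacity
    fill_amount: float = 2        # policy.rate_limiter.fill_amount
    interval_ms: int = 1000       # policy.rate_limiter.parameters.interval (1s)
    _buckets: dict = field(default_factory=dict)  # label value -> [tokens, last_fill_ms]

    def allow(self, label_value: str, now_ms: int) -> bool:
        """Admit or reject one request carrying this user_type value."""
        bucket = self._buckets.setdefault(label_value, [self.bucket_capacity, now_ms])
        steps = (now_ms - bucket[1]) // self.interval_ms
        if steps > 0:
            # Refill in whole intervals, never above the configured capacity.
            bucket[0] = min(self.bucket_capacity, bucket[0] + steps * self.fill_amount)
            bucket[1] += steps * self.interval_ms
        if bucket[0] < 1:
            return False
        bucket[0] -= 1
        return True


def simulate(requests):
    """requests: iterable of (time_ms, user_type), sorted by time.
    Returns {user_type: (admitted, rejected)}."""
    limiter = KeyedRateLimiter()
    admitted, rejected = Counter(), Counter()
    for now_ms, user_type in requests:
        (admitted if limiter.allow(user_type, now_ms) else rejected)[user_type] += 1
    return {k: (admitted[k], rejected[k]) for k in admitted.keys() | rejected.keys()}


# Constructed traffic: "guest" sends 10 req/s and "subscriber" 1 req/s for 10 s.
SAMPLE = sorted(
    [(t, "guest") for t in range(0, 10_000, 100)]
    + [(t, "subscriber") for t in range(0, 10_000, 1000)]
)

if __name__ == "__main__":
    for user_type, (ok, dropped) in sorted(simulate(SAMPLE).items()):
        print(f"{user_type}: admitted={ok} rejected={dropped}")
```

In this model one user_type value can burst up to bucket_capacity requests and is then held to fill_amount requests per interval, independently of the other values.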

Generating Policies and Dashboards

Once the values.yaml file is ready, you can generate the policy and its dashboard using the following commands:

aperturectl blueprints generate --values-file=values.yaml --output-dir=policy-gen
aperturectl dashboard --policy-file=policy-gen/policies/rate-limiting-cr.yaml --output-dir=policy-gen

The following directory structure will be generated:

policy-gen
├── dashboards
│   └── rate-limiting.json
├── graphs
│   ├── rate-limiting.dot
│   └── rate-limiting.mmd
└── policies
    ├── rate-limiting-cr.yaml
    └── rate-limiting.yaml

Applying Policies

The generated policies can be applied using aperturectl or kubectl.

You can pass the --apply flag with aperturectl cloud to directly apply the generated policies on the Aperture Cloud Controller.

Info: See Set up CLI (aperturectl) for more information on how to configure what aperturectl should connect to.

aperturectl cloud policy apply --file policy-gen/policies/rate-limiting.yaml

Run the following command to check if the policy was created.

aperturectl cloud policies

The policy runtime can be visualized in Aperture Cloud, Grafana or any other Prometheus compatible analytics tool. Refer to the Prometheus compatible metrics available from the controller and agent.

Deleting Policies

Run the following command to delete the above policy:

aperturectl policy delete --policy=rate-limiting