Create Your First Policy

Introduction

To simplify the process of creating policies in Aperture, the built-in blueprint system can be utilized. The Aperture repository contains several blueprints that can generate policies, and Grafana dashboards. These blueprints serve as starting points for creating new policies, or can be used as-is by providing the required parameters or customizations. The use-cases section showcases practical examples of blueprints in action.

To manage blueprints and generate policies, use the aperturectl CLI.

For advanced users interested in designing new policies, explore the example circuit created in the detecting overload use-case. This example serves as a valuable reference for understanding the process of creating custom policies in Aperture.

flowchart TD subgraph generation["Blueprints System"] aperturectl["aperturectl"] repository[("Blueprints")] values[/"value.yaml"/] policies[/"Policies"/] controller["Controller"] repository --> |pull| aperturectl aperturectl --> |values| values values --> |generate| policies policies --> |apply| controller end

Listing Available Blueprints

The following command can be used to list available blueprints:

aperturectl blueprints list --version=v2.16.0

Which will output the following:

auto-scaling/pod-auto-scaler
load-ramping/base
load-scheduling/average-latency
load-scheduling/postgresql
load-scheduling/promql
quota-scheduling/base
rate-limiting/base

Customizing Blueprints

Blueprints use a configuration file to provide required fields and to customize the generated policy and dashboard files.

For example, to generate a policies/rate-limiting policy, you can first generate a values.yaml file using the following command:

aperturectl blueprints values --name=rate-limiting/base --version=v2.16.0 --output-file=values.yaml

You can then edit the values.yaml to provide the required fields (__REQUIRED_FIELD__ placeholder) as follows:

Final/Edited Values

# yaml-language-server: $schema=../../../../../blueprints/rate-limiting/base/gen/definitions.json
# Generated values file for rate-limiting/base blueprint
# Documentation/Reference for objects and parameters can be found at:
# https://docs.fluxninja.com/reference/blueprints/rate-limiting

policy:
  # Name of the policy.
  # Type: string
  # Required: True
  policy_name: rate-limiting
  # List of additional circuit components.
  # Type: []aperture.spec.v1.Component
  components: []
  # Additional resources.
  # Type: aperture.spec.v1.Resources
  resources:
    flow_control:
      classifiers: []
  rate_limiter:
    # Bucket capacity.
    # Type: float64
    # Required: True
    bucket_capacity: 40
    # Leak amount.
    # Type: float64
    # Required: True
    fill_amount: 2
    # Flow selectors to match requests against
    # Type: []aperture.spec.v1.Selector
    selectors:
      - agent_group: default
        service: service1-demo-app.demoapp.svc.cluster.local
        control_point: ingress
    # Parameters.
    # Type: aperture.spec.v1.RateLimiterParameters
    parameters:
      # Flow label to use for rate limiting.
      # Type: string
      # Required: True
      label_key: http.request.header.user_type
      # Leak interval e.g. "1s".
      # Type: string
      # Required: True
      interval: 1s

Placeholder Values

# Generated values file for rate-limiting/base blueprint
# Documentation/Reference for objects and parameters can be found at:
# https://docs.fluxninja.com/reference/blueprints/rate-limiting/base

policy:
  # Name of the policy.
  # Type: string
  # Required: True
  policy_name: __REQUIRED_FIELD__
  rate_limiter:
    # Bucket capacity.
    # Type: float64
    # Required: True
    bucket_capacity: __REQUIRED_FIELD__
    # Fill amount.
    # Type: float64
    # Required: True
    fill_amount: __REQUIRED_FIELD__
    # Parameters.
    # Type: aperture.spec.v1.RateLimiterParameters
    # Required: True
    parameters:
      interval: __REQUIRED_FIELD__
      label_key: ""
    # Flow selectors to match requests against
    # Type: []aperture.spec.v1.Selector
    # Required: True
    selectors:
      - control_point: __REQUIRED_FIELD__
        service: __REQUIRED_FIELD__

Generating Policies and Dashboards

Once the values.yaml file is ready, you can generate the blueprint using the following command:

aperturectl blueprints generate --name=rate-limiting/base --values-file=values.yaml --output-dir=policy-gen --version=v2.16.0

The following directory structure will be generated:

policy-gen
├── dashboards
│   └── rate-limiting.json
├── graphs
│   ├── rate-limiting.dot
│   └── rate-limiting.mmd
└── policies
│   ├── rate-limiting-cr.yaml
│   └── rate-limiting.yaml

Applying Policies

The generated policies can be applied using aperturectl or kubectl.

aperturectl

You can pass the --apply flag with the aperturectl to directly apply the generated policies on a Kubernetes cluster in the namespace where the Aperture Controller is installed.

aperturectl blueprints generate --name=rate-limiting/base --values-file=values.yaml --apply --version=v2.16.0

info

See aperturectl configuration on how to configure what aperturectl should connect to.

kubectl

caution

You can only apply policies with kubectl on Self-Hosted Aperture Controller.

The policy YAML generated (Kubernetes Custom Resource) using the above example can also be applied using kubectl.

kubectl apply -f policy-gen/configuration/rate-limiting-cr.yaml -n aperture-controller

Run the following command to check if the policy was created.

aperturectl

aperturectl policies

kubectl

kubectl get policies.fluxninja.com -n aperture-controller

The policy runtime can be visualized in Aperture Cloud, Grafana or any other Prometheus compatible analytics tool. Refer to the Prometheus compatible metrics available from the controller and agent. Some policy blueprints come with recommended Grafana dashboards.

Deleting Policies

Run the following command to delete the above policy:

aperturectl

aperturectl delete policy --policy=rate-limiting

kubectl

kubectl delete policies.fluxninja.com rate-limiting -n aperture-controller