set-enforcement-action

KRM function for set-enforcement-action

set-enforcement-action

Overview

Applies the supplied enforcement action on policy constraints within a package.

Policy Controller allows users to define constraints that enforce policies for their Kubernetes clusters. This function provides a quick way to set the spec.enforcementAction attribute of those constraints to:

  1. dryrun for auditing the cluster for policy violations or
  2. warn for letting non-compliant resources be applied to the cluster with warnings or
  3. deny for enforcing the constraints and denying the resource application altogether

Usage

The function will execute as follows:

  1. Searches for resources with apiVersion: constraints.gatekeeper.sh/v1beta1
  2. Applies the enforcement action value provided in the Kptfile to the following element: spec.enforcementAction

The set-enforcement-action function can be executed imperatively as follows:

$ kpt fn eval -i gcr.io/kpt-fn/set-enforcement-action:v0.1.0 -- enforcementAction=deny

To execute set-enforcement-action declaratively, include the function in the kpt package pipeline as follows:

...
pipeline:
  mutators:
    - image: gcr.io/kpt-fn/set-enforcement-action:v0.1.0
      configMap:
        enforcementAction: deny
...
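
A post-run check for the steps above, as an added example (not part of the function or of the original page): it scans a package's YAML for resources with the constraint apiVersion and reports any whose spec.enforcementAction is not the expected value. The sample manifests, the audit helper name and the line-based parsing (block-style YAML with two-space indentation) are assumptions.

```python
import re

CONSTRAINT_API = "constraints.gatekeeper.sh/v1beta1"  # apiVersion the function matches
ALLOWED = {"dryrun", "warn", "deny"}  # the three values listed in the Overview

# Constructed sample package (three YAML documents), not from the original page.
SAMPLE = """\
apiVersion: templates.gatekeeper.sh/v1
kind: ConstraintTemplate
metadata:
  name: k8srequiredlabels
---
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sRequiredLabels
metadata:
  name: ns-must-have-owner
spec:
  enforcementAction: dryrun
  parameters:
    labels: ["owner"]
---
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sRequiredLabels
metadata:
  name: pods-must-have-team
spec:
  parameters:
    labels: ["team"]
"""

def audit(stream, expected):
    """Return (constraint name, value found) where the value is not `expected`."""
    if expected not in ALLOWED:
        raise ValueError(f"unsupported enforcementAction: {expected!r}")
    findings = []
    for doc in re.split(r"(?m)^---[ \t]*$", stream):
        api = re.search(r"(?m)^apiVersion:[ \t]*(\S+)", doc)
        if not api or api.group(1).strip("\"'") != CONSTRAINT_API:
            continue  # not a constraint, so outside the function's scope
        name = re.search(r"(?m)^metadata:\n(?:[ ]{2}.*\n)*?[ ]{2}name:[ \t]*(\S+)", doc)
        # Match only a direct child of the top-level spec (two-space indent).
        action = re.search(r"(?m)^spec:\n(?:[ ]{2}.*\n)*?[ ]{2}enforcementAction:[ \t]*(\S+)", doc)
        found = action.group(1).strip("\"'") if action else None  # None = not set
        if found != expected:
            findings.append((name.group(1) if name else "<unnamed>", found))
    return findings

if __name__ == "__main__":
    for name, found in audit(SAMPLE, "deny"):
        print(f"{name}: enforcementAction is {found or 'unset'}, expected deny")
```

Gatekeeper treats a constraint with no enforcementAction as deny, so an unset value is reported here only because the field was never written explicitly.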