Skip to content
This repository has been archived by the owner on Oct 27, 2022. It is now read-only.


Governance Policy Spec Sync KinD testsLicense

Deprecation Notice

The standalone version of the controller has been removed in versions newer than v0.8.x. This controller is now part of governance-policy-framework-addon.


The governance policy spec sync is a controller that runs on managed clusters, updating local Policy specs to match Policies in the cluster's namespace on the hub cluster. This controller is a part of the governance-policy-framework.

The operator watches for changes to Policies in the cluster's namespace on the hub cluster to trigger a reconcile. Every reconcile creates/updates/deletes replicated policies on the managed cluster to match the spec from the hub cluster.

Geting started

Go to the Contributing guide to learn how to get involved.

Check the Security guide if you need to report a security issue.

Build and deploy locally

You will need kind installed.

make kind-bootstrap-cluster-dev
make build-images
make kind-deploy-controller-dev

Running tests

make test-dependencies
make test

make e2e-dependencies
make e2e-test

Clean up

make kind-delete-cluster


The deploy/operator.yaml file is generated via Kustomize. The deploy/rbac directory of Kustomize files is managed by the operator-sdk and Kubebuilder using markers. After updating the markers or any of the Kustomize files, you may regenerate deploy/operator.yaml by running make generate-operator-yaml.

The secret-sync controller requires access to get, create, update, and delete Secret objects in the managed cluster namespace. Since the managed cluster namespace is not known at build time, the configuration in deploy/operator.yaml grants this access cluster wide. In a production environment, limit this to just the managed cluster namespace.


  • The governance-policy-spec-sync is part of the open-cluster-management community. For more information, visit: