Enabling API governance on Kubernetes

You can optionally configure API governance in API Connect on a Kubernetes, OpenShift, or IBM® Cloud Pak for Integration deployment by enabling the governance microservice.

About this task

API governance is an optional add-on to IBM API Connect that can be used to validate and enforce organizational governance policies and best practices in your API development process.

Note:
  • These instructions apply only to Kubernetes, OpenShift, and IBM Cloud Pak for Integration installations. For VMware installations, see Enabling API governance on VMware.
  • API governance rulesets cannot be added to your deployment until the governance microservice is enabled.

To enable or disable the governance microservice, you must configure the Management subsystem custom resource (CR) file, as described in the Procedure section.

After the governance microservice is enabled, API governance resources can be created. For more information, see Configuring API governance in the Cloud Manager, and Configuring API governance in the API Manager.

Procedure

  • Enabling the governance microservice as part of a new deployment

    Edit the CR file for the Management subsystem and add the settings for the governance microservice.

    1. Edit the ManagementCluster CR and add the following definition for the governance microservice. Append the governance definition to the end of the spec: section, making sure to adhere to the spacing used in the file.
      spec:
        ...
        governance:
          enabled: true
    2. Apply the updated CR by running the following command as part of the standard Management subsystem installation (see Installing the Management subsystem for details):
      kubectl apply -f management_cr.yaml -n <management_namespace>
      Where management_namespace is the name of the target installation namespace in the Kubernetes cluster.

      The governance microservice will be enabled with the Management subsystem.

    3. You can monitor your Kubernetes deployments by running the following command:
      kubectl get deployments -n <management_namespace>
      The installation is complete when the management-compliance pods are shown in the list of returned values.
  • Enabling the governance microservice as part of an existing deployment

    Edit the deployed CR for the Management subsystem and add the settings for the governance microservice.

    1. Retrieve the name of the deployed CR for the Management subsystem by running the following command:
      kubectl get managementcluster -n <management_namespace>
      Where management_namespace is the name of the target installation namespace in the Kubernetes cluster.
    2. Edit the deployed CR by running the following command:
      kubectl edit managementcluster <management-cr-name> -n <management_namespace>
      Where:
      • management-cr-name is the name of the deployed CR for the Management subsystem.
      • management_namespace is the name of the target installation namespace in the Kubernetes cluster.
    3. In the editor, append the governance definition to the end of the spec: section, making sure to adhere to the spacing used in the file.
      spec:
        ...
        governance:
          enabled: true
    4. Save the update.

      The governance microservice is enabled in the Management subsystem.

    5. You can monitor your Kubernetes deployments by running the following command:
      kubectl get deployments -n <management_namespace>
      The installation is complete when the management-compliance pods are shown in the list of returned values.
  • Disabling the governance microservice

    Edit the deployed CR for the Management subsystem and update the settings for the governance microservice.

    1. Retrieve the name of the deployed CR for the Management subsystem by running the following command:
      kubectl get managementcluster -n <management_namespace>
      Where management_namespace is the name of the target installation namespace in the Kubernetes cluster.
    2. Edit the deployed CR by running the following command:
      kubectl edit managementcluster <management-cr-name> -n <management_namespace>
      Where:
      • management-cr-name is the name of the deployed CR for the Management subsystem.
      • management_namespace is the name of the target installation namespace in the Kubernetes cluster.
    3. In the editor, change the governance definition to enabled: false.
      spec:
        ...
        governance:
          enabled: false
    4. Save the update.

      The governance microservice is disabled in the Management subsystem.

Results

When the governance microservice is enabled, a number of new deployments, jobs, and pods appear in the ManagementCluster namespace. These Kubernetes governance resources have names containing either compliance-service or compliance-ui. For example:
kubectl get pods -n apic | grep compliance
management-compliance-service-f6cdf95fc-t4qkx                     1/1     Running     0          127m
management-compliance-ui-59897fcc4-zm25v                          1/1     Running     0          126m
management-up-compliance-service-data-populate-0-to-1-t2f4d       0/1     Completed   1          132m
management-up-compliance-service-schema-0-to-1-2lkqq              0/1     Completed   0
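
The enable/disable procedure and the readiness check from the Results section, as a scriptable added example (not part of the IBM documentation). It substitutes a non-interactive `kubectl patch` with a JSON merge patch for the interactive `kubectl edit` step; the function names and the sample deployment listing are constructed for illustration.

```shell
#!/bin/sh
# Added example, not IBM's code. Assumes kubectl is on PATH and can access
# the ManagementCluster CR in the target namespace.

# Print the JSON merge patch that sets spec.governance.enabled.
governance_patch() {
  case "$1" in
    true|false) printf '{"spec":{"governance":{"enabled":%s}}}' "$1" ;;
    *) echo "governance_patch: expected true or false" >&2; return 2 ;;
  esac
}

# set_governance <management_namespace> <management-cr-name> <true|false>
set_governance() {
  patch=$(governance_patch "$3") || return 2
  kubectl patch managementcluster "$2" -n "$1" --type merge -p "$patch"
}

# Read `kubectl get deployments` output on stdin. Succeed only when a
# compliance-service and a compliance-ui deployment are both listed and
# every such deployment reports READY as n/n with n >= 1.
compliance_ready() {
  awk '
    $1 ~ /compliance-(service|ui)/ {
      split($2, r, "/")
      if (r[1] + 0 < 1 || r[1] + 0 != r[2] + 0) bad = 1
      if ($1 ~ /compliance-service/) svc = 1; else ui = 1
    }
    END { if (svc && ui && !bad) exit 0; exit 1 }
  '
}

# wait_governance <management_namespace> [attempts]: poll every 10 seconds.
wait_governance() {
  tries=${2:-60}
  while [ "$tries" -gt 0 ]; do
    kubectl get deployments -n "$1" | compliance_ready && return 0
    tries=$((tries - 1))
    sleep 10
  done
  return 1
}

# Constructed sample of `kubectl get deployments` output (not real data).
SAMPLE_DEPLOYMENTS='NAME                            READY   UP-TO-DATE   AVAILABLE   AGE
management-compliance-service   1/1     1            1           127m
management-compliance-ui        0/1     1            0           126m'
```

A typical invocation is `set_governance <management_namespace> <management-cr-name> true && wait_governance <management_namespace>`.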