You can optionally configure API
governance in API Connect on a Kubernetes,
OpenShift, or IBM® Cloud Pak for
Integration
deployment by enabling the governance microservice.
About this task
API
governance is an
optional add-on to IBM API Connect
that can be used to validate and enforce organizational governance policies and best practices to
your API development process.
Note:
- These instructions apply only to Kubernetes, OpenShift, and IBM Cloud Pak for
Integration installations. For VMware
installations, see Enabling API governance on VMware.
- API
governance
rulesets cannot be added to your deployment until the governance microservice is enabled.
To enable or disable the governance microservice, you must configure the Management subsystem
custom resource (CR) file. See the following instructions:
After the governance microservice is enabled, API
governance resources can
be created. For more information, see Configuring API
governance in the Cloud
Manager, and Configuring API
governance in the API Manager.
Procedure
- Enabling the governance microservice as part of a new
deployment
Edit the CR file for the Management subsystem and add the settings for the governance
microservice.
- Edit the
ManagementCluster
CR and add the following definition for the
governance microservice. Append the governance definition to the end of the spec:
section, making sure to adhere to the spacing used in the file.spec:
...
governance:
enabled: true
- Apply the updated CR by running the following command as part of the standard Management
subsystem installation (see Installing the Management subsystem for
details):
kubectl apply -f management_cr.yaml -n <management_namespace>
Where management_namespace is the name of the target installation namespace in
the Kubernetes cluster.The governance microservice will be enabled with the Management subsystem.
- You can monitor your Kubernetes deployments by running the following
command:
kubectl get deployments -n <management_namespace>
The
installation is complete when the management-compliance
pods are shown in the list
of returned values.
- Enabling the governance microservice as part of an existing
deployment
Edit the deployed CR for the Management subsystem and add the settings for the governance
microservice.
- Retrieve the name of the deployed CR for the Management subsystem by running the following
command:
kubectl get managementcluster -n <management_namespace>
Where
management_namespace is the name of the target installation namespace in the
Kubernetes cluster.
- Edit the deployed CR by running the following
command:
kubectl edit managementcluster <management-cr-name> -n <management_namespace>
Where:
- management-cr-name is the name of the deployed CR for the Management
subsystem.
- management_namespace is the name of the target installation namespace in the
Kubernetes cluster.
- In the editor, append the governance definition to the end of the
spec:
section, making sure to adhere to the spacing used in the file.spec:
...
governance:
enabled: true
- Save the update.
The governance microservice is enabled in the Management subsystem.
- You can monitor your Kubernetes deployments by running the following
command:
kubectl get deployments -n <management_namespace>
The
installation is complete when the management-compliance
pods are shown in the list
of returned values.
- Disabling the governance microservice
Edit the deployed CR for the Management subsystem and update the settings for the governance
microservice.
- Retrieve the name of the deployed CR for the Management subsystem by running the following
command:
kubectl get managementcluster -n <management_namespace>
Where
management_namespace is the name of the target installation namespace in the
Kubernetes cluster.
- Edit the deployed CR by running the following
command:
kubectl edit managementcluster <management-cr-name> -n <management_namespace>
Where:
- management-cr-name is the name of the deployed CR for the Management
subsystem.
- management_namespace is the name of the target installation namespace in the
Kubernetes cluster.
- In the editor, change the governance definition to
enabled:
false
.spec:
...
governance:
enabled: false
- Save the update.
The governance microservice is disabled in the Management subsystem.
Results
Note that when the governance microservice is enabled, there are a number of new
deployments, jobs, and pods in the ManagementCluster
namespace. These Kubernetes
governance resources have names containing either compliance-service
or
compliance-ui
. For
example:kubectl get pods -n apic | grep compliance
management-compliance-service-f6cdf95fc-t4qkx 1/1 Running 0 127m
management-compliance-ui-59897fcc4-zm25v 1/1 Running 0 126m
management-up-compliance-service-data-populate-0-to-1-t2f4d 0/1 Completed 1 132m
management-up-compliance-service-schema-0-to-1-2lkqq 0/1 Completed 0