Manage Policies
aperturectl is a powerful CLI that complements the Aperture Cloud UI. With aperturectl, you can also manage blueprints and generate policies, dashboards, and graphs. In this overview, you'll explore the various commands available in aperturectl for managing and creating policies using blueprints.
Listing Available Blueprints
The following command can be used to list available blueprints:
aperturectl blueprints list --version=v2.32.2
This outputs the following:
auto-scaling/pod-auto-scaler
load-ramping/base
load-scheduling/average-latency
load-scheduling/postgresql
load-scheduling/promql
quota-scheduling/base
rate-limiting/base
Customizing Blueprints
Blueprints use a configuration file to provide required fields and to customize the generated policy and dashboard files.
For example, to generate a policies/rate-limiting policy, you can first generate a values.yaml file using the following command:
aperturectl blueprints values --name=rate-limiting/base --version=v2.32.2 --output-file=values.yaml
You can then edit the values.yaml to provide the required fields (__REQUIRED_FIELD__ placeholder) as follows:
Final/Edited Values:
# yaml-language-server: $schema=https://raw.githubusercontent.com/fluxninja/aperture/latest/blueprints/rate-limiting/base/gen/definitions.json
# Generated values file for rate-limiting/base blueprint
# Documentation/Reference for objects and parameters can be found at:
# https://docs.fluxninja.com/reference/blueprints/rate-limiting/base
blueprint: rate-limiting/base
policy:
  # Name of the policy.
  # Type: string
  # Required: True
  policy_name: rate-limiting
  rate_limiter:
    # Bucket capacity.
    # Type: float64
    # Required: True
    bucket_capacity: 40
    # Fill amount.
    # Type: float64
    # Required: True
    fill_amount: 2
    # Parameters.
    # Type: aperture.spec.v1.RateLimiterParameters
    # Required: True
    parameters:
      interval: 1s
      limit_by_label_key: "http.request.header.user_type"
    # Flow selectors to match requests against
    # Type: []aperture.spec.v1.Selector
    # Required: True
    selectors:
      - agent_group: default
        service: service1-demo-app.demoapp.svc.cluster.local
        control_point: ingress
Placeholder Values:
# Generated values file for rate-limiting/base blueprint
# Documentation/Reference for objects and parameters can be found at:
# https://docs.fluxninja.com/reference/blueprints/rate-limiting/base
blueprint: rate-limiting/base
policy:
  # List of additional circuit components.
  # Type: []aperture.spec.v1.Component
  components: []
  # Name of the policy.
  # Type: string
  # Required: True
  policy_name: __REQUIRED_FIELD__
  # Additional resources.
  # Type: aperture.spec.v1.Resources
  resources:
    flow_control:
      classifiers: []
  rate_limiter:
    # Alerter.
    # Type: aperture.spec.v1.AlerterParameters
    alerter:
      alert_name: "More than 90% of requests are being rate limited"
    # Bucket capacity.
    # Type: float64
    # Required: True
    bucket_capacity: __REQUIRED_FIELD__
    # Fill amount.
    # Type: float64
    # Required: True
    fill_amount: __REQUIRED_FIELD__
    # Parameters.
    # Type: aperture.spec.v1.RateLimiterParameters
    # Required: True
    parameters:
      interval: __REQUIRED_FIELD__
    # Request Parameters.
    # Type: aperture.spec.v1.RateLimiterRequestParameters
    request_parameters: {}
    # Flow selectors to match requests against
    # Type: []aperture.spec.v1.Selector
    # Required: True
    selectors:
      - control_point: __REQUIRED_FIELD__
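A pre-flight check for the editing step above, as an added example that is not part of aperturectl or the Aperture documentation: the hypothetical shell function find_unfilled reports the dotted key path of every key in a values file that still holds the __REQUIRED_FIELD__ placeholder. The sample file is constructed, and the function assumes two-space YAML indentation and unquoted placeholder values.

```shell
#!/bin/sh
# Added example, not part of aperturectl. Two-space YAML indentation assumed.

# sample_values: prints a constructed, partially edited values file.
sample_values() {
  cat <<'EOF'
blueprint: rate-limiting/base
policy:
  # Required: True
  policy_name: rate-limiting
  rate_limiter:
    bucket_capacity: 40
    fill_amount: __REQUIRED_FIELD__
    parameters:
      interval: __REQUIRED_FIELD__
    selectors:
      - control_point: __REQUIRED_FIELD__
EOF
}

# find_unfilled FILE: prints "line: dotted.key.path" for each key still set
# to the placeholder. Returns 0 when none remain, 1 otherwise.
find_unfilled() {
  awk '
    /^[ \t]*#/ || /^[ \t]*$/ { next }        # skip comments and blank lines
    {
      match($0, /[^ ]/); indent = RSTART - 1
      body = substr($0, RSTART)
      if (body ~ /^- /) { indent += 2; body = substr(body, 3) }  # list item
      # pop path entries at the same or deeper indentation
      while (depth > 0 && ind[depth] >= indent) depth--
      if (match(body, /^[A-Za-z_][A-Za-z0-9_.]*:/)) {
        depth++; ind[depth] = indent; name[depth] = substr(body, 1, RLENGTH - 1)
        if (body ~ /:[ \t]*__REQUIRED_FIELD__[ \t]*$/) {
          path = name[1]
          for (i = 2; i <= depth; i++) path = path "." name[i]
          printf "%d: %s\n", NR, path
          found = 1
        }
      }
    }
    END { exit found + 0 }
  ' "$1"
}

tmp=$(mktemp) && sample_values > "$tmp"
find_unfilled "$tmp" || echo "unfilled required fields remain; fix before generating"
rm -f "$tmp"
```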
Generating Policies and Dashboards
Once the values.yaml file is ready, you can generate the blueprint using the following command:
aperturectl blueprints generate --values-file=values.yaml --output-dir=policy-gen
aperturectl dashboard --policy-file=policy-gen/policies/rate-limiting-cr.yaml --output-dir=policy-gen
The following directory structure will be generated:
policy-gen
├── dashboards
│   └── rate-limiting.json
├── graphs
│   ├── rate-limiting.dot
│   └── rate-limiting.mmd
└── policies
    ├── rate-limiting-cr.yaml
    └── rate-limiting.yaml
Applying Policies
The generated policies can be applied using aperturectl or kubectl.
Aperture Cloud:
You can pass the --apply flag with aperturectl cloud to apply the generated policies directly on the Aperture Cloud Controller.
See Set up CLI (aperturectl) for more information on how to configure what aperturectl should connect to.
aperturectl cloud policy apply --file policy-gen/policies/rate-limiting.yaml
Run the following command to check if the policy was created.
aperturectl cloud policies
Self Hosting, Kubernetes Operator:
If the Aperture Controller is deployed on Kubernetes using the Operator, you can apply the policy using the following command:
kubectl apply -f policy-gen/policies/rate-limiting-cr.yaml -n aperture-controller
Run the following command to check if the policy was created.
kubectl get policies.fluxninja.com -n aperture-controller
Self Hosting, Kubernetes Namespace-scoped:
If the Aperture Controller is deployed on Kubernetes using the Namespace-scoped installation, you can apply the policy using the following command:
aperturectl policy apply --file policy-gen/policies/rate-limiting.yaml --kube --controller-ns aperture-controller
Run the following command to check if the policy was created.
aperturectl policies --controller-ns aperture-controller
Self Hosting, Docker:
If the Aperture Controller is deployed on Docker, you can apply the policy using the following command:
aperturectl policy apply --file policy-gen/policies/rate-limiting.yaml --controller localhost:8080 --insecure
Run the following command to check if the policy was created.
aperturectl policies --controller localhost:8080 --insecure
The policy runtime can be visualized in Aperture Cloud, Grafana, or any other Prometheus-compatible analytics tool. Refer to the Prometheus-compatible metrics available from the controller and agent.
Deleting Policies
Run the following command to delete the above policy:
aperturectl:
aperturectl policy delete --policy=rate-limiting
kubectl:
kubectl delete policies.fluxninja.com rate-limiting -n aperture-controller