Golden Blueprint

The "Golden Cluster Blueprints" capability extends Default (System) Blueprints and can be used to create and enforce a baseline set of add-ons and policies. Users can use a golden blueprint as the base for any new custom blueprint or version, or deploy golden blueprints directly to clusters.

Golden Blueprints offer the following benefits:

  • Make it easier to create and manage Custom BPs (for example, Org/Infra Admins no longer need to create a brand-new custom BP from scratch with a default BP as the base when certain projects only need one or two additional add-ons)
  • Ensure that certain baseline applications are deployed and policies are applied at all times so that clusters stay in compliance

Important

Custom Blueprints cannot override configurations specified in the Golden Blueprint.


Scoping

Other than the default cluster blueprints, which are common across all projects, all golden blueprints are scoped to a Project. If required, blueprints can be shared with selected projects or with all projects.


Step 1: Create Golden Blueprint

As an Admin in the Web Console,

  • Navigate to the Project and click on Blueprints under Infrastructure
  • Click on New blueprint
  • Provide a name and description
  • Select the Type Golden Blueprint and click Save

New Blueprint

All golden blueprints are version-controlled so that their lifecycle can be properly managed. In this example, the admin has not yet configured anything, so no versions are available.

New Blueprint


Step 2: New Version

  • Click on New Version and use the wizard to provide details
  • Provide a version number/name
  • Select the required Base Blueprint (System Blueprints) and its version from the drop-down

New Blueprint

Optionally,

  • Select a drift detection policy

Drift Detection

Important

In alignment with the end of support for Pod Security Policies (PSPs) in Kubernetes, turnkey support for PSPs has been deprecated. New blueprints no longer support the use of PSPs. Existing PSP configurations set through blueprints are maintained but cannot be updated. PSP addons are therefore marked as ready instantly on any blueprint update.

Optionally,

  • Enable Namespace sync under Namespace configuration

Namespace sync

Optionally,

  • Select the Enable OPA Gatekeeper for this Blueprint option and choose a policy from the list to enforce on the required cluster
  • Enable Network Visibility and Policy and add one or more Cluster-wide Network policies

Policies

Optionally,

  • Select custom addons and version of the addons

Create Blueprint

Optionally,

  • Enable/disable addons from the default blueprint (e.g. Ingress Controller)
  • Select the required Kube API Proxy Network from the Private KubeAPI Proxy drop-down
  • Click Save Changes

Create Blueprint

Below is an example of a golden blueprint called "demo-golden-blueprint"

New Version


View Versions

The entire history of blueprint versions is maintained on the Controller. Admins can view details about the versions of cluster blueprints using the eye icon.

Use the enable/disable icon to control which golden blueprint version(s) are listed during cluster provisioning. This option helps prevent users from selecting blueprint versions that might contain vulnerable or deprecated add-on versions.

View All Versions

Disabling a version affects the clusters that use this specific blueprint version. Click Yes to proceed.

View All Versions

Once a version is disabled, any cluster deployed with that specific BP version is highlighted in red with an Update button. Use this button to update the cluster to the required blueprint and version.

View All Versions


View All Cluster Blueprints

Admins can view all custom cluster blueprints.

  • Navigate to the Project
  • Click on Blueprints under Infrastructure

This will display both the "default blueprints" and any custom/golden cluster blueprints that have been created.

Below is an illustrative example of custom and golden blueprint(s). The Type column shows the type of each BP, either custom or golden.

View Cluster Blueprints


Apply Custom/Golden Blueprint

Once a golden cluster blueprint has been created and published, it can either be used as the base blueprint for Custom BPs or applied directly during the initial provisioning of clusters or to existing clusters.

New Clusters

While creating a new cluster, select the golden blueprint from the dropdown. An illustrative example is shown below.

Blueprint for New Cluster


Existing Clusters

  • Click on options (gear icon on the far right) for an existing cluster
  • Select "Update Blueprint" from the options
  • Select the "blueprint" and "version" from the dropdown
  • Click Save and Publish

Blueprint for Existing Cluster

This will update the cluster blueprint on the target cluster. Once all the required resources are operational on the cluster, the blueprint update/sync will be complete.


Nodes Architecture

To use a golden blueprint on ARM64-based clusters, the following criteria must be met:

  1. When creating a golden blueprint with a minimal blueprint as base, uncheck the managed addons that are selected by default
  2. When creating a custom blueprint with a golden blueprint as base, create the golden blueprint as described in point 1, then uncheck the managed addons selected by default for the custom blueprint

Customizations are not allowed. Provisioning fails if you enable any customizations or deploy blueprints other than minimal on ARM64-based clusters.

Below is an illustrative example of a failed scenario.

Blueprint for Existing Cluster
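
The rules described on this page (a disabled golden version, no overriding of golden settings, and the ARM64 restrictions) can be checked before a blueprint is published. The following is an added example, not the product's own code or schema; the dict layout, field names and sample values are assumptions constructed for illustration.

```python
# Added illustration: the dict layout and field names are hypothetical,
# not the product's blueprint schema or API.

def audit_blueprint(custom, golden, arch="amd64"):
    """Check a custom blueprint against the golden version it uses as base."""
    findings = []

    # A disabled golden version is no longer offered; clusters on it need an update.
    if not golden["enabled"]:
        findings.append(f"base {golden['name']}:{golden['version']} is disabled")

    # Custom blueprints cannot override what the golden blueprint specifies.
    for section in ("settings", "addons"):
        for key, golden_value in golden[section].items():
            custom_value = custom.get(section, {}).get(key, golden_value)
            if custom_value != golden_value:
                findings.append(f"{section}.{key}: custom value {custom_value!r} "
                                f"conflicts with golden value {golden_value!r}")

    # ARM64: minimal base only, managed addons unchecked on both layers.
    if arch == "arm64":
        if golden["base"] != "minimal":
            findings.append(f"arm64 requires a minimal base, found {golden['base']!r}")
        for layer in (golden, custom):
            if layer.get("managed_addons"):
                findings.append(f"arm64: managed addons still selected in "
                                f"{layer['name']}: {sorted(layer['managed_addons'])}")
    return findings


# Constructed sample data (not taken from a real deployment).
GOLDEN = {
    "name": "demo-golden-blueprint", "version": "v1", "enabled": False,
    "base": "minimal",
    "settings": {"drift_detection": "block", "opa_gatekeeper": True},
    "addons": {"baseline-logging": "2.1.0"},
    "managed_addons": [],
}
CUSTOM = {
    "name": "team-a-custom",
    "settings": {"opa_gatekeeper": False, "namespace_sync": True},
    "addons": {"baseline-logging": "2.1.0", "team-a-app": "0.3.0"},
    "managed_addons": ["ingress-controller"],
}

if __name__ == "__main__":
    for finding in audit_blueprint(CUSTOM, GOLDEN, arch="arm64"):
        print("FAIL:", finding)
```

Settings and addons that the custom blueprint adds without touching a golden key (here `namespace_sync` and `team-a-app`) are not flagged; only values that contradict the golden layer are.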