RELEASE-NOTES-POLICY-ENGINE.mdβ’6.01 kB
# π Policy Validation Engine - Now Available!
## π What's New
The **ARC Policy Engine** has been integrated into the MCP server with the new `arc_validate_policies` tool! This enterprise-grade policy validation system was fully implemented but had no user-facing tool to access it - until now.
## β¨ Key Features
### π Comprehensive Policy Coverage
- **20+ Built-in Policy Rules** across 5 categories
- **Security Policies (6 rules)**: Privileged containers, security contexts, secrets management
- **Compliance Policies (3 rules)**: Repository scoping, runner groups, labeling
- **Performance Policies (3 rules)**: Resource limits, CPU/memory quotas
- **Cost Policies (2 rules)**: Autoscaling, resource optimization
- **Operations Policies (2 rules)**: Runner images, operational best practices
### π― Multiple Operation Modes
1. **`validate`** - Check specific RunnerScaleSet against all policies
2. **`report`** - Generate comprehensive compliance reports (cluster or namespace)
3. **`list_rules`** - View all available policy rules and configuration
4. **`list_violations`** - List current violations with filtering by severity/category
5. **`auto_fix`** - Automatically remediate violations (preview mode)
### π Intelligent Compliance Scoring
- **Compliance Score**: Percentage of passed rules (0-100%)
- **Severity Levels**: Critical, High, Medium, Low
- **Category Grouping**: Security, Compliance, Performance, Cost, Operations
- **SOC2/ISO27001 Mapping**: Compliance framework alignment
### π§ Auto-Fix Capabilities
The policy engine identifies violations that can be automatically remediated:
- Adding security contexts
- Setting resource limits
- Removing privileged flags
- Adding required labels
- Configuring autoscaling
## π Usage Examples
### Natural Language
```text
"Validate my runners for security compliance"
"Check if our ARC setup meets SOC2 requirements"
"Show me all critical policy violations"
"Generate a compliance report for production"
```
### Direct Tool Invocation
**Validate Specific RunnerScaleSet:**
```bash
arc_validate_policies \
--operation validate \
--namespace arc-systems \
--runnerScaleSetName production-runners
```
**Generate Compliance Report:**
```bash
arc_validate_policies \
--operation report \
--namespace arc-systems
```
**List Security Policies:**
```bash
arc_validate_policies \
--operation list_rules \
--category security
```
**Show Critical Violations:**
```bash
arc_validate_policies \
--operation list_violations \
--severity critical
```
**Auto-Fix Violations (Preview):**
```bash
arc_validate_policies \
--operation auto_fix \
--namespace arc-systems
```
## π¨ Custom Policy Configuration
Create custom policy configurations with:
- Organization-specific rules
- Custom severity levels
- Enforcement modes (strict, advisory, disabled)
- Category-specific settings
- Rule overrides
Example custom configuration:
```json
{
"organization": {
"name": "my-company",
"environment": "production",
"compliance": ["SOC2", "ISO27001"]
},
"global": {
"enforcement": "strict",
"autoFix": false
},
"customRules": [
{
"id": "custom-001",
"name": "Require Company Registry",
"severity": "high",
"category": "security",
"enabled": true,
"scope": "runnerscaleset",
"conditions": [...],
"actions": [...]
}
]
}
```
## π Documentation
Comprehensive documentation has been added:
1. **[Policy Validation Guide](docs/POLICY_VALIDATION.md)** - Complete guide with:
- All 20+ policy rules documented
- Custom configuration examples
- CI/CD integration patterns
- Best practices and troubleshooting
2. **[TOOLS.md](TOOLS.md)** - Tool catalog updated with:
- Detailed `arc_validate_policies` documentation
- All operation modes explained
- Parameter reference
- Usage examples
3. **[README.md](README.md)** - Updated with:
- Policy validation in tool catalog
- Moved from "Roadmap" to "Implemented"
- Enhanced Natural Language Examples section
- Updated Key Features highlighting policy engine
## π Migration Notes
### From Previous Versions
The policy engine was always present in the codebase but had no user-facing tool. This release exposes all functionality through the `arc_validate_policies` MCP tool.
**No Breaking Changes**: All existing tools continue to work as before.
### Roadmap Update
Moved from future roadmap to implemented:
- β
`arc_validate_policies` - **NOW AVAILABLE**
- β³ `arc_audit_logs` - Still planned (next priority)
## π― What's Next
### Coming Soon
- **Full Auto-Fix Implementation**: Complete automated remediation with rollback
- **Audit Logging Tool** (`arc_audit_logs`): Security audit log analysis
- **Policy Webhooks**: Real-time policy validation on deployment
- **Custom Policy DSL**: Domain-specific language for easier policy creation
### Roadmap Priorities
1. Complete auto-fix implementation (beyond preview mode)
2. Audit logging integration
3. Policy-as-Code CI/CD templates
4. Multi-cluster policy management
## π€ Contributing
Want to add custom policies or enhance the engine? Check:
- [Contributing Guide](README.md#-contributing)
- [Policy Engine Source](src/engines/policy-engine.ts)
- Open issues tagged with `policy-engine`
## π Acknowledgments
The policy engine was inspired by:
- OPA (Open Policy Agent) best practices
- Kubernetes admission controllers
- Enterprise compliance requirements
- Community feedback on security needs
## π Support
- **Documentation**: [docs/POLICY_VALIDATION.md](docs/POLICY_VALIDATION.md)
- **Issues**: [GitHub Issues](https://github.com/tsviz/arc-config-mcp/issues)
- **Discussions**: [GitHub Discussions](https://github.com/tsviz/arc-config-mcp/discussions)
---
**Version**: 2.4.5 (Policy Engine Release)
**Release Date**: November 1, 2025
**Compatibility**: ARC 0.13.0+, Kubernetes 1.24+
π **Ready to validate your ARC deployment?** Try the new tool today!