Updating the Policy Package

Describes how to update the policy or the policy path.

The following steps describe how to update the policy or the policy path.

  1. Modify the policy or the location where the policy has been uploaded.

  2. Run the helm upgrade command to update the policy package or the policy package path.

For example, the line --set policyPuller.policy.path="s3://apjavacontainers/static-iap-java-rel-a/try/Sample_App_Policy.tgz" in the following code block indicates that the path where the policy package is stored has changed.

helm -n devops-10-v5 upgrade test-sampleapp-10-v1 spring-apjava-devops/ \
  --set imagePullSecrets[0].name="regcred" \
  --set springappImage.repository="829528124735.dkr.ecr.us-east-1.amazonaws.com/containers" \
  --set springappImage.tag="APJAVA_RHUBI_SAMPLE-10-v14-v1" \
  --set policyLoaderImage.repository="829528124735.dkr.ecr.us-east-1.amazonaws.com/containers" \
  --set policyLoaderImage.tag="POLICY-LOADER_RHUBI-9-64_x86-64_K8S_1.0.0.13.e0beab.tgz" \
  --set protector.kms.host="test-kms-10-v1-kms-proxy.devops-10-v5.svc" \
  --set protector.kms.certificates="pty-certs-cli-secret" \
  --set protector.logs.host="test-logforwarder10-v1.devops-10-v5.svc" \
  --set policyPuller.policy.path="s3://apjavacontainer/new-10-49-7-212/iap-java-policy-core-big-10-49-7-212.json"

For more information about using set arguments to deploy the Protector, refer to the section Appendix - Deploying the Helm Charts by Using the Set Argument.

  3. Run the following command to check the status of the pods.

kubectl get pods -n <Namespace>

For example:

kubectl get pods -n iap-java
NAME                                                    READY   STATUS    RESTARTS   AGE
test-devops-logforwarder10-v1-2m49b                     1/1     Running   0          163m
test-devops-logforwarder10-v1-wwjzh                     1/1     Running   0          165m
test-kms-10-v1-kms-proxy-687657cff9-dlzdz               1/1     Running   0          161m
test-sampleapp-10-v1-iap-java-devops-54668997cf-kw628   3/3     Running   0          5m11s

  4. Run the following command to check the logs.

kubectl logs <Pod_name> -n <Namespace> -f

For example:

kubectl logs test-sampleapp-10-v1-iap-java-devops-54668997cf-kw628 -n iap-java -f

The following logs appear on the console output. The line [INFO ] 2025/10/29 11:47:19.335550 runner.go:226: New Policy source path s3://apjavacontainers/new-10-49-7-212/new/policy-sample-app-10-49-7-212-v1.json indicates that the policy package path has been updated.

Defaulted container "policy-loader" out of: policy-loader, iap-java-devops

[INFO ] 2025/10/29 11:45:16.090634 runner.go:104: starting policy loader with version: 1.0.0+13.e0beab

Starting Health Server.

[INFO ] 2025/10/29 11:45:16.090811 runner.go:187: fetching policy from storage media, AWS_S3

[INFO ] 2025/10/29 11:45:16.313683 runner.go:196: Loading policy from source path s3://apjavacontainers/new-10-49-7-212/policy-v1-10-49-7-212.json

[INFO ] 2025/10/29 11:45:48.914901 runner.go:220: fetching policy from storage media, AWS_S3

[INFO ] 2025/10/29 11:45:48.914935 runner.go:242: Policy source path is same. Checking based on timestamp.

[INFO ] 2025/10/29 11:45:49.057011 runner.go:250: Policy source is not modified since last fetch. Skipping policy load operation.

[INFO ] 2025/10/29 11:46:19.057887 runner.go:220: fetching policy from storage media, AWS_S3

[INFO ] 2025/10/29 11:46:19.057916 runner.go:242: Policy source path is same. Checking based on timestamp.

[INFO ] 2025/10/29 11:46:19.201224 runner.go:250: Policy source is not modified since last fetch. Skipping policy load operation.

[INFO ] 2025/10/29 11:46:49.201456 runner.go:220: fetching policy from storage media, AWS_S3

[INFO ] 2025/10/29 11:46:49.201485 runner.go:242: Policy source path is same. Checking based on timestamp.

[INFO ] 2025/10/29 11:46:49.335206 runner.go:250: Policy source is not modified since last fetch. Skipping policy load operation.

[INFO ] 2025/10/29 11:47:19.335501 runner.go:220: fetching policy from storage media, AWS_S3

[INFO ] 2025/10/29 11:47:19.335536 runner.go:224: Policy source path is modified. Triggering policy load operation.

[INFO ] 2025/10/29 11:47:19.335545 runner.go:225: Old Policy source path s3://apjavacontainers/new-10-49-7-212/policy-v1-10-49-7-212.json.

[INFO ] 2025/10/29 11:47:19.335550 runner.go:226: New Policy source path s3://apjavacontainers/new-10-49-7-212/new/policy-sample-app-10-49-7-212-v1.json
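
The log check in the last step can be scripted so that a policy path change is confirmed against the path passed to helm upgrade, and an unexpected path is flagged. The following is an added example, not part of the product or its documentation; the function names are hypothetical, and the sample lines are taken from the console output above.

```shell
#!/bin/sh
# Added example: audit policy-loader logs for policy source path changes.
# Function names are hypothetical; the log format is the one shown on this page.

# Constructed sample input, taken from the console output above.
sample_log() {
cat <<'EOF'
[INFO ] 2025/10/29 11:46:49.335206 runner.go:250: Policy source is not modified since last fetch. Skipping policy load operation.
[INFO ] 2025/10/29 11:47:19.335536 runner.go:224: Policy source path is modified. Triggering policy load operation.
[INFO ] 2025/10/29 11:47:19.335545 runner.go:225: Old Policy source path s3://apjavacontainers/new-10-49-7-212/policy-v1-10-49-7-212.json.
[INFO ] 2025/10/29 11:47:19.335550 runner.go:226: New Policy source path s3://apjavacontainers/new-10-49-7-212/new/policy-sample-app-10-49-7-212-v1.json
EOF
}

# Print one line per path change: "<date> <time> <old path> <new path>".
policy_path_changes() {
  awk '
    / Old Policy source path / { old = $NF; sub(/\.$/, "", old) }  # drop the trailing period
    / New Policy source path / { print $3, $4, old, $NF; old = "" }
  '
}

# verify_policy_path EXPECTED
# Reads log lines on stdin. Returns 0 if the latest change loaded EXPECTED,
# 1 if it loaded a different path, 2 if no change has been logged.
verify_policy_path() {
  expected=$1
  actual=$(policy_path_changes | tail -n 1 | awk '{ print $NF }')
  if [ -z "$actual" ]; then
    echo "no policy path change logged" >&2
    return 2
  fi
  if [ "$actual" != "$expected" ]; then
    echo "unexpected policy path: $actual" >&2
    return 1
  fi
  echo "policy path updated to $actual"
}

# Live use (container name as shown in the log output above):
#   kubectl logs <Pod_name> -n <Namespace> -c policy-loader | verify_policy_path "<path>"
```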

Last modified : December 18, 2025