Last active
September 24, 2021 04:44
-
-
Save radikaled/5261d652c149e109ca76efb8bc41e2f1 to your computer and use it in GitHub Desktop.
policy-advanced-managed-cluster-security (dynamic centralEndpoint and clusterName)
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| # This policy deploys the Red Hat Advanced Cluster Security Secure Cluster | |
| # Services to all OpenShift managed clusters. Note that it is set to | |
| # enforce by default and it requires RHACM 2.3 template support. | |
| # | |
| # Prior to applying this policy you must visit | |
| # https://github.com/open-cluster-management/advanced-cluster-security | |
| # and follow the instructions there to deploy prerequisite bundles | |
| # needed by the Secure Cluster Services for communicating with the | |
| # Central server. | |
| # | |
| apiVersion: policy.open-cluster-management.io/v1 | |
| kind: Policy | |
| metadata: | |
| name: policy-advanced-managed-cluster-security | |
| annotations: | |
| policy.open-cluster-management.io/standards: NIST SP 800-53 | |
| policy.open-cluster-management.io/categories: CM Configuration Management | |
| policy.open-cluster-management.io/controls: CM-2 Baseline Configuration | |
| spec: | |
| remediationAction: enforce | |
| disabled: false | |
| policy-templates: | |
| - objectDefinition: | |
| apiVersion: policy.open-cluster-management.io/v1 | |
| kind: ConfigurationPolicy | |
| metadata: | |
| name: managed-cluster-security-ns | |
| spec: | |
| remediationAction: inform | |
| severity: high | |
| object-templates: | |
| - complianceType: musthave | |
| objectDefinition: | |
| apiVersion: v1 | |
| kind: Namespace | |
| metadata: | |
| name: stackrox | |
| - objectDefinition: | |
| apiVersion: policy.open-cluster-management.io/v1 | |
| kind: ConfigurationPolicy | |
| metadata: | |
| name: managed-cluster-security-operator-sub | |
| spec: | |
| remediationAction: inform | |
| severity: high | |
| object-templates: | |
| - complianceType: musthave | |
| objectDefinition: | |
| apiVersion: operators.coreos.com/v1alpha1 | |
| kind: Subscription | |
| metadata: | |
| name: rhacs-operator | |
| namespace: openshift-operators | |
| spec: | |
| channel: latest | |
| installPlanApproval: Automatic | |
| name: rhacs-operator | |
| source: redhat-operators | |
| sourceNamespace: openshift-marketplace | |
| startingCSV: rhacs-operator.v3.65.1 | |
| - objectDefinition: | |
| apiVersion: policy.open-cluster-management.io/v1 | |
| kind: ConfigurationPolicy | |
| metadata: | |
| name: managed-cluster-security-endpoints | |
| spec: | |
| remediationAction: inform | |
| severity: high | |
| object-templates: | |
| - complianceType: musthave | |
| objectDefinition: | |
| apiVersion: platform.stackrox.io/v1alpha1 | |
| kind: SecuredCluster | |
| metadata: | |
| namespace: stackrox | |
| name: stackrox-secured-cluster-services | |
| spec: | |
| clusterName: |- | |
| {{ if (lookup "platform.stackrox.io/v1alpha1" "Central" "stackrox" "stackrox-central-services") -}} | |
| local-cluster | |
| {{ else }} | |
| {{- (lookup "config.openshift.io/v1" "Infrastructure" "" "cluster").status.infrastructureName }} | |
| {{- end }} | |
| auditLogs: | |
| collection: Auto | |
| centralEndpoint: |- | |
| {{ if (lookup "platform.stackrox.io/v1alpha1" "Central" "stackrox" "stackrox-central-services") -}} | |
| central.stackrox.svc:443 | |
| {{ else }} | |
| {{ if (lookup "config.openshift.io/v1" "Infrastructure" "" "cluster").status.infrastructureName | printf "%s" | eq "crc-5dd5m" }} | |
| external.stackrox.svc:443 | |
| {{ end }} | |
| {{- end }} | |
| admissionControl: | |
| listenOnCreates: false | |
| listenOnEvents: true | |
| listenOnUpdates: false | |
| perNode: | |
| collector: | |
| collection: KernelModule | |
| imageFlavor: Regular | |
| taintToleration: TolerateTaints | |
| --- | |
| apiVersion: policy.open-cluster-management.io/v1 | |
| kind: PlacementBinding | |
| metadata: | |
| name: binding-policy-advanced-managed-cluster-security | |
| placementRef: | |
| name: placement-policy-advanced-managed-cluster-security | |
| kind: PlacementRule | |
| apiGroup: apps.open-cluster-management.io | |
| subjects: | |
| - name: policy-advanced-managed-cluster-security | |
| kind: Policy | |
| apiGroup: policy.open-cluster-management.io | |
| --- | |
| apiVersion: apps.open-cluster-management.io/v1 | |
| kind: PlacementRule | |
| metadata: | |
| name: placement-policy-advanced-managed-cluster-security | |
| spec: | |
| clusterConditions: | |
| - status: "True" | |
| type: ManagedClusterConditionAvailable | |
| clusterSelector: | |
| matchExpressions: | |
| - {key: vendor, operator: In, values: ["OpenShift"]} |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment