forked from open-cluster-management-io/policy-collection
-
Notifications
You must be signed in to change notification settings - Fork 0
/
Copy pathpolicy-acs-operator-secured-clusters.yaml
130 lines (130 loc) · 4.44 KB
/
policy-acs-operator-secured-clusters.yaml
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
# This policy deploys the Red Hat Advanced Cluster Security Secure Cluster
# Services to all OpenShift managed clusters. Note that it is set to
# enforce by default and it requires RHACM 2.3 template support.
#
# Prior to applying this policy you must visit
# https://github.com/stolostron/advanced-cluster-security
# and follow the instructions there to deploy prerequisite bundles
# needed by the Secure Cluster Services for communicating with the
# Central server.
#
apiVersion: policy.open-cluster-management.io/v1
kind: Policy
metadata:
name: policy-advanced-managed-cluster-security
annotations:
policy.open-cluster-management.io/standards: NIST SP 800-53
policy.open-cluster-management.io/categories: CM Configuration Management
policy.open-cluster-management.io/controls: CM-2 Baseline Configuration
spec:
remediationAction: enforce
disabled: false
policy-templates:
- objectDefinition:
apiVersion: policy.open-cluster-management.io/v1
kind: ConfigurationPolicy
metadata:
name: managed-cluster-security-ns
spec:
remediationAction: inform
severity: high
object-templates:
- complianceType: musthave
objectDefinition:
apiVersion: v1
kind: Namespace
metadata:
name: stackrox
- complianceType: musthave
objectDefinition:
apiVersion: v1
kind: Namespace
metadata:
name: rhacs-operator
- complianceType: musthave
objectDefinition:
apiVersion: operators.coreos.com/v1
kind: OperatorGroup
metadata:
name: rhacs-operator-group
namespace: rhacs-operator
spec: {}
- objectDefinition:
apiVersion: policy.open-cluster-management.io/v1
kind: ConfigurationPolicy
metadata:
name: managed-cluster-security-operator-sub
spec:
remediationAction: inform
severity: high
object-templates:
- complianceType: musthave
objectDefinition:
apiVersion: operators.coreos.com/v1alpha1
kind: Subscription
metadata:
name: rhacs-operator
namespace: rhacs-operator
spec:
channel: latest
installPlanApproval: Automatic
name: rhacs-operator
source: redhat-operators
sourceNamespace: openshift-marketplace
- objectDefinition:
apiVersion: policy.open-cluster-management.io/v1
kind: ConfigurationPolicy
metadata:
name: managed-cluster-security-endpoints
spec:
remediationAction: inform
severity: high
object-templates:
- complianceType: musthave
objectDefinition:
apiVersion: platform.stackrox.io/v1alpha1
kind: SecuredCluster
metadata:
namespace: stackrox
name: stackrox-secured-cluster-services
spec:
clusterName: |
{{ fromSecret "open-cluster-management-agent" "hub-kubeconfig-secret" "cluster-name" | base64dec }}
auditLogs:
collection: Auto
centralEndpoint: |
{{ fromSecret "stackrox" "sensor-tls" "acs-host" | base64dec }}
admissionControl:
listenOnCreates: false
listenOnEvents: true
listenOnUpdates: false
perNode:
collector:
collection: KernelModule
imageFlavor: Regular
taintToleration: TolerateTaints
---
apiVersion: policy.open-cluster-management.io/v1
kind: PlacementBinding
metadata:
name: binding-policy-advanced-managed-cluster-security
placementRef:
name: placement-policy-advanced-managed-cluster-security
kind: PlacementRule
apiGroup: apps.open-cluster-management.io
subjects:
- name: policy-advanced-managed-cluster-security
kind: Policy
apiGroup: policy.open-cluster-management.io
---
apiVersion: apps.open-cluster-management.io/v1
kind: PlacementRule
metadata:
name: placement-policy-advanced-managed-cluster-security
spec:
clusterConditions:
- status: "True"
type: ManagedClusterConditionAvailable
clusterSelector:
matchExpressions:
- {key: vendor, operator: In, values: ["OpenShift"]}