stable/SI-System-and-Information-Integrity/policy-imagemanifestvuln.yaml

apiVersion: policy.open-cluster-management.io/v1
kind: Policy
metadata:
  name: policy-imagemanifestvuln
  annotations:
    policy.open-cluster-management.io/standards: NIST SP 800-53
    policy.open-cluster-management.io/categories: SI System and Information Integrity
    policy.open-cluster-management.io/controls: SI-4 Information System Monitoring
spec:
  remediationAction: inform
  disabled: false
  policy-templates:
    - objectDefinition:
        apiVersion: policy.open-cluster-management.io/v1
        kind: ConfigurationPolicy
        metadata:
          name: policy-imagemanifestvuln-example-sub
        spec:
          remediationAction: inform # the policy-template spec.remediationAction is overridden by the preceding parameter value for spec.remediationAction.
          severity: high
          object-templates:
            - complianceType: musthave
              objectDefinition:
                apiVersion: operators.coreos.com/v1alpha1
                kind: Subscription
                metadata:
                  name: container-security-operator
                  namespace: openshift-operators
                spec:
                  # channel: quay-v3.3 # specify a specific channel if desired
                  installPlanApproval: Automatic
                  name: container-security-operator
                  source: redhat-operators
                  sourceNamespace: openshift-marketplace
    - objectDefinition:
        apiVersion: policy.open-cluster-management.io/v1
        kind: ConfigurationPolicy
        metadata:
          name: policy-imagemanifestvuln-status
        spec:
          remediationAction: inform  # will be overridden by remediationAction in parent policy
          severity: high
          object-templates:
            - complianceType: musthave
              objectDefinition:
                apiVersion: operators.coreos.com/v1alpha1
                kind: ClusterServiceVersion
                metadata:
                  namespace: openshift-operators
                spec:
                  displayName: Red Hat Quay Container Security Operator
                status:
                  phase: Succeeded   # check the csv status to determine if operator is running or not
    - objectDefinition:
        apiVersion: policy.open-cluster-management.io/v1
        kind: ConfigurationPolicy
        metadata:
          name: policy-imagemanifestvuln-example-imv
        spec:
          remediationAction: inform # the policy-template spec.remediationAction is overridden by the preceding parameter value for spec.remediationAction.
          severity: high
          namespaceSelector:
            exclude: ["kube-*"]
            include: ["*"]
          object-templates:
            - complianceType: mustnothave # mustnothave any ImageManifestVuln object
              objectDefinition:
                apiVersion: secscan.quay.redhat.com/v1alpha1
                kind: ImageManifestVuln # checking for a kind
---
apiVersion: policy.open-cluster-management.io/v1
kind: PlacementBinding
metadata:
  name: binding-policy-imagemanifestvuln
placementRef:
  name: placement-policy-imagemanifestvuln
  kind: PlacementRule
  apiGroup: apps.open-cluster-management.io
subjects:
- name: policy-imagemanifestvuln
  kind: Policy
  apiGroup: policy.open-cluster-management.io
---
apiVersion: apps.open-cluster-management.io/v1
kind: PlacementRule
metadata:
  name: placement-policy-imagemanifestvuln
spec:
  clusterConditions:
  - status: "True"
    type: ManagedClusterConditionAvailable
  clusterSelector:
    matchExpressions:
      - {key: environment, operator: In, values: ["dev"]}