| Policy | Description | Notes and references |
| --- | --- | --- |
| Upgrade OpenShift-Cluster sample policy | Use this policy to upgrade an OpenShift cluster. | In the provided example, a version 4.5 cluster is upgraded to version 4.5.3. Change the channel and the desired version if you want to upgrade other versions. |
| Egress sample policy | With the egress firewall you can define rules (per project) to allow or deny traffic (TCP or UDP) to the external network. | See the OpenShift Security Guide on securing your OpenShift cluster. |
| Example of configuring a cluster-wide proxy with a policy | Use this policy to configure a cluster-wide proxy. | See the OpenShift Documentation. This policy is only valid for OpenShift 4.x and needs to be adjusted for the proper environment. |
| Example of configuring DNS with a policy | Use this policy to configure DNS in your OpenShift cluster. For example, you can remove public DNS. | See the OpenShift Documentation. This policy is only valid for OpenShift 4.x and needs to be adjusted for the proper environment. |
| Example of configuring the Cluster Network Operator with a policy | Use this policy to configure the network of your OpenShift cluster. | See the OpenShift Documentation. This policy is only valid for OpenShift 4.x and needs to be adjusted for the proper environment. |
| Example of creating a deployment object | This example generates 5 replicas of `nginx-pods`. | See the Kubernetes Documentation to learn more about Deployments. |
| Example of a policy used to configure GitHub authentication | Use this policy to log in to your OpenShift cluster with GitHub authentication. | See the OpenShift Documentation, Configuring a GitHub or GitHub Enterprise identity provider, for more information. |
| Example of installing the Performance Addon Operator | Use this policy to install the Performance Addon Operator, which provides the ability to enable advanced node performance tunings on a set of nodes. | See the ACM & Performance Addon Operator repository documentation for more details. |
| Example of installing the PTP Operator | Use this policy to install the Precision Time Protocol (PTP) Operator, which creates and manages the linuxptp services on a set of nodes. | See the ACM & PTP Operator repository documentation for more details. |
| Example of installing the SR-IOV Network Operator | Use this policy to install the Single Root I/O Virtualization (SR-IOV) Network Operator, which manages the SR-IOV network devices and network attachments in your clusters. | See the ACM & SR-IOV Network Operator repository documentation for more details. |
| Example of labelling nodes of a cluster | Use this policy to label nodes in your managed clusters. Note that you must know the name of the node or nodes to label. | See the OpenShift Documentation to learn more about labelling objects. |
| Example of configuring an image policy | Use the image policy to define the repositories from which OpenShift can pull images. | See the OpenShift Security Guide on securing your OpenShift cluster. |
| Gatekeeper operator policy | Use the Gatekeeper operator policy to install the community version of Gatekeeper on a managed cluster. | See the Gatekeeper Operator. |
| Gatekeeper container image with the latest tag | Use the Gatekeeper policy to enforce that containers in deployable resources do not use images with the `latest` tag. | See the Gatekeeper documentation. Note: Gatekeeper controllers must be installed to use the Gatekeeper policy. See the Gatekeeper operator policy. |
| Gatekeeper liveness probe not set | Use the Gatekeeper policy to enforce that pods have a liveness probe. | See the Gatekeeper documentation. Note: Gatekeeper controllers must be installed to use the Gatekeeper policy. See the Gatekeeper operator policy. |
| Gatekeeper readiness probe not set | Use the Gatekeeper policy to enforce that pods have a readiness probe. | See the Gatekeeper documentation. Note: Gatekeeper controllers must be installed to use the Gatekeeper policy. See the Gatekeeper operator policy. |
| Gatekeeper allowed external IPs | Use the Gatekeeper allowed external IPs policy to define the external IPs that can be applied to a managed cluster. | See the Gatekeeper documentation. Note: Gatekeeper controllers must be installed to use the Gatekeeper policy. See the Gatekeeper operator policy. |
| Gatekeeper sample policy | Use the Gatekeeper sample policy to view an example of how a Gatekeeper policy can be applied to a managed cluster. | See the Gatekeeper documentation. Note: Gatekeeper controllers must be installed to use the Gatekeeper policy. See the Gatekeeper operator policy. |
| Gatekeeper mutation policy (owner annotation) | Use the Gatekeeper mutation policy to set the owner annotation on pods. | See the Gatekeeper documentation. Note: Gatekeeper controllers must be installed to use the Gatekeeper policy. See the Gatekeeper operator policy. You must enable mutatingWebhook to use the Gatekeeper mutation feature. |
| Gatekeeper mutation policy (image pull policy) | Use the Gatekeeper mutation policy to set or update the image pull policy on pods. | See the Gatekeeper documentation. Note: Gatekeeper controllers must be installed to use the Gatekeeper policy. See the Gatekeeper operator policy. You must enable mutatingWebhook to use the Gatekeeper mutation feature. |
| MachineConfig Chrony sample policy | Use the MachineConfig Chrony policy to configure /etc/chrony.conf on certain machines. | For more information, see the Modifying node configurations in OpenShift 4.x blog. Note: The policy requires that the managed cluster is OpenShift Container Platform. |
| Network Policy samples | Use the Network policy to specify how groups of pods are allowed to communicate with each other and with other network endpoints. | See the OpenShift Security Guide. Note: Modify the policy to fit your actual use cases. |
| OPA sample policy | Use the Open Policy Agent (OPA) sample policy to view an example of how an OPA policy can be created. You can also view an example of adding a Rego script to a ConfigMap, which is evaluated by OPA. | See the OPA example repository. Note: OPA must be installed to use the OPA ConfigMap policy. |
| Trusted Container policy | Use the trusted container policy to detect whether running pods are using trusted images. | See the Trusted Container Policy Controller. |
| Trusted Node policy | Use the trusted node policy to detect whether there are untrusted or unattested nodes in the cluster. | See the Trusted Node Policy Controller. |
| ETCD Backup | Use the ETCD Backup policy to keep the last six backup snapshots of etcd. The policy uses the etcd container image because it contains all of the required tools, such as etcdctl. | For more information, see OpenShift 4 with default storage class. |
| Integrity Shield | Use Integrity Shield to protect the integrity of Kubernetes resources in a cluster (for example, OpenShift). | See the Integrity Shield documentation. |
| Integrity Shield Events | Use the Integrity Shield Events policy to show a status that indicates whether Integrity Shield has denied any requests in a cluster. | See the Integrity Shield documentation. |
| PolicyReport failures | The policy-check-reports policy searches for any PolicyReport resources that contain failures in their results. | An example of a tool that creates PolicyReports is Kyverno. |
| Kyverno sample policy | Use the Kyverno sample policy to view an example of how a Kyverno policy can be applied to a managed cluster. This policy is evaluated by the Kyverno controller on the managed cluster. | See the Installation instructions and How to write Kyverno policies. Note: Kyverno must be installed on the managed cluster to use the Kyverno policy. |