

Convert existing policies to operator policies for installing operators
Converted policies:
- Compliance operator policy
- Quay container security operator policy
- Gatekeeper operator policy

ref: https://issues.redhat.com/browse/ACM-10573
Signed-off-by: Jason Zhang <[email protected]>
zyjjay committed Apr 17, 2024
1 parent f9590a7 commit 5b068d8
Showing 3 changed files with 43 additions and 148 deletions.
Expand Up @@ -17,79 +17,25 @@ spec:
disabled: false
policy-templates:
- objectDefinition:
apiVersion: policy.open-cluster-management.io/v1
kind: ConfigurationPolicy
apiVersion: policy.open-cluster-management.io/v1beta1
kind: OperatorPolicy
metadata:
name: comp-operator-ns
name: operatorpolicy-comp-operator
spec:
remediationAction: inform # will be overridden by remediationAction in parent policy
remediationAction: inform
severity: high
object-templates:
- complianceType: musthave
objectDefinition:
apiVersion: v1
kind: Namespace
metadata:
name: openshift-compliance
- objectDefinition:
apiVersion: policy.open-cluster-management.io/v1
kind: ConfigurationPolicy
metadata:
name: comp-operator-operator-group
spec:
remediationAction: inform # will be overridden by remediationAction in parent policy
severity: high
object-templates:
- complianceType: musthave
objectDefinition:
apiVersion: operators.coreos.com/v1
kind: OperatorGroup
metadata:
name: compliance-operator
namespace: openshift-compliance
spec:
targetNamespaces:
- openshift-compliance
- objectDefinition:
apiVersion: policy.open-cluster-management.io/v1
kind: ConfigurationPolicy
metadata:
name: comp-operator-subscription
spec:
remediationAction: inform # will be overridden by remediationAction in parent policy
severity: high
object-templates:
- complianceType: musthave
objectDefinition:
apiVersion: operators.coreos.com/v1alpha1
kind: Subscription
metadata:
name: compliance-operator
namespace: openshift-compliance
spec:
installPlanApproval: Automatic
name: compliance-operator
source: redhat-operators
sourceNamespace: openshift-marketplace
- objectDefinition:
apiVersion: policy.open-cluster-management.io/v1
kind: ConfigurationPolicy
metadata:
name: comp-operator-status
spec:
remediationAction: inform # will be overridden by remediationAction in parent policy
severity: high
object-templates:
- complianceType: musthave
objectDefinition:
apiVersion: operators.coreos.com/v1alpha1
kind: ClusterServiceVersion
metadata:
namespace: openshift-compliance
spec:
displayName: Compliance Operator
status:
phase: Succeeded # check the csv status to determine if operator is running or not
complianceType: musthave
operatorGroup:
name: compliance-operator
namespace: openshift-compliance
targetNamespaces:
- openshift-compliance
subscription:
name: compliance-operator
namespace: openshift-compliance
installPlanApproval: Automatic
source: redhat-operators
sourceNamespace: openshift-marketplace
---
apiVersion: policy.open-cluster-management.io/v1
kind: PlacementBinding
Expand All @@ -111,4 +57,4 @@ metadata:
spec:
clusterSelector:
matchExpressions:
- {key: vendor, operator: In, values: ["OpenShift"]}
- { key: vendor, operator: In, values: ['OpenShift'] }
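Review bot: The new `subscription` stanza for `compliance-operator` sets no `channel`, so OLM follows the package's default channel in the `redhat-operators` catalog and, with `installPlanApproval: Automatic`, installs whatever that channel publishes; for a compliance operator pin the track explicitly with `channel: stable` under `subscription:` (confirm the channel name against the catalog first). The conversion also drops the explicit `openshift-compliance` Namespace object that the old `comp-operator-ns` template created, so creation of that namespace now depends on the OperatorPolicy controller doing it when enforcing — verify that for the ACM version in use, or keep a Namespace ConfigurationPolicy alongside. The removed `# will be overridden by remediationAction in parent policy` note on `remediationAction: inform` presumably still applies to the new template; restoring it avoids readers assuming `inform` is final.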
Expand Up @@ -15,46 +15,21 @@ spec:
disabled: false
policy-templates:
- objectDefinition:
apiVersion: policy.open-cluster-management.io/v1
kind: ConfigurationPolicy
apiVersion: policy.open-cluster-management.io/v1beta1
kind: OperatorPolicy
metadata:
name: gatekeeper-operator-product-sub
name: operatorpolicy-gatekeeper-operator
spec:
remediationAction: inform
severity: high
object-templates:
- complianceType: musthave
objectDefinition:
apiVersion: operators.coreos.com/v1alpha1
kind: Subscription
metadata:
name: gatekeeper-operator-product
namespace: openshift-operators
spec:
channel: stable
installPlanApproval: Automatic
name: gatekeeper-operator-product
source: redhat-operators
sourceNamespace: openshift-marketplace
- objectDefinition:
apiVersion: policy.open-cluster-management.io/v1
kind: ConfigurationPolicy
metadata:
name: gatekeeper-operator-status
spec:
remediationAction: inform
severity: high
object-templates:
- complianceType: musthave
objectDefinition:
apiVersion: operators.coreos.com/v1alpha1
kind: ClusterServiceVersion
metadata:
namespace: openshift-gatekeeper-system
spec:
displayName: Gatekeeper Operator
status:
phase: Succeeded # check the csv status to determine if operator is running or not
complianceType: musthave
subscription:
channel: stable
name: gatekeeper-operator-product
namespace: openshift-operators
installPlanApproval: Automatic
source: redhat-operators
sourceNamespace: openshift-marketplace
- objectDefinition:
apiVersion: policy.open-cluster-management.io/v1
kind: ConfigurationPolicy
Expand Down Expand Up @@ -131,4 +106,4 @@ metadata:
spec:
clusterSelector:
matchExpressions:
- {key: environment, operator: In, values: ["dev"]}
- { key: environment, operator: In, values: ['dev'] }
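Review bot: The new `operatorpolicy-gatekeeper-operator` template carries no `operatorGroup` stanza, so the OperatorGroup that the `openshift-operators` subscription binds to is whatever already exists in that namespace (on OpenShift presumably the cluster-wide `global-operators` group) rather than something the policy declares; record that intent with a comment such as `# no operatorGroup: relies on the existing OperatorGroup in openshift-operators (cluster-wide install)`. The removed status template looked for the CSV in `openshift-gatekeeper-system` while the subscription lives in `openshift-operators`; the OperatorPolicy will judge the CSV that OLM creates for this subscription, so confirm the old namespace was not deliberately watching a different install. The ConfigurationPolicy that begins at the end of this section continues outside the hunk.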
Expand Up @@ -11,46 +11,20 @@ spec:
disabled: false
policy-templates:
- objectDefinition:
apiVersion: policy.open-cluster-management.io/v1
kind: ConfigurationPolicy
apiVersion: policy.open-cluster-management.io/v1beta1
kind: OperatorPolicy
metadata:
name: policy-imagemanifestvuln-example-sub
name: operatorpolicy-imagemanifestvuln
spec:
remediationAction: inform # the policy-template spec.remediationAction is overridden by the preceding parameter value for spec.remediationAction.
remediationAction: inform
severity: high
object-templates:
- complianceType: musthave
objectDefinition:
apiVersion: operators.coreos.com/v1alpha1
kind: Subscription
metadata:
name: container-security-operator
namespace: openshift-operators
spec:
# channel: quay-v3.3 # specify a specific channel if desired
installPlanApproval: Automatic
name: container-security-operator
source: redhat-operators
sourceNamespace: openshift-marketplace
- objectDefinition:
apiVersion: policy.open-cluster-management.io/v1
kind: ConfigurationPolicy
metadata:
name: policy-imagemanifestvuln-status
spec:
remediationAction: inform # will be overridden by remediationAction in parent policy
severity: high
object-templates:
- complianceType: musthave
objectDefinition:
apiVersion: operators.coreos.com/v1alpha1
kind: ClusterServiceVersion
metadata:
namespace: openshift-operators
spec:
displayName: Red Hat Quay Container Security Operator
status:
phase: Succeeded # check the csv status to determine if operator is running or not
complianceType: musthave
subscription:
name: container-security-operator
namespace: openshift-operators
installPlanApproval: Automatic
source: redhat-operators
sourceNamespace: openshift-marketplace
- objectDefinition:
apiVersion: policy.open-cluster-management.io/v1
kind: ConfigurationPolicy
Expand All @@ -60,8 +34,8 @@ spec:
remediationAction: inform # the policy-template spec.remediationAction is overridden by the preceding parameter value for spec.remediationAction.
severity: high
namespaceSelector:
exclude: ["kube-*"]
include: ["*"]
exclude: ['kube-*']
include: ['*']
object-templates:
- complianceType: mustnothave # mustnothave any ImageManifestVuln object
objectDefinition:
Expand All @@ -88,4 +62,4 @@ metadata:
spec:
clusterSelector:
matchExpressions:
- {key: environment, operator: In, values: ["dev"]}
- { key: environment, operator: In, values: ['dev'] }
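Review bot: The `container-security-operator` subscription has no `channel`, and the conversion dropped the `# channel: quay-v3.3 # specify a specific channel if desired` hint, so nothing in the file now says the track can be pinned while `installPlanApproval: Automatic` installs whatever the catalog's default channel publishes. Either restore the hint as a comment under `subscription:` or pin the channel outright, e.g. `channel: stable`, after checking the channel name in the `redhat-operators` catalog. The `mustnothave` ImageManifestVuln ConfigurationPolicy in the second hunk is only requoted here; its definition starts and ends outside the visible lines.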
