From 5b068d8a22f882286c76793d48ffdca835bf2a74 Mon Sep 17 00:00:00 2001
From: Jason Zhang
Date: Tue, 16 Apr 2024 15:50:46 -0400
Subject: [PATCH] Convert existing policies to operator policies for installing operators
Converted policies:
- Compliance operator policy
- Quay container security operator policy
- Gatekeeper operator policy
ref: https://issues.redhat.com/browse/ACM-10573
Signed-off-by: Jason Zhang
---
.../policy-compliance-operator-install.yaml | 88 ++++---------------
...policy-gatekeeper-operator-downstream.yaml | 49 +++--------
.../policy-imagemanifestvuln.yaml | 54 +++---------
3 files changed, 43 insertions(+), 148 deletions(-)
diff --git a/stable/CA-Security-Assessment-and-Authorization/policy-compliance-operator-install.yaml b/stable/CA-Security-Assessment-and-Authorization/policy-compliance-operator-install.yaml
index 816a45be..e0c5dbee 100644
--- a/stable/CA-Security-Assessment-and-Authorization/policy-compliance-operator-install.yaml
+++ b/stable/CA-Security-Assessment-and-Authorization/policy-compliance-operator-install.yaml
@@ -17,79 +17,25 @@ spec: disabled: false policy-templates: - objectDefinition: - apiVersion: policy.open-cluster-management.io/v1 - kind: ConfigurationPolicy + apiVersion: policy.open-cluster-management.io/v1beta1 + kind: OperatorPolicy metadata: - name: comp-operator-ns + name: operatorpolicy-comp-operator spec: - remediationAction: inform # will be overridden by remediationAction in parent policy + remediationAction: inform severity: high - object-templates: - - complianceType: musthave - objectDefinition: - apiVersion: v1 - kind: Namespace - metadata: - name: openshift-compliance - - objectDefinition: - apiVersion: policy.open-cluster-management.io/v1 - kind: ConfigurationPolicy - metadata: - name: comp-operator-operator-group - spec: - remediationAction: inform # will be overridden by remediationAction in parent policy - severity: high - object-templates: - - complianceType: musthave - objectDefinition: - apiVersion: operators.coreos.com/v1 - kind: OperatorGroup - metadata: - name: compliance-operator - namespace: openshift-compliance - spec: - targetNamespaces: - - openshift-compliance - - objectDefinition: - apiVersion: policy.open-cluster-management.io/v1 - kind: ConfigurationPolicy - metadata: - name: comp-operator-subscription - spec: - remediationAction: inform # will be overridden by remediationAction in parent policy - severity: high - object-templates: - - complianceType: musthave - objectDefinition: - apiVersion: operators.coreos.com/v1alpha1 - kind: Subscription - metadata: - name: compliance-operator - namespace: openshift-compliance - spec: - installPlanApproval: Automatic - name: compliance-operator - source: redhat-operators - sourceNamespace: openshift-marketplace - - objectDefinition: - apiVersion: policy.open-cluster-management.io/v1 - kind: ConfigurationPolicy - metadata: - name: comp-operator-status - spec: - remediationAction: inform # will be overridden by remediationAction in parent policy - severity: high - object-templates: - - 
complianceType: musthave - objectDefinition: - apiVersion: operators.coreos.com/v1alpha1 - kind: ClusterServiceVersion - metadata: - namespace: openshift-compliance - spec: - displayName: Compliance Operator - status: - phase: Succeeded # check the csv status to determine if operator is running or not + complianceType: musthave + operatorGroup: + name: compliance-operator + namespace: openshift-compliance + targetNamespaces: + - openshift-compliance + subscription: + name: compliance-operator + namespace: openshift-compliance + installPlanApproval: Automatic + source: redhat-operators + sourceNamespace: openshift-marketplace --- apiVersion: policy.open-cluster-management.io/v1 kind: PlacementBinding
@@ -111,4 +57,4 @@ metadata: spec: clusterSelector: matchExpressions: - - {key: vendor, operator: In, values: ["OpenShift"]} + - { key: vendor, operator: In, values: ['OpenShift'] }
diff --git a/stable/CM-Configuration-Management/policy-gatekeeper-operator-downstream.yaml b/stable/CM-Configuration-Management/policy-gatekeeper-operator-downstream.yaml
index b524573f..f6202b25 100644
--- a/stable/CM-Configuration-Management/policy-gatekeeper-operator-downstream.yaml
+++ b/stable/CM-Configuration-Management/policy-gatekeeper-operator-downstream.yaml
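Review bot: The new `operatorpolicy-comp-operator` OperatorPolicy no longer declares the `openshift-compliance` Namespace that the removed `comp-operator-ns` ConfigurationPolicy created, so after this change nothing in the policy creates or verifies that namespace; unless OperatorPolicy creates the subscription namespace itself, which this hunk does not show, enforcing the policy on a cluster without it leaves the OperatorGroup and Subscription with nowhere to land. Keeping a `musthave` Namespace ConfigurationPolicy ahead of the OperatorPolicy preserves the old behaviour; the excerpt below shows it in place (the enclosing Policy `spec:` starts above the hunk). The subscription still has no `channel`, so OLM follows the package's default channel; pinning it makes the installed version explicit and upgrades reviewable. The dropped comment on `remediationAction: inform` was the only hint that the parent Policy's value overrides it — keep it as `remediationAction: inform # overridden by the parent policy's remediationAction`; the same comment was dropped in policy-imagemanifestvuln.yaml.
```yaml
  policy-templates:
    - objectDefinition:
        apiVersion: policy.open-cluster-management.io/v1
        kind: ConfigurationPolicy
        metadata:
          name: comp-operator-ns
        spec:
          remediationAction: inform # overridden by the parent policy's remediationAction
          severity: high
          object-templates:
            - complianceType: musthave
              objectDefinition:
                apiVersion: v1
                kind: Namespace
                metadata:
                  name: openshift-compliance
    # … unchanged: OperatorPolicy operatorpolicy-comp-operator …
```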
@@ -15,46 +15,21 @@ spec: disabled: false policy-templates: - objectDefinition: - apiVersion: policy.open-cluster-management.io/v1 - kind: ConfigurationPolicy + apiVersion: policy.open-cluster-management.io/v1beta1 + kind: OperatorPolicy metadata: - name: gatekeeper-operator-product-sub + name: operatorpolicy-gatekeeper-operator spec: remediationAction: inform severity: high - object-templates: - - complianceType: musthave - objectDefinition: - apiVersion: operators.coreos.com/v1alpha1 - kind: Subscription - metadata: - name: gatekeeper-operator-product - namespace: openshift-operators - spec: - channel: stable - installPlanApproval: Automatic - name: gatekeeper-operator-product - source: redhat-operators - sourceNamespace: openshift-marketplace - - objectDefinition: - apiVersion: policy.open-cluster-management.io/v1 - kind: ConfigurationPolicy - metadata: - name: gatekeeper-operator-status - spec: - remediationAction: inform - severity: high - object-templates: - - complianceType: musthave - objectDefinition: - apiVersion: operators.coreos.com/v1alpha1 - kind: ClusterServiceVersion - metadata: - namespace: openshift-gatekeeper-system - spec: - displayName: Gatekeeper Operator - status: - phase: Succeeded # check the csv status to determine if operator is running or not + complianceType: musthave + subscription: + channel: stable + name: gatekeeper-operator-product + namespace: openshift-operators + installPlanApproval: Automatic + source: redhat-operators + sourceNamespace: openshift-marketplace - objectDefinition: apiVersion: policy.open-cluster-management.io/v1 kind: ConfigurationPolicy
@@ -131,4 +106,4 @@ metadata: spec: clusterSelector: matchExpressions: - - {key: environment, operator: In, values: ["dev"]} + - { key: environment, operator: In, values: ['dev'] }
diff --git a/stable/SI-System-and-Information-Integrity/policy-imagemanifestvuln.yaml b/stable/SI-System-and-Information-Integrity/policy-imagemanifestvuln.yaml
index 739d3ce3..f9a447df 100644
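Review bot: `operatorpolicy-gatekeeper-operator` sets no `operatorGroup` while subscribing in `openshift-operators`, which works only because that namespace ships with the cluster-wide `global-operators` OperatorGroup; next to the compliance policy's explicit `operatorGroup` this reads like an omission, so add `# no operatorGroup: openshift-operators already has the cluster-wide global-operators OperatorGroup` above `subscription:`. The same omission deserves the same comment for the `container-security-operator` subscription in policy-imagemanifestvuln.yaml. Gatekeeper is an admission controller, so with `installPlanApproval: Automatic` under an enforcing parent Policy any CSV published to the `stable` channel is rolled out without review; if upgrades of a policy-enforcement component should be gated, OperatorPolicy's `versions` list is the place to say so — a design choice to confirm rather than a defect. The enclosing Policy `spec:` starts above the hunk and the following ConfigurationPolicy continues below it.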
--- a/stable/SI-System-and-Information-Integrity/policy-imagemanifestvuln.yaml
+++ b/stable/SI-System-and-Information-Integrity/policy-imagemanifestvuln.yaml
@@ -11,46 +11,20 @@ spec: disabled: false policy-templates: - objectDefinition: - apiVersion: policy.open-cluster-management.io/v1 - kind: ConfigurationPolicy + apiVersion: policy.open-cluster-management.io/v1beta1 + kind: OperatorPolicy metadata: - name: policy-imagemanifestvuln-example-sub + name: operatorpolicy-imagemanifestvuln spec: - remediationAction: inform # the policy-template spec.remediationAction is overridden by the preceding parameter value for spec.remediationAction. + remediationAction: inform severity: high - object-templates: - - complianceType: musthave - objectDefinition: - apiVersion: operators.coreos.com/v1alpha1 - kind: Subscription - metadata: - name: container-security-operator - namespace: openshift-operators - spec: - # channel: quay-v3.3 # specify a specific channel if desired - installPlanApproval: Automatic - name: container-security-operator - source: redhat-operators - sourceNamespace: openshift-marketplace - - objectDefinition: - apiVersion: policy.open-cluster-management.io/v1 - kind: ConfigurationPolicy - metadata: - name: policy-imagemanifestvuln-status - spec: - remediationAction: inform # will be overridden by remediationAction in parent policy - severity: high - object-templates: - - complianceType: musthave - objectDefinition: - apiVersion: operators.coreos.com/v1alpha1 - kind: ClusterServiceVersion - metadata: - namespace: openshift-operators - spec: - displayName: Red Hat Quay Container Security Operator - status: - phase: Succeeded # check the csv status to determine if operator is running or not + complianceType: musthave + subscription: + name: container-security-operator + namespace: openshift-operators + installPlanApproval: Automatic + source: redhat-operators + sourceNamespace: openshift-marketplace - objectDefinition: apiVersion: policy.open-cluster-management.io/v1 kind: ConfigurationPolicy 
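Review bot: The conversion drops the `# channel: quay-v3.3 # specify a specific channel if desired` hint from the old Subscription, so the new `operatorpolicy-imagemanifestvuln` subscription follows whatever default channel the `container-security-operator` package advertises and the file no longer tells a reader that pinning is possible. Reinstate it as a comment under `subscription:`, e.g. `# channel: <channel-name>  # pin a channel so the installed version is explicit` (channel name is a placeholder). The removed `policy-imagemanifestvuln-status` CSV check is presumably covered by OperatorPolicy's own status conditions, which I cannot confirm from this hunk. The enclosing Policy `spec:` starts above the hunk and the trailing ConfigurationPolicy continues past it.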
@@ -60,8 +34,8 @@ spec: remediationAction: inform # the policy-template spec.remediationAction is overridden by the preceding parameter value for spec.remediationAction. severity: high namespaceSelector: - exclude: ["kube-*"] - include: ["*"] + exclude: ['kube-*'] + include: ['*'] object-templates: - complianceType: mustnothave # mustnothave any ImageManifestVuln object objectDefinition:
@@ -88,4 +62,4 @@ metadata: spec: clusterSelector: matchExpressions: - - {key: environment, operator: In, values: ["dev"]} + - { key: environment, operator: In, values: ['dev'] }