Convert existing policies to operator policies for installing operators
Converted policies:
- Compliance operator policy
- Quay container security operator policy
- Gatekeeper operator policy

ref: https://issues.redhat.com/browse/ACM-10573
Signed-off-by: Jason Zhang <[email protected]>
zyjjay committed Aug 20, 2024
1 parent f8d8dc9 commit 783f00b
Showing 3 changed files with 40 additions and 130 deletions.
Expand Up @@ -32,61 +32,22 @@ spec:
metadata:
name: openshift-compliance
- objectDefinition:
apiVersion: policy.open-cluster-management.io/v1
kind: ConfigurationPolicy
apiVersion: policy.open-cluster-management.io/v1beta1
kind: OperatorPolicy
metadata:
name: comp-operator-operator-group
name: operatorpolicy-comp-operator
spec:
remediationAction: inform # will be overridden by remediationAction in parent policy
remediationAction: inform
severity: high
object-templates:
- complianceType: musthave
objectDefinition:
apiVersion: operators.coreos.com/v1
kind: OperatorGroup
metadata:
name: compliance-operator
namespace: openshift-compliance
spec:
targetNamespaces:
- openshift-compliance
- objectDefinition:
apiVersion: policy.open-cluster-management.io/v1
kind: ConfigurationPolicy
metadata:
name: comp-operator-subscription
spec:
remediationAction: inform # will be overridden by remediationAction in parent policy
severity: high
object-templates:
- complianceType: musthave
objectDefinition:
apiVersion: operators.coreos.com/v1alpha1
kind: Subscription
metadata:
name: compliance-operator
namespace: openshift-compliance
spec:
installPlanApproval: Automatic
name: compliance-operator
source: redhat-operators
sourceNamespace: openshift-marketplace
- objectDefinition:
apiVersion: policy.open-cluster-management.io/v1
kind: ConfigurationPolicy
metadata:
name: comp-operator-status
spec:
remediationAction: inform # will be overridden by remediationAction in parent policy
severity: high
object-templates:
- complianceType: musthave
objectDefinition:
apiVersion: operators.coreos.com/v1alpha1
kind: ClusterServiceVersion
metadata:
namespace: openshift-compliance
spec:
displayName: Compliance Operator
status:
phase: Succeeded # check the csv status to determine if operator is running or not
complianceType: musthave
upgradeApproval: Automatic
operatorGroup:
name: compliance-operator
namespace: openshift-compliance
targetNamespaces:
- openshift-compliance
subscription:
name: compliance-operator
namespace: openshift-compliance
source: redhat-operators
sourceNamespace: openshift-marketplace
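Review bot: The new OperatorPolicy approves every release that lands in the subscription's default channel: `upgradeApproval: Automatic` is set, the `subscription` block pins no `channel`, and no `versions` allow-list limits which ClusterServiceVersions may be installed. The old ConfigurationPolicy carried the same `installPlanApproval: Automatic`, so this is not a regression, but the conversion is the point to decide it deliberately: add `channel: <channel-name>` under `subscription` as the gatekeeper template does, and, if a pinned set of releases is wanted, use `upgradeApproval: Manual` or a `versions` list (OperatorPolicy accepts one, as far as I recall). The same observation applies to the gatekeeper and container-security-operator templates in the other two files. The `# will be overridden by remediationAction in parent policy` comment on the old `remediationAction: inform` line was dropped; it still holds for the new template and is worth keeping.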
Expand Up @@ -15,46 +15,21 @@ spec:
disabled: false
policy-templates:
- objectDefinition:
apiVersion: policy.open-cluster-management.io/v1
kind: ConfigurationPolicy
apiVersion: policy.open-cluster-management.io/v1beta1
kind: OperatorPolicy
metadata:
name: gatekeeper-operator-product-sub
name: operatorpolicy-gatekeeper-operator
spec:
remediationAction: inform
severity: high
object-templates:
- complianceType: musthave
objectDefinition:
apiVersion: operators.coreos.com/v1alpha1
kind: Subscription
metadata:
name: gatekeeper-operator-product
namespace: openshift-operators
spec:
channel: stable
installPlanApproval: Automatic
name: gatekeeper-operator-product
source: redhat-operators
sourceNamespace: openshift-marketplace
- objectDefinition:
apiVersion: policy.open-cluster-management.io/v1
kind: ConfigurationPolicy
metadata:
name: gatekeeper-operator-status
spec:
remediationAction: inform
severity: high
object-templates:
- complianceType: musthave
objectDefinition:
apiVersion: operators.coreos.com/v1alpha1
kind: ClusterServiceVersion
metadata:
namespace: openshift-gatekeeper-system
spec:
displayName: Gatekeeper Operator
status:
phase: Succeeded # check the csv status to determine if operator is running or not
complianceType: musthave
upgradeApproval: Automatic
subscription:
channel: stable
name: gatekeeper-operator-product
namespace: openshift-operators
source: redhat-operators
sourceNamespace: openshift-marketplace
- objectDefinition:
apiVersion: policy.open-cluster-management.io/v1
kind: ConfigurationPolicy
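Review bot: Unlike the compliance template, this OperatorPolicy declares no `operatorGroup` for the `openshift-operators` namespace, and nothing on the page says whether that is intentional. If the intent is to rely on the OperatorGroup that `openshift-operators` already carries on OpenShift, a one-line comment above `subscription:` makes that explicit, e.g. `# no operatorGroup: openshift-operators already provides a cluster-scoped OperatorGroup`. The removed `gatekeeper-operator-status` template also asserted the CSV was `Succeeded` in `openshift-gatekeeper-system`, a different namespace from the subscription; confirm the OperatorPolicy status conditions cover the install there before treating this as the only running-operator check. The enclosing policy-templates list continues past the hunk.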
Expand Up @@ -11,46 +11,20 @@ spec:
disabled: false
policy-templates:
- objectDefinition:
apiVersion: policy.open-cluster-management.io/v1
kind: ConfigurationPolicy
apiVersion: policy.open-cluster-management.io/v1beta1
kind: OperatorPolicy
metadata:
name: policy-imagemanifestvuln-example-sub
name: operatorpolicy-imagemanifestvuln
spec:
remediationAction: inform # the policy-template spec.remediationAction is overridden by the preceding parameter value for spec.remediationAction.
remediationAction: inform
severity: high
object-templates:
- complianceType: musthave
objectDefinition:
apiVersion: operators.coreos.com/v1alpha1
kind: Subscription
metadata:
name: container-security-operator
namespace: openshift-operators
spec:
# channel: quay-v3.3 # specify a specific channel if desired
installPlanApproval: Automatic
name: container-security-operator
source: redhat-operators
sourceNamespace: openshift-marketplace
- objectDefinition:
apiVersion: policy.open-cluster-management.io/v1
kind: ConfigurationPolicy
metadata:
name: policy-imagemanifestvuln-status
spec:
remediationAction: inform # will be overridden by remediationAction in parent policy
severity: high
object-templates:
- complianceType: musthave
objectDefinition:
apiVersion: operators.coreos.com/v1alpha1
kind: ClusterServiceVersion
metadata:
namespace: openshift-operators
spec:
displayName: Red Hat Quay Container Security Operator
status:
phase: Succeeded # check the csv status to determine if operator is running or not
complianceType: musthave
upgradeApproval: Automatic
subscription:
name: container-security-operator
namespace: openshift-operators
source: redhat-operators
sourceNamespace: openshift-marketplace
- objectDefinition:
apiVersion: policy.open-cluster-management.io/v1
kind: ConfigurationPolicy
Expand All @@ -60,8 +34,8 @@ spec:
remediationAction: inform # the policy-template spec.remediationAction is overridden by the preceding parameter value for spec.remediationAction.
severity: high
namespaceSelector:
exclude: ["kube-*"]
include: ["*"]
exclude: ['kube-*']
include: ['*']
object-templates:
- complianceType: mustnothave # mustnothave any ImageManifestVuln object
objectDefinition:
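Review bot: The `# channel: quay-v3.3 # specify a specific channel if desired` hint was dropped in the conversion, so readers of the new template lose the only pointer to where a channel pin belongs; restore it as a commented line under `subscription:`. The `# will be overridden by remediationAction in parent policy` note on the `remediationAction: inform` line was dropped as well and still applies to the new template. The template name `operatorpolicy-imagemanifestvuln` follows the CR that the later ConfigurationPolicy checks rather than the operator, whereas the other two converted templates are named after the operator; `operatorpolicy-container-security-operator` would match them. The second hunk's quote change on `exclude`/`include` keeps `'*'` quoted, which is required since a bare `*` starts an alias. The enclosing policy-templates list continues past the hunk.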