Convert existing policies to operator policies for installing operators

Converted policies: - Compliance operator policy - Quay container security operator policy - Gatekeeper operator policy ref: https://issues.redhat.com/browse/ACM-10573 Signed-off-by: Jason Zhang <[email protected]>
open-cluster-management-io · Aug 13, 2024 · 7edc5a9 · 7edc5a9
1 parent f8d8dc9
commit 7edc5a9
Show file tree

Hide file tree

Showing 3 changed files with 106 additions and 130 deletions.
diff --git a/stable/CA-Security-Assessment-and-Authorization/policy-compliance-operator-install.yaml b/stable/CA-Security-Assessment-and-Authorization/policy-compliance-operator-install.yaml
@@ -32,61 +32,44 @@ spec:
                 metadata:
                   name: openshift-compliance
     - objectDefinition:
-        apiVersion: policy.open-cluster-management.io/v1
-        kind: ConfigurationPolicy
+        apiVersion: policy.open-cluster-management.io/v1beta1
+        kind: OperatorPolicy
         metadata:
-          name: comp-operator-operator-group
+          name: operatorpolicy-comp-operator
         spec:
-          remediationAction: inform # will be overridden by remediationAction in parent policy
+          remediationAction: inform
           severity: high
-          object-templates:
-            - complianceType: musthave
-              objectDefinition:
-                apiVersion: operators.coreos.com/v1
-                kind: OperatorGroup
-                metadata:
-                  name: compliance-operator
-                  namespace: openshift-compliance
-                spec:
-                  targetNamespaces:
-                    - openshift-compliance
-    - objectDefinition:
-        apiVersion: policy.open-cluster-management.io/v1
-        kind: ConfigurationPolicy
-        metadata:
-          name: comp-operator-subscription
-        spec:
-          remediationAction: inform # will be overridden by remediationAction in parent policy
-          severity: high
-          object-templates:
-            - complianceType: musthave
-              objectDefinition:
-                apiVersion: operators.coreos.com/v1alpha1
-                kind: Subscription
-                metadata:
-                  name: compliance-operator
-                  namespace: openshift-compliance
-                spec:
-                  installPlanApproval: Automatic
-                  name: compliance-operator
-                  source: redhat-operators
-                  sourceNamespace: openshift-marketplace
-    - objectDefinition:
-        apiVersion: policy.open-cluster-management.io/v1
-        kind: ConfigurationPolicy
-        metadata:
-          name: comp-operator-status
-        spec:
-          remediationAction: inform # will be overridden by remediationAction in parent policy
-          severity: high
-          object-templates:
-            - complianceType: musthave
-              objectDefinition:
-                apiVersion: operators.coreos.com/v1alpha1
-                kind: ClusterServiceVersion
-                metadata:
-                  namespace: openshift-compliance
-                spec:
-                  displayName: Compliance Operator
-                status:
-                  phase: Succeeded # check the csv status to determine if operator is running or not
+          complianceType: musthave
+          operatorGroup:
+            name: compliance-operator
+            namespace: openshift-compliance
+            targetNamespaces:
+              - openshift-compliance
+          subscription:
+            name: compliance-operator
+            namespace: openshift-compliance
+            installPlanApproval: Automatic
+            source: redhat-operators
+            sourceNamespace: openshift-marketplace
+---
+apiVersion: policy.open-cluster-management.io/v1
+kind: PlacementBinding
+metadata:
+  name: binding-policy-comp-operator
+placementRef:
+  name: placement-policy-comp-operator
+  kind: PlacementRule
+  apiGroup: apps.open-cluster-management.io
+subjects:
+  - name: policy-comp-operator
+    kind: Policy
+    apiGroup: policy.open-cluster-management.io
+---
+apiVersion: apps.open-cluster-management.io/v1
+kind: PlacementRule
+metadata:
+  name: placement-policy-comp-operator
+spec:
+  clusterSelector:
+    matchExpressions:
+      - { key: vendor, operator: In, values: ['OpenShift'] }
diff --git a/stable/CM-Configuration-Management/policy-gatekeeper-operator-downstream.yaml b/stable/CM-Configuration-Management/policy-gatekeeper-operator-downstream.yaml
@@ -15,46 +15,21 @@ spec:
   disabled: false
   policy-templates:
     - objectDefinition:
-        apiVersion: policy.open-cluster-management.io/v1
-        kind: ConfigurationPolicy
+        apiVersion: policy.open-cluster-management.io/v1beta1
+        kind: OperatorPolicy
         metadata:
-          name: gatekeeper-operator-product-sub
+          name: operatorpolicy-gatekeeper-operator
         spec:
           remediationAction: inform
           severity: high
-          object-templates:
-            - complianceType: musthave
-              objectDefinition:
-                apiVersion: operators.coreos.com/v1alpha1
-                kind: Subscription
-                metadata:
-                  name: gatekeeper-operator-product
-                  namespace: openshift-operators
-                spec:
-                  channel: stable
-                  installPlanApproval: Automatic
-                  name: gatekeeper-operator-product
-                  source: redhat-operators
-                  sourceNamespace: openshift-marketplace
-    - objectDefinition:
-        apiVersion: policy.open-cluster-management.io/v1
-        kind: ConfigurationPolicy
-        metadata:
-          name: gatekeeper-operator-status
-        spec:
-          remediationAction: inform
-          severity: high
-          object-templates:
-            - complianceType: musthave
-              objectDefinition:
-                apiVersion: operators.coreos.com/v1alpha1
-                kind: ClusterServiceVersion
-                metadata:
-                  namespace: openshift-gatekeeper-system
-                spec:
-                  displayName: Gatekeeper Operator
-                status:
-                  phase: Succeeded # check the csv status to determine if operator is running or not
+          complianceType: musthave
+          subscription:
+            channel: stable
+            name: gatekeeper-operator-product
+            namespace: openshift-operators
+            installPlanApproval: Automatic
+            source: redhat-operators
+            sourceNamespace: openshift-marketplace
     - objectDefinition:
         apiVersion: policy.open-cluster-management.io/v1
         kind: ConfigurationPolicy
@@ -110,3 +85,25 @@ spec:
                     control-plane: controller-manager
                 status:
                   phase: Running # check the pod status to determine if operator is running or not
+---
+apiVersion: policy.open-cluster-management.io/v1
+kind: PlacementBinding
+metadata:
+  name: binding-policy-gatekeeper-operator
+placementRef:
+  name: placement-policy-gatekeeper-operator
+  kind: PlacementRule
+  apiGroup: apps.open-cluster-management.io
+subjects:
+  - name: policy-gatekeeper-operator
+    kind: Policy
+    apiGroup: policy.open-cluster-management.io
+---
+apiVersion: apps.open-cluster-management.io/v1
+kind: PlacementRule
+metadata:
+  name: placement-policy-gatekeeper-operator
+spec:
+  clusterSelector:
+    matchExpressions:
+      - { key: environment, operator: In, values: ['dev'] }
diff --git a/stable/SI-System-and-Information-Integrity/policy-imagemanifestvuln.yaml b/stable/SI-System-and-Information-Integrity/policy-imagemanifestvuln.yaml
@@ -11,46 +11,20 @@ spec:
   disabled: false
   policy-templates:
     - objectDefinition:
-        apiVersion: policy.open-cluster-management.io/v1
-        kind: ConfigurationPolicy
+        apiVersion: policy.open-cluster-management.io/v1beta1
+        kind: OperatorPolicy
         metadata:
-          name: policy-imagemanifestvuln-example-sub
+          name: operatorpolicy-imagemanifestvuln
         spec:
-          remediationAction: inform # the policy-template spec.remediationAction is overridden by the preceding parameter value for spec.remediationAction.
+          remediationAction: inform
           severity: high
-          object-templates:
-            - complianceType: musthave
-              objectDefinition:
-                apiVersion: operators.coreos.com/v1alpha1
-                kind: Subscription
-                metadata:
-                  name: container-security-operator
-                  namespace: openshift-operators
-                spec:
-                  # channel: quay-v3.3 # specify a specific channel if desired
-                  installPlanApproval: Automatic
-                  name: container-security-operator
-                  source: redhat-operators
-                  sourceNamespace: openshift-marketplace
-    - objectDefinition:
-        apiVersion: policy.open-cluster-management.io/v1
-        kind: ConfigurationPolicy
-        metadata:
-          name: policy-imagemanifestvuln-status
-        spec:
-          remediationAction: inform # will be overridden by remediationAction in parent policy
-          severity: high
-          object-templates:
-            - complianceType: musthave
-              objectDefinition:
-                apiVersion: operators.coreos.com/v1alpha1
-                kind: ClusterServiceVersion
-                metadata:
-                  namespace: openshift-operators
-                spec:
-                  displayName: Red Hat Quay Container Security Operator
-                status:
-                  phase: Succeeded # check the csv status to determine if operator is running or not
+          complianceType: musthave
+          subscription:
+            name: container-security-operator
+            namespace: openshift-operators
+            installPlanApproval: Automatic
+            source: redhat-operators
+            sourceNamespace: openshift-marketplace
     - objectDefinition:
         apiVersion: policy.open-cluster-management.io/v1
         kind: ConfigurationPolicy
@@ -60,10 +34,32 @@ spec:
           remediationAction: inform # the policy-template spec.remediationAction is overridden by the preceding parameter value for spec.remediationAction.
           severity: high
           namespaceSelector:
-            exclude: ["kube-*"]
-            include: ["*"]
+            exclude: ['kube-*']
+            include: ['*']
           object-templates:
             - complianceType: mustnothave # mustnothave any ImageManifestVuln object
               objectDefinition:
                 apiVersion: secscan.quay.redhat.com/v1alpha1
                 kind: ImageManifestVuln # checking for a kind
+---
+apiVersion: policy.open-cluster-management.io/v1
+kind: PlacementBinding
+metadata:
+  name: binding-policy-imagemanifestvuln
+placementRef:
+  name: placement-policy-imagemanifestvuln
+  kind: PlacementRule
+  apiGroup: apps.open-cluster-management.io
+subjects:
+  - name: policy-imagemanifestvuln
+    kind: Policy
+    apiGroup: policy.open-cluster-management.io
+---
+apiVersion: apps.open-cluster-management.io/v1
+kind: PlacementRule
+metadata:
+  name: placement-policy-imagemanifestvuln
+spec:
+  clusterSelector:
+    matchExpressions:
+      - { key: environment, operator: In, values: ['dev'] }