diff --git a/stable/CA-Security-Assessment-and-Authorization/policy-compliance-operator-install.yaml b/stable/CA-Security-Assessment-and-Authorization/policy-compliance-operator-install.yaml
index 414195bb..32667508 100644
--- a/stable/CA-Security-Assessment-and-Authorization/policy-compliance-operator-install.yaml
+++ b/stable/CA-Security-Assessment-and-Authorization/policy-compliance-operator-install.yaml
@@ -32,61 +32,44 @@ spec: metadata: name: openshift-compliance - objectDefinition: - apiVersion: policy.open-cluster-management.io/v1 - kind: ConfigurationPolicy + apiVersion: policy.open-cluster-management.io/v1beta1 + kind: OperatorPolicy metadata: - name: comp-operator-operator-group + name: operatorpolicy-comp-operator spec: - remediationAction: inform # will be overridden by remediationAction in parent policy + remediationAction: inform severity: high - object-templates: - - complianceType: musthave - objectDefinition: - apiVersion: operators.coreos.com/v1 - kind: OperatorGroup - metadata: - name: compliance-operator - namespace: openshift-compliance - spec: - targetNamespaces: - - openshift-compliance - - objectDefinition: - apiVersion: policy.open-cluster-management.io/v1 - kind: ConfigurationPolicy - metadata: - name: comp-operator-subscription - spec: - remediationAction: inform # will be overridden by remediationAction in parent policy - severity: high - object-templates: - - complianceType: musthave - objectDefinition: - apiVersion: operators.coreos.com/v1alpha1 - kind: Subscription - metadata: - name: compliance-operator - namespace: openshift-compliance - spec: - installPlanApproval: Automatic - name: compliance-operator - source: redhat-operators - sourceNamespace: openshift-marketplace - - objectDefinition: - apiVersion: policy.open-cluster-management.io/v1 - kind: ConfigurationPolicy - metadata: - name: comp-operator-status - spec: - remediationAction: inform # will be overridden by remediationAction in parent policy - severity: high - object-templates: - - complianceType: musthave - objectDefinition: - apiVersion: operators.coreos.com/v1alpha1 - kind: ClusterServiceVersion - metadata: - namespace: openshift-compliance - spec: - displayName: Compliance Operator - status: - phase: Succeeded # check the csv status to determine if operator is running or not + complianceType: musthave + operatorGroup: + name: compliance-operator + namespace: 
openshift-compliance
+ targetNamespaces:
+ - openshift-compliance
+ subscription:
+ name: compliance-operator
+ namespace: openshift-compliance
+ installPlanApproval: Automatic
+ source: redhat-operators
+ sourceNamespace: openshift-marketplace
+---
+apiVersion: policy.open-cluster-management.io/v1
+kind: PlacementBinding
+metadata:
+ name: binding-policy-comp-operator
+placementRef:
+ name: placement-policy-comp-operator
+ kind: PlacementRule
+ apiGroup: apps.open-cluster-management.io
+subjects:
+ - name: policy-comp-operator
+ kind: Policy
+ apiGroup: policy.open-cluster-management.io
+---
+apiVersion: apps.open-cluster-management.io/v1
+kind: PlacementRule
+metadata:
+ name: placement-policy-comp-operator
+spec:
+ clusterSelector:
+ matchExpressions:
+ - { key: vendor, operator: In, values: ['OpenShift'] }
diff --git a/stable/CM-Configuration-Management/policy-gatekeeper-operator-downstream.yaml b/stable/CM-Configuration-Management/policy-gatekeeper-operator-downstream.yaml
index a8eb2ed0..f6202b25 100644
--- a/stable/CM-Configuration-Management/policy-gatekeeper-operator-downstream.yaml
+++ b/stable/CM-Configuration-Management/policy-gatekeeper-operator-downstream.yaml
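Review bot: The new OperatorPolicy in this hunk carries no `versions:` list, so with `installPlanApproval: Automatic` and a subscription that pins no `channel`, whichever ClusterServiceVersion the `redhat-operators` catalog currently publishes for `compliance-operator` is what gets installed and later upgraded, with nothing in the policy recording which releases were reviewed. For a policy that installs a security component, pin the approved releases, e.g. `versions: ['<approved-csv-name>']` under the OperatorPolicy spec (placeholder, fill in from the catalog), or at minimum set `channel:` on the subscription so the catalog's default channel does not decide. The removed comment `# will be overridden by remediationAction in parent policy` on `remediationAction: inform` still applies to the new line and should be restored there. The same two points apply to the OperatorPolicy hunks in policy-gatekeeper-operator-downstream.yaml and policy-imagemanifestvuln.yaml. The enclosing Policy and its earlier templates start before the hunk.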
@@ -15,46 +15,21 @@ spec: disabled: false policy-templates: - objectDefinition: - apiVersion: policy.open-cluster-management.io/v1 - kind: ConfigurationPolicy + apiVersion: policy.open-cluster-management.io/v1beta1 + kind: OperatorPolicy metadata: - name: gatekeeper-operator-product-sub + name: operatorpolicy-gatekeeper-operator spec: remediationAction: inform severity: high - object-templates: - - complianceType: musthave - objectDefinition: - apiVersion: operators.coreos.com/v1alpha1 - kind: Subscription - metadata: - name: gatekeeper-operator-product - namespace: openshift-operators - spec: - channel: stable - installPlanApproval: Automatic - name: gatekeeper-operator-product - source: redhat-operators - sourceNamespace: openshift-marketplace - - objectDefinition: - apiVersion: policy.open-cluster-management.io/v1 - kind: ConfigurationPolicy - metadata: - name: gatekeeper-operator-status - spec: - remediationAction: inform - severity: high - object-templates: - - complianceType: musthave - objectDefinition: - apiVersion: operators.coreos.com/v1alpha1 - kind: ClusterServiceVersion - metadata: - namespace: openshift-gatekeeper-system - spec: - displayName: Gatekeeper Operator - status: - phase: Succeeded # check the csv status to determine if operator is running or not + complianceType: musthave + subscription: + channel: stable + name: gatekeeper-operator-product + namespace: openshift-operators + installPlanApproval: Automatic + source: redhat-operators + sourceNamespace: openshift-marketplace - objectDefinition: apiVersion: policy.open-cluster-management.io/v1 kind: ConfigurationPolicy 
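Review bot: The OperatorPolicy object here does not set `upgradeApproval`; if the target ACM release's OperatorPolicy CRD marks that field required the hub will reject the template, and even where it is optional the choice between `Automatic` and `None` is what decides whether an enforced policy approves operator upgrades on its own. State it explicitly, e.g. `upgradeApproval: Automatic` directly under `complianceType: musthave`, with a one-line comment on why that value was chosen for Gatekeeper. The same omission is present in the OperatorPolicy hunks of policy-compliance-operator-install.yaml and policy-imagemanifestvuln.yaml. The ConfigurationPolicy template that begins at the trailing `- objectDefinition:` context continues outside this hunk.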
@@ -110,3 +85,25 @@ spec:
 control-plane: controller-manager
 status:
 phase: Running # check the pod status to determine if operator is running or not
+---
+apiVersion: policy.open-cluster-management.io/v1
+kind: PlacementBinding
+metadata:
+ name: binding-policy-gatekeeper-operator
+placementRef:
+ name: placement-policy-gatekeeper-operator
+ kind: PlacementRule
+ apiGroup: apps.open-cluster-management.io
+subjects:
+ - name: policy-gatekeeper-operator
+ kind: Policy
+ apiGroup: policy.open-cluster-management.io
+---
+apiVersion: apps.open-cluster-management.io/v1
+kind: PlacementRule
+metadata:
+ name: placement-policy-gatekeeper-operator
+spec:
+ clusterSelector:
+ matchExpressions:
+ - { key: environment, operator: In, values: ['dev'] }
diff --git a/stable/SI-System-and-Information-Integrity/policy-imagemanifestvuln.yaml b/stable/SI-System-and-Information-Integrity/policy-imagemanifestvuln.yaml
index b4d7edf8..f9a447df 100644
--- a/stable/SI-System-and-Information-Integrity/policy-imagemanifestvuln.yaml
+++ b/stable/SI-System-and-Information-Integrity/policy-imagemanifestvuln.yaml
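Review bot: The new PlacementRule binds the Gatekeeper operator policy only to clusters labeled `environment: dev`, while the compliance-operator policy in the same commit selects on `vendor: OpenShift`; nothing in the file says why an admission-control operator should be limited to dev clusters, so a reader cannot tell whether that is a sample value or a deliberate scope. Add a comment above the matchExpressions line, e.g. `# sample selector: adjust to the clusters that must run Gatekeeper`, and consider aligning the selector with the compliance-operator placement. PlacementRule (apps.open-cluster-management.io/v1) is the legacy placement API; if the target ACM release already prefers `Placement` (cluster.open-cluster-management.io/v1beta1), the newly added bindings are the natural place to adopt it. The same selector and API choice appear in the placement hunk of policy-imagemanifestvuln.yaml.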
@@ -11,46 +11,20 @@ spec: disabled: false policy-templates: - objectDefinition: - apiVersion: policy.open-cluster-management.io/v1 - kind: ConfigurationPolicy + apiVersion: policy.open-cluster-management.io/v1beta1 + kind: OperatorPolicy metadata: - name: policy-imagemanifestvuln-example-sub + name: operatorpolicy-imagemanifestvuln spec: - remediationAction: inform # the policy-template spec.remediationAction is overridden by the preceding parameter value for spec.remediationAction. + remediationAction: inform severity: high - object-templates: - - complianceType: musthave - objectDefinition: - apiVersion: operators.coreos.com/v1alpha1 - kind: Subscription - metadata: - name: container-security-operator - namespace: openshift-operators - spec: - # channel: quay-v3.3 # specify a specific channel if desired - installPlanApproval: Automatic - name: container-security-operator - source: redhat-operators - sourceNamespace: openshift-marketplace - - objectDefinition: - apiVersion: policy.open-cluster-management.io/v1 - kind: ConfigurationPolicy - metadata: - name: policy-imagemanifestvuln-status - spec: - remediationAction: inform # will be overridden by remediationAction in parent policy - severity: high - object-templates: - - complianceType: musthave - objectDefinition: - apiVersion: operators.coreos.com/v1alpha1 - kind: ClusterServiceVersion - metadata: - namespace: openshift-operators - spec: - displayName: Red Hat Quay Container Security Operator - status: - phase: Succeeded # check the csv status to determine if operator is running or not + complianceType: musthave + subscription: + name: container-security-operator + namespace: openshift-operators + installPlanApproval: Automatic + source: redhat-operators + sourceNamespace: openshift-marketplace - objectDefinition: apiVersion: policy.open-cluster-management.io/v1 kind: ConfigurationPolicy 
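Review bot: The new subscription for `container-security-operator` pins no `channel`, and the removed line `# channel: quay-v3.3 # specify a specific channel if desired` was the only hint that the catalog's default channel is being relied on; restore that hint as a comment inside `subscription:`, e.g. `# channel: <channel-name>  # pin a channel; otherwise the catalog default is used` (placeholder). The removed comment explaining that `remediationAction: inform` is overridden by the parent Policy's `spec.remediationAction` was also useful and should come back on the new `remediationAction: inform` line, matching the comment the sibling ConfigurationPolicy in this file still carries. The enclosing Policy starts before the hunk and a further ConfigurationPolicy template continues after it.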
@@ -60,10 +34,32 @@ spec: remediationAction: inform # the policy-template spec.remediationAction is overridden by the preceding parameter value for spec.remediationAction. severity: high namespaceSelector: - exclude: ["kube-*"] - include: ["*"] + exclude: ['kube-*'] + include: ['*'] object-templates: - complianceType: mustnothave # mustnothave any ImageManifestVuln object objectDefinition: apiVersion: secscan.quay.redhat.com/v1alpha1 kind: ImageManifestVuln # checking for a kind +--- +apiVersion: policy.open-cluster-management.io/v1 +kind: PlacementBinding +metadata: + name: binding-policy-imagemanifestvuln +placementRef: + name: placement-policy-imagemanifestvuln + kind: PlacementRule + apiGroup: apps.open-cluster-management.io +subjects: + - name: policy-imagemanifestvuln + kind: Policy + apiGroup: policy.open-cluster-management.io +--- +apiVersion: apps.open-cluster-management.io/v1 +kind: PlacementRule +metadata: + name: placement-policy-imagemanifestvuln +spec: + clusterSelector: + matchExpressions: + - { key: environment, operator: In, values: ['dev'] }