Create an ACM policy set for Advanced Cluster Security Secured Clusters #438
Conversation
gparvin
force-pushed
the
sensors-policyset
branch
from
598360c to
b376786
Compare
|
|
||
| ## Installation | ||
|
|
||
| The ACS PolicySet for Secured Clusters contains two `PolicySets` that will be deployed.i |
There was a problem hiding this comment.
| The ACS PolicySet for Secured Clusters contains two `PolicySets` that will be deployed.i | |
| The ACS PolicySet for Secured Clusters contains two `PolicySets` that will be deployed. |
| Prior to applying the `PolicySet`, perform these steps: | ||
|
|
||
| 1. To allow for subscriptions to be applied below you must apply and set to enforce the policy [policy-configure-subscription-admin-hub.yaml](https://github.com/open-cluster-management-io/policy-collection/blob/main/community/CM-Configuration-Management/policy-configure-subscription-admin-hub.yaml). | ||
| 2. Install the Policy generator Kustomize plugin by following the [installation instructions](https://github.com/stolostron/policy-generator-plugin#installation). It is recommended to use Kustomize v4.5+. |
There was a problem hiding this comment.
| 2. Install the Policy generator Kustomize plugin by following the [installation instructions](https://github.com/stolostron/policy-generator-plugin#installation). It is recommended to use Kustomize v4.5+. | |
| 2. Install the Policy generator Kustomize plugin by following the [installation instructions](https://github.com/open-cluster-management-io/policy-generator-plugin#installation). It is recommended to use Kustomize v4.5+. |
|
|
||
| Prior to applying the `PolicySet`, perform these steps: | ||
|
|
||
| 1. To allow for subscriptions to be applied below you must apply and set to enforce the policy [policy-configure-subscription-admin-hub.yaml](https://github.com/open-cluster-management-io/policy-collection/blob/main/community/CM-Configuration-Management/policy-configure-subscription-admin-hub.yaml). |
There was a problem hiding this comment.
This only applies if using App Sub, so maybe this is not a required step.
|
|
||
| 1. To allow for subscriptions to be applied below you must apply and set to enforce the policy [policy-configure-subscription-admin-hub.yaml](https://github.com/open-cluster-management-io/policy-collection/blob/main/community/CM-Configuration-Management/policy-configure-subscription-admin-hub.yaml). | ||
| 2. Install the Policy generator Kustomize plugin by following the [installation instructions](https://github.com/stolostron/policy-generator-plugin#installation). It is recommended to use Kustomize v4.5+. | ||
| 3. Policies are installed to the `policies` namespace. i |
There was a problem hiding this comment.
| 3. Policies are installed to the `policies` namespace. i | |
| 3. Policies are installed to the `policies` namespace. |
| 3. Policies are installed to the `policies` namespace. i | ||
| Make sure the placement bindings match this namespace for the hub and other managed clusters. | ||
| Example yaml to apply a ManagedClusterSetBinding for the policies namespace. | ||
| ```apiVersion: cluster.open-cluster-management.io/v1beta2 |
There was a problem hiding this comment.
| ```apiVersion: cluster.open-cluster-management.io/v1beta2 | |
| ```yaml | |
| apiVersion: cluster.open-cluster-management.io/v1beta2 |
| clusterName: | | ||
| {{ fromSecret "open-cluster-management-agent" "hub-kubeconfig-secret" "cluster-name" | base64dec }} |
There was a problem hiding this comment.
| clusterName: | | |
| {{ fromSecret "open-cluster-management-agent" "hub-kubeconfig-secret" "cluster-name" | base64dec }} | |
| clusterName: {{hub .ManagedClusterName hub}} |
| each managed cluster. | ||
| name: acs-sensors-hub-info | ||
| placement: | ||
| placementPath: placement/hub-placement.yaml |
There was a problem hiding this comment.
I think you could now directly define the cluster selector in the Policy Generator file instead of a placement file:
https://github.com/stolostron/policy-generator-plugin/blob/3ef4ab89c4cecd0012792c9ab886d9f7e6eb3da2/docs/policygenerator-reference.yaml#L133-L142
This has the benefit of getting those default tolerations such as cluster unavailable for free in newer Policy Generator versions.
| spec: {} | ||
| --- | ||
| apiVersion: operators.coreos.com/v1alpha1 | ||
| kind: Subscription |
There was a problem hiding this comment.
Once ACM 2.11 is out, I recommend changing this to OperatorPolicy so that the status information is much richer.
gparvin
force-pushed
the
sensors-policyset
branch
2 times, most recently
from
cbe5fd4 to
f427160
Compare
|
|
||
| ## Prerequisites | ||
| To install Advanced Cluster Security Secured Clusters using this PolicySet, | ||
| you must first have already installed your Advanced Cluster Security Central Server. |
There was a problem hiding this comment.
| you must first have already installed your Advanced Cluster Security Central Server. | |
| you must have already installed your Advanced Cluster Security Central Server. |
gparvin
force-pushed
the
sensors-policyset
branch
from
f427160 to
ede9f26
Compare
| manifests: | ||
| - path: input-sensor/acs-check-certificates.yaml | ||
| - name: policy-advanced-managed-cluster-security | ||
| consolidateManifests: false |
There was a problem hiding this comment.
Setting this to false means the policy will have a lot of ConfigurationPolicies. I think these could all be in the same ConfigurationPolicy. Perhaps you could have one ConfigurationPolicy for managing the operator installation (to be replaced in 2.11) and the other could be managing the content in the stackrox namespace. Then you could use a policy dependency if you wanted to so that the first policy must be compliant before the second one activates.
There was a problem hiding this comment.
I played around with this some yesterday and liked it set to false best. I can play around with some more re-organization too since I would like it to be a bit more streamlined.
| - {key: name, operator: In, values: ["local-cluster"]} | ||
| - description: The Advanced Cluster Security components distributed to all OpenShift | ||
| managed clusters to secure the clusters. | ||
| name: acs-sensor-clusters |
There was a problem hiding this comment.
Is it worth having this additional policy set if it's just going to contain one policy?
There was a problem hiding this comment.
I like having the PolicySet even if there is only one policy.
This takes part of the OPP Policy Set and organizes a solution that only applies the ACS Secured Clusters to ACM OpenShift managed clusters. Refs: - https://issues.redhat.com/browse/ACM-8934 Signed-off-by: Gus Parvin <[email protected]>
gparvin
force-pushed
the
sensors-policyset
branch
from
ede9f26 to
179dbf7
Compare
|
I tried this PR out again just now, and I can confirm that it no longer requires the other PolicySet as it did before. The instructions were easy to follow as well. |
|
[APPROVALNOTIFIER] This PR is APPROVED This pull-request has been approved by: gparvin, mprahl The full list of commands accepted by this bot can be found here. The pull request process is described here
Needs approval from an approver in each of these files:
Approvers can indicate their approval by writing |
openshift-merge-bot
bot
merged commit 88e602a
into
open-cluster-management-io:main
This takes part of the OPP Policy Set and organizes a solution that only applies the ACS Secured Clusters to ACM OpenShift managed clusters.
Refs: