├── .gitignore
├── README.md
├── bootstrap.sh
├── channels
└── region1
│ ├── 01_namespace.yaml
│ ├── 02_accounts.yaml
│ ├── 03_git_certca.yaml
│ ├── 03_git_creds.yaml
│ ├── 03_s3_creds.yaml
│ └── 04_channels.yaml
├── observability
└── region1
│ ├── 01_namespace.yaml
│ ├── 02_objstrcreds.yaml
│ ├── 02_pullsecret.yaml
│ ├── 03_observability.yaml
│ ├── 04_custom-metrics.yaml
│ └── 05_custom-dashboard.yaml
├── packages
├── boms
│ ├── acm-addons
│ │ ├── 01_namespace.yaml
│ │ ├── 02_pr-serverless.yaml
│ │ └── 03_pb-serverless.yaml
│ ├── acm-hipaa
│ │ ├── 01_namespace.yaml
│ │ ├── 02_pr-hipaa.yaml
│ │ └── 03_pb-hipaa.yaml
│ └── acm-sandbox
│ │ ├── 01_namespace.yaml
│ │ ├── 02_pr-sandbox.yaml
│ │ └── 03_pb-sandbox.yaml
└── subscriptions
│ ├── base
│ ├── kustomization.yaml
│ └── sb-boms.yaml
│ ├── development
│ └── kustomization.yaml
│ └── production
│ └── kustomization.yaml
└── policies
├── policy-default-ingress-cert
├── base
│ ├── kustomization.yaml
│ └── pl-default-ingress-cert.yaml
└── sandbox
│ └── kustomization.yaml
├── policy-disable-schedule-control
├── base
│ ├── kustomization.yaml
│ └── pl-disable-schedule-control.yaml
└── sandbox
│ └── kustomization.yaml
├── policy-infra-machine-config-pool
├── base
│ ├── kustomization.yaml
│ └── pl-create-infra-mcp.yaml
└── sandbox
│ └── kustomization.yaml
├── policy-label-infra-nodes
├── base
│ ├── kustomization.yaml
│ └── pl-label-infra-nodes.yaml
└── sandbox
│ └── kustomization.yaml
├── policy-olm-disable-defaults
├── base
│ ├── kustomization.yaml
│ └── pl-olm-disable-defaults.yaml
└── sandbox
│ └── kustomization.yaml
├── policy-opa-image-latest
├── base
│ ├── kustomization.yaml
│ └── pl-opa-image-latest.yaml
└── sandbox
│ └── kustomization.yaml
├── policy-registry-pv-nfs
├── base
│ ├── kustomization.yaml
│ └── pl-registry-pv-nfs.yaml
└── sandbox
│ └── kustomization.yaml
├── policy-serverless
├── base
│ ├── kustomization.yaml
│ └── pl-serverless.yaml
└── sandbox
│ └── kustomization.yaml
├── sb-development.yaml
├── sb-production.yaml
└── subscriptions
├── base
├── kustomization.yaml
├── sb-default-ingress-cert.yaml
├── sb-disable-schedule-control.yaml
├── sb-infra-machine-config-pool.yaml
├── sb-label-infra-nodes.yaml
├── sb-olm-disable-defaults.yaml
├── sb-opa-image-latest.yaml
├── sb-registry-pv-nfs.yaml
└── sb-serverless.yaml
├── development
└── kustomization.yaml
└── production
└── kustomization.yaml
/.gitignore:
--------------------------------------------------------------------------------
1 | # channels/ and observability/ hold filled-in Secrets (git token, S3 keys,
2 | # pull secret); keep them out of the repository and fill them in locally.
3 | channels/
4 | observability/
5 | bootstrap.sh
--------------------------------------------------------------------------------
/README.md:
--------------------------------------------------------------------------------
1 | # acm-policies
2 |
3 | A proposed project layout for GitOps-managed policies in Red Hat Advanced Cluster Management (RHACM).
4 |
5 | This project covers configurations commonly found in consulting engagements per Red Hat Consulting's best practices or policies required to satisfy security standards such as HIPAA.
6 |
7 | There are also other security standard policies found in the upstream project (Open Cluster Management) called [policy-collection](https://github.com/open-cluster-management/policy-collection). The product team will periodically check here for useful policies.
8 |
9 | Please do not use this repository as your GitOps endpoint. Clone or fork the repo.
10 |
11 | ---
12 |
13 | ## Quickstart
14 | 1. Clone or fork this repo. You will need to fill in a few of the Secrets for this to work.
15 | 2. Under the channels folder, copy or rename the region1 folder to represent where your RHACM instance is located, like lab or datacenter1. Update the following files:
16 | 1. 03_git_certca.yaml (if necessary)
17 | 2. 03_git_creds.yaml (if necessary)
18 | 3. 04_channels.yaml
19 | 3. Under the observability folder, copy or rename the region1 folder to the same name you selected above (or, if you do not wish to set up observability, delete the region1 folder). Update the following files:
20 | 1. 02_objstrcreds.yaml
21 | 2. 02_pullsecret.yaml
22 | 4. Download the bootstrap.sh file to where you run oc or kubectl.
23 | 5. Update the bootstrap file to have the correct environment and region values.
24 | 6. Run bootstrap.sh
25 |
26 | ---
27 |
28 | ## Project Directories
29 |
30 | There are four directories to provide the channel credentials, observability credentials, policy groupings and the policies themselves.
31 |
32 | ### Channels Directory
33 | ```
34 | channels/
35 | └── region1
36 | ├── 01_namespace.yaml
37 | ├── 02_accounts.yaml
38 | ├── 03_git_certca.yaml
39 | ├── 03_git_creds.yaml
40 | ├── 03_s3_creds.yaml
41 | └── 04_channels.yaml
42 | ```
43 |
44 | Channels directory contains folders that represent an area that is managed under a single instance of RHACM. This repository provides an example "region1" for your convenience, but you should rename it and replace the values with something useful.
45 |
46 | The namespace is where the Channel and Secret (credentials and certificates) objects are kept. Other objects such as the Subscriptions that watch for changes will be placed here.
47 |
48 | The accounts file binds the system:admin user to the ClusterRole 'open-cluster-management:subscription-admin'. At the time of writing only system:admin is functional enough to execute subscription-admin actions; this is being tracked in JIRA. Note that this is a cluster-scoped, highly privileged binding: it is what allows the subscriptions in this repo to write policies into namespaces other than their own, so do not extend it to additional users or groups casually.
49 |
50 | The git definitions are for TLS verification and git authentication. The same goes for the s3 definition. These are for the source repositories for the policies.
51 |
52 | The channel defines the source repository.
53 |
54 |
55 | Note: channels/ is listed in .gitignore so that the filled-in Secrets it contains are not accidentally committed. They still exist in plaintext on the machine that runs bootstrap.sh, so protect or remove them once the hub is bootstrapped.
56 |
57 |
58 | ### Observability Directory
59 | ```
60 | observability/
61 | └── region1
62 | ├── 01_namespace.yaml
63 | ├── 02_objstrcreds.yaml
64 | ├── 02_pullsecret.yaml
65 | ├── 03_observability.yaml
66 | ├── 04_custom-metrics.yaml
67 | └── 05_custom-dashboard.yaml
68 | ```
69 |
70 | Observability directory contains folders that represent an area that is managed under a single instance of RHACM. This area name should match the name found under the channel directory.
71 |
72 | The namespace contains the observability operator, deployments, secrets and configurations. Use the default name.
73 |
74 | The objstrcreds Secret defines the object storage (bucket, endpoint and access keys) where Thanos will store the raw metrics collected from the managed clusters.
75 |
76 | The pullsecret lets us pull the observability images.
77 |
78 | The custom-metrics is a ConfigMap that allows us to include or exclude a list of metrics collected at the hub.
79 |
80 | The custom-dashboard is a ConfigMap that contains the json definition of a custom grafana dashboard.
81 |
82 |
83 | Note: observability/ is listed in .gitignore so that the filled-in Secrets it contains (object-storage keys and the pull secret) are not accidentally committed. They still exist in plaintext on the machine that runs bootstrap.sh, so protect or remove them once the hub is bootstrapped.
84 |
85 |
86 | ### Packages Directory
87 | ```
88 | packages/
89 | ├── boms
90 | │ ├── acm-addons
91 | │ │ ├── 01_namespace.yaml
92 | │ │ ├── 02_pr-serverless.yaml
93 | │ │ └── 03_pb-serverless.yaml
94 | │ ├── acm-hipaa
95 | │ │ ├── 01_namespace.yaml
96 | │ │ ├── 02_pr-hipaa.yaml
97 | │ │ └── 03_pb-hipaa.yaml
98 | │ └── acm-sandbox
99 | │ ├── 01_namespace.yaml
100 | │ ├── 02_pr-sandbox.yaml
101 | │ └── 03_pb-sandbox.yaml
102 | └── subscriptions
103 | ├── base
104 | │ ├── kustomization.yaml
105 | │ └── sb-boms.yaml
106 | ├── development
107 | │ └── kustomization.yaml
108 | └── production
109 | └── kustomization.yaml
110 | ```
111 |
112 | Packages directory contains two folders: boms and subscriptions.
113 |
114 | Boms is short for bill-of-materials. Each folder under boms represents a collection or grouping of policies, placementbindings, and placementrules. These objects live in the same namespace. In this repo, we have a bom for cluster addon features, a bom for hipaa compliance policies, and a bom for the sandbox policies.
115 |
116 | Subscriptions contain the subscription that will keep the boms folder under GitOps watch. That means that any additional collections created under the boms folder will be pulled into RHACM.
117 |
118 | The subscription has also been kustomized so that different git branches and reconcile-rates can be used for different environment deployments. Development and production environments are defined as examples.
119 |
120 | ### Policies Directory
121 | ```
122 | policies/
123 | ├── policy-default-ingress-cert
124 | │ ├── base
125 | │ │ ├── kustomization.yaml
126 | │ │ └── pl-default-ingress-cert.yaml
127 | │ └── sandbox
128 | │ └── kustomization.yaml
129 | ├── policy-disable-schedule-control
130 | │ ├── base
131 | │ │ ├── kustomization.yaml
132 | │ │ └── pl-disable-schedule-control.yaml
133 | │ └── sandbox
134 | │ └── kustomization.yaml
135 | ├── policy-serverless
136 | │ ├── base
137 | │ │ ├── kustomization.yaml
138 | │ │ └── pl-serverless.yaml
139 | │ └── sandbox
140 | │ └── kustomization.yaml
141 | ├── sb-development.yaml
142 | ├── sb-production.yaml
143 | └── subscriptions
144 | ├── base
145 | │ ├── kustomization.yaml
146 | │ ├── sb-default-ingress-cert.yaml
147 | │ ├── sb-disable-schedule-control.yaml
148 | │ └── sb-serverless.yaml
149 | ├── development
150 | │ └── kustomization.yaml
151 | └── production
152 | └── kustomization.yaml
153 | ```
154 |
155 | Policies directory contains all the policies and policy variations as well as the subscriptions that assign them to one or more boms. The tree above is abbreviated; the repository also contains policy-infra-machine-config-pool, policy-label-infra-nodes, policy-olm-disable-defaults, policy-opa-image-latest and policy-registry-pv-nfs, each with the same base/sandbox layout and a matching sb-*.yaml subscription.
156 |
157 | Each policy folder contains a base folder and one or more variation folders (commonly referred to as overlays). Kustomize allows changes to the base policy using name amendments, common annotations, and patches. It is convenient, but not required. It is entirely possible to have a set of separate base folders, each containing a unique version of the policy.
158 |
159 | Subscriptions for policies are responsible for watching the correct folder (ie, the correct policy variant) and writing the policy in the correct bom namespace. This is why the policies themselves do not define a namespace. It is expected that the subscription will override it. The end effect is that both the subscription and the policy will end up in the same namespace.
160 |
161 | If a policy version is intended for multiple locations, then multiple subscriptions must be defined. This could all be done in a single manifest yaml, but we have broken the manifests into one yaml per policy. Separate the definitions by the document delimiter (three dashes).
162 |
163 | In order for us to continue serving different environments in our GitOps model, we kustomize the subscriptions to pull from the correct git-branch. We can also choose to change its reconcile-rate.
164 |
165 | Lastly, we use a subscription-of-subscriptions model to keep all subscriptions/policies under watch. That is what the sb-development and sb-production yamls are for.
166 |
167 |
--------------------------------------------------------------------------------
/bootstrap.sh:
--------------------------------------------------------------------------------
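#!/bin/bash
#
# bootstrap.sh - one-shot bootstrap of an RHACM hub from this repository.
#
# Prompts for an environment (dev|prd -> git branch development|production)
# and a region (1|2 -> channels/regionN and observability/regionN), logs in
# as system:admin, and applies, in order:
#   1. channels/<region>/            namespace, subscription-admin binding,
#                                    credential Secrets, Channels
#   2. observability/<region>/       only if the folder exists
#   3. packages/subscriptions/<env>/ kustomize overlay
#   4. policies/sb-<env>.yaml        subscription of policy subscriptions
#
# channels/ and observability/ hold plaintext Secrets (git token, S3 keys,
# pull secret). They are gitignored and must be filled in locally before
# running this script. Run it from the repository root.

# Abort on the first failed command, on unset variables and on failures
# inside pipelines, so a failed login or apply does not leave the hub
# half-configured while later steps keep going.
set -euo pipefail

# Terminal colouring is cosmetic; never let a missing TERM or tty abort the run.
color() { tput setaf "$1" 2>/dev/null || true; }
reset_color() { tput sgr0 2>/dev/null || true; }

# Print a short message and exit non-zero so callers (CI, wrappers) see the
# rejection instead of a silent success.
abort() {
  echo " $1"
  echo
  exit 1
}

color 3
echo '*** CONFIGURATION STARTED ***'
reset_color
echo
read -r -p "Select environment (type dev|prd): " environment

case "$environment" in
  dev) ENVO="development" ;;
  prd) ENVO="production" ;;
  *)   abort "Environment is rejected" ;;
esac

read -r -p "Select region (type 1|2): " region

case "$region" in
  1) REGO="region1" ;;
  2) REGO="region2" ;;
  *) abort "Region is rejected" ;;
esac

# The channel manifests are mandatory; fail early with a clear message
# instead of letting `oc apply` error on a missing directory.
[ -d "channels/$REGO/" ] || abort "channels/$REGO/ not found; run from the repository root"

echo
color 1
echo '##########################################################################################'
echo "Region is $REGO"
echo " RHACM Hub will be using $REGO folder under channels/ and observability/"
echo "Environment is $ENVO."
echo " RHACM Hub will be watching branch $ENVO in the configured Git Repo"
echo
echo -n "Current Context: "
# system:admin is the identity bound to subscription-admin in
# channels/<region>/02_accounts.yaml. With set -e a failed login stops the
# script here rather than applying manifests against whatever context
# happened to be active.
oc login -u system:admin > /dev/null
oc config current-context
color 1
echo '##########################################################################################'
reset_color

# One-time value the operator must type back. It only guards against an
# accidental Enter; it is not a security control.
RANDO=$RANDOM

echo
read -r -p "Confirm details and user 'system:admin' (type $RANDO): " confirmation

[ "$confirmation" == "$RANDO" ] || abort "Configuration is rejected"
echo " Configuration is confirmed"
echo

color 3
echo '*** CONFIGURATION COMPLETED ***'
reset_color
echo
echo
echo

color 3
echo '*** BOOTSTRAP STARTED ***'
reset_color
echo

color 2
echo 'Creating Namespaces, Secrets, and Channels'
reset_color
# This step creates the plaintext credential Secrets from the local,
# gitignored files; the binding in 02_accounts.yaml is cluster-scoped.
oc apply -f "channels/$REGO/"
echo

if [ -d "observability/$REGO/" ]; then
  color 2
  echo 'Creating Observability Addon'
  reset_color
  oc apply -f "observability/$REGO/"
  echo
else
  color 2
  echo 'Skipping Observability Addon'
  reset_color
  echo
fi

color 2
echo 'Creating Placement Rules and Bindings (Packages)'
reset_color
oc apply -k "packages/subscriptions/$ENVO/"
echo

color 2
echo 'Creating Subscriptions for Policy Subs'
reset_color
oc apply -f "policies/sb-$ENVO.yaml"
echo

color 3
echo '*** BOOTSTRAP COMPLETED ***'
reset_color
echo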
--------------------------------------------------------------------------------
/channels/region1/01_namespace.yaml:
--------------------------------------------------------------------------------
---
# Namespace that holds the Channel objects plus the git/S3 credential Secrets
# and the CA ConfigMap they reference (03_*.yaml, 04_channels.yaml).
# Treat it as a credential-bearing namespace: limit who can read Secrets here.
apiVersion: v1
kind: Namespace
metadata:
  name: acm-channels


--------------------------------------------------------------------------------
/channels/region1/02_accounts.yaml:
--------------------------------------------------------------------------------
---
# Grants the subscription-admin ClusterRole to the system:admin user.
# The README relies on this so that subscriptions created by system:admin can
# write policies into the bom namespaces rather than only their own namespace.
# This is a cluster-scoped, highly privileged binding: it is applied by
# bootstrap.sh (which logs in as system:admin) and should not be widened to
# other users or groups without a deliberate review.
kind: ClusterRoleBinding
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  name: 'open-cluster-management:subscription-admin'
subjects:
  - apiGroup: rbac.authorization.k8s.io
    kind: User
    name: system:admin
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: 'open-cluster-management:subscription-admin'

--------------------------------------------------------------------------------
/channels/region1/03_git_certca.yaml:
--------------------------------------------------------------------------------
---
# CA certificate bundle for the git server, referenced by the (commented-out)
# configMapRef in 04_channels.yaml so the channel can verify the server's TLS
# certificate. Replace the placeholder lines with the PEM-encoded CA
# certificate(s). Only needed when the git server uses a private CA.
apiVersion: v1
kind: ConfigMap
metadata:
  name: git-certca
  namespace: acm-channels
data:
  caCerts: |
    BlockOfCACertsAllTheWayDown
    BlockOfCACertsAllTheWayDown
--------------------------------------------------------------------------------
/channels/region1/03_git_creds.yaml:
--------------------------------------------------------------------------------
---
# Git credentials for the cluster-gitops Channel (referenced by the
# commented-out secretRef in 04_channels.yaml). `data` values must be
# base64-encoded; the values below are placeholders to be replaced locally.
# The channel only pulls from the source repository, so a token scoped to
# read-only access on that repository is sufficient. No `type` is set, so the
# Secret is Opaque. This file is gitignored; never commit a filled-in copy.
apiVersion: v1
kind: Secret
metadata:
  name: git-creds
  namespace: acm-channels
data:
  user: base64encUserName
  accessToken: base64encAccessToken

--------------------------------------------------------------------------------
/channels/region1/03_s3_creds.yaml:
--------------------------------------------------------------------------------
---
# Object-storage credentials for the cluster-objops Channel (secretRef in
# 04_channels.yaml, type ObjectBucket). All values must be base64-encoded;
# the ones below are placeholders. Prefer an access key limited to the single
# bucket named in that channel's pathname. This file is gitignored; never
# commit a filled-in copy.
apiVersion: v1
kind: Secret
metadata:
  name: s3-creds
  namespace: acm-channels
data:
  AccessKeyID: base64encAccessKeyID
  SecretAccessKey: base64encSecretAccessKey
  Region: base64encRegion

--------------------------------------------------------------------------------
/channels/region1/04_channels.yaml:
--------------------------------------------------------------------------------
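---
# Git source channel for the GitOps subscriptions.
# The example URL now uses https://. Once secretRef is enabled the access
# token in git-creds accompanies every fetch, and a plain http:// URL would
# expose it in cleartext on the wire. For an internal git server with a
# private CA, also uncomment configMapRef so the server certificate can be
# verified against git-certca (03_git_certca.yaml).
apiVersion: apps.open-cluster-management.io/v1
kind: Channel
metadata:
  name: cluster-gitops
  namespace: acm-channels
spec:
  type: GitHub
  pathname: https://yourgitserver/openshift/thisrepo.git
  # configMapRef:
  #   name: git-certca
  # secretRef:
  #   name: git-creds
---
# Object-bucket source channel. s3-creds (03_s3_creds.yaml) supplies
# AccessKeyID / SecretAccessKey / Region; keep the pathname on https.
apiVersion: apps.open-cluster-management.io/v1
kind: Channel
metadata:
  name: cluster-objops
  namespace: acm-channels
spec:
  type: ObjectBucket
  pathname: https://s3.us-west-1.amazonaws.com/yourbucketname
  secretRef:
    name: s3-creds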
--------------------------------------------------------------------------------
/observability/region1/01_namespace.yaml:
--------------------------------------------------------------------------------
---
# OpenShift Project for the observability stack. Keep the default name: the
# Secrets and MultiClusterObservability in this folder hard-code it in their
# metadata.namespace (see README, "Observability Directory").
apiVersion: project.openshift.io/v1
kind: Project
metadata:
  name: open-cluster-management-observability
--------------------------------------------------------------------------------
/observability/region1/02_objstrcreds.yaml:
--------------------------------------------------------------------------------
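---
# Thanos object-storage configuration consumed by MultiClusterObservability
# (03_observability.yaml references this Secret as metricObjectStorage
# name "acmthanos", key "thanos.yaml"). Because thanos.yaml is supplied via
# stringData it sits here in plaintext: access_key/secret_key below are
# placeholders, and a filled-in copy must never be committed (the
# observability/ folder is gitignored for this reason).
apiVersion: v1
kind: Secret
metadata:
  name: acmthanos
  namespace: open-cluster-management-observability
type: Opaque
stringData:
  thanos.yaml: |
    type: s3
    config:
      bucket: acmthanos
      endpoint: s3.us-west-1.amazonaws.com
      signature_version2: false
      # `insecure` selects plain HTTP to the endpoint. The example previously
      # set it to true, which would talk to AWS S3 unencrypted; keep it false
      # for any endpoint that serves TLS (AWS does) and only enable it for a
      # lab object store that genuinely has no TLS.
      insecure: false
      access_key: ACCESSKEY1234567890
      secret_key: S3cr3tk3y
      http_config:
        # Keep certificate verification on. For a private CA, trust that CA
        # rather than skipping verification.
        insecure_skip_verify: false
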
--------------------------------------------------------------------------------
/observability/region1/02_pullsecret.yaml:
--------------------------------------------------------------------------------
---
# Registry pull secret used by MultiClusterObservability (imagePullSecret in
# 03_observability.yaml). `.dockerconfigjson` holds the base64-encoded docker
# config; the value below is a placeholder. This file is gitignored; never
# commit a real pull secret.
kind: Secret
apiVersion: v1
metadata:
  name: multiclusterhub-operator-pull-secret
  namespace: open-cluster-management-observability
data:
  .dockerconfigjson: >-
    reallyLongBase64encPullSecret
type: kubernetes.io/dockerconfigjson
--------------------------------------------------------------------------------
/observability/region1/03_observability.yaml:
--------------------------------------------------------------------------------
---
# MultiClusterObservability instance for the hub. Names here must match the
# sibling manifests: imagePullSecret -> 02_pullsecret.yaml, and
# metricObjectStorage name/key -> 02_objstrcreds.yaml (Secret acmthanos,
# key thanos.yaml). Retention and storage sizes are example values; size them
# for your metric volume before production use. storageClass gp2 assumes such
# a class exists on the hub; adjust it for your platform.
apiVersion: observability.open-cluster-management.io/v1beta2
kind: MultiClusterObservability
metadata:
  name: observability
  namespace: open-cluster-management-observability
spec:
  advanced:
    retentionConfig:
      retentionResolution1h: 30d
      retentionResolution5m: 14d
      retentionResolutionRaw: 5d
  enableDownsampling: false
  imagePullPolicy: Always
  imagePullSecret: multiclusterhub-operator-pull-secret
  observabilityAddonSpec:
    enableMetrics: true
    # collection interval on managed clusters, in seconds (presumably)
    interval: 60
  storageConfig:
    alertmanagerStorageSize: 10Gi
    compactStorageSize: 10Gi
    metricObjectStorage:
      key: thanos.yaml
      name: acmthanos
    receiveStorageSize: 10Gi
    ruleStorageSize: 10Gi
    storageClass: gp2
    storeStorageSize: 10Gi
--------------------------------------------------------------------------------
/observability/region1/04_custom-metrics.yaml:
--------------------------------------------------------------------------------
---
# Custom metrics allowlist for the observability hub. The metric names under
# metrics_list.yaml are collected from managed clusters, presumably in
# addition to the product's default set (verify against the ACM version in
# use). They feed the custom Grafana dashboard in 05_custom-dashboard.yaml.
# NOTE(review): that dashboard also queries
# coredns_dns_response_rcode_count_total and etcd_server_health_failures,
# which are not listed here; confirm they come from the default allowlist or
# add them, otherwise those panels will have no data.
apiVersion: v1
kind: ConfigMap
metadata:
  name: observability-metrics-custom-allowlist
  namespace: open-cluster-management-observability
data:
  metrics_list.yaml: |
    names:
      - apiserver_request_total
      - etcd_server_health_success
      - storage_operation_errors_total
      - storage_operation_status_count
      - coredns_panic_count_total
      - openshift_kube_scheduler_operator_build_info
      - openshift_etcd_operator_build_info
      - openshift_apiserver_operator_build_info
      - openshift_console_operator_build_info
      - openshift_kube_apiserver_operator_build_info
      - openshift_kube_controller_manager_operator_build_info
      - openshift_service_ca_operator_build_info
      - openshift_authentication_operator_build_info
      - openshift_config_operator_build_info
      - apiserver_request_duration_seconds_bucket
--------------------------------------------------------------------------------
/observability/region1/05_custom-dashboard.yaml:
--------------------------------------------------------------------------------
1 | ---
2 | apiVersion: v1
3 | kind: ConfigMap
4 | metadata:
5 | name: daniel-custom-grafana
6 | namespace: open-cluster-management-observability
7 | labels:
8 | grafana-custom-dashboard: "true"
9 | data:
10 | clp-monitor.json: |-
11 | {
12 | "annotations": {
13 | "list": [
14 | {
15 | "builtIn": 1,
16 | "datasource": "-- Grafana --",
17 | "enable": true,
18 | "hide": true,
19 | "iconColor": "rgba(0, 211, 255, 1)",
20 | "name": "Annotations & Alerts",
21 | "type": "dashboard"
22 | }
23 | ]
24 | },
25 | "editable": true,
26 | "gnetId": null,
27 | "graphTooltip": 0,
28 | "id": 14,
29 | "iteration": 1629827466318,
30 | "links": [],
31 | "panels": [
32 | {
33 | "datasource": null,
34 | "fieldConfig": {
35 | "defaults": {
36 | "color": {
37 | "mode": "thresholds"
38 | },
39 | "custom": {},
40 | "mappings": [
41 | {
42 | "from": "",
43 | "id": 1,
44 | "text": "Operator Down",
45 | "to": "",
46 | "type": 1,
47 | "value": "0"
48 | },
49 | {
50 | "from": "",
51 | "id": 2,
52 | "text": "Operator Up",
53 | "to": "",
54 | "type": 1,
55 | "value": "1"
56 | }
57 | ],
58 | "thresholds": {
59 | "mode": "absolute",
60 | "steps": [
61 | {
62 | "color": "orange",
63 | "value": null
64 | },
65 | {
66 | "color": "red",
67 | "value": 0
68 | },
69 | {
70 | "color": "green",
71 | "value": 1
72 | }
73 | ]
74 | },
75 | "unit": "short"
76 | },
77 | "overrides": []
78 | },
79 | "gridPos": {
80 | "h": 8,
81 | "w": 12,
82 | "x": 0,
83 | "y": 0
84 | },
85 | "id": 7,
86 | "options": {
87 | "reduceOptions": {
88 | "calcs": [
89 | "mean"
90 | ],
91 | "fields": "",
92 | "values": false
93 | },
94 | "showThresholdLabels": false,
95 | "showThresholdMarkers": true,
96 | "text": {}
97 | },
98 | "pluginVersion": "7.4.2",
99 | "targets": [
100 | {
101 | "expr": "openshift_kube_scheduler_operator_build_info{cluster=\"$cluster\"}",
102 | "interval": "",
103 | "legendFormat": "kube_scheduler",
104 | "refId": "A"
105 | },
106 | {
107 | "expr": "openshift_etcd_operator_build_info{cluster=\"$cluster\"}",
108 | "hide": false,
109 | "interval": "",
110 | "legendFormat": "etcd_operator",
111 | "refId": "B"
112 | },
113 | {
114 | "expr": "openshift_apiserver_operator_build_info{cluster=\"$cluster\"}",
115 | "hide": false,
116 | "interval": "",
117 | "legendFormat": "apiserver_operator",
118 | "refId": "C"
119 | },
120 | {
121 | "expr": "openshift_console_operator_build_info{cluster=\"$cluster\"}",
122 | "hide": false,
123 | "interval": "",
124 | "legendFormat": "openshift_console",
125 | "refId": "D"
126 | },
127 | {
128 | "expr": "openshift_kube_apiserver_operator_build_info{cluster=\"$cluster\"}",
129 | "hide": false,
130 | "interval": "",
131 | "legendFormat": "kube_apiserver",
132 | "refId": "E"
133 | },
134 | {
135 | "expr": "openshift_kube_controller_manager_operator_build_info{cluster=\"$cluster\"}",
136 | "hide": false,
137 | "interval": "",
138 | "legendFormat": "controller_manager",
139 | "refId": "F"
140 | },
141 | {
142 | "expr": "openshift_service_ca_operator_build_info{cluster=\"$cluster\"}",
143 | "hide": false,
144 | "interval": "",
145 | "legendFormat": "service_ca",
146 | "refId": "G"
147 | },
148 | {
149 | "expr": "openshift_authentication_operator_build_info{cluster=\"$cluster\"}",
150 | "hide": false,
151 | "interval": "",
152 | "legendFormat": "authentication",
153 | "refId": "H"
154 | },
155 | {
156 | "expr": "openshift_config_operator_build_info{cluster=\"$cluster\"}",
157 | "hide": false,
158 | "interval": "",
159 | "legendFormat": "config",
160 | "refId": "I"
161 | }
162 | ],
163 | "title": "Cluster Operator Status",
164 | "type": "gauge"
165 | },
166 | {
167 | "datasource": null,
168 | "fieldConfig": {
169 | "defaults": {
170 | "color": {
171 | "mode": "thresholds"
172 | },
173 | "custom": {},
174 | "decimals": 2,
175 | "mappings": [],
176 | "thresholds": {
177 | "mode": "percentage",
178 | "steps": [
179 | {
180 | "color": "green",
181 | "value": null
182 | },
183 | {
184 | "color": "yellow",
185 | "value": 5
186 | },
187 | {
188 | "color": "red",
189 | "value": 10
190 | }
191 | ]
192 | }
193 | },
194 | "overrides": []
195 | },
196 | "gridPos": {
197 | "h": 8,
198 | "w": 4,
199 | "x": 12,
200 | "y": 0
201 | },
202 | "id": 5,
203 | "options": {
204 | "reduceOptions": {
205 | "calcs": [
206 | "mean"
207 | ],
208 | "fields": "",
209 | "values": false
210 | },
211 | "showThresholdLabels": false,
212 | "showThresholdMarkers": true,
213 | "text": {}
214 | },
215 | "pluginVersion": "7.4.2",
216 | "targets": [
217 | {
218 | "expr": "sum(rate(coredns_panic_count_total{cluster=\"$cluster\"}[1d]))",
219 | "interval": "",
220 | "legendFormat": "",
221 | "refId": "A"
222 | }
223 | ],
224 | "title": "DNS Panic Count",
225 | "type": "gauge"
226 | },
227 | {
228 | "datasource": null,
229 | "fieldConfig": {
230 | "defaults": {
231 | "color": {
232 | "mode": "thresholds"
233 | },
234 | "custom": {},
235 | "decimals": 5,
236 | "mappings": [],
237 | "thresholds": {
238 | "mode": "percentage",
239 | "steps": [
240 | {
241 | "color": "red",
242 | "value": null
243 | },
244 | {
245 | "color": "yellow",
246 | "value": 95
247 | },
248 | {
249 | "color": "green",
250 | "value": 99
251 | }
252 | ]
253 | },
254 | "unit": "percent"
255 | },
256 | "overrides": []
257 | },
258 | "gridPos": {
259 | "h": 8,
260 | "w": 4,
261 | "x": 16,
262 | "y": 0
263 | },
264 | "id": 2,
265 | "options": {
266 | "reduceOptions": {
267 | "calcs": [
268 | "mean"
269 | ],
270 | "fields": "",
271 | "values": false
272 | },
273 | "showThresholdLabels": false,
274 | "showThresholdMarkers": true,
275 | "text": {}
276 | },
277 | "pluginVersion": "7.4.2",
278 | "targets": [
279 | {
280 | "expr": "100-((sum(rate(apiserver_request_total{code=~\"5..\",cluster=\"$cluster\"}[1h]))/sum(rate(apiserver_request_total{cluster=\"$cluster\"}[1h])))/1e-2)",
281 | "interval": "",
282 | "legendFormat": "",
283 | "refId": "A"
284 | }
285 | ],
286 | "title": "API Error Budget",
287 | "type": "gauge"
288 | },
289 | {
290 | "aliasColors": {},
291 | "bars": false,
292 | "dashLength": 10,
293 | "dashes": false,
294 | "datasource": null,
295 | "fieldConfig": {
296 | "defaults": {
297 | "custom": {}
298 | },
299 | "overrides": []
300 | },
301 | "fill": 1,
302 | "fillGradient": 0,
303 | "gridPos": {
304 | "h": 8,
305 | "w": 12,
306 | "x": 0,
307 | "y": 8
308 | },
309 | "hiddenSeries": false,
310 | "id": 11,
311 | "legend": {
312 | "avg": false,
313 | "current": false,
314 | "max": false,
315 | "min": false,
316 | "show": true,
317 | "total": false,
318 | "values": false
319 | },
320 | "lines": true,
321 | "linewidth": 1,
322 | "nullPointMode": "null",
323 | "options": {
324 | "alertThreshold": true
325 | },
326 | "percentage": false,
327 | "pluginVersion": "7.4.2",
328 | "pointradius": 2,
329 | "points": false,
330 | "renderer": "flot",
331 | "seriesOverrides": [],
332 | "spaceLength": 10,
333 | "stack": false,
334 | "steppedLine": false,
335 | "targets": [
336 | {
337 | "expr": "sum(rate(coredns_dns_response_rcode_count_total{cluster=\"$cluster\"}[5m])) by (rcode)",
338 | "interval": "",
339 | "legendFormat": "{{rcode}}",
340 | "refId": "A"
341 | }
342 | ],
343 | "thresholds": [],
344 | "timeFrom": null,
345 | "timeRegions": [],
346 | "timeShift": null,
347 | "title": "DNS Response Rate by RCode",
348 | "tooltip": {
349 | "shared": true,
350 | "sort": 0,
351 | "value_type": "individual"
352 | },
353 | "type": "graph",
354 | "xaxis": {
355 | "buckets": null,
356 | "mode": "time",
357 | "name": null,
358 | "show": true,
359 | "values": []
360 | },
361 | "yaxes": [
362 | {
363 | "$$hashKey": "object:442",
364 | "format": "short",
365 | "label": null,
366 | "logBase": 1,
367 | "max": null,
368 | "min": null,
369 | "show": true
370 | },
371 | {
372 | "$$hashKey": "object:443",
373 | "format": "short",
374 | "label": null,
375 | "logBase": 1,
376 | "max": null,
377 | "min": null,
378 | "show": true
379 | }
380 | ],
381 | "yaxis": {
382 | "align": false,
383 | "alignLevel": null
384 | }
385 | },
386 | {
387 | "datasource": null,
388 | "fieldConfig": {
389 | "defaults": {
390 | "color": {
391 | "mode": "thresholds"
392 | },
393 | "custom": {},
394 | "decimals": 5,
395 | "mappings": [],
396 | "thresholds": {
397 | "mode": "percentage",
398 | "steps": [
399 | {
400 | "color": "red",
401 | "value": null
402 | },
403 | {
404 | "color": "yellow",
405 | "value": 95
406 | },
407 | {
408 | "color": "green",
409 | "value": 99
410 | }
411 | ]
412 | },
413 | "unit": "percent"
414 | },
415 | "overrides": []
416 | },
417 | "gridPos": {
418 | "h": 8,
419 | "w": 4,
420 | "x": 12,
421 | "y": 8
422 | },
423 | "id": 3,
424 | "options": {
425 | "reduceOptions": {
426 | "calcs": [
427 | "mean"
428 | ],
429 | "fields": "",
430 | "values": false
431 | },
432 | "showThresholdLabels": false,
433 | "showThresholdMarkers": true,
434 | "text": {}
435 | },
436 | "pluginVersion": "7.4.2",
437 | "targets": [
438 | {
439 | "expr": "100-((sum(rate(etcd_server_health_failures{cluster=\"$cluster\"}[1d]))/sum(rate(etcd_server_health_success{cluster=\"$cluster\"}[1d])))/1e-2)",
440 | "interval": "",
441 | "legendFormat": "",
442 | "refId": "A"
443 | }
444 | ],
445 | "title": "Etcd Health",
446 | "type": "gauge"
447 | },
448 | {
449 | "datasource": null,
450 | "fieldConfig": {
451 | "defaults": {
452 | "color": {
453 | "mode": "thresholds"
454 | },
455 | "custom": {},
456 | "decimals": 5,
457 | "mappings": [],
458 | "thresholds": {
459 | "mode": "percentage",
460 | "steps": [
461 | {
462 | "color": "red",
463 | "value": null
464 | },
465 | {
466 | "color": "yellow",
467 | "value": 95
468 | },
469 | {
470 | "color": "green",
471 | "value": 99
472 | }
473 | ]
474 | },
475 | "unit": "percent"
476 | },
477 | "overrides": []
478 | },
479 | "gridPos": {
480 | "h": 8,
481 | "w": 4,
482 | "x": 16,
483 | "y": 8
484 | },
485 | "id": 4,
486 | "options": {
487 | "reduceOptions": {
488 | "calcs": [
489 | "mean"
490 | ],
491 | "fields": "",
492 | "values": false
493 | },
494 | "showThresholdLabels": false,
495 | "showThresholdMarkers": true,
496 | "text": {}
497 | },
498 | "pluginVersion": "7.4.2",
499 | "targets": [
500 | {
501 | "expr": "100-((sum(rate(storage_operation_errors_total{cluster=\"$cluster\"}[1d]))/sum(rate(storage_operation_status_count{cluster=\"$cluster\"}[1d])))/1e-2)",
502 | "interval": "",
503 | "legendFormat": "",
504 | "refId": "A"
505 | }
506 | ],
507 | "title": "Storage Operations",
508 | "type": "gauge"
509 | },
510 | {
511 | "aliasColors": {},
512 | "bars": false,
513 | "dashLength": 10,
514 | "dashes": false,
515 | "datasource": null,
516 | "fieldConfig": {
517 | "defaults": {
518 | "custom": {}
519 | },
520 | "overrides": []
521 | },
522 | "fill": 1,
523 | "fillGradient": 0,
524 | "gridPos": {
525 | "h": 8,
526 | "w": 12,
527 | "x": 0,
528 | "y": 16
529 | },
530 | "hiddenSeries": false,
531 | "id": 13,
532 | "legend": {
533 | "avg": false,
534 | "current": false,
535 | "max": false,
536 | "min": false,
537 | "show": true,
538 | "total": false,
539 | "values": false
540 | },
541 | "lines": true,
542 | "linewidth": 1,
543 | "nullPointMode": "null",
544 | "options": {
545 | "alertThreshold": true
546 | },
547 | "percentage": false,
548 | "pluginVersion": "7.4.2",
549 | "pointradius": 2,
550 | "points": false,
551 | "renderer": "flot",
552 | "seriesOverrides": [],
553 | "spaceLength": 10,
554 | "stack": false,
555 | "steppedLine": false,
556 | "targets": [
557 | {
558 | "expr": "sum(rate(apiserver_request_total{code=~\"5..\"}[30m]))/sum(rate(apiserver_request_total[30m]))*100",
559 | "interval": "",
560 | "legendFormat": "Code 500",
561 | "refId": "A"
562 | }
563 | ],
564 | "thresholds": [],
565 | "timeFrom": null,
566 | "timeRegions": [],
567 | "timeShift": null,
568 | "title": "Cluster API 500-Errors",
569 | "tooltip": {
570 | "shared": true,
571 | "sort": 0,
572 | "value_type": "individual"
573 | },
574 | "type": "graph",
575 | "xaxis": {
576 | "buckets": null,
577 | "mode": "time",
578 | "name": null,
579 | "show": true,
580 | "values": []
581 | },
582 | "yaxes": [
583 | {
584 | "$$hashKey": "object:670",
585 | "format": "percent",
586 | "label": null,
587 | "logBase": 1,
588 | "max": null,
589 | "min": null,
590 | "show": true
591 | },
592 | {
593 | "$$hashKey": "object:671",
594 | "format": "short",
595 | "label": null,
596 | "logBase": 1,
597 | "max": null,
598 | "min": null,
599 | "show": true
600 | }
601 | ],
602 | "yaxis": {
603 | "align": false,
604 | "alignLevel": null
605 | }
606 | },
607 | {
608 | "aliasColors": {},
609 | "bars": false,
610 | "dashLength": 10,
611 | "dashes": false,
612 | "datasource": null,
613 | "fieldConfig": {
614 | "defaults": {
615 | "custom": {}
616 | },
617 | "overrides": []
618 | },
619 | "fill": 1,
620 | "fillGradient": 0,
621 | "gridPos": {
622 | "h": 8,
623 | "w": 12,
624 | "x": 0,
625 | "y": 24
626 | },
627 | "hiddenSeries": false,
628 | "id": 9,
629 | "legend": {
630 | "avg": false,
631 | "current": false,
632 | "max": false,
633 | "min": false,
634 | "show": true,
635 | "total": false,
636 | "values": false
637 | },
638 | "lines": true,
639 | "linewidth": 1,
640 | "nullPointMode": "null",
641 | "options": {
642 | "alertThreshold": true
643 | },
644 | "percentage": false,
645 | "pluginVersion": "7.4.2",
646 | "pointradius": 2,
647 | "points": false,
648 | "renderer": "flot",
649 | "seriesOverrides": [],
650 | "spaceLength": 10,
651 | "stack": false,
652 | "steppedLine": false,
653 | "targets": [
654 | {
655 | "expr": "sum(rate(apiserver_request_duration_seconds_bucket{le=\"0.2\",cluster=\"$cluster\"}[5m]))/sum(rate(apiserver_request_duration_seconds_bucket{cluster=\"$cluster\"}[5m]))*100",
656 | "interval": "",
657 | "legendFormat": "Percent",
658 | "refId": "A"
659 | }
660 | ],
661 | "thresholds": [],
662 | "timeFrom": null,
663 | "timeRegions": [],
664 | "timeShift": null,
665 | "title": "API Server Request under 200ms",
666 | "tooltip": {
667 | "shared": true,
668 | "sort": 0,
669 | "value_type": "individual"
670 | },
671 | "type": "graph",
672 | "xaxis": {
673 | "buckets": null,
674 | "mode": "time",
675 | "name": null,
676 | "show": true,
677 | "values": []
678 | },
679 | "yaxes": [
680 | {
681 | "$$hashKey": "object:349",
682 | "format": "percent",
683 | "label": null,
684 | "logBase": 1,
685 | "max": null,
686 | "min": null,
687 | "show": true
688 | },
689 | {
690 | "$$hashKey": "object:350",
691 | "format": "short",
692 | "label": null,
693 | "logBase": 1,
694 | "max": null,
695 | "min": null,
696 | "show": true
697 | }
698 | ],
699 | "yaxis": {
700 | "align": false,
701 | "alignLevel": null
702 | }
703 | }
704 | ],
705 | "refresh": "1m",
706 | "schemaVersion": 27,
707 | "style": "dark",
708 | "tags": [],
709 | "templating": {
710 | "list": [
711 | {
712 | "current": {
713 | "selected": false,
714 | "text": "Observatorium",
715 | "value": "Observatorium"
716 | },
717 | "description": null,
718 | "error": null,
719 | "hide": 2,
720 | "includeAll": false,
721 | "label": null,
722 | "multi": false,
723 | "name": "datasource",
724 | "options": [],
725 | "query": "prometheus",
726 | "refresh": 1,
727 | "regex": "",
728 | "skipUrlSync": false,
729 | "type": "datasource"
730 | },
731 | {
732 | "allValue": null,
733 | "current": {
734 | "selected": false,
735 | "text": "local-cluster",
736 | "value": "local-cluster"
737 | },
738 | "datasource": null,
739 | "definition": "label_values(node_cpu_seconds_total,cluster)",
740 | "description": null,
741 | "error": null,
742 | "hide": 0,
743 | "includeAll": false,
744 | "label": "Cluster",
745 | "multi": false,
746 | "name": "cluster",
747 | "options": [],
748 | "query": {
749 | "query": "label_values(node_cpu_seconds_total,cluster)",
750 | "refId": "StandardVariableQuery"
751 | },
752 | "refresh": 1,
753 | "regex": "",
754 | "skipUrlSync": false,
755 | "sort": 1,
756 | "tagValuesQuery": "",
757 | "tags": [],
758 | "tagsQuery": "",
759 | "type": "query",
760 | "useTags": false
761 | }
762 | ]
763 | },
764 | "time": {
765 | "from": "now-6h",
766 | "to": "now"
767 | },
768 | "timepicker": {},
769 | "timezone": "",
770 | "title": "Daniel's Dashboard",
771 | "uid": "ROcuRC77k",
772 | "version": 22
773 | }
774 |
--------------------------------------------------------------------------------
/packages/boms/acm-addons/01_namespace.yaml:
--------------------------------------------------------------------------------
1 | ---
2 | apiVersion: v1
3 | kind: Namespace
4 | metadata:
5 | name: acm-addons
--------------------------------------------------------------------------------
/packages/boms/acm-addons/02_pr-serverless.yaml:
--------------------------------------------------------------------------------
1 | ---
2 | apiVersion: apps.open-cluster-management.io/v1
3 | kind: PlacementRule
4 | metadata:
5 | name: pr-serverless
6 | namespace: acm-addons
7 | spec:
8 | clusterConditions:
9 | - type: ManagedClusterConditionAvailable
10 | status: "True"
11 | # clusterNames:
12 | # - "cluster1"
13 | # - "cluster2"
14 | clusterSelector:
15 | matchLabels:
16 | serverless: "present"
17 | # clusterSelector:
18 | # matchExpressions:
19 | # - {key: clustertype, operator: In, values: ["hub"]}
--------------------------------------------------------------------------------
/packages/boms/acm-addons/03_pb-serverless.yaml:
--------------------------------------------------------------------------------
1 | ---
2 | apiVersion: policy.open-cluster-management.io/v1
3 | kind: PlacementBinding
4 | metadata:
5 | name: pb-serverless
6 | namespace: acm-addons
7 | placementRef:
8 | name: pr-serverless
9 | namespace: acm-addons
10 | kind: PlacementRule
11 | apiGroup: apps.open-cluster-management.io
12 | subjects:
13 | - name: pl-serverless
14 | namespace: acm-addons
15 | kind: Policy
16 | apiGroup: policy.open-cluster-management.io
--------------------------------------------------------------------------------
/packages/boms/acm-hipaa/01_namespace.yaml:
--------------------------------------------------------------------------------
1 | ---
2 | apiVersion: v1
3 | kind: Namespace
4 | metadata:
5 | name: acm-hipaa
--------------------------------------------------------------------------------
/packages/boms/acm-hipaa/02_pr-hipaa.yaml:
--------------------------------------------------------------------------------
1 | ---
2 | apiVersion: apps.open-cluster-management.io/v1
3 | kind: PlacementRule
4 | metadata:
5 | name: pr-hipaa
6 | namespace: acm-hipaa
7 | spec:
8 | clusterConditions:
9 | - type: ManagedClusterConditionAvailable
10 | status: "True"
11 | # clusterNames:
12 | # - "cluster1"
13 | # - "cluster2"
14 | clusterSelector:
15 | matchLabels:
16 | policy: "hipaa"
17 | # clusterSelector:
18 | # matchExpressions:
19 | # - {key: clustertype, operator: In, values: ["hub"]}
--------------------------------------------------------------------------------
/packages/boms/acm-hipaa/03_pb-hipaa.yaml:
--------------------------------------------------------------------------------
1 | ---
2 | apiVersion: policy.open-cluster-management.io/v1
3 | kind: PlacementBinding
4 | metadata:
5 | name: pb-hipaa
6 | namespace: acm-hipaa
7 | placementRef:
8 | name: pr-hipaa
9 | namespace: acm-hipaa
10 | kind: PlacementRule
11 | apiGroup: apps.open-cluster-management.io
12 | subjects:
13 | - name: no-policy # NOTE(review): no Policy with this name is defined elsewhere in this tree, so the binding looks like a placeholder that binds nothing — confirm before relying on the hipaa placement
14 | namespace: acm-hipaa
15 | kind: Policy
16 | apiGroup: policy.open-cluster-management.io
--------------------------------------------------------------------------------
/packages/boms/acm-sandbox/01_namespace.yaml:
--------------------------------------------------------------------------------
1 | ---
2 | apiVersion: v1
3 | kind: Namespace
4 | metadata:
5 | name: acm-sandbox
--------------------------------------------------------------------------------
/packages/boms/acm-sandbox/02_pr-sandbox.yaml:
--------------------------------------------------------------------------------
1 | ---
2 | apiVersion: apps.open-cluster-management.io/v1
3 | kind: PlacementRule
4 | metadata:
5 | name: pr-sandbox
6 | namespace: acm-sandbox
7 | spec:
8 | clusterConditions:
9 | - type: ManagedClusterConditionAvailable
10 | status: "True"
11 | # clusterNames:
12 | # - "cluster1"
13 | # - "cluster2"
14 | clusterSelector:
15 | matchLabels:
16 | local-cluster: 'true' # selects the hub's own ManagedCluster, so everything bound via pb-sandbox is evaluated on the hub itself
17 | policy: 'sandbox'
18 | # clusterSelector:
19 | # matchExpressions:
20 | # - {key: clustertype, operator: In, values: ["hub"]}
--------------------------------------------------------------------------------
/packages/boms/acm-sandbox/03_pb-sandbox.yaml:
--------------------------------------------------------------------------------
1 | ---
2 | apiVersion: policy.open-cluster-management.io/v1
3 | kind: PlacementBinding
4 | metadata:
5 | name: pb-sandbox
6 | namespace: acm-sandbox
7 | placementRef:
8 | name: pr-sandbox
9 | namespace: acm-sandbox
10 | kind: PlacementRule
11 | apiGroup: apps.open-cluster-management.io
12 | subjects:
13 | - name: pl-serverless # NOTE(review): the base Policies carry no namespace and the sandbox overlays keep 'namespace:' commented out, so these subjects rely on the apply step placing the Policies in acm-sandbox — confirm
14 | namespace: acm-sandbox
15 | kind: Policy
16 | apiGroup: policy.open-cluster-management.io
17 | - name: pl-default-ingress-certificate # matches the Policy's metadata.name; the file is named pl-default-ingress-cert.yaml
18 | namespace: acm-sandbox
19 | kind: Policy
20 | apiGroup: policy.open-cluster-management.io
21 | - name: pl-olm-disable-defaults
22 | namespace: acm-sandbox
23 | kind: Policy
24 | apiGroup: policy.open-cluster-management.io
25 | - name: pl-opa-image-latest
26 | namespace: acm-sandbox
27 | kind: Policy
28 | apiGroup: policy.open-cluster-management.io
--------------------------------------------------------------------------------
/packages/subscriptions/base/kustomization.yaml:
--------------------------------------------------------------------------------
1 | ---
2 | apiVersion: kustomize.config.k8s.io/v1beta1
3 | kind: Kustomization
4 |
5 | resources:
6 | - sb-boms.yaml
--------------------------------------------------------------------------------
/packages/subscriptions/base/sb-boms.yaml:
--------------------------------------------------------------------------------
1 | ---
2 | apiVersion: apps.open-cluster-management.io/v1
3 | kind: Subscription
4 | metadata:
5 | name: sb-boms
6 | namespace: acm-channels
7 | labels:
8 | subscription-pause: "false" # set to "true" to stop reconciling this subscription without deleting it
9 | annotations:
10 | apps.open-cluster-management.io/github-path: packages/boms # only this directory of the channel's repository is applied
11 | spec:
12 | channel: acm-channels/cluster-gitops # <namespace>/<Channel name>
13 | placement:
14 | local: true # applied on the hub itself; the boms are hub-side PlacementRules and PlacementBindings
15 | # timewindow:
16 | # windowtype: "active"
17 | # location: "America/Los_Angeles"
18 | # daysofweek: [ "Friday", "Saturday", "Sunday" ]
19 | # hours:
20 | # - start: "05:00PM"
21 | # end: "10:00PM"
22 |
--------------------------------------------------------------------------------
/packages/subscriptions/development/kustomization.yaml:
--------------------------------------------------------------------------------
1 | ---
2 | apiVersion: kustomize.config.k8s.io/v1beta1
3 | kind: Kustomization
4 |
5 | bases:
6 | - ../base
7 |
8 | # When applying the kustomization for development, use the development
9 | # branch and set the reconcile-rate to 'off' for on-demand reconciliation.
10 | commonAnnotations:
11 | apps.open-cluster-management.io/github-branch: development
12 | apps.open-cluster-management.io/reconcile-rate: "off"
--------------------------------------------------------------------------------
/packages/subscriptions/production/kustomization.yaml:
--------------------------------------------------------------------------------
1 | ---
2 | apiVersion: kustomize.config.k8s.io/v1beta1
3 | kind: Kustomization
4 |
5 | bases:
6 | - ../base
7 |
8 | # When applying the kustomization for production, use the production
9 | # branch and leave the reconcile-rate to implicit default of 'medium'.
10 | # medium = check for new commits every 3 minutes
11 | # force reconcile every 15 minutes
12 | commonAnnotations:
13 | apps.open-cluster-management.io/github-branch: master
--------------------------------------------------------------------------------
/policies/policy-default-ingress-cert/base/kustomization.yaml:
--------------------------------------------------------------------------------
1 | ---
2 | apiVersion: kustomize.config.k8s.io/v1beta1
3 | kind: Kustomization
4 |
5 | resources:
6 | - pl-default-ingress-cert.yaml
--------------------------------------------------------------------------------
/policies/policy-default-ingress-cert/base/pl-default-ingress-cert.yaml:
--------------------------------------------------------------------------------
1 | ---
2 | apiVersion: policy.open-cluster-management.io/v1
3 | kind: Policy
4 | metadata:
5 | name: pl-default-ingress-certificate
6 | spec:
7 | remediationAction: inform # inform only: drift from the objects below is reported, nothing is written
8 | disabled: false
9 | policy-templates:
10 | - objectDefinition:
11 | apiVersion: policy.open-cluster-management.io/v1
12 | kind: ConfigurationPolicy
13 | metadata:
14 | name: ingress-controller-custom-cert
15 | spec:
16 | remediationAction: inform
17 | severity: low
18 | namespaceSelector:
19 | exclude: ["kube-*"]
20 | include: ["custom-policies"]
21 | object-templates:
22 | - complianceType: musthave # custom root CA the cluster-wide Proxy is expected to trust
23 | objectDefinition:
24 | apiVersion: v1
25 | kind: ConfigMap
26 | metadata:
27 | name: custom-ca
28 | namespace: openshift-config
29 | data:
30 | ca-bundle.crt: | # NOTE(review): decoding this root gives CA:TRUE, a sha1WithRSAEncryption self-signature and notAfter 2026-04-30 — plan the rollover and confirm certificates it issues are SHA-256 (openssl x509 -text)
31 | -----BEGIN CERTIFICATE-----
32 | MIIEhDCCA2ygAwIBAgIUBHOnq4b49Tb9SEjW3NMbUavnuoYwDQYJKoZIhvcNAQEF
33 | BQAwgYAxCzAJBgNVBAYTAlVTMRMwEQYDVQQIDApDYWxpZm9ybmlhMREwDwYDVQQH
34 | DAhTYW4gSm9zZTEOMAwGA1UECgwFVmVyc2UxFjAUBgNVBAMMDVZlcnNlIFJvb3Qg
35 | Q0ExITAfBgkqhkiG9w0BCQEWEmR0cmlldTgwQGdtYWlsLmNvbTAeFw0yMTA1MDEw
36 | NTA1MjlaFw0yNjA0MzAwNTA1MjlaMIGAMQswCQYDVQQGEwJVUzETMBEGA1UECAwK
37 | Q2FsaWZvcm5pYTERMA8GA1UEBwwIU2FuIEpvc2UxDjAMBgNVBAoMBVZlcnNlMRYw
38 | FAYDVQQDDA1WZXJzZSBSb290IENBMSEwHwYJKoZIhvcNAQkBFhJkdHJpZXU4MEBn
39 | bWFpbC5jb20wggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQD5dbjsdh8m
40 | 6EbOik2qJIF0Td5rBsJ5bkClqgpgCVP1gQ2q8UXCuYESRbhZdKttQe8bce2IgsRE
41 | LJgnfUl7ldhwFGkygZL+1a4kN+74vo8oISSOLKIuqmwShflgaOoU5CBRJc4FEjwn
42 | jMo9bHW/NpRkc2ATprH5kMqowUR3yUYyWCjP4QenCCfcPkJqLnSmi5jzB5/3+ytu
43 | SQodP0MKWiM44I8eTh3MBXAY1wPLS1ZzK91J2K3YLtrrwTHE39WsgapyAikwhiOm
44 | zHcPTzXPFzrgTVvvR06ZhOf1vZN5VZhCxa/zuPC4eeLaWD/wMEy+rmyBdpuQ04nR
45 | u/UpXOiG9/kRAgMBAAGjgfMwgfAwHQYDVR0OBBYEFFSXE+PLLDyLjGabnfTlRbPW
46 | Rbe0MIHABgNVHSMEgbgwgbWAFFSXE+PLLDyLjGabnfTlRbPWRbe0oYGGpIGDMIGA
47 | MQswCQYDVQQGEwJVUzETMBEGA1UECAwKQ2FsaWZvcm5pYTERMA8GA1UEBwwIU2Fu
48 | IEpvc2UxDjAMBgNVBAoMBVZlcnNlMRYwFAYDVQQDDA1WZXJzZSBSb290IENBMSEw
49 | HwYJKoZIhvcNAQkBFhJkdHJpZXU4MEBnbWFpbC5jb22CFARzp6uG+PU2/UhI1tzT
50 | G1Gr57qGMAwGA1UdEwQFMAMBAf8wDQYJKoZIhvcNAQEFBQADggEBAF2npuDEY++T
51 | xdN2IW8bT4izCAHTO3glSIbc4UOKuKeRfjH/MLeo9fjtAmG6hMDBfsd90C0Lacb4
52 | 0SpN8rKJjlo/TDpeCcoJm0UNbGv8TkajizWge8lIYr+xozlUddqg4fWYD8rqM6pn
53 | 4omyoHY5zgW6PuTqgerXCW5iN7u64LVrId86Oyp2nFu2+83jMNxeb/uva8RLfg8F
54 | ZsP3LFNSnbNBGSjfSmHxxABjHSdLMaelJCXfk18uRVwKSvbZyrm3PkExrMAWXRcT
55 | Lzp4FqCweRMCV25SyrG8KIOjFYlnANyKl5wN30v98Fko5m1b5prNOu8htWsL7Xvg
56 | lEhaB0APbqo=
57 | -----END CERTIFICATE-----
58 | - complianceType: musthave # cluster Proxy must reference the CA bundle above
59 | objectDefinition:
60 | apiVersion: config.openshift.io/v1
61 | kind: Proxy
62 | metadata:
63 | name: cluster
64 | spec:
65 | trustedCA:
66 | name: 'custom-ca' # must match the ConfigMap name above
67 | - complianceType: musthave # wildcard serving certificate for the default ingress controller
68 | objectDefinition:
69 | kind: Secret
70 | apiVersion: v1
71 | metadata:
72 | name: wildcardcert
73 | namespace: openshift-ingress
74 | data:
75 | tls.crt: >-
76 | 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
77 | tls.key: >- # NOTE(review): private key material committed to git and carried inside a Policy; anyone with read access to the repository or to Policy objects on the hub holds the ingress wildcard key — move it to an external secret store / sealed secret and rotate the key
78 | 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
79 | type: kubernetes.io/tls
80 | - complianceType: musthave # default IngressController must serve the Secret above
81 | objectDefinition:
82 | apiVersion: operator.openshift.io/v1
83 | kind: IngressController
84 | metadata:
85 | name: default
86 | namespace: openshift-ingress-operator
87 | spec:
88 | defaultCertificate:
89 | name: 'wildcardcert' # must match the Secret name above
--------------------------------------------------------------------------------
/policies/policy-default-ingress-cert/sandbox/kustomization.yaml:
--------------------------------------------------------------------------------
1 | ---
2 | apiVersion: kustomize.config.k8s.io/v1beta1
3 | kind: Kustomization
4 |
5 | bases:
6 | - ../base
7 |
8 | # namespace: my-namespace
9 | # namePrefix: dev-
10 | # nameSuffix: "-001"
11 | # commonLabels:
12 | # app: bingo
13 |
14 | commonAnnotations:
15 | policy.open-cluster-management.io/standards: Sandbox
16 | policy.open-cluster-management.io/categories: Traffic
17 | policy.open-cluster-management.io/controls: Certificate
--------------------------------------------------------------------------------
/policies/policy-disable-schedule-control/base/kustomization.yaml:
--------------------------------------------------------------------------------
1 | ---
2 | apiVersion: kustomize.config.k8s.io/v1beta1
3 | kind: Kustomization
4 |
5 | resources:
6 | - pl-disable-schedule-control.yaml
--------------------------------------------------------------------------------
/policies/policy-disable-schedule-control/base/pl-disable-schedule-control.yaml:
--------------------------------------------------------------------------------
1 | ---
2 | apiVersion: policy.open-cluster-management.io/v1
3 | kind: Policy
4 | metadata:
5 | name: pl-disable-schedule-control
6 | spec:
7 | remediationAction: inform # report only; the Scheduler object is not modified
8 | disabled: false
9 | policy-templates:
10 | - objectDefinition:
11 | apiVersion: policy.open-cluster-management.io/v1
12 | kind: ConfigurationPolicy
13 | metadata:
14 | name: policy-scheduling
15 | spec:
16 | remediationAction: inform
17 | severity: low
18 | namespaceSelector:
19 | exclude: ["kube-*"]
20 | include: ["custom-policies"]
21 | object-templates:
22 | - complianceType: musthave
23 | objectDefinition:
24 | apiVersion: config.openshift.io/v1
25 | kind: Scheduler
26 | metadata:
27 | name: cluster
28 | spec:
29 | mastersSchedulable: false # keeps ordinary workloads off the control-plane nodes
30 | policy:
31 | name: "" # no custom scheduler policy referenced
32 |
--------------------------------------------------------------------------------
/policies/policy-disable-schedule-control/sandbox/kustomization.yaml:
--------------------------------------------------------------------------------
1 | ---
2 | apiVersion: kustomize.config.k8s.io/v1beta1
3 | kind: Kustomization
4 |
5 | bases:
6 | - ../base
7 |
8 | # namespace: my-namespace
9 | # namePrefix: dev-
10 | # nameSuffix: "-001"
11 | # commonLabels:
12 | # app: bingo
13 |
14 | commonAnnotations:
15 | policy.open-cluster-management.io/standards: Sandbox
16 | policy.open-cluster-management.io/categories: Node
17 | policy.open-cluster-management.io/controls: Configuration
--------------------------------------------------------------------------------
/policies/policy-infra-machine-config-pool/base/kustomization.yaml:
--------------------------------------------------------------------------------
1 | ---
2 | apiVersion: kustomize.config.k8s.io/v1beta1
3 | kind: Kustomization
4 |
5 | resources:
6 | - pl-create-infra-mcp.yaml
--------------------------------------------------------------------------------
/policies/policy-infra-machine-config-pool/base/pl-create-infra-mcp.yaml:
--------------------------------------------------------------------------------
1 | ---
2 | apiVersion: policy.open-cluster-management.io/v1
3 | kind: Policy
4 | metadata:
5 | name: pl-create-infra-mcp
6 | spec:
7 | disabled: false
8 | policy-templates:
9 | - objectDefinition:
10 | apiVersion: policy.open-cluster-management.io/v1
11 | kind: ConfigurationPolicy
12 | metadata:
13 | name: policy-create-infra-machine-config-pool
14 | spec:
15 | namespaceSelector:
16 | exclude:
17 | - kube-*
18 | include:
19 | - default
20 | object-templates:
21 | - complianceType: musthave
22 | objectDefinition:
23 | apiVersion: machineconfiguration.openshift.io/v1
24 | kind: MachineConfigPool
25 | metadata:
26 | name: infra
27 | spec:
28 | machineConfigSelector:
29 | matchExpressions:
30 | - key: machineconfiguration.openshift.io/role
31 | operator: In
32 | values:
33 | - worker # used for testing — NOTE(review): keeping 'worker' in the selector makes the infra pool render worker-role MachineConfigs as well; drop it before this policy is enforced
34 | - infra
35 | nodeSelector:
36 | matchLabels:
37 | node-role.kubernetes.io/infra: "" # testing — NOTE(review): this selector is the one an infra pool needs anyway; confirm whether the "testing" remark is still accurate
38 | remediationAction: enforce # effectively inform: the parent Policy's remediationAction (last line of this file) takes precedence, as this repo notes in pl-opa-image-latest.yaml
39 | severity: low
40 | remediationAction: inform # parent-level setting; wins over the nested 'enforce' above
--------------------------------------------------------------------------------
/policies/policy-infra-machine-config-pool/sandbox/kustomization.yaml:
--------------------------------------------------------------------------------
1 | ---
2 | apiVersion: kustomize.config.k8s.io/v1beta1
3 | kind: Kustomization
4 |
5 | bases:
6 | - ../base
7 |
8 | # namespace: my-namespace
9 | # namePrefix: dev-
10 | # nameSuffix: "-001"
11 | # commonLabels:
12 | # app: bingo
13 |
14 | commonAnnotations:
15 | policy.open-cluster-management.io/standards: Sandbox
16 | policy.open-cluster-management.io/categories: Node
17 | policy.open-cluster-management.io/controls: Configuration
--------------------------------------------------------------------------------
/policies/policy-label-infra-nodes/base/kustomization.yaml:
--------------------------------------------------------------------------------
1 | ---
2 | apiVersion: kustomize.config.k8s.io/v1beta1
3 | kind: Kustomization
4 |
5 | resources:
6 | - pl-label-infra-nodes.yaml
--------------------------------------------------------------------------------
/policies/policy-label-infra-nodes/base/pl-label-infra-nodes.yaml:
--------------------------------------------------------------------------------
1 | ---
2 | apiVersion: policy.open-cluster-management.io/v1
3 | kind: Policy
4 | metadata:
5 | name: pl-label-infra-nodes
6 | spec:
7 | remediationAction: inform # applies to the ConfigurationPolicy below, which sets no remediationAction of its own
8 | disabled: false
9 | policy-templates:
10 | - objectDefinition:
11 | apiVersion: policy.open-cluster-management.io/v1
12 | kind: ConfigurationPolicy
13 | metadata:
14 | name: policy-label-infra-nodes
15 | spec:
16 | severity: medium
17 | namespaceSelector:
18 | exclude: []
19 | include:
20 | - "default"
21 | object-templates:
22 | - complianceType: musthave
23 | objectDefinition:
24 | apiVersion: v1
25 | kind: Node
26 | name: infra1 # NOTE(review): appears to sit beside 'kind' rather than under 'metadata' (indentation is lost in this view); without metadata.name a musthave template only requires that some Node carry the label below, not that infra1 does — confirm the intent
27 | metadata:
28 | labels:
29 | node-role.kubernetes.io/infra: ""
30 | #- complianceType: mustnothave
31 | # objectDefinition:
32 | # apiVersion: v1
33 | # kind: Node
34 | # name: infra1
35 | # metadata:
36 | # labels:
37 | # node-role.kubernetes.io/worker: ""
--------------------------------------------------------------------------------
/policies/policy-label-infra-nodes/sandbox/kustomization.yaml:
--------------------------------------------------------------------------------
1 | ---
2 | apiVersion: kustomize.config.k8s.io/v1beta1
3 | kind: Kustomization
4 |
5 | bases:
6 | - ../base
7 |
8 | # namespace: my-namespace
9 | # namePrefix: dev-
10 | # nameSuffix: "-001"
11 | # commonLabels:
12 | # app: bingo
13 |
14 | commonAnnotations:
15 | policy.open-cluster-management.io/standards: Sandbox
16 | policy.open-cluster-management.io/categories: Node
17 | policy.open-cluster-management.io/controls: Configuration
--------------------------------------------------------------------------------
/policies/policy-olm-disable-defaults/base/kustomization.yaml:
--------------------------------------------------------------------------------
1 | ---
2 | apiVersion: kustomize.config.k8s.io/v1beta1
3 | kind: Kustomization
4 |
5 | resources:
6 | - pl-olm-disable-defaults.yaml
--------------------------------------------------------------------------------
/policies/policy-olm-disable-defaults/base/pl-olm-disable-defaults.yaml:
--------------------------------------------------------------------------------
1 | apiVersion: policy.open-cluster-management.io/v1
2 | kind: Policy
3 | metadata:
4 | name: pl-olm-disable-defaults
5 | spec:
6 | remediationAction: inform # report only; the OperatorHub object is not modified
7 | disabled: false
8 | policy-templates:
9 | - objectDefinition:
10 | apiVersion: policy.open-cluster-management.io/v1
11 | kind: ConfigurationPolicy
12 | metadata:
13 | name: olm-disable-defaults
14 | spec:
15 | remediationAction: inform
16 | severity: high
17 | object-templates:
18 | - complianceType: musthave
19 | objectDefinition:
20 | apiVersion: config.openshift.io/v1
21 | kind: OperatorHub
22 | metadata:
23 | name: cluster
24 | spec:
25 | disableAllDefaultSources: true # stock OperatorHub catalogs off, so only catalog sources added on purpose are installable (supply-chain control)
26 |
27 |
--------------------------------------------------------------------------------
/policies/policy-olm-disable-defaults/sandbox/kustomization.yaml:
--------------------------------------------------------------------------------
1 | ---
2 | apiVersion: kustomize.config.k8s.io/v1beta1
3 | kind: Kustomization
4 |
5 | bases:
6 | - ../base
7 |
8 | # namespace: my-namespace
9 | # namePrefix: dev-
10 | # nameSuffix: "-001"
11 | # commonLabels:
12 | # app: bingo
13 |
14 | commonAnnotations:
15 | policy.open-cluster-management.io/standards: Sandbox
16 | policy.open-cluster-management.io/categories: Binaries
17 | policy.open-cluster-management.io/controls: Catalogs
--------------------------------------------------------------------------------
/policies/policy-opa-image-latest/base/kustomization.yaml:
--------------------------------------------------------------------------------
1 | ---
2 | apiVersion: kustomize.config.k8s.io/v1beta1
3 | kind: Kustomization
4 |
5 | resources:
6 | - pl-opa-image-latest.yaml
--------------------------------------------------------------------------------
/policies/policy-opa-image-latest/base/pl-opa-image-latest.yaml:
--------------------------------------------------------------------------------
1 | apiVersion: policy.open-cluster-management.io/v1
2 | kind: Policy
3 | metadata:
4 | name: pl-opa-image-latest
5 | spec:
6 | remediationAction: inform # the Gatekeeper objects below are only checked for presence, not created
7 | disabled: false
8 | policy-templates:
9 | - objectDefinition:
10 | apiVersion: policy.open-cluster-management.io/v1
11 | kind: ConfigurationPolicy
12 | metadata:
13 | name: policy-gatekeeper-containerimagelatest
14 | spec:
15 | remediationAction: enforce # effectively inform: the parent Policy's spec.remediationAction above takes precedence (see the note at the end of this file)
16 | severity: low
17 | object-templates:
18 | - complianceType: musthave
19 | objectDefinition:
20 | apiVersion: templates.gatekeeper.sh/v1beta1
21 | kind: ConstraintTemplate
22 | metadata:
23 | creationTimestamp: null
24 | name: containerimagelatest
25 | spec:
26 | crd:
27 | spec:
28 | names:
29 | kind: ContainerImageLatest
30 | targets:
31 | - libs:
32 | - |
33 | package lib.konstraint
34 | default is_gatekeeper = false
35 | is_gatekeeper {
36 | has_field(input, "review")
37 | has_field(input.review, "object")
38 | }
39 | object = input {
40 | not is_gatekeeper
41 | }
42 | object = input.review.object {
43 | is_gatekeeper
44 | }
45 | format(msg) = gatekeeper_format {
46 | is_gatekeeper
47 | gatekeeper_format = {"msg": msg}
48 | }
49 | format(msg) = msg {
50 | not is_gatekeeper
51 | }
52 | name = object.metadata.name
53 | kind = object.kind
54 | has_field(obj, field) {
55 | obj[field]
56 | }
57 | missing_field(obj, field) = true {
58 | obj[field] == ""
59 | }
60 | missing_field(obj, field) = true {
61 | not has_field(obj, field)
62 | }
63 | is_service {
64 | lower(kind) == "service"
65 | }
66 | is_statefulset {
67 | lower(kind) == "statefulset"
68 | }
69 | is_daemonset {
70 | lower(kind) == "daemonset"
71 | }
72 | is_deployment {
73 | lower(kind) == "deployment"
74 | }
75 | is_pod {
76 | lower(kind) == "pod"
77 | }
78 | is_namespace {
79 | lower(kind) == "namespace"
80 | }
81 | is_workload {
82 | containers[_]
83 | }
84 | pod_containers(pod) = all_containers {
85 | keys = {"containers", "initContainers"}
86 | all_containers = [c | keys[k]; c = pod.spec[k][_]]
87 | }
88 | containers[container] {
89 | pods[pod]
90 | all_containers = pod_containers(pod)
91 | container = all_containers[_]
92 | }
93 | containers[container] {
94 | all_containers = pod_containers(object)
95 | container = all_containers[_]
96 | }
97 | container_images[image] {
98 | containers[container]
99 | image = container.image
100 | }
101 | container_images[image] {
102 | image = object.spec.image
103 | }
104 | split_image(image) = [image, "latest"] {
105 | not contains(image, ":")
106 | }
107 | split_image(image) = [image_name, tag] {
108 | [image_name, tag] = split(image, ":")
109 | }
110 | pods[pod] {
111 | is_statefulset
112 | pod = object.spec.template
113 | }
114 | pods[pod] {
115 | is_daemonset
116 | pod = object.spec.template
117 | }
118 | pods[pod] {
119 | is_deployment
120 | pod = object.spec.template
121 | }
122 | pods[pod] {
123 | is_pod
124 | pod = object
125 | }
126 | volumes[volume] {
127 | pods[pod]
128 | volume = pod.spec.volumes[_]
129 | }
130 | mem_multiple("E") = 1000000000000000000000 { true }
131 | mem_multiple("P") = 1000000000000000000 { true }
132 | mem_multiple("T") = 1000000000000000 { true }
133 | mem_multiple("G") = 1000000000000 { true }
134 | mem_multiple("M") = 1000000000 { true }
135 | mem_multiple("k") = 1000000 { true }
136 | mem_multiple("") = 1000 { true }
137 | mem_multiple("m") = 1 { true }
138 | mem_multiple("Ki") = 1024000 { true }
139 | mem_multiple("Mi") = 1048576000 { true }
140 | mem_multiple("Gi") = 1073741824000 { true }
141 | mem_multiple("Ti") = 1099511627776000 { true }
142 | mem_multiple("Pi") = 1125899906842624000 { true }
143 | mem_multiple("Ei") = 1152921504606846976000 { true }
144 | get_suffix(mem) = suffix {
145 | not is_string(mem)
146 | suffix := ""
147 | }
148 | get_suffix(mem) = suffix {
149 | is_string(mem)
150 | count(mem) > 0
151 | suffix := substring(mem, count(mem) - 1, -1)
152 | mem_multiple(suffix)
153 | }
154 | get_suffix(mem) = suffix {
155 | is_string(mem)
156 | count(mem) > 1
157 | suffix := substring(mem, count(mem) - 2, -1)
158 | mem_multiple(suffix)
159 | }
160 | get_suffix(mem) = suffix {
161 | is_string(mem)
162 | count(mem) > 1
163 | not mem_multiple(substring(mem, count(mem) - 1, -1))
164 | not mem_multiple(substring(mem, count(mem) - 2, -1))
165 | suffix := ""
166 | }
167 | get_suffix(mem) = suffix {
168 | is_string(mem)
169 | count(mem) == 1
170 | not mem_multiple(substring(mem, count(mem) - 1, -1))
171 | suffix := ""
172 | }
173 | get_suffix(mem) = suffix {
174 | is_string(mem)
175 | count(mem) == 0
176 | suffix := ""
177 | }
178 | canonify_mem(orig) = new {
179 | is_number(orig)
180 | new := orig * 1000
181 | }
182 | canonify_mem(orig) = new {
183 | not is_number(orig)
184 | suffix := get_suffix(orig)
185 | raw := replace(orig, suffix, "")
186 | re_match("^[0-9]+$", raw)
187 | new := to_number(raw) * mem_multiple(suffix)
188 | }
189 | canonify_storage(orig) = new {
190 | is_number(orig)
191 | new := orig
192 | }
193 | canonify_storage(orig) = new {
194 | not is_number(orig)
195 | suffix := get_suffix(orig)
196 | raw := replace(orig, suffix, "")
197 | re_match("^[0-9]+$", raw)
198 | new := to_number(raw) * mem_multiple(suffix)
199 | }
200 | canonify_cpu(orig) = new {
201 | is_number(orig)
202 | new := orig * 1000
203 | }
204 | canonify_cpu(orig) = new {
205 | not is_number(orig)
206 | endswith(orig, "m")
207 | new := to_number(replace(orig, "m", ""))
208 | }
209 | canonify_cpu(orig) = new {
210 | not is_number(orig)
211 | not endswith(orig, "m")
212 | re_match("^[0-9]+$", orig)
213 | new := to_number(orig) * 1000
214 | }
215 | dropped_capability(container, cap) {
216 | container.securityContext.capabilities.drop[_] == cap
217 | }
218 | added_capability(container, cap) {
219 | container.securityContext.capabilities.add[_] == cap
220 | }
221 | no_read_only_filesystem(c) {
222 | not has_field(c, "securityContext")
223 | }
224 | no_read_only_filesystem(c) {
225 | has_field(c, "securityContext")
226 | not has_field(c.securityContext, "readOnlyRootFilesystem")
227 | }
228 | priviledge_escalation_allowed(c) {
229 | not has_field(c, "securityContext")
230 | }
231 | priviledge_escalation_allowed(c) {
232 | has_field(c, "securityContext")
233 | has_field(c.securityContext, "allowPrivilegeEscalation")
234 | }
235 | - |-
236 | package lib.openshift
237 | import data.lib.konstraint
238 | is_deploymentconfig {
239 | lower(konstraint.object.apiVersion) == "apps.openshift.io/v1"
240 | lower(konstraint.object.kind) == "deploymentconfig"
241 | }
# True when the object under evaluation is an OpenShift Route
# (route.openshift.io/v1); both comparisons are case-insensitive.
is_route {
  obj := konstraint.object
  lower(obj.kind) == "route"
  lower(obj.apiVersion) == "route.openshift.io/v1"
}
# The kinds whose pod templates the OpenShift policies inspect: the OpenShift
# DeploymentConfig plus the upstream workload kinds konstraint already
# recognises (StatefulSet, DaemonSet, Deployment). Jobs, CronJobs and bare
# Pods are not included.
is_workload_kind {
  is_deploymentconfig
}

is_workload_kind {
  konstraint.is_statefulset
}

is_workload_kind {
  konstraint.is_daemonset
}

is_workload_kind {
  konstraint.is_deployment
}
# Every kind a policy in this library may be asked about: any workload kind,
# a Service, or an OpenShift Route.
is_all_kind {
  is_workload_kind
}

is_all_kind {
  konstraint.is_service
}

is_all_kind {
  is_route
}
# Pod templates of the object under evaluation. A DeploymentConfig is handled
# here explicitly (its template lives at spec.template); every other kind is
# delegated to konstraint.pods, presumably because that set does not know the
# OpenShift kind — verify if konstraint is upgraded.
pods[pod] {
  is_deploymentconfig
  pod = konstraint.object.spec.template
}

pods[pod] {
  pod = konstraint.pods[_]
}
# All containers the policies should look at: the containers of every pod
# template in `pods` (what konstraint.pod_containers includes, e.g. init
# containers, is decided in konstraint, not here) plus whatever
# konstraint.containers yields on its own.
containers[container] {
  pods[pod]
  all_containers = konstraint.pod_containers(pod)
  container = all_containers[_]
}

containers[container] {
  container = konstraint.containers[_]
}
282 | rego: |-
283 | package ocp.bestpractices.container_image_latest
284 | import data.lib.konstraint
285 | import data.lib.openshift
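# A workload (DeploymentConfig, Deployment, DaemonSet, StatefulSet) is in
# violation when any of its containers references an image by the mutable
# `latest` tag: the deployment is not reproducible and the image can change
# underneath the workload on the next pull.
violation[msg] {
  openshift.is_workload_kind
  container := openshift.containers[_]
  uses_latest_tag(container.image)
  obj := konstraint.object
  msg := konstraint.format(sprintf("%s/%s: container '%s' is using the latest tag for its image (%s), which is an anti-pattern.", [obj.kind, obj.metadata.name, container.name, container.image]))
}

# Explicit `:latest` tag.
uses_latest_tag(image) {
  endswith(image, ":latest")
}

# No tag and no digest at all: the runtime resolves such a reference to
# `:latest`, so it is the same anti-pattern written implicitly (previously
# missed). The check is done on the last path component so that a registry
# port (`host:5000/app`) is not mistaken for a tag.
uses_latest_tag(image) {
  not contains(image, "@")
  parts := split(image, "/")
  not contains(parts[count(parts) - 1], ":")
}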
293 | target: admission.k8s.gatekeeper.sh
# Constraint instantiating the ContainerImageLatest template. No
# enforcementAction is set, so Gatekeeper's default (deny) applies and a
# matching admission request is rejected; no excludedNamespaces or
# namespaceSelector is set either, so every namespace is evaluated unless it
# is exempted in the Gatekeeper configuration.
- complianceType: musthave
  objectDefinition:
    apiVersion: constraints.gatekeeper.sh/v1beta1
    kind: ContainerImageLatest
    metadata:
      name: containerimagelatest
    spec:
      match:
        kinds:
          # Mirrors lib.openshift.is_workload_kind: the OpenShift
          # DeploymentConfig plus the core apps workload kinds.
          - apiGroups:
              - apps.openshift.io
              - apps
            kinds:
              - DeploymentConfig
              - DaemonSet
              - Deployment
              - StatefulSet
# Audit side: compliant only while the constraint's status reports zero
# violations, i.e. no already-running workload (typically one admitted before
# the constraint existed) still references a :latest image.
- objectDefinition:
    apiVersion: policy.open-cluster-management.io/v1
    kind: ConfigurationPolicy
    metadata:
      name: policy-gatekeeper-audit-latest
    spec:
      remediationAction: inform # will be overridden by remediationAction in parent policy
      severity: low
      object-templates:
        - complianceType: musthave
          objectDefinition:
            apiVersion: constraints.gatekeeper.sh/v1beta1
            kind: ContainerImageLatest
            metadata:
              name: containerimagelatest
            status:
              totalViolations: 0
# Admission side: `mustnothave` on deny Events makes the policy non-compliant
# as soon as Gatekeeper has rejected a request for this constraint, which
# surfaces attempted :latest deployments on the hub. Events expire after the
# API server's event TTL, so the finding clears on its own unless the events
# are also shipped to a log store.
- objectDefinition:
    apiVersion: policy.open-cluster-management.io/v1
    kind: ConfigurationPolicy
    metadata:
      name: policy-gatekeeper-admission-latest
    spec:
      remediationAction: inform # will be overridden by remediationAction in parent policy
      severity: low
      object-templates:
        - complianceType: mustnothave
          objectDefinition:
            apiVersion: v1
            kind: Event
            metadata:
              namespace: openshift-gatekeeper-system # set it to the actual namespace where gatekeeper is running if different
              annotations:
                constraint_action: deny
                constraint_kind: ContainerImageLatest
                constraint_name: containerimagelatest
                event_type: violation
--------------------------------------------------------------------------------
/policies/policy-opa-image-latest/sandbox/kustomization.yaml:
--------------------------------------------------------------------------------
---
apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization

# `bases` is deprecated in current kustomize; `resources:` accepts the same path.
bases:
  - ../base

# namespace: my-namespace
# namePrefix: dev-
# nameSuffix: "-001"
# commonLabels:
#   app: bingo

# ACM governance metadata stamped onto every resource from ../base; ACM uses
# these annotations to group the policy by standard, category and control.
commonAnnotations:
  policy.open-cluster-management.io/standards: Sandbox
  policy.open-cluster-management.io/categories: Binaries
  policy.open-cluster-management.io/controls: Images
--------------------------------------------------------------------------------
/policies/policy-registry-pv-nfs/base/kustomization.yaml:
--------------------------------------------------------------------------------
---
apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization

# Single policy manifest; the sandbox overlay next to this directory adds the
# ACM governance annotations.
resources:
  - pl-registry-pv-nfs.yaml
--------------------------------------------------------------------------------
/policies/policy-registry-pv-nfs/base/pl-registry-pv-nfs.yaml:
--------------------------------------------------------------------------------
---
apiVersion: policy.open-cluster-management.io/v1
kind: Policy
metadata:
  name: pl-registry-pv-nfs
spec:
  disabled: false
  policy-templates:
    - objectDefinition:
        apiVersion: policy.open-cluster-management.io/v1
        kind: ConfigurationPolicy
        metadata:
          name: policy-registry-pv-nfs
        spec:
          # NOTE(review): both objects below are cluster-scoped, so this
          # selector should have no effect on them — confirm it is intended.
          namespaceSelector:
            exclude: ["kube-*"]
            include: ["custom-policies"]
          object-templates:
            # Both templates leave `spec` empty, so effectively only the
            # existence of an object with this name is asserted: nothing
            # verifies that the PV is NFS-backed or that the image registry
            # actually references it. Add the relevant spec fields if that is
            # what this policy is meant to guarantee.
            - complianceType: musthave
              objectDefinition:
                apiVersion: v1
                kind: PersistentVolume
                metadata:
                  name: registry-pv
                spec:
            - complianceType: musthave
              objectDefinition:
                apiVersion: imageregistry.operator.openshift.io/v1
                kind: Config
                metadata:
                  name: cluster
                spec:
          # inform only: a missing object is reported on the hub, not created.
          remediationAction: inform
          severity: low
  remediationAction: inform
36 |
--------------------------------------------------------------------------------
/policies/policy-registry-pv-nfs/sandbox/kustomization.yaml:
--------------------------------------------------------------------------------
---
apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization

# `bases` is deprecated in current kustomize; `resources:` accepts the same path.
bases:
  - ../base

# namespace: my-namespace
# namePrefix: dev-
# nameSuffix: "-001"
# commonLabels:
#   app: bingo

# ACM governance metadata stamped onto every resource from ../base; ACM uses
# these annotations to group the policy by standard, category and control.
commonAnnotations:
  policy.open-cluster-management.io/standards: Sandbox
  policy.open-cluster-management.io/categories: Applications
  policy.open-cluster-management.io/controls: Registry
--------------------------------------------------------------------------------
/policies/policy-serverless/base/kustomization.yaml:
--------------------------------------------------------------------------------
---
apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization

# Single policy manifest; the sandbox overlay next to this directory adds the
# ACM governance annotations.
resources:
  - pl-serverless.yaml
--------------------------------------------------------------------------------
/policies/policy-serverless/base/pl-serverless.yaml:
--------------------------------------------------------------------------------
apiVersion: policy.open-cluster-management.io/v1
kind: Policy
metadata:
  name: pl-serverless
spec:
  # inform only at every level: missing objects are reported, never created.
  remediationAction: inform
  disabled: false
  # Three checks that together describe an OLM install of the Serverless
  # operator: its namespace, an OperatorGroup in it, and the Subscription.
  policy-templates:
    - objectDefinition:
        apiVersion: policy.open-cluster-management.io/v1
        kind: ConfigurationPolicy
        metadata:
          name: serverless-operator-ns
        spec:
          remediationAction: inform
          severity: high
          object-templates:
            - complianceType: musthave
              objectDefinition:
                apiVersion: v1
                kind: Namespace
                metadata:
                  name: openshift-serverless
    - objectDefinition:
        apiVersion: policy.open-cluster-management.io/v1
        kind: ConfigurationPolicy
        metadata:
          name: serverless-operator-group
        spec:
          remediationAction: inform
          severity: high
          object-templates:
            - complianceType: musthave
              objectDefinition:
                apiVersion: operators.coreos.com/v1
                kind: OperatorGroup
                metadata:
                  # NOTE(review): generateName rather than name — the
                  # controller cannot look an object up by prefix; confirm
                  # how this template is matched against existing objects.
                  generateName: openshift-serverless-
                  namespace: openshift-serverless
    - objectDefinition:
        apiVersion: policy.open-cluster-management.io/v1
        kind: ConfigurationPolicy
        metadata:
          name: serverless-operator-subscription
        spec:
          remediationAction: inform
          severity: high
          object-templates:
            - complianceType: musthave
              objectDefinition:
                apiVersion: operators.coreos.com/v1alpha1
                kind: Subscription
                metadata:
                  name: serverless-operator
                  namespace: openshift-serverless
                spec:
                  channel: stable
                  # Automatic approval: startingCSV only pins the first
                  # install; later releases on the channel are applied without
                  # review. Use Manual if operator upgrades must be gated.
                  installPlanApproval: Automatic
                  name: serverless-operator
                  source: redhat-operators
                  sourceNamespace: openshift-marketplace
                  startingCSV: serverless-operator.v1.15.0
63 |
--------------------------------------------------------------------------------
/policies/policy-serverless/sandbox/kustomization.yaml:
--------------------------------------------------------------------------------
---
apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization

# `bases` is deprecated in current kustomize; `resources:` accepts the same path.
bases:
  - ../base

# namespace: my-namespace
# namePrefix: dev-
# nameSuffix: "-001"
# commonLabels:
#   app: bingo

# ACM governance metadata stamped onto every resource from ../base; ACM uses
# these annotations to group the policy by standard, category and control.
commonAnnotations:
  policy.open-cluster-management.io/standards: Sandbox
  policy.open-cluster-management.io/categories: Addons
  policy.open-cluster-management.io/controls: Serverless
--------------------------------------------------------------------------------
/policies/sb-development.yaml:
--------------------------------------------------------------------------------
---
# Root subscription for the development flavour of the policy set. It has the
# same name and namespace as sb-production.yaml, so presumably only one of
# the two is applied to a given hub.
apiVersion: apps.open-cluster-management.io/v1
kind: Subscription
metadata:
  name: sb-policy-subscriptions
  namespace: acm-channels
  labels:
    # set to "true" to pause delivery without deleting the subscription
    subscription-pause: "false"
  annotations:
    apps.open-cluster-management.io/github-path: policies/subscriptions/development
    apps.open-cluster-management.io/github-branch: development
    # "off": the repository is not polled; changes on the development branch
    # are only picked up on a manual reconcile. sb-production.yaml leaves the
    # default rate in place.
    apps.open-cluster-management.io/reconcile-rate: "off"
spec:
  channel: acm-channels/cluster-gitops
  placement:
    # Applied to the hub itself; the per-policy Subscriptions it pulls in
    # carry their own placement.
    local: true
  # timewindow:
  #   windowtype: "active"
  #   location: "America/Los_Angeles"
  #   daysofweek: [ "Friday", "Saturday", "Sunday" ]
  #   hours:
  #     - start: "05:00PM"
  #       end: "10:00PM"
24 |
--------------------------------------------------------------------------------
/policies/sb-production.yaml:
--------------------------------------------------------------------------------
---
# Root subscription for the production flavour of the policy set. Same name
# and namespace as sb-development.yaml, so presumably only one of the two is
# applied to a given hub.
apiVersion: apps.open-cluster-management.io/v1
kind: Subscription
metadata:
  name: sb-policy-subscriptions
  namespace: acm-channels
  labels:
    # set to "true" to pause delivery without deleting the subscription
    subscription-pause: "false"
  annotations:
    apps.open-cluster-management.io/github-path: policies/subscriptions/production
    # Tracks master at the default reconcile rate: a merge to master is rolled
    # out to the hub automatically.
    apps.open-cluster-management.io/github-branch: master
spec:
  channel: acm-channels/cluster-gitops
  placement:
    # Applied to the hub itself; the per-policy Subscriptions it pulls in
    # carry their own placement.
    local: true
  # timewindow:
  #   windowtype: "active"
  #   location: "America/Los_Angeles"
  #   daysofweek: [ "Friday", "Saturday", "Sunday" ]
  #   hours:
  #     - start: "05:00PM"
  #       end: "10:00PM"
23 |
--------------------------------------------------------------------------------
/policies/subscriptions/base/kustomization.yaml:
--------------------------------------------------------------------------------
---
apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization

# One Subscription per policy directory. The development/ and production/
# overlays add the github-branch (and reconcile-rate) annotations; adding a
# policy means adding its sb-*.yaml here as well.
resources:
  - sb-default-ingress-cert.yaml
  - sb-disable-schedule-control.yaml
  - sb-infra-machine-config-pool.yaml
  - sb-label-infra-nodes.yaml
  - sb-olm-disable-defaults.yaml
  - sb-opa-image-latest.yaml
  - sb-registry-pv-nfs.yaml
  - sb-serverless.yaml
14 |
--------------------------------------------------------------------------------
/policies/subscriptions/base/sb-default-ingress-cert.yaml:
--------------------------------------------------------------------------------
---
apiVersion: apps.open-cluster-management.io/v1
kind: Subscription
metadata:
  name: sb-default-ingress-cert
  namespace: acm-sandbox
  labels:
    # set to "true" to pause delivery without deleting the subscription
    subscription-pause: "false"
  annotations:
    # Only the sandbox overlay of the policy is subscribed; github-branch and
    # reconcile-rate are added by the development/ or production/ kustomization.
    apps.open-cluster-management.io/github-path: policies/policy-default-ingress-cert/sandbox
spec:
  channel: acm-channels/cluster-gitops
  placement:
    local: true # delivered to the hub cluster itself
  # timewindow:
  #   windowtype: "active"
  #   location: "America/Los_Angeles"
  #   daysofweek: [ "Friday", "Saturday", "Sunday" ]
  #   hours:
  #     - start: "05:00PM"
  #       end: "10:00PM"
22 |
--------------------------------------------------------------------------------
/policies/subscriptions/base/sb-disable-schedule-control.yaml:
--------------------------------------------------------------------------------
---
apiVersion: apps.open-cluster-management.io/v1
kind: Subscription
metadata:
  name: sb-disable-schedule-control
  namespace: acm-sandbox
  labels:
    # set to "true" to pause delivery without deleting the subscription
    subscription-pause: "false"
  annotations:
    # Only the sandbox overlay of the policy is subscribed; github-branch and
    # reconcile-rate are added by the development/ or production/ kustomization.
    apps.open-cluster-management.io/github-path: policies/policy-disable-schedule-control/sandbox
spec:
  channel: acm-channels/cluster-gitops
  placement:
    local: true # delivered to the hub cluster itself
  # timewindow:
  #   windowtype: "active"
  #   location: "America/Los_Angeles"
  #   daysofweek: [ "Friday", "Saturday", "Sunday" ]
  #   hours:
  #     - start: "05:00PM"
  #       end: "10:00PM"
22 |
--------------------------------------------------------------------------------
/policies/subscriptions/base/sb-infra-machine-config-pool.yaml:
--------------------------------------------------------------------------------
---
apiVersion: apps.open-cluster-management.io/v1
kind: Subscription
metadata:
  name: sb-infra-machine-config-pool
  namespace: acm-sandbox
  labels:
    # set to "true" to pause delivery without deleting the subscription
    subscription-pause: "false"
  annotations:
    # Only the sandbox overlay of the policy is subscribed; github-branch and
    # reconcile-rate are added by the development/ or production/ kustomization.
    apps.open-cluster-management.io/github-path: policies/policy-infra-machine-config-pool/sandbox
spec:
  channel: acm-channels/cluster-gitops
  placement:
    local: true # delivered to the hub cluster itself
  # timewindow:
  #   windowtype: "active"
  #   location: "America/Los_Angeles"
  #   daysofweek: [ "Friday", "Saturday", "Sunday" ]
  #   hours:
  #     - start: "05:00PM"
  #       end: "10:00PM"
22 |
--------------------------------------------------------------------------------
/policies/subscriptions/base/sb-label-infra-nodes.yaml:
--------------------------------------------------------------------------------
---
apiVersion: apps.open-cluster-management.io/v1
kind: Subscription
metadata:
  name: sb-label-infra-nodes
  namespace: acm-sandbox
  labels:
    # set to "true" to pause delivery without deleting the subscription
    subscription-pause: "false"
  annotations:
    # Only the sandbox overlay of the policy is subscribed; github-branch and
    # reconcile-rate are added by the development/ or production/ kustomization.
    apps.open-cluster-management.io/github-path: policies/policy-label-infra-nodes/sandbox
spec:
  channel: acm-channels/cluster-gitops
  placement:
    local: true # delivered to the hub cluster itself
  # timewindow:
  #   windowtype: "active"
  #   location: "America/Los_Angeles"
  #   daysofweek: [ "Friday", "Saturday", "Sunday" ]
  #   hours:
  #     - start: "05:00PM"
  #       end: "10:00PM"
22 |
--------------------------------------------------------------------------------
/policies/subscriptions/base/sb-olm-disable-defaults.yaml:
--------------------------------------------------------------------------------
---
apiVersion: apps.open-cluster-management.io/v1
kind: Subscription
metadata:
  name: sb-olm-disable-defaults
  namespace: acm-sandbox
  labels:
    # set to "true" to pause delivery without deleting the subscription
    subscription-pause: "false"
  annotations:
    # Only the sandbox overlay of the policy is subscribed; github-branch and
    # reconcile-rate are added by the development/ or production/ kustomization.
    apps.open-cluster-management.io/github-path: policies/policy-olm-disable-defaults/sandbox
spec:
  channel: acm-channels/cluster-gitops
  placement:
    local: true # delivered to the hub cluster itself
  # timewindow:
  #   windowtype: "active"
  #   location: "America/Los_Angeles"
  #   daysofweek: [ "Friday", "Saturday", "Sunday" ]
  #   hours:
  #     - start: "05:00PM"
  #       end: "10:00PM"
--------------------------------------------------------------------------------
/policies/subscriptions/base/sb-opa-image-latest.yaml:
--------------------------------------------------------------------------------
---
apiVersion: apps.open-cluster-management.io/v1
kind: Subscription
metadata:
  name: sb-opa-image-latest
  namespace: acm-sandbox
  labels:
    # set to "true" to pause delivery without deleting the subscription
    subscription-pause: "false"
  annotations:
    # Only the sandbox overlay of the policy is subscribed; github-branch and
    # reconcile-rate are added by the development/ or production/ kustomization.
    apps.open-cluster-management.io/github-path: policies/policy-opa-image-latest/sandbox
spec:
  channel: acm-channels/cluster-gitops
  placement:
    local: true # delivered to the hub cluster itself
  # timewindow:
  #   windowtype: "active"
  #   location: "America/Los_Angeles"
  #   daysofweek: [ "Friday", "Saturday", "Sunday" ]
  #   hours:
  #     - start: "05:00PM"
  #       end: "10:00PM"
--------------------------------------------------------------------------------
/policies/subscriptions/base/sb-registry-pv-nfs.yaml:
--------------------------------------------------------------------------------
---
apiVersion: apps.open-cluster-management.io/v1
kind: Subscription
metadata:
  name: sb-registry-pv-nfs
  namespace: acm-sandbox
  labels:
    # set to "true" to pause delivery without deleting the subscription
    subscription-pause: "false"
  annotations:
    # Only the sandbox overlay of the policy is subscribed; github-branch and
    # reconcile-rate are added by the development/ or production/ kustomization.
    apps.open-cluster-management.io/github-path: policies/policy-registry-pv-nfs/sandbox
spec:
  channel: acm-channels/cluster-gitops
  placement:
    local: true # delivered to the hub cluster itself
  # timewindow:
  #   windowtype: "active"
  #   location: "America/Los_Angeles"
  #   daysofweek: [ "Friday", "Saturday", "Sunday" ]
  #   hours:
  #     - start: "05:00PM"
  #       end: "10:00PM"
22 |
--------------------------------------------------------------------------------
/policies/subscriptions/base/sb-serverless.yaml:
--------------------------------------------------------------------------------
---
apiVersion: apps.open-cluster-management.io/v1
kind: Subscription
metadata:
  name: sb-serverless
  namespace: acm-sandbox
  labels:
    # set to "true" to pause delivery without deleting the subscription
    subscription-pause: "false"
  annotations:
    # Only the sandbox overlay of the policy is subscribed; github-branch and
    # reconcile-rate are added by the development/ or production/ kustomization.
    apps.open-cluster-management.io/github-path: policies/policy-serverless/sandbox
spec:
  channel: acm-channels/cluster-gitops
  placement:
    local: true # delivered to the hub cluster itself
  # timewindow:
  #   windowtype: "active"
  #   location: "America/Los_Angeles"
  #   daysofweek: [ "Friday", "Saturday", "Sunday" ]
  #   hours:
  #     - start: "05:00PM"
  #       end: "10:00PM"
---
# NOTE(review): second copy of the same Subscription (same name, same git
# path) in the acm-addons namespace, so the serverless policy is delivered
# twice and each namespace ends up with its own copy of it — confirm the
# duplication is intended.
apiVersion: apps.open-cluster-management.io/v1
kind: Subscription
metadata:
  name: sb-serverless
  namespace: acm-addons
  labels:
    subscription-pause: "false"
  annotations:
    apps.open-cluster-management.io/github-path: policies/policy-serverless/sandbox
spec:
  channel: acm-channels/cluster-gitops
  placement:
    local: true
  # timewindow:
  #   windowtype: "active"
  #   location: "America/Los_Angeles"
  #   daysofweek: [ "Friday", "Saturday", "Sunday" ]
  #   hours:
  #     - start: "05:00PM"
  #       end: "10:00PM"
--------------------------------------------------------------------------------
/policies/subscriptions/development/kustomization.yaml:
--------------------------------------------------------------------------------
---
apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization

# `bases` is deprecated in current kustomize; `resources:` accepts the same path.
bases:
  - ../base

# When applying the kustomization for development, use the development
# branch and set the reconcile-rate to 'off' for on-demand reconciliation.
# These annotations are added to every Subscription in ../base, so a policy
# change on the development branch only reaches the hub when someone triggers
# a reconcile.
commonAnnotations:
  apps.open-cluster-management.io/github-branch: development
  apps.open-cluster-management.io/reconcile-rate: "off"
--------------------------------------------------------------------------------
/policies/subscriptions/production/kustomization.yaml:
--------------------------------------------------------------------------------
---
apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization

# `bases` is deprecated in current kustomize; `resources:` accepts the same path.
bases:
  - ../base

# When applying the kustomization for production, use the production
# branch and leave the reconcile-rate at its implicit default of 'medium':
#   medium = check for new commits every 3 minutes,
#            force reconcile every 15 minutes.
# Every Subscription in ../base therefore tracks master continuously; a merge
# to master is live on the hub within minutes.
commonAnnotations:
  apps.open-cluster-management.io/github-branch: master
--------------------------------------------------------------------------------