forked from open-cluster-management-io/policy-collection
-
Notifications
You must be signed in to change notification settings - Fork 0
/
policy-configure-appworkloads-rbac-sample.yaml
190 lines (189 loc) · 7.06 KB
/
policy-configure-appworkloads-rbac-sample.yaml
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
# This is a sample policy to demonstrate configuring RBAC for application workloads
# running on managedclusters.
# NOTE* This policy is not rbac for administering applications or policies through ACM hub,
# it is rbac for directly accessing and working with applications on the managedclusters.
#
# This Policy considers the following example scenario
# Two different applications X and Y are running on the Cluster.
# Application X is deployed in namespace project-x
# Application Y is deployed in namespace project-y
#
# This Policy Configures the following rbac model for the above scenario
# UsersGroups: SreAdminGrp, AppX-AdminGrp, AppX-ViewGrp, AppY-AdminGrp, AppY-ViewGrp
# Rolebindings:
# SreAdminGrp has cluster-admin access to the Cluster
# AppX-AdminGrp has admin access to the namespace project-x where AppX is deployed
# AppY-ViewGrp has view access to the namespace project-x where AppX is deployed
# AppX-AdminGrp has admin access to the namespace project-y where AppY is deployed
# AppY-ViewGrp has view access to the namespace project-y where AppY is deployed
apiVersion: policy.open-cluster-management.io/v1
kind: Policy
metadata:
name: policy-configure-appworkloads-rbac
annotations:
policy.open-cluster-management.io/standards: NIST SP 800-53
policy.open-cluster-management.io/categories: AC Access Control
policy.open-cluster-management.io/controls: AC-3 Access Enforcement
spec:
remediationAction: inform
disabled: false
policy-templates:
- objectDefinition:
apiVersion: policy.open-cluster-management.io/v1
kind: ConfigurationPolicy
metadata:
name: policy-configure-appworkloads-rbac-example
spec:
remediationAction: inform # the policy-template spec.remediationAction is overridden by the preceding parameter value for spec.remediationAction.
severity: high
object-templates:
- complianceType: musthave
objectDefinition:
kind: Group
apiVersion: user.openshift.io/v1
metadata:
name: SreAdminGrp
users: null
- complianceType: musthave
objectDefinition:
kind: Group
apiVersion: user.openshift.io/v1
metadata:
name: AppX-AdminGrp
users: null
- complianceType: musthave
objectDefinition:
kind: Group
apiVersion: user.openshift.io/v1
metadata:
name: AppX-ViewGrp
users: null
- complianceType: musthave
objectDefinition:
kind: Group
apiVersion: user.openshift.io/v1
metadata:
name: AppY-AdminGrp
users: null
- complianceType: musthave
objectDefinition:
kind: Group
apiVersion: user.openshift.io/v1
metadata:
name: AppY-ViewGrp
users: null
- complianceType: musthave
objectDefinition:
apiVersion: v1
kind: Namespace
metadata:
name: project-x
labels:
purpose: namespace-for-sample-AppX-artifacts
- complianceType: musthave
objectDefinition:
apiVersion: v1
kind: Namespace
metadata:
name: project-y
labels:
purpose: namespace-for-sample-AppY-artifacts
- complianceType: musthave
objectDefinition:
kind: ClusterRoleBinding
apiVersion: rbac.authorization.k8s.io/v1
metadata:
name: SreAdmin-Binding
subjects:
- kind: Group
apiGroup: rbac.authorization.k8s.io
name: SreAdminGrp
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: ClusterRole
name: cluster-admin
- complianceType: musthave
objectDefinition:
kind: RoleBinding
apiVersion: rbac.authorization.k8s.io/v1
metadata:
name: AppX-Admin-Binding
namespace: project-x
subjects:
- kind: Group
apiGroup: rbac.authorization.k8s.io
name: AppX-AdminGrp
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: ClusterRole
name: admin
- complianceType: musthave
objectDefinition:
kind: RoleBinding
apiVersion: rbac.authorization.k8s.io/v1
metadata:
name: AppX-View-Binding
namespace: project-x
subjects:
- kind: Group
apiGroup: rbac.authorization.k8s.io
name: AppX-ViewGrp
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: ClusterRole
name: view
- complianceType: musthave
objectDefinition:
kind: RoleBinding
apiVersion: rbac.authorization.k8s.io/v1
metadata:
name: AppY-Admin-Binding
namespace: project-y
subjects:
- kind: Group
apiGroup: rbac.authorization.k8s.io
name: AppY-AdminGrp
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: ClusterRole
name: admin
- complianceType: musthave
objectDefinition:
kind: RoleBinding
apiVersion: rbac.authorization.k8s.io/v1
metadata:
name: AppY-View-Binding
namespace: project-y
subjects:
- kind: Group
apiGroup: rbac.authorization.k8s.io
name: AppY-ViewGrp
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: ClusterRole
name: view
---
apiVersion: policy.open-cluster-management.io/v1
kind: PlacementBinding
metadata:
name: binding-policy-configure-appworkloads-rbac
placementRef:
name: placement-policy-configure-appworkloads-rbac
kind: PlacementRule
apiGroup: apps.open-cluster-management.io
subjects:
- name: policy-configure-appworkloads-rbac
kind: Policy
apiGroup: policy.open-cluster-management.io
---
apiVersion: apps.open-cluster-management.io/v1
kind: PlacementRule
metadata:
name: placement-policy-configure-appworkloads-rbac
spec:
clusterConditions:
- status: "True"
type: ManagedClusterConditionAvailable
clusterSelector:
matchExpressions:
- {key: environment, operator: In, values: ["dev"]}