forked from open-cluster-management-io/policy-collection
-
Notifications
You must be signed in to change notification settings - Fork 0
/
policy-enable-if-etcd-encrypted-templatized.yaml
116 lines (113 loc) · 4.32 KB
/
policy-enable-if-etcd-encrypted-templatized.yaml
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
#This demonstrates enabling root policy based on status of a resource on the hub-cluster , using templates
# Below shows two policies
# 1 - policy-conditionalsecret : Enforces a Secret resource on the cluster, it is disabled by default.
# 2 - policy-conditionalsecret-enabler : Checks if etcd encryption is set and enables the above policy #1 that enforces a secure secret.
#NOTE
#The file has 2 related policies clubbed together,
#when deploying through GRC UI Editor pls copy paste each policy resource individually as the ui can handle only one policy at a time.
#pls make sure to deploy both policies in the same namespace and replace any placeholder <POLICIESNS> in this file with the policy namespace.
apiVersion: policy.open-cluster-management.io/v1
kind: Policy
metadata:
name: policy-conditionalsecret
annotations:
policy.open-cluster-management.io/standards: NIST 800-53, NIST-CSF
policy.open-cluster-management.io/categories: CM Configuration Management, PR.IP Information Protection Processes and Procedures
policy.open-cluster-management.io/controls: CM-2 Baseline Configuration, PR.IP-1 Baseline Configuration
spec:
remediationAction: enforce
disabled: true #policy is disabled by default, will be enabled by enabler policy (see below) if/when etcd encryption is enabled
policy-templates:
- objectDefinition:
apiVersion: policy.open-cluster-management.io/v1
kind: ConfigurationPolicy
metadata:
name: policy-conditionalsecret
spec:
remediationAction: inform
severity: low
namespaceSelector:
exclude:
- kube-*
include:
- default
object-templates:
- complianceType: musthave
objectDefinition:
apiVersion: v1
kind: Secret
metadata:
name: cloudconnectioncreds
namespace: default
type: Opaque
data:
AWS_USER: Zm9v
AWS_PASS: YmFy
---
apiVersion: policy.open-cluster-management.io/v1
kind: Policy
metadata:
name: policy-conditionalsecret-enabler
annotations:
policy.open-cluster-management.io/standards: NIST 800-53
policy.open-cluster-management.io/categories: CM Configuration Management
policy.open-cluster-management.io/controls: CM-2 Baseline Configuration
spec:
remediationAction: enforce
disabled: false
policy-templates:
- objectDefinition:
apiVersion: policy.open-cluster-management.io/v1
kind: ConfigurationPolicy
metadata:
name: policy-conditionalsecret-enabler
spec:
remediationAction: inform
severity: low
namespaceSelector:
exclude:
- kube-*
include:
- default
object-templates:
- complianceType: musthave
objectDefinition:
kind: Policy
apiVersion: policy.open-cluster-management.io/v1
metadata:
name: policy-conditionalsecret #name should match the name of the root policy that is being enabled
namespace: <POLICIESNS> #namespace should match the ns of the root policy that is being enabled
spec:
# disable is set to true if encryption.type != aescbc else it is set to false ,
disabled: '{{ ne (lookup "config.openshift.io/v1" "APIServer" "" "cluster").spec.encryption.type "aescbc" | print | toBool }}'
---
apiVersion: policy.open-cluster-management.io/v1
kind: PlacementBinding
metadata:
name: binding-policy-conditionalsecret-common
placementRef:
name: placement-policy-conditionalsecret-common
kind: PlacementRule
apiGroup: apps.open-cluster-management.io
subjects:
- name: policy-conditionalsecret
kind: Policy
apiGroup: policy.open-cluster-management.io
- name: policy-conditionalsecret-enabler
kind: Policy
apiGroup: policy.open-cluster-management.io
---
apiVersion: apps.open-cluster-management.io/v1
kind: PlacementRule
metadata:
name: placement-policy-conditionalsecret-common
spec:
clusterConditions:
- status: 'True'
type: ManagedClusterConditionAvailable
clusterSelector:
matchExpressions:
- key: local-cluster
operator: In
values:
- 'true'