forked from open-cluster-management-io/policy-collection
-
Notifications
You must be signed in to change notification settings - Fork 0
/
policy-blackduck.yaml
199 lines (199 loc) · 6.96 KB
/
policy-blackduck.yaml
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
# This policy verifies the installation of the supported version of
# the Black Duck Connector Operator & the Black Duck Connector on the managed clusters.
# It also verifies all the containers on the specified namespace are are not
# in Black Duck's policy violation.
#
# If set to "enforce" it'll install the operator & connector.
#
# Note that OpenShift 4.6 is required.
apiVersion: policy.open-cluster-management.io/v1
kind: Policy
metadata:
name: policy-blackduck
annotations:
policy.open-cluster-management.io/standards: NIST SP 800-53
policy.open-cluster-management.io/categories: SI System and Information Integrity
policy.open-cluster-management.io/controls: SI-4 Information System Monitoring
spec:
remediationAction: enforce
disabled: false
policy-templates:
- objectDefinition:
apiVersion: policy.open-cluster-management.io/v1
kind: ConfigurationPolicy
metadata:
name: policy-blackduck-operator
spec:
remediationAction: inform
severity: high
object-templates:
- complianceType: musthave # Makes sure operators are installed on all clusters
objectDefinition:
apiVersion: operators.coreos.com/v1alpha1
kind: Subscription
metadata:
name: blackduck-connector-operator
namespace: openshift-operators
spec:
channel: alpha
installPlanApproval: Automatic
name: blackduck-connector-operator
source: certified-operators
sourceNamespace: openshift-marketplace
startingCSV: blackduck-connector-operator.v1.0.0
- objectDefinition:
apiVersion: policy.open-cluster-management.io/v1
kind: ConfigurationPolicy
metadata:
name: policy-blackduck-connector
spec:
remediationAction: inform
severity: high
object-templates:
- complianceType: musthave # Makes sure connectors are installed on all clusters
objectDefinition:
apiVersion: charts.synopsys.com/v1alpha1
kind: BlackduckConnector
metadata:
name: blackduckconnector
namespace: openshift-operators
spec:
externalBlackDuck:
- scheme: https
domain: example.blackduck.synopsys.com # users need to fill this out
port: 443
user: example_admin # users need to fill this out
password: example_password # users need to fill this out
concurrentScanLimit: 3
logLevel: debug
podProcessor:
nameSpaceFilter: 'default' # users need to fill this out
enabled: true
resources:
requests:
cpu: 300m
memory: 1300Mi
securedRegistries: []
artifactoryProcessor:
dumper: false
enabled: false
expose: None
resources:
requests:
cpu: 300m
memory: 1300Mi
blackduck:
connectionsEnvironmentVariableName: blackduck.json
tlsVerification: false
core:
expose: None
port: 3001
resources:
requests:
cpu: 300m
memory: 1300Mi
timings:
checkForStalledScansPauseHours: 999999
clientTimeoutMilliseconds: 100000
modelMetricsPauseSeconds: 15
stalledScanClientTimeoutHours: 999999
unknownImagePauseMilliseconds: 15000
useMockMode: false
fullnameOverride: ''
imageGetter:
createImagesOnly: false
host: localhost
imagePullerType: skopeo
port: 3004
resources:
requests:
cpu: 300m
memory: 1300Mi
imageProcessor:
enabled: false
resources:
requests:
cpu: 300m
memory: 1300Mi
imagePullSecrets: []
imageTag: 2.2.5
nameOverride: ''
processor:
annotationIntervalSeconds: 30
certificate: ''
certificateKey: ''
dumpIntervalMinutes: 30
port: 3002
prometheus:
affinity: {}
enabled: false
expose: None
imageTag: v2.1.0
nodeSelector: {}
podSecurityContext: {}
registry: docker.io/prom
resources:
requests:
cpu: 300m
memory: 1300Mi
securityContext: {}
tolerations: []
quayProcessor:
enabled: false
expose: None
resources:
requests:
cpu: 300m
memory: 1300Mi
registry: docker.io/blackducksoftware
scanner:
blackDuckClientTimeoutSeconds: 600
imageDirectory: /var/images
port: 3003
replicas: 1
resources:
requests:
cpu: 300m
memory: 1300Mi
- objectDefinition:
apiVersion: policy.open-cluster-management.io/v1
kind: ConfigurationPolicy
metadata:
name: policy-blackduck-labels
spec:
remediationAction: inform
severity: high
object-templates:
- complianceType: mustnothave # Makes sure pods are not in any kind of black duck policy violations
objectDefinition:
apiVersion: v1
kind: Pod
metadata:
labels:
com.blackducksoftware.com.pod.overall-status: IN_VIOLATION
namespace: default
---
apiVersion: policy.open-cluster-management.io/v1
kind: PlacementBinding
metadata:
name: binding-blackduck-operator
placementRef:
name: placement-blackduck-operator
kind: PlacementRule
apiGroup: apps.open-cluster-management.io
subjects:
- name: blackduck-operator
kind: Policy
apiGroup: policy.open-cluster-management.io
---
apiVersion: apps.open-cluster-management.io/v1
kind: PlacementRule
metadata:
name: placement-blackduck-operator
spec:
clusterConditions:
- status: "True"
type: ManagedClusterConditionAvailable
clusterSelector:
matchExpressions:
[] # selects all clusters if not specified