-
Notifications
You must be signed in to change notification settings - Fork 255
/
policy-continuous-restore-event-target-triliovault-for-kubernetes.yaml
100 lines (100 loc) · 3.68 KB
/
policy-continuous-restore-event-target-triliovault-for-kubernetes.yaml
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
# This is the first policy to setup Continuous Restore Functionality using
# Triliovault for Kubernetes (TVK).
#
# This policy creates an event target on 2 clusters (source and target) participating in the
# Continuous Restore Functionality defined with labels "protected-by=triliovault" and
# "tvk-continuous-restore=enabled"
#
# The event target is a shared backup target between 2 clusters (source and target).
#
# Please note TVK should be installed and configured on both the clusters before applying this policy.
#
# Refer - https://docs.trilio.io/kubernetes/management-console/index/continuous-restore#create-an-event-target
#
# IMPORTANT: Please follow below instructions for the policy to work
# 1. On the hub cluster, create a secret aws-s3-secret and a configmap aws-s3-configmap
# in the namespace where this policy is placed. The secret and configmap have AWS S3
# details for target creation.
#
# 1.1 Secret Example yaml (replace the values)
# apiVersion: v1
# kind: Secret
# metadata:
# name: aws-s3-secret
# type: Opaque
# stringData:
# accessKey: "PROVIDE_ACCESS_KEY"
# secretKey: "PROVIDE_SECRET_KEY"
#
# 1.2 ConfigMap Example yaml (replace the values)
# apiVersion: v1
# kind: ConfigMap
# metadata:
# name: aws-s3-configmap
# Data:
# bucketName: "PROVIDE_S3_BUCKET_NAME"
# region: "PROVIDE_REGION"
# thresholdCapacity: "100Gi"
#
apiVersion: policy.open-cluster-management.io/v1
kind: Policy
metadata:
name: tvk-continuous-restore-event-target
annotations:
policy.open-cluster-management.io/categories: CA Security Assessment and Authorization
policy.open-cluster-management.io/standards: NIST SP 800-53
policy.open-cluster-management.io/controls: CA-2 Security Assessments, CA-7 Continuous Monitoring
spec:
disabled: false
remediationAction: inform
policy-templates:
- objectDefinition:
apiVersion: policy.open-cluster-management.io/v1
kind: ConfigurationPolicy
metadata:
name: tvk-s3-secret
spec:
remediationAction: enforce
severity: high
object-templates:
- complianceType: musthave
objectDefinition:
apiVersion: v1
kind: Secret
metadata:
name: tvk-s3-secret
namespace: default
type: Opaque
data:
accessKey: '{{hub fromSecret "" "aws-s3-secret" "accessKey" hub}}'
secretKey: '{{hub fromSecret "" "aws-s3-secret" "secretKey" hub}}'
- objectDefinition:
apiVersion: policy.open-cluster-management.io/v1
kind: ConfigurationPolicy
metadata:
name: tvk-s3-event-target
spec:
remediationAction: enforce
severity: high
object-templates:
- complianceType: musthave
objectDefinition:
apiVersion: triliovault.trilio.io/v1
kind: Target
metadata:
name: tvk-s3-event-target
namespace: default
annotations:
trilio.io/event-target: "true"
spec:
type: ObjectStore
vendor: AWS
objectStoreCredentials:
bucketName: '{{hub fromConfigMap "" "aws-s3-configmap" "bucketName" hub}}'
region: '{{hub fromConfigMap "" "aws-s3-configmap" "region" hub}}'
credentialSecret:
name: tvk-s3-secret
namespace: default
thresholdCapacity: '{{hub fromConfigMap "" "aws-s3-configmap" "thresholdCapacity" hub}}'
status:
status: Available