-
Notifications
You must be signed in to change notification settings - Fork 255
/
policy-mce-hcp-autoimport.yaml
109 lines (109 loc) · 5.06 KB
/
policy-mce-hcp-autoimport.yaml
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
apiVersion: policy.open-cluster-management.io/v1
kind: Policy
metadata:
name: policy-mce-hcp-autoimport
namespace: open-cluster-management-global-set
annotations:
policy.open-cluster-management.io/standards: NIST SP 800-53
policy.open-cluster-management.io/categories: CM Configuration Management
policy.open-cluster-management.io/controls: CM-2 Baseline Configuration
policy.open-cluster-management.io/description: Discovered clusters that are of
type MultiClusterEngineHCP can be automatically imported into ACM as managed clusters.
This policy helps you select those managed clusters and configure them so the import
will happen. Fine tuning MultiClusterEngineHCP clusters to be automatically imported
can be done by configure filters at the configMap or add annotation to the discoverd cluster.
spec:
# Remove the default remediation below to enforce the policies.
remediationAction: inform
disabled: false
policy-templates:
- objectDefinition:
apiVersion: policy.open-cluster-management.io/v1
kind: ConfigurationPolicy
metadata:
name: mce-hcp-autoimport-config
spec:
object-templates:
- complianceType: musthave
objectDefinition:
apiVersion: v1
kind: ConfigMap
metadata:
name: discovery-config
namespace: open-cluster-management-global-set
data:
rosa-filter: ""
remediationAction: enforce
severity: low
- objectDefinition:
apiVersion: policy.open-cluster-management.io/v1
kind: ConfigurationPolicy
metadata:
name: policy-mce-hcp-autoimport
spec:
remediationAction: enforce
severity: low
object-templates-raw: |
{{- /* find the MultiClusterEngineHCP DiscoveredClusters */ -}}
{{- range $dc := (lookup "discovery.open-cluster-management.io/v1" "DiscoveredCluster" "" "").items }}
{{- /* Check for the flag that indicates the import should be skipped */ -}}
{{- $skip := "false" -}}
{{- range $key, $value := $dc.metadata.annotations }}
{{- if and (eq $key "discovery.open-cluster-management.io/previously-auto-imported")
(eq $value "true") }}
{{- $skip = "true" }}
{{- end }}
{{- end }}
{{- /* if the type is MultiClusterEngineHCP and the status is Active */ -}}
{{- if and (eq $dc.spec.status "Active")
(contains (fromConfigMap "open-cluster-management-global-set" "discovery-config" "mce-hcp-filter") $dc.spec.displayName)
(eq $dc.spec.type "MultiClusterEngineHCP")
(eq $skip "false") }}
- complianceType: musthave
objectDefinition:
apiVersion: discovery.open-cluster-management.io/v1
kind: DiscoveredCluster
metadata:
name: {{ $dc.metadata.name }}
namespace: {{ $dc.metadata.namespace }}
spec:
importAsManagedCluster: true
{{- end }}
{{- end }}
- objectDefinition:
apiVersion: policy.open-cluster-management.io/v1
kind: ConfigurationPolicy
metadata:
name: policy-mce-hcp-managedcluster-status
spec:
remediationAction: inform
severity: low
object-templates-raw: |
{{- /* Use the same DiscoveredCluster list to check ManagedCluster status */ -}}
{{- range $dc := (lookup "discovery.open-cluster-management.io/v1" "DiscoveredCluster" "" "").items }}
{{- /* Check for the flag that indicates the import should be skipped */ -}}
{{- $skip := "false" -}}
{{- range $key, $value := $dc.metadata.annotations }}
{{- if and (eq $key "discovery.open-cluster-management.io/previously-auto-imported")
(eq $value "true") }}
{{- $skip = "true" }}
{{- end }}
{{- end }}
{{- /* if the type is MultiClusterEngineHCP and the status is Active */ -}}
{{- if and (eq $dc.spec.status "Active")
(contains (fromConfigMap "open-cluster-management-global-set" "discovery-config" "mce-hcp-filter") $dc.spec.displayName)
(eq $dc.spec.type "MultiClusterEngineHCP")
(eq $skip "false") }}
- complianceType: musthave
objectDefinition:
apiVersion: cluster.open-cluster-management.io/v1
kind: ManagedCluster
metadata:
name: {{ $dc.spec.displayName }}
namespace: {{ $dc.spec.displayName }}
status:
conditions:
- type: ManagedClusterConditionAvailable
status: "True"
{{- end }}
{{- end }}