diff --git a/community/CA-Security-Assessment-and-Authorization/policy-compliance-operator-install-upstream.yaml b/community/CA-Security-Assessment-and-Authorization/policy-compliance-operator-install-upstream.yaml
new file mode 100644
index 00000000..d8566383
--- /dev/null
+++ b/community/CA-Security-Assessment-and-Authorization/policy-compliance-operator-install-upstream.yaml
@@ -0,0 +1,132 @@
+# This policy verifies the installation of the upstream version of the
+# Compliance Operator on the managed clusters.
+#
+# If set to "enforce" it'll install the operator.
+#
+# Note that OpenShift 4.6 is required.
+apiVersion: policy.open-cluster-management.io/v1
+kind: Policy
+metadata:
+ name: policy-comp-operator
+ annotations:
+ policy.open-cluster-management.io/standards: NIST SP 800-53
+ policy.open-cluster-management.io/categories: CA Security Assessment and Authorization
+ policy.open-cluster-management.io/controls: CA-2 Security Assessments, CA-7 Continuous Monitoring
+spec:
+ remediationAction: inform
+ disabled: false
+ policy-templates:
+ - objectDefinition:
+ apiVersion: policy.open-cluster-management.io/v1
+ kind: ConfigurationPolicy
+ metadata:
+ name: comp-operator-ns
+ spec:
+ remediationAction: inform # will be overridden by remediationAction in parent policy
+ severity: high
+ namespaceSelector:
+ exclude: ["kube-*"]
+ include: ["*"]
+ object-templates:
+ - complianceType: musthave
+ objectDefinition:
+ apiVersion: v1
+ kind: Namespace
+ metadata:
+ name: openshift-compliance
+ - objectDefinition:
+ apiVersion: policy.open-cluster-management.io/v1
+ kind: ConfigurationPolicy
+ metadata:
+ name: comp-operator-catalog-source
+ spec:
+ remediationAction: inform # will be overridden by remediationAction in parent policy
+ severity: high
+ namespaceSelector:
+ exclude: ["kube-*"]
+ include: ["*"]
+ object-templates:
+ - complianceType: musthave
+ objectDefinition:
+ apiVersion: operators.coreos.com/v1alpha1
+ kind: CatalogSource
+ metadata:
+ name: compliance-operator
+ namespace: openshift-marketplace
+ spec:
+ displayName: Compliance Operator Upstream
+ publisher: github.com/openshift/compliance-operator
+ sourceType: grpc
+ image: quay.io/compliance-operator/compliance-operator-index:latest
+ - objectDefinition:
+ apiVersion: policy.open-cluster-management.io/v1
+ kind: ConfigurationPolicy
+ metadata:
+ name: comp-operator-operator-group
+ spec:
+ remediationAction: inform # will be overridden by remediationAction in parent policy
+ severity: high
+ namespaceSelector:
+ exclude: ["kube-*"]
+ include: ["*"]
+ object-templates:
+ - complianceType: musthave
+ objectDefinition:
+ apiVersion: operators.coreos.com/v1
+ kind: OperatorGroup
+ metadata:
+ name: compliance-operator
+ namespace: openshift-compliance
+ spec:
+ selector:
+ matchLabels:
+ policy.open-cluster-management.io/isClusterNamespace: "true"
+ - objectDefinition:
+ apiVersion: policy.open-cluster-management.io/v1
+ kind: ConfigurationPolicy
+ metadata:
+ name: comp-operator-subscription
+ spec:
+ remediationAction: inform # will be overridden by remediationAction in parent policy
+ severity: high
+ namespaceSelector:
+ exclude: ["kube-*"]
+ include: ["*"]
+ object-templates:
+ - complianceType: musthave
+ objectDefinition:
+ apiVersion: operators.coreos.com/v1alpha1
+ kind: Subscription
+ metadata:
+ name: compliance-operator-sub
+ namespace: openshift-compliance
+ spec:
+ channel: alpha
+ name: compliance-operator
+ source: compliance-operator
+ sourceNamespace: openshift-marketplace
+---
+apiVersion: policy.open-cluster-management.io/v1
+kind: PlacementBinding
+metadata:
+ name: binding-policy-comp-operator
+placementRef:
+ name: placement-policy-comp-operator
+ kind: PlacementRule
+ apiGroup: apps.open-cluster-management.io
+subjects:
+- name: policy-comp-operator
+ kind: Policy
+ apiGroup: policy.open-cluster-management.io
+---
+apiVersion: apps.open-cluster-management.io/v1
+kind: PlacementRule
+metadata:
+ name: placement-policy-comp-operator
+spec:
+ clusterConditions:
+ - status: "True"
+ type: ManagedClusterConditionAvailable
+ clusterSelector:
+ matchExpressions:
+ - {key: vendor, operator: In, values: ["OpenShift"]}
diff --git a/community/README.md b/community/README.md
index b34fa55f..9226129c 100644
--- a/community/README.md
+++ b/community/README.md
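Review bot: The CatalogSource in the comp-operator-catalog-source template pulls `quay.io/compliance-operator/compliance-operator-index:latest`, a mutable tag, so the operator bundle a managed cluster installs when this policy is enforced is whatever the index happened to resolve to at pull time and cannot be reproduced or attested afterwards — a weak footing for a policy annotated with CA-2/CA-7. Pin the index by digest, e.g. `image: quay.io/compliance-operator/compliance-operator-index@sha256:<INDEX_DIGEST>` (placeholder), or at least to a versioned tag, with a comment above the line saying it is the community-maintained index and why it is pinned. The comp-operator-subscription template also omits `installPlanApproval`, so OLM's default automatic approval applies and every update published on the `alpha` channel is installed unreviewed; if that is not intended, add `installPlanApproval: Manual` under the Subscription spec. The `namespaceSelector` blocks on all four ConfigurationPolicies appear to be unused, since each object-template is either cluster-scoped (the Namespace) or carries an explicit `namespace:`, so I would either drop them or add a comment stating they are deliberate.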
@@ -25,8 +25,8 @@ Policies in this folder are organized by [NIST Special Publication 800-53](https