forked from open-cluster-management-io/policy-collection
-
Notifications
You must be signed in to change notification settings - Fork 34
Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
Add autoimport policy to include MultiClusterEngineHCP & Fix ROSA aut…
…o import policy Signed-off-by: melserngawy <[email protected]> (cherry picked from commit e3692c7)
- Loading branch information
1 parent
7f94319
commit b4c6058
Showing
2 changed files
with
112 additions
and
5 deletions.
There are no files selected for viewing
109 changes: 109 additions & 0 deletions
109
community/CM-Configuration-Management/policy-mce-hcp-autoimport.yaml
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,109 @@ | ||
| apiVersion: policy.open-cluster-management.io/v1 | ||
| kind: Policy | ||
| metadata: | ||
| name: policy-mce-hcp-autoimport | ||
| namespace: open-cluster-management-global-set | ||
| annotations: | ||
| policy.open-cluster-management.io/standards: NIST SP 800-53 | ||
| policy.open-cluster-management.io/categories: CM Configuration Management | ||
| policy.open-cluster-management.io/controls: CM-2 Baseline Configuration | ||
| policy.open-cluster-management.io/description: Discovered clusters that are of | ||
| type MultiClusterEngineHCP can be automatically imported into ACM as managed clusters. | ||
| This policy helps you select those managed clusters and configure them so the import | ||
| will happen. Fine tuning MultiClusterEngineHCP clusters to be automatically imported | ||
| can be done by configure filters at the configMap or add annotation to the discoverd cluster. | ||
| spec: | ||
| # Remove the default remediation below to enforce the policies. | ||
| remediationAction: inform | ||
| disabled: false | ||
| policy-templates: | ||
| - objectDefinition: | ||
| apiVersion: policy.open-cluster-management.io/v1 | ||
| kind: ConfigurationPolicy | ||
| metadata: | ||
| name: mce-hcp-autoimport-config | ||
| spec: | ||
| object-templates: | ||
| - complianceType: musthave | ||
| objectDefinition: | ||
| apiVersion: v1 | ||
| kind: ConfigMap | ||
| metadata: | ||
| name: discovery-config | ||
| namespace: open-cluster-management-global-set | ||
| data: | ||
| rosa-filter: "" | ||
| remediationAction: enforce | ||
| severity: low | ||
| - objectDefinition: | ||
| apiVersion: policy.open-cluster-management.io/v1 | ||
| kind: ConfigurationPolicy | ||
| metadata: | ||
| name: policy-mce-hcp-autoimport | ||
| spec: | ||
| remediationAction: enforce | ||
| severity: low | ||
| object-templates-raw: | | ||
| {{- /* find the MultiClusterEngineHCP DiscoveredClusters */ -}} | ||
| {{- range $dc := (lookup "discovery.open-cluster-management.io/v1" "DiscoveredCluster" "" "").items }} | ||
| {{- /* Check for the flag that indicates the import should be skipped */ -}} | ||
| {{- $skip := "false" -}} | ||
| {{- range $key, $value := $dc.metadata.annotations }} | ||
| {{- if and (eq $key "discovery.open-cluster-management.io/previously-auto-imported") | ||
| (eq $value "true") }} | ||
| {{- $skip = "true" }} | ||
| {{- end }} | ||
| {{- end }} | ||
| {{- /* if the type is MultiClusterEngineHCP and the status is Active */ -}} | ||
| {{- if and (eq $dc.spec.status "Active") | ||
| (contains (fromConfigMap "open-cluster-management-global-set" "discovery-config" "mce-hcp-filter") $dc.spec.displayName) | ||
| (eq $dc.spec.type "MultiClusterEngineHCP") | ||
| (eq $skip "false") }} | ||
| - complianceType: musthave | ||
| objectDefinition: | ||
| apiVersion: discovery.open-cluster-management.io/v1 | ||
| kind: DiscoveredCluster | ||
| metadata: | ||
| name: {{ $dc.metadata.name }} | ||
| namespace: {{ $dc.metadata.namespace }} | ||
| spec: | ||
| importAsManagedCluster: true | ||
| {{- end }} | ||
| {{- end }} | ||
| - objectDefinition: | ||
| apiVersion: policy.open-cluster-management.io/v1 | ||
| kind: ConfigurationPolicy | ||
| metadata: | ||
| name: policy-mce-hcp-managedcluster-status | ||
| spec: | ||
| remediationAction: inform | ||
| severity: low | ||
| object-templates-raw: | | ||
| {{- /* Use the same DiscoveredCluster list to check ManagedCluster status */ -}} | ||
| {{- range $dc := (lookup "discovery.open-cluster-management.io/v1" "DiscoveredCluster" "" "").items }} | ||
| {{- /* Check for the flag that indicates the import should be skipped */ -}} | ||
| {{- $skip := "false" -}} | ||
| {{- range $key, $value := $dc.metadata.annotations }} | ||
| {{- if and (eq $key "discovery.open-cluster-management.io/previously-auto-imported") | ||
| (eq $value "true") }} | ||
| {{- $skip = "true" }} | ||
| {{- end }} | ||
| {{- end }} | ||
| {{- /* if the type is MultiClusterEngineHCP and the status is Active */ -}} | ||
| {{- if and (eq $dc.spec.status "Active") | ||
| (contains (fromConfigMap "open-cluster-management-global-set" "discovery-config" "mce-hcp-filter") $dc.spec.displayName) | ||
| (eq $dc.spec.type "MultiClusterEngineHCP") | ||
| (eq $skip "false") }} | ||
| - complianceType: musthave | ||
| objectDefinition: | ||
| apiVersion: cluster.open-cluster-management.io/v1 | ||
| kind: ManagedCluster | ||
| metadata: | ||
| name: {{ $dc.spec.displayName }} | ||
| namespace: {{ $dc.spec.displayName }} | ||
| status: | ||
| conditions: | ||
| - type: ManagedClusterConditionAvailable | ||
| status: "True" | ||
| {{- end }} | ||
| {{- end }} |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters