[Manual]Delete placementRule and placementBinding #87

Merged
merged 3 commits into from
Aug 26, 2024
18 changes: 9 additions & 9 deletions README.md
Original file line number Diff line number Diff line change
Expand Up @@ -2,6 +2,13 @@

A collection of policy examples for Open Cluster Management.

> **Important**: The `PlacementRule` resource has been deprecated so policy users must begin moving to
the Placement API instead. See the
[Transitioning from `PlacementRule`(deprecated) to `Placement`](#transitioning-from-placementruledeprecated-to-placement)
that provides details below to learn how to begin using Placement. Policies will no longer include
placement details as part of contributions since placement resources can be shared to avoid
duplication and to allow users to choose different ways of including placement with gitops.

## Repository structure

This repository hosts policies for Open Cluster Management. You can find policies from the following
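Review bot: In the added Important note, the sentence "See the [Transitioning from `PlacementRule`(deprecated) to `Placement`] that provides details below to learn how to begin using Placement" has no noun after the link and reads awkwardly. Suggest "See the [Transitioning from `PlacementRule`(deprecated) to `Placement`](#transitioning-from-placementruledeprecated-to-placement) section below to learn how to begin using Placement".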
Expand Down Expand Up @@ -35,13 +42,6 @@ for details on installing the Application addon. **Note**: If you are using Argo
similar script [argoDeploy.sh](deploy/argoDeploy.sh) is provided that does not require the
Application Lifecycle addon.

The policies are applied to all managed clusters that are available, and have the `environment` set
to `dev`. If policies need to be applied to another set of clusters, update the
`PlacementRule.spec.clusterSelector.matchExpressions` section in the policies.

**Note**: As new clusters are added that fit the criteria previously mentioned, the policies are
applied automatically.

### Subscription Administrator

In new versions of Open Cluster Management you must be a subscription administrator in order to
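Review bot: The paragraph removed after the argoDeploy.sh note was where the README said which clusters the deployed policies land on (`environment` set to `dev`) and that new matching clusters pick them up automatically, and nothing replaces it. Since the policies in this repository no longer carry a `PlacementBinding`, add a sentence here saying that the deployed policies are not placed on any managed cluster until the user creates a `Placement` and a `PlacementBinding`, with a link to the transition section.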
Expand Down Expand Up @@ -185,8 +185,8 @@ following steps on migrating from `PlacementRule` to `Placement`:
- {key: environment, operator: In, values: ["dev"]}
```

See the [Placement documentation](https://open-cluster-management.io/concepts/placement/) for
additional details on selecting managed clusters using `Placement`.
See the [Placement documentation](https://open-cluster-management.io/concepts/placement/) for
additional details on selecting managed clusters using `Placement`.

4. Identify any `PlacementBinding` resources that reference a `PlacementRule`. Update the
`PlacementBinding` to reference the new `Placement`:
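Review bot: The two "See the [Placement documentation]" lines differ only in leading whitespace. Check that the new indentation matches the content of list item 3, so the paragraph stays inside that item and the following "4. Identify any `PlacementBinding` resources" keeps its number when rendered.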
Expand Down
Original file line number Diff line number Diff line change
Expand Up @@ -163,25 +163,3 @@ spec:
apiGroup: rbac.authorization.k8s.io
kind: ClusterRole
name: view
---
apiVersion: policy.open-cluster-management.io/v1
kind: PlacementBinding
metadata:
name: binding-policy-configure-appworkloads-rbac
placementRef:
name: placement-policy-configure-appworkloads-rbac
kind: PlacementRule
apiGroup: apps.open-cluster-management.io
subjects:
- name: policy-configure-appworkloads-rbac
kind: Policy
apiGroup: policy.open-cluster-management.io
---
apiVersion: apps.open-cluster-management.io/v1
kind: PlacementRule
metadata:
name: placement-policy-configure-appworkloads-rbac
spec:
clusterSelector:
matchExpressions:
- {key: environment, operator: In, values: ["dev"]}
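Review bot: The deleted `PlacementRule` at the end of this file was the only record that the policy targets clusters matching `{key: environment, operator: In, values: ["dev"]}`; after the removal the file says nothing about its intended scope. Suggest a short comment or description in the remaining `Policy` naming the intended target, so users who write their own `Placement` and `PlacementBinding` for `policy-configure-appworkloads-rbac` know what the example was designed for.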
Original file line number Diff line number Diff line change
Expand Up @@ -89,25 +89,3 @@ spec:
apiGroup: rbac.authorization.k8s.io
kind: ClusterRole
name: admin
---
apiVersion: policy.open-cluster-management.io/v1
kind: PlacementBinding
metadata:
name: binding-policy-configure-clusterlevel-rbac
placementRef:
name: placement-policy-configure-clusterlevel-rbac
kind: PlacementRule
apiGroup: apps.open-cluster-management.io
subjects:
- name: policy-configure-clusterlevel-rbac
kind: Policy
apiGroup: policy.open-cluster-management.io
---
apiVersion: apps.open-cluster-management.io/v1
kind: PlacementRule
metadata:
name: placement-policy-configure-clusterlevel-rbac
spec:
clusterSelector:
matchExpressions:
- {key: local-cluster, operator: In, values: ['true']}
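Review bot: The deleted `PlacementRule` selected `local-cluster` in `['true']`, so this policy, which ends in a binding to the `admin` ClusterRole, was scoped to the hub only. With the selector gone nothing in the file records that, and a user who binds `policy-configure-clusterlevel-rbac` to a shared `Placement` that matches all managed clusters would apply this RBAC policy to each of them. Suggest stating the hub-only target in the policy description or in a comment at the top of the file.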
Original file line number Diff line number Diff line change
Expand Up @@ -99,25 +99,3 @@ spec:
constraint_kind: K8sDisallowAnonymous
constraint_name: no-anonymous
event_type: violation
---
apiVersion: policy.open-cluster-management.io/v1
kind: PlacementBinding
metadata:
name: binding-policy-gatekeeper-disallow-anonymous
placementRef:
name: placement-policy-gatekeeper-disallow-anonymous
kind: PlacementRule
apiGroup: apps.open-cluster-management.io
subjects:
- name: policy-gatekeeper-disallow-anonymous
kind: Policy
apiGroup: policy.open-cluster-management.io
---
apiVersion: apps.open-cluster-management.io/v1
kind: PlacementRule
metadata:
name: placement-policy-gatekeeper-disallow-anonymous
spec:
clusterSelector:
matchExpressions:
- {key: environment, operator: In, values: ["dev"]}
Original file line number Diff line number Diff line change
Expand Up @@ -129,28 +129,3 @@ spec:
apiGroup: rbac.authorization.k8s.io
kind: ClusterRole
name: admin
---
apiVersion: policy.open-cluster-management.io/v1
kind: PlacementBinding
metadata:
name: binding-policy-rbac-adminiterpolicies
placementRef:
name: placement-policy-rbac-adminiterpolicies
kind: PlacementRule
apiGroup: apps.open-cluster-management.io
subjects:
- name: policy-rbac-adminiterpolicies
kind: Policy
apiGroup: policy.open-cluster-management.io
---
apiVersion: apps.open-cluster-management.io/v1
kind: PlacementRule
metadata:
name: placement-policy-rbac-adminiterpolicies
spec:
clusterSelector:
matchExpressions:
- key: local-cluster
operator: In
values:
- 'true'
22 changes: 0 additions & 22 deletions community/AC-Access-Control/policy-roles-no-wildcards.yaml
Original file line number Diff line number Diff line change
Expand Up @@ -32,25 +32,3 @@ spec:
- '*'
verbs:
- '*'
---
apiVersion: policy.open-cluster-management.io/v1
kind: PlacementBinding
metadata:
name: binding-policy-disallowed-roles
placementRef:
name: placement-policy-disallowed-roles
kind: PlacementRule
apiGroup: apps.open-cluster-management.io
subjects:
- name: policy-disallowed-roles
kind: Policy
apiGroup: policy.open-cluster-management.io
---
apiVersion: apps.open-cluster-management.io/v1
kind: PlacementRule
metadata:
name: placement-policy-disallowed-roles
spec:
clusterSelector:
matchExpressions:
- {key: environment, operator: In, values: ["dev"]}
Original file line number Diff line number Diff line change
Expand Up @@ -33,28 +33,3 @@ spec:
- group: system:authenticated
profile: AllRequestBodies
profile: Default
---
apiVersion: policy.open-cluster-management.io/v1
kind: PlacementBinding
metadata:
name: binding-config-audit
placementRef:
name: placement-config-audit
kind: PlacementRule
apiGroup: apps.open-cluster-management.io
subjects:
- name: policy-config-audit
kind: Policy
apiGroup: policy.open-cluster-management.io
---
apiVersion: apps.open-cluster-management.io/v1
kind: PlacementRule
metadata:
name: placement-config-audit
spec:
clusterSelector:
matchExpressions:
- key: environment
operator: In
values:
- dev
Original file line number Diff line number Diff line change
Expand Up @@ -39,25 +39,3 @@ spec:
name: 99-master-fips
spec:
fips: true
---
apiVersion: policy.open-cluster-management.io/v1
kind: PlacementBinding
metadata:
name: binding-checkfipscompliance
placementRef:
name: placement-checkfipscompliance
kind: PlacementRule
apiGroup: apps.open-cluster-management.io
subjects:
- name: checkfipscompliance
kind: Policy
apiGroup: policy.open-cluster-management.io
---
apiVersion: apps.open-cluster-management.io/v1
kind: PlacementRule
metadata:
name: placement-checkfipscompliance
spec:
clusterSelector:
matchExpressions:
- {key: environment, operator: In, values: ["dev"]}
Original file line number Diff line number Diff line change
Expand Up @@ -92,25 +92,3 @@ spec:
name: compliance-operator
source: compliance-operator
sourceNamespace: openshift-marketplace
---
apiVersion: policy.open-cluster-management.io/v1
kind: PlacementBinding
metadata:
name: binding-policy-comp-operator
placementRef:
name: placement-policy-comp-operator
kind: PlacementRule
apiGroup: apps.open-cluster-management.io
subjects:
- name: policy-comp-operator
kind: Policy
apiGroup: policy.open-cluster-management.io
---
apiVersion: apps.open-cluster-management.io/v1
kind: PlacementRule
metadata:
name: placement-policy-comp-operator
spec:
clusterSelector:
matchExpressions:
- {key: vendor, operator: In, values: ["OpenShift"]}
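Review bot: The deleted selector `{key: vendor, operator: In, values: ["OpenShift"]}` was what kept this policy off non-OpenShift clusters, while the remaining spec still installs from `sourceNamespace: openshift-marketplace`. Suggest noting the OpenShift-only requirement in the policy description or a comment, so users writing their own `Placement` for `policy-comp-operator` keep a `vendor` label selector.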
Original file line number Diff line number Diff line change
Expand Up @@ -102,25 +102,3 @@ spec:
minReplicas: 2
replicas: 3
scannerComponent: Enabled
---
apiVersion: policy.open-cluster-management.io/v1
kind: PlacementBinding
metadata:
name: binding-policy-advanced-cluster-security-central
placementRef:
name: placement-policy-advanced-cluster-security-central
kind: PlacementRule
apiGroup: apps.open-cluster-management.io
subjects:
- name: policy-advanced-cluster-security-central
kind: Policy
apiGroup: policy.open-cluster-management.io
---
apiVersion: apps.open-cluster-management.io/v1
kind: PlacementRule
metadata:
name: placement-policy-advanced-cluster-security-central
spec:
clusterSelector:
matchExpressions:
- {key: local-cluster, operator: In, values: ["true"]}
Original file line number Diff line number Diff line change
Expand Up @@ -102,26 +102,3 @@ spec:
collector:
collection: EBPF
imageFlavor: Regular
taintToleration: TolerateTaints
---
apiVersion: policy.open-cluster-management.io/v1
kind: PlacementBinding
metadata:
name: binding-policy-advanced-managed-cluster-security
placementRef:
name: placement-policy-advanced-managed-cluster-security
kind: PlacementRule
apiGroup: apps.open-cluster-management.io
subjects:
- name: policy-advanced-managed-cluster-security
kind: Policy
apiGroup: policy.open-cluster-management.io
---
apiVersion: apps.open-cluster-management.io/v1
kind: PlacementRule
metadata:
name: placement-policy-advanced-managed-cluster-security
spec:
clusterSelector:
matchExpressions:
- {key: vendor, operator: In, values: ["OpenShift"]}
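Review bot: The hunk header `-102,26 +102,3` removes 23 lines, one more than the 22-line `PlacementBinding`/`PlacementRule` block, so one of the four collector lines shown above the `---` separator is dropped as well, by position `taintToleration: TolerateTaints`. That is a behaviour change to the collector settings, not a placement cleanup. If it is intentional, call it out in the PR description; otherwise restore the line.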
Original file line number Diff line number Diff line change
Expand Up @@ -49,28 +49,3 @@ spec:
source: redhat-operators
sourceNamespace: openshift-marketplace
startingCSV: awx-resource-operator.v0.1.1
---
apiVersion: policy.open-cluster-management.io/v1
kind: PlacementBinding
metadata:
name: binding-policy-awx-resource-operator
placementRef:
name: placement-policy-awx-resource-operator
kind: PlacementRule
apiGroup: apps.open-cluster-management.io
subjects:
- name: policy-awx-resource-operator
kind: Policy
apiGroup: policy.open-cluster-management.io
---
apiVersion: apps.open-cluster-management.io/v1
kind: PlacementRule
metadata:
name: placement-policy-awx-resource-operator
spec:
clusterSelector:
matchExpressions:
- key: environment
operator: In
values:
- dev
Original file line number Diff line number Diff line change
Expand Up @@ -57,23 +57,6 @@ spec:
packageOverrides:
- packageAlias: argo-cd
packageName: argo-cd
placement:
placementRef:
name: helmchartargo-placement-1
kind: PlacementRule
- complianceType: musthave
objectDefinition:
apiVersion: apps.open-cluster-management.io/v1
kind: PlacementRule
metadata:
name: helmchartargo-placement-1
namespace: argocd
labels:
app: helmchartargo
spec:
clusterSelector:
matchLabels:
environment: dev
- complianceType: musthave
objectDefinition:
apiVersion: apps.open-cluster-management.io/v1
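Review bot: The `placement:` / `placementRef:` block removed here is not the policy's own placement. It belongs to the templated object that carries `packageOverrides`, and the `helmchartargo-placement-1` `PlacementRule` removed with it is an object the policy itself creates in the `argocd` namespace. After this change that object has no placement reference at all, and the README note about policies no longer including placement details does not cover this case. Suggest either replacing it with a `placementRef` to a `Placement` created by the same policy, or documenting in the file that the user must add one.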
Expand All @@ -86,28 +69,3 @@ spec:
spec:
pathname: https://charts.wener.tech
type: HelmRepo
---
apiVersion: policy.open-cluster-management.io/v1
kind: PlacementBinding
metadata:
name: binding-argocd-kubernetes
placementRef:
name: placement-argocd-kubernetes
kind: PlacementRule
apiGroup: apps.open-cluster-management.io
subjects:
- name: policy-argocd-kubernetes
kind: Policy
apiGroup: policy.open-cluster-management.io
---
apiVersion: apps.open-cluster-management.io/v1
kind: PlacementRule
metadata:
name: placement-argocd-kubernetes
spec:
clusterSelector:
matchExpressions:
- key: local-cluster
operator: In
values:
- 'true'