Add Sysdig Agent enforcement policy (open-cluster-management-io#6)

Signed-off-by: Alvaro Iradier <[email protected]>

community/README.md

@@ -23,6 +23,7 @@ View a list of policies that are organized by the security control catalog.
 * System and Communications Protection
 * System and Information Integrity
   * [Falco Cloud-Native runtime security](./SI-System-and-Information-Integrity/policy-falco.yaml) -- Falco parses Linux system calls from the kernel at runtime, and asserts the stream against a powerful rules engine. If a rule is violated a Falco alert is triggered. See [The Falco Project](https://falco.org/).
+  * [Sysdig Agent](./SI-System-and-Information-Integrity/policy-sysdig.yaml) -- Enforce Sysdig Agent deployment in all targeted clusters. The Sysdig Secure DevOps Platform converges security and compliance with performance and capacity monitoring to create a secure DevOps workflow. It uses the same data to monitor and secure, so you can correlate system activity with Kubernetes services. Check [Sysdig](https://sysdig.com/) and start a [Free Trial](https://go.sysdig.com/IBM-OpenShift-Everywhere.html).
 
 
 

community/SI-System-and-Information-Integrity/policy-sysdig.yaml

@@ -0,0 +1,129 @@
+apiVersion: policy.open-cluster-management.io/v1
+kind: Policy
+metadata:
+  name: policy-sysdig
+  annotations:
+    policy.open-cluster-management.io/standards: NIST SP 800-53
+    policy.open-cluster-management.io/categories: SI System and Information Integrity
+    policy.open-cluster-management.io/controls: SI-5 Security Alerts, Advisories, and Directives
+spec:
+  remediationAction: enforce
+  disabled: false
+  policy-templates:
+    - objectDefinition:
+        apiVersion: policy.open-cluster-management.io/v1
+        kind: ConfigurationPolicy
+        metadata:
+          name: policy-sysdig-ns
+        spec:
+          remediationAction: enforce # the policy-template spec.remediationAction is overridden by the preceding parameter value for spec.remediationAction.
+          severity: low
+          namespaceSelector:
+            exclude: ["kube-*"]
+            include: ["*"]
+          object-templates:
+            - complianceType: musthave
+              objectDefinition:
+                apiVersion: v1
+                kind: Namespace
+                metadata:
+                  name: sysdig-operator
+                spec: {}
+    - objectDefinition:
+        apiVersion: policy.open-cluster-management.io/v1
+        kind: ConfigurationPolicy
+        metadata:
+          name: policy-sysdig-operatorgroup
+        spec:
+          remediationAction: enforce # the policy-template spec.remediationAction is overridden by the preceding parameter value for spec.remediationAction.
+          severity: low
+          namespaceSelector:
+            exclude: ["kube-*"]
+            include: ["sysdig-operator"]
+          object-templates:
+            - complianceType: musthave
+              objectDefinition:
+                apiVersion: operators.coreos.com/v1
+                kind: OperatorGroup
+                metadata:
+                  name: sysdig-operatorgroup
+                  namespace: sysdig-operator
+                spec:
+                  targetNamespaces:
+                  - sysdig-operator
+    - objectDefinition:
+        apiVersion: policy.open-cluster-management.io/v1
+        kind: ConfigurationPolicy
+        metadata:
+          name: policy-sysdig-subscription
+        spec:
+          remediationAction: enforce # the policy-template spec.remediationAction is overridden by the preceding parameter value for spec.remediationAction.
+          severity: low
+          namespaceSelector:
+            exclude: ["kube-*"]
+            include: ["sysdig-operator"]
+          object-templates:
+            - complianceType: musthave
+              objectDefinition:
+                apiVersion: operators.coreos.com/v1alpha1
+                kind: Subscription
+                metadata:
+                  name: sysdig-operator
+                  namespace: sysdig-operator
+                spec:
+                  channel: stable
+                  installPlanApproval: Automatic
+                  name: sysdig-certified
+                  source: certified-operators
+                  sourceNamespace: openshift-marketplace
+                  startingCSV: sysdig-operator.v1.8.3
+    - objectDefinition:
+        apiVersion: policy.open-cluster-management.io/v1
+        kind: ConfigurationPolicy
+        metadata:
+          name: policy-sysdig-installation
+        spec:
+          remediationAction: enforce # the policy-template spec.remediationAction is overridden by the preceding parameter value for spec.remediationAction.
+          severity: low
+          namespaceSelector:
+            exclude: ["kube-*"]
+            include: ["sysdig-operator"]
+          object-templates:
+            - complianceType: musthave
+              objectDefinition:
+                apiVersion: sysdig.com/v1
+                kind: SysdigAgent
+                metadata:
+                  name: sysdigagent-enforcement
+                  namespace: sysdig-operator
+                spec:
+                  scc:
+                    create: true
+                  sysdig:
+                    #Set access key
+                    accessKey: "<SYSDIG_AGENT_ACCESS_KEY>"
+---
+apiVersion: policy.open-cluster-management.io/v1
+kind: PlacementBinding
+metadata:
+  name: binding-policy-sysdig
+placementRef:
+  name: placement-policy-sysdig
+  kind: PlacementRule
+  apiGroup: apps.open-cluster-management.io
+subjects:
+- name: policy-sysdig
+  kind: Policy
+  apiGroup: policy.open-cluster-management.io
+---
+apiVersion: apps.open-cluster-management.io/v1
+kind: PlacementRule
+metadata:
+  name: placement-policy-sysdig
+spec:
+  clusterConditions:
+  - status: "True"
+    type: ManagedClusterConditionAvailable
+  clusterSelector:
+    matchExpressions:
+      - {key: environment, operator: In, values: ["dev"]}