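# This policy deploys the external secrets helm chart by creating application resources
# (Application, Channel, Subscription, PlacementRule) on the ACM hub. The policy must be
# deployed to the ACM hub; update the embedded PlacementRule resource at the bottom of this
# policy to configure which managed clusters the chart will be placed on.
apiVersion: policy.open-cluster-management.io/v1
kind: Policy
metadata:
  annotations:
    policy.open-cluster-management.io/standards: NIST 800-53
    policy.open-cluster-management.io/categories: CM Configuration Management
    policy.open-cluster-management.io/controls: CM-2 Baseline
  name: external-secrets-policy
spec:
  # Policy-level remediationAction takes precedence over the per-template values below,
  # so every ConfigurationPolicy in this Policy is enforced (objects are created/patched),
  # not merely reported on.
  remediationAction: enforce
  disabled: false
  policy-templates:
    # Namespace the application resources live in on the hub.
    - objectDefinition:
        apiVersion: policy.open-cluster-management.io/v1
        kind: ConfigurationPolicy
        metadata:
          name: policy-external-secrets-namespace
        spec:
          object-templates:
            - complianceType: musthave
              objectDefinition:
                apiVersion: v1
                kind: Namespace
                metadata:
                  name: external-secrets-system
          remediationAction: enforce
          severity: high
    # ACM Application that groups the Subscription(s) labelled app=external-secrets.
    - objectDefinition:
        apiVersion: policy.open-cluster-management.io/v1
        kind: ConfigurationPolicy
        metadata:
          name: policy-external-secrets-application
        spec:
          remediationAction: enforce
          severity: high
          object-templates:
            - complianceType: musthave
              objectDefinition:
                apiVersion: app.k8s.io/v1beta1
                kind: Application
                metadata:
                  name: external-secrets
                  namespace: external-secrets-system
                spec:
                  componentKinds:
                    - group: apps.open-cluster-management.io
                      kind: Subscription
                  descriptor: {}
                  selector:
                    matchExpressions:
                      - key: app
                        operator: In
                        values:
                          - external-secrets
    # Helm repository the chart is pulled from.
    - objectDefinition:
        apiVersion: policy.open-cluster-management.io/v1
        kind: ConfigurationPolicy
        metadata:
          name: external-secrets-config
        spec:
          object-templates:
            - complianceType: musthave
              objectDefinition:
                apiVersion: apps.open-cluster-management.io/v1
                kind: Channel
                metadata:
                  annotations:
                    apps.open-cluster-management.io/reconcile-rate: medium
                  name: external-secrets
                  namespace: external-secrets-system
                spec:
                  # Public, unauthenticated HelmRepo served over HTTPS; TLS verification is
                  # left at the Channel default (not skipped).
                  # NOTE(review): the upstream kubernetes-external-secrets project has been
                  # deprecated in favour of External Secrets Operator — confirm this chart
                  # source is still maintained before relying on it.
                  pathname: https://external-secrets.github.io/kubernetes-external-secrets/
                  type: HelmRepo
          remediationAction: enforce
          severity: high
    # Subscription that installs the chart onto the clusters picked by the embedded
    # PlacementRule (external-secrets-placement).
    - objectDefinition:
        apiVersion: policy.open-cluster-management.io/v1
        kind: ConfigurationPolicy
        metadata:
          name: policy-external-secrets-subscription
        spec:
          object-templates:
            - complianceType: musthave
              objectDefinition:
                apiVersion: apps.open-cluster-management.io/v1
                kind: Subscription
                metadata:
                  labels:
                    # Must match the Application's selector (app In [external-secrets]).
                    app: external-secrets
                  name: external-secrets-subscription
                  namespace: external-secrets-system
                spec:
                  channel: external-secrets-system/external-secrets
                  name: kubernetes-external-secrets
                  # No chart version is pinned, so each reconcile may roll forward to whatever
                  # the repository currently publishes. To pin a reviewed release, add:
                  #   packageFilter:
                  #     version: "<CHART_VERSION>"   # placeholder — set to the vetted version
                  packageOverrides:
                    - packageAlias: kubernetes-external-secrets
                      packageName: kubernetes-external-secrets
                  placement:
                    placementRef:
                      kind: PlacementRule
                      name: external-secrets-placement
          remediationAction: enforce
          # Lower than the sibling templates; presumably deliberate — confirm.
          severity: low
    # PlacementRule that selects the managed clusters the chart is installed on.
    - objectDefinition:
        apiVersion: policy.open-cluster-management.io/v1
        kind: ConfigurationPolicy
        metadata:
          name: external-secrets-replication-placement
        spec:
          object-templates:
            - complianceType: musthave
              objectDefinition:
                apiVersion: apps.open-cluster-management.io/v1
                kind: PlacementRule
                metadata:
                  name: external-secrets-placement
                  namespace: external-secrets-system
                  labels:
                    app: external-secrets
                spec:
                  clusterSelector:
                    matchLabels:
                      # Change this label selector to target your clusters.
                      environment: dev
          remediationAction: enforce
          severity: high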
---
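# Binds the Policy above to the hub-side PlacementRule in the next document.
# Policy, PlacementBinding and PlacementRule must all be created in the same namespace.
apiVersion: policy.open-cluster-management.io/v1
kind: PlacementBinding
metadata:
  name: binding-external-secrets-policy-app
placementRef:
  apiGroup: apps.open-cluster-management.io
  kind: PlacementRule
  name: placement-external-secrets-policy-app
subjects:
  - apiGroup: policy.open-cluster-management.io
    kind: Policy
    name: external-secrets-policy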
---
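# Hub-side placement for the Policy itself: it only ever runs on the hub
# (local-cluster), which is where the application resources must be created.
apiVersion: apps.open-cluster-management.io/v1
kind: PlacementRule
metadata:
  name: placement-external-secrets-policy-app
spec:
  clusterConditions:
    # Quoted on purpose: the condition status is the string "True", not a YAML boolean.
    - status: 'True'
      type: ManagedClusterConditionAvailable
  clusterSelector:
    matchLabels:
      name: local-cluster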