forked from stolostron/policy-collection
-
Notifications
You must be signed in to change notification settings - Fork 0
/
policy-oauth-htpasswd.yaml
93 lines (93 loc) · 3.57 KB
/
policy-oauth-htpasswd.yaml
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
# Configure the htpasswd identity provider to allow users to log in to OpenShift Container Platform with credentials from an htpasswd file.
# Before creating these objects, you must generate a flat file that stores the usernames and passwords for your cluster by using htpasswd. Create or update your flat file by executing the following:
# htpasswd -c -b -B <htpasswd file> user password
# For more information on configuring the OAuth server, consult the OpenShift documentation:
# htpasswd file: https://docs.openshift.com/container-platform/4.10/authentication/identity_providers/configuring-htpasswd-identity-provider.html#identity-provider-creating-htpasswd-file-linux_configuring-htpasswd-identity-provider
# https://docs.openshift.com/container-platform/4.10/authentication/identity_providers/configuring-htpasswd-identity-provider.html
apiVersion: policy.open-cluster-management.io/v1
kind: Policy
metadata:
name: policy-oauth-htpasswd
annotations:
policy.open-cluster-management.io/categories: CM Configuration Management, AC Access Control
policy.open-cluster-management.io/controls: AC-3 Access Enforcement
policy.open-cluster-management.io/standards: NIST SP 800-53
spec:
disabled: false
policy-templates:
# Create a secret that stores information about htpasswd users
# htpasswd: <base64_encoded_htpasswd_file_contents>
- objectDefinition:
apiVersion: policy.open-cluster-management.io/v1
kind: ConfigurationPolicy
metadata:
name: policy-oauth-htpasswd-secret
spec:
object-templates:
- complianceType: mustonlyhave
objectDefinition:
apiVersion: v1
data:
htpasswd: <base64_encoded_htpasswd_file_contents>
kind: Secret
metadata:
name: htpass-secret
namespace: openshift-config
type: Opaque
pruneObjectBehavior: DeleteIfCreated
remediationAction: inform
severity: high
# Configure the OAuth for using htpasswd as the identity provider
- objectDefinition:
apiVersion: policy.open-cluster-management.io/v1
kind: ConfigurationPolicy
metadata:
name: policy-oauth
spec:
object-templates:
- complianceType: musthave
objectDefinition:
apiVersion: config.openshift.io/v1
kind: OAuth
metadata:
name: cluster
spec:
identityProviders:
- name: htpasswd_provider
htpasswd:
fileData:
name: htpass-secret
mappingMethod: claim
type: HTPasswd
pruneObjectBehavior: DeleteIfCreated
remediationAction: inform
severity: high
remediationAction: inform
---
apiVersion: policy.open-cluster-management.io/v1
kind: PlacementBinding
metadata:
name: policy-oauth-htpasswd-placement
placementRef:
name: policy-oauth-htpasswd-placement
apiGroup: apps.open-cluster-management.io
kind: PlacementRule
subjects:
- name: policy-oauth-htpasswd
apiGroup: policy.open-cluster-management.io
kind: Policy
---
apiVersion: apps.open-cluster-management.io/v1
kind: PlacementRule
metadata:
name: policy-oauth-htpasswd-placement
spec:
clusterSelector:
matchExpressions:
- key: environment
operator: In
values:
- dev
clusterConditions:
- status: "True"
type: ManagedClusterConditionAvailable