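---
# Dockerhub version of XCrypt Operator Deployment
#
# Open Cluster Management Policy that checks (inform only) that the XCrypt CRD,
# the operator Deployment and an example XCrypt CR exist on the managed cluster.
apiVersion: policy.open-cluster-management.io/v1
kind: Policy
metadata:
  name: policy-zts-xcrypt-deployment
  annotations:
    policy.open-cluster-management.io/standards: NIST 800-53
    policy.open-cluster-management.io/categories: CM Configuration Management
    policy.open-cluster-management.io/controls: CM-2 Baseline Configuration
spec:
  # inform: report non-compliance only; nothing is created or patched on the
  # managed cluster
  remediationAction: inform
  disabled: false
  policy-templates:
    - objectDefinition:
        apiVersion: policy.open-cluster-management.io/v1
        kind: ConfigurationPolicy
        metadata:
          name: policy-install-xcrypts-crd
        spec:
          remediationAction: inform
          severity: low
          object-templates:
            - complianceType: musthave
              objectDefinition:
                apiVersion: apiextensions.k8s.io/v1
                kind: CustomResourceDefinition
                metadata:
                  # CustomResourceDefinition is cluster-scoped, so no
                  # metadata.namespace is given here (a namespace on a
                  # cluster-scoped object is invalid)
                  name: xcrypts.xcrypt.zettaset.com
                spec:
                  group: xcrypt.zettaset.com
                  names:
                    kind: XCrypt
                    listKind: XCryptList
                    plural: xcrypts
                    singular: xcrypt
                  scope: Namespaced
                  versions:
                    - name: v1alpha1
                      schema:
                        openAPIV3Schema:
                          description: XCrypt is the Schema for the xcrypts API
                          properties:
                            apiVersion:
                              description: 'APIVersion defines the versioned schema of this representation
                                of an object. Servers should convert recognized schemas to the latest
                                internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'
                              type: string
                            kind:
                              description: 'Kind is a string value representing the REST resource this
                                object represents. Servers may infer this from the endpoint the client
                                submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
                              type: string
                            metadata:
                              type: object
                            spec:
                              description: XCryptSpec defines the desired state of XCrypt
                              # NOTE(review): spec and status are untyped objects, so the
                              # API server performs no field validation on XCrypt CRs
                              type: object
                            status:
                              description: XCryptStatus defines the observed state of XCrypt
                              type: object
                          type: object
                      served: true
                      storage: true
    - objectDefinition:
        apiVersion: policy.open-cluster-management.io/v1
        kind: ConfigurationPolicy
        metadata:
          name: policy-zts-xcrypt-deployment
        spec:
          remediationAction: inform
          severity: low
          object-templates:
            - complianceType: musthave
              objectDefinition:
                apiVersion: apps/v1
                kind: Deployment
                metadata:
                  name: zts-xcrypt-operator
                  namespace: zts-xcrypt
                spec:
                  replicas: 1
                  selector:
                    matchLabels:
                      name: zts-xcrypt-operator
                  template:
                    metadata:
                      labels:
                        name: zts-xcrypt-operator
                    spec:
                      serviceAccountName: zts-xcrypt-operator
                      # NOTE(review): no securityContext or resource limits are
                      # declared for the operator pod, so this musthave check
                      # cannot report their absence on the managed cluster
                      containers:
                        - name: zts-xcrypt-operator
                          # NOTE(review): images below are referenced by mutable
                          # tag, not digest; musthave only compares the tag string,
                          # and with IfNotPresent a cached image wins over a
                          # re-pushed tag
                          imagePullPolicy: IfNotPresent
                          image: zettasetimg/zts-xcrypt-operator:zts-xcrypt-operator-13-6f1d3f
                          command:
                            - zts-xcrypt-operator
                          env:
                            - name: WATCH_NAMESPACE
                              valueFrom:
                                fieldRef:
                                  fieldPath: metadata.namespace
                            - name: POD_NAME
                              valueFrom:
                                fieldRef:
                                  fieldPath: metadata.name
                            - name: OPERATOR_NAME
                              value: "zts-xcrypt-operator"
                            # name of the pull secret the operator passes on to
                            # the component pods it creates (same secret as
                            # imagePullSecrets below)
                            - name: AUTH_TOKEN_NAME
                              value: "zts-dockerhub-token"
                            - name: RELATED_IMAGE_CA
                              value: "zettasetimg/zts-ca-server:zts-ca-server-13"
                            - name: RELATED_IMAGE_KMIP
                              value: "zettasetimg/zts-kmip-server:zts-kmip-server-7-f4fbeb69a"
                            - name: RELATED_IMAGE_LS
                              value: "zettasetimg/zts-license-server:zts-license-server-6"
                            - name: RELATED_IMAGE_HM
                              value: "zettasetimg/zts-host-manager:zts-host-manager-13-default-79c9f2"
                            # NOTE(review): this points at the "zettasetimg/test"
                            # repository rather than a release repository like the
                            # other RELATED_IMAGE_* entries; confirm it is the
                            # intended CSI driver image
                            - name: RELATED_IMAGE_CSI_DRIVER
                              value: "zettasetimg/test:zts-csi-driver-5-0381e7-1"
                            - name: RELATED_IMAGE_CSI_PROVISIONER
                              value: "quay.io/k8scsi/csi-provisioner:v1.3.0"
                            - name: RELATED_IMAGE_CSI_ATTACHER
                              value: "quay.io/k8scsi/csi-attacher:v1.2.0"
                            - name: RELATED_IMAGE_LIVENSSPROBE
                              value: "quay.io/k8scsi/livenessprobe:v1.1.0"
                            - name: RELATED_IMAGE_CSI_NODE_DRIVER_REGISTRAR
                              value: "quay.io/k8scsi/csi-node-driver-registrar:v1.1.0"
                      imagePullSecrets:
                        - name: zts-dockerhub-token
    - objectDefinition:
        apiVersion: policy.open-cluster-management.io/v1
        kind: ConfigurationPolicy
        metadata:
          name: policy-zts-xcrypt-operator-executor-deployment
        spec:
          remediationAction: inform
          severity: low
          object-templates:
            - complianceType: musthave
              objectDefinition:
                apiVersion: xcrypt.zettaset.com/v1alpha1
                kind: XCrypt
                metadata:
                  name: example-xcrypt
                  namespace: zts-xcrypt
                spec:
                  replicas: 1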
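---
# Binds the Policy above to the PlacementRule that selects target clusters
apiVersion: policy.open-cluster-management.io/v1
kind: PlacementBinding
metadata:
  name: binding-policy-zts-xcrypt-deployment
placementRef:
  name: placement-policy-zts-xcrypt-deployment
  kind: PlacementRule
  apiGroup: apps.open-cluster-management.io
subjects:
  - name: policy-zts-xcrypt-deployment
    kind: Policy
    apiGroup: policy.open-cluster-management.io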
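---
# Selects available managed clusters labelled environment=dev
apiVersion: apps.open-cluster-management.io/v1
kind: PlacementRule
metadata:
  name: placement-policy-zts-xcrypt-deployment
spec:
  clusterConditions:
    # condition status is a string in this API, hence the quoted "True"
    - status: "True"
      type: ManagedClusterConditionAvailable
  clusterSelector:
    matchExpressions:
      - key: environment
        operator: In
        values: ["dev"]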