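---
# Runs the Compliance Operator "moderate" profiles (ocp4 + rhcos4) on the
# selected managed clusters and reports the outcome through RHACM governance.
#
# The Policy-level spec.remediationAction is deliberately omitted. In RHACM a
# value set there overrides the remediationAction of every entry in
# policy-templates at runtime, and this policy needs mixed modes: the
# ScanSettingBinding must be enforced (created), while the two result checks
# must only inform. With the previous policy-level "enforce" the third
# template (mustnothave on FAIL results) would have been enforced as well,
# i.e. the failing ComplianceCheckResult objects would be deleted instead of
# being reported.
apiVersion: policy.open-cluster-management.io/v1
kind: Policy
metadata:
  name: policy-moderate-scan
  namespace: rhacm-policies
  annotations:
    policy.open-cluster-management.io/standards: NIST SP 800-53
    policy.open-cluster-management.io/categories: CM Configuration Management
    policy.open-cluster-management.io/controls: CM-6 Configuration Settings
spec:
  disabled: false
  policy-templates:
    # 1. enforce: make sure the moderate scan is scheduled on the cluster
    - objectDefinition:
        apiVersion: policy.open-cluster-management.io/v1
        kind: ConfigurationPolicy
        metadata:
          name: compliance-moderate-scan
        spec:
          remediationAction: enforce
          severity: high
          object-templates:
            - complianceType: musthave
              # this template creates ScanSettingBinding:moderate
              objectDefinition:
                apiVersion: compliance.openshift.io/v1alpha1
                kind: ScanSettingBinding
                metadata:
                  name: moderate
                  namespace: openshift-compliance
                profiles:
                  - apiGroup: compliance.openshift.io/v1alpha1
                    kind: Profile
                    name: ocp4-moderate
                  - apiGroup: compliance.openshift.io/v1alpha1
                    kind: Profile
                    name: rhcos4-moderate
                settingsRef:
                  apiGroup: compliance.openshift.io/v1alpha1
                  kind: ScanSetting
                  name: default
    # 2. inform: report whether the scan suite has finished. phase DONE only
    #    says the suite ran to completion; pass/fail is reported by template 3.
    - objectDefinition:
        apiVersion: policy.open-cluster-management.io/v1
        kind: ConfigurationPolicy
        metadata:
          name: compliance-suite-moderate
        spec:
          remediationAction: inform
          severity: high
          object-templates:
            - complianceType: musthave
              # this template checks if scan has completed by checking the status field
              objectDefinition:
                apiVersion: compliance.openshift.io/v1alpha1
                kind: ComplianceSuite
                metadata:
                  name: moderate
                  namespace: openshift-compliance
                status:
                  phase: DONE
    # 3. inform: report failing checks. mustnothave on FAIL results makes the
    #    policy NonCompliant while any check of the moderate suite has failed.
    #    Keep this on inform: an enforced mustnothave deletes the matching
    #    objects, which would erase the failing-check evidence.
    - objectDefinition:
        apiVersion: policy.open-cluster-management.io/v1
        kind: ConfigurationPolicy
        metadata:
          name: compliance-suite-moderate-results
        spec:
          remediationAction: inform
          severity: high
          object-templates:
            - complianceType: mustnothave
              # this template reports the results for scan suite: moderate by looking at ComplianceCheckResult CRs
              # no metadata.name: every ComplianceCheckResult carrying these labels is matched
              objectDefinition:
                apiVersion: compliance.openshift.io/v1alpha1
                kind: ComplianceCheckResult
                metadata:
                  namespace: openshift-compliance
                  labels:
                    compliance.openshift.io/check-status: FAIL
                    compliance.openshift.io/suite: moderate
---
# Binds the policy above to the placement rule below.
apiVersion: policy.open-cluster-management.io/v1
kind: PlacementBinding
metadata:
  name: policy-moderate-scan-binding
  namespace: rhacm-policies
placementRef:
  name: placement-policy-moderate-scan-binding
  kind: PlacementRule
  apiGroup: apps.open-cluster-management.io
subjects:
  - name: policy-moderate-scan
    kind: Policy
    apiGroup: policy.open-cluster-management.io
---
# Selects the managed clusters that receive the policy: available clusters
# labelled environment=dev.
apiVersion: apps.open-cluster-management.io/v1
kind: PlacementRule
metadata:
  name: placement-policy-moderate-scan-binding
  namespace: rhacm-policies
spec:
  clusterConditions:
    # quoted: the condition status is a string in the API, not a YAML boolean
    - status: "True"
      type: ManagedClusterConditionAvailable
  clusterSelector:
    matchExpressions:
      - key: environment
        operator: In
        values:
          - dev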