---
apiVersion: policy.open-cluster-management.io/v1
kind: Policy
metadata:
  name: policy-role-mariadb-rollout
  namespace: rhacm-policies
  annotations:
    policy.open-cluster-management.io/standards: NIST SP 800-53
    policy.open-cluster-management.io/categories: AC Access Control
    policy.open-cluster-management.io/controls: AC-3 Access Enforcement
spec:
  remediationAction: inform
  disabled: false
  policy-templates:
    - objectDefinition:
        apiVersion: policy.open-cluster-management.io/v1
        kind: ConfigurationPolicy
        metadata:
          name: policy-role-mariadb-rollout
        spec:
          remediationAction: inform # the policy-template spec.remediationAction is overridden by the preceding parameter value for spec.remediationAction.
          severity: high
          namespaceSelector:
            include: ["mariadb"]
          object-templates:
            - complianceType: mustonlyhave # role definition should exact match
              objectDefinition:
                apiVersion: rbac.authorization.k8s.io/v1
                kind: Role
                metadata:
                  name: dc-rollout-role
                rules:
                  - apiGroups: ["apps.openshift.io", ""]
                    resources: ["deploymentconfigs"]
                    verbs: ["get", "list", "watch", "patch", "update"]
                  - apiGroups: [""]
                    resources: ["replicationcontrollers"]
                    verbs: ["update", "patch", "list", "get"]
                  - apiGroups: [""]
                    resources: ["pods"]
                    verbs: ["get", "list", "watch"]
---
apiVersion: policy.open-cluster-management.io/v1
kind: PlacementBinding
metadata:
  name: role-placement-binding
  namespace: rhacm-policies
placementRef:
  name: dev-clusters
  kind: PlacementRule
  apiGroup: apps.open-cluster-management.io
subjects:
- name: policy-role-mariadb-rollout
  kind: Policy
  apiGroup: policy.open-cluster-management.io