# This policy deploys the Red Hat Advanced Cluster Security Secure Cluster # Services to all OpenShift managed clusters. Note that it is set to # enforce by default and it requires Open Cluster Management template support. # # Prior to applying this policy you must visit # https://github.com/stolostron/advanced-cluster-security # and follow the instructions there to deploy prerequisite bundles # needed by the Secure Cluster Services for communicating with the # Central server. # apiVersion: policy.open-cluster-management.io/v1 kind: Policy metadata: name: policy-advanced-managed-cluster-security annotations: policy.open-cluster-management.io/standards: NIST SP 800-53 policy.open-cluster-management.io/categories: CM Configuration Management policy.open-cluster-management.io/controls: CM-2 Baseline Configuration spec: remediationAction: enforce disabled: false policy-templates: - objectDefinition: apiVersion: policy.open-cluster-management.io/v1 kind: ConfigurationPolicy metadata: name: managed-cluster-security-ns spec: remediationAction: inform severity: high object-templates: - complianceType: musthave objectDefinition: apiVersion: v1 kind: Namespace metadata: name: stackrox - complianceType: musthave objectDefinition: apiVersion: v1 kind: Namespace metadata: name: rhacs-operator - complianceType: musthave objectDefinition: apiVersion: operators.coreos.com/v1 kind: OperatorGroup metadata: name: rhacs-operator-group namespace: rhacs-operator spec: {} - objectDefinition: apiVersion: policy.open-cluster-management.io/v1 kind: ConfigurationPolicy metadata: name: managed-cluster-security-operator-sub spec: remediationAction: inform severity: high object-templates: - complianceType: musthave objectDefinition: apiVersion: operators.coreos.com/v1alpha1 kind: Subscription metadata: name: rhacs-operator namespace: rhacs-operator spec: channel: latest installPlanApproval: Automatic name: rhacs-operator source: redhat-operators sourceNamespace: openshift-marketplace - objectDefinition: apiVersion: policy.open-cluster-management.io/v1 kind: ConfigurationPolicy metadata: name: managed-cluster-security-endpoints spec: remediationAction: inform severity: high object-templates: - complianceType: musthave objectDefinition: apiVersion: platform.stackrox.io/v1alpha1 kind: SecuredCluster metadata: namespace: stackrox name: stackrox-secured-cluster-services spec: clusterName: | {{ fromSecret "open-cluster-management-agent" "hub-kubeconfig-secret" "cluster-name" | base64dec }} auditLogs: collection: Auto centralEndpoint: | {{ fromSecret "stackrox" "sensor-tls" "acs-host" | base64dec }} admissionControl: listenOnCreates: false listenOnEvents: true listenOnUpdates: false perNode: collector: collection: EBPF imageFlavor: Regular taintToleration: TolerateTaints --- apiVersion: policy.open-cluster-management.io/v1 kind: PlacementBinding metadata: name: binding-policy-advanced-managed-cluster-security placementRef: name: placement-policy-advanced-managed-cluster-security kind: PlacementRule apiGroup: apps.open-cluster-management.io subjects: - name: policy-advanced-managed-cluster-security kind: Policy apiGroup: policy.open-cluster-management.io --- apiVersion: apps.open-cluster-management.io/v1 kind: PlacementRule metadata: name: placement-policy-advanced-managed-cluster-security spec: clusterSelector: matchExpressions: - {key: vendor, operator: In, values: ["OpenShift"]}