Red Hat Summit Red Hat SummitSupportConsoleDevelopersStart a trialContact

Chapter 4. Supported Red Hat Advanced Cluster Management for Kubernetes policies

View the supported policies to learn how to define rules, processes, and controls on the hub cluster when you create and manage policies in Red Hat Advanced Cluster Management for Kubernetes.

4.1. Table of sample configuration policies
Copy link

View the following sample configuration policies:

Expand
Table 4.1. Table list of configuration policies
Policy sampleDescription

Namespace policy

Ensure consistent environment isolation and naming with namespaces.

Pod policy

Ensure cluster workload configuration.

Memory usage policy

Limit workload resource usage using limit ranges.

Pod security policy (Deprecated)

Ensure consistent workload security.

Role policy and Role binding policy

Manage role permissions and bindings using roles and role bindings.

Security content constraints (SCC) policy

Manage workload permissions with Security Context Constraints.

ETCD encryption policy

Ensure data security with etcd encryption.

Compliance operator policy

Deploy the Compliance Operator to scan and enforce the compliance state of clusters leveraging OpenSCAP.

Compliance operator E8 scan

After applying the Compliance operator policy, deploy an Essential 8 (E8) scan to check for compliance with E8 security profiles.

Compliance operator CIS scan

After applying the Compliance operator policy, deploy a Center for Internet Security (CIS) scan to check for compliance with CIS security profiles.

Image vulnerability policy

Deploy the Container Security Operator and detect known image vulnerabilities in pods running on the cluster.

Gatekeeper operator deployment

Gatekeeper is an admission webhook that enforces custom resource definition-based policies that are run by the Open Policy Agent (OPA) policy engine. The Gatekeeper operator is available for installing Gatekeeper.

Gatekeeper compliance policy

After deploying Gatekeeper to the clusters, deploy this sample Gatekeeper policy that ensures namespaces that are created on the cluster are labeled as specified.

Red Hat OpenShift Platform Plus policy set

Red Hat OpenShift Platform Plus is a hybrid-cloud suite of products to securely build, deploy, run, and manage applications for multiple infrastructures. You can deploy Red Hat OpenShift Platform Plus to managed clusters using PolicySets delivered through a Red Hat Advanced Cluster Management application.

Red Hat OpenShift Container Platform 4.x also supports the Red Hat Advanced Cluster Management configuration policies.

4.2. Additional resources
Copy link

View the following policy documentation to learn how to apply policies:

4.3. Namespace policy
Copy link

The Kubernetes configuration policy controller monitors the status of your namespace policy. Apply the namespace policy to define specific rules for your namespace.

Learn more details about the namespace policy structure in the following sections:

4.3.1. Namespace policy YAML structure
Copy link

apiVersion: policy.open-cluster-management.io/v1
kind: Policy
metadata:
  name:
  namespace:
  annotations:
    policy.open-cluster-management.io/standards:
    policy.open-cluster-management.io/categories:
    policy.open-cluster-management.io/controls:
    policy.open-cluster-management.io/description:
spec:
  remediationAction:
  disabled:
  policy-templates:
    - objectDefinition:
        apiVersion: policy.open-cluster-management.io/v1
        kind: ConfigurationPolicy
        metadata:
          name:
        spec:
          remediationAction:
          severity:
          object-templates:
            - complianceType:
              objectDefinition:
                kind: Namespace
                apiVersion: v1
                metadata:
                  name:
                ...
Copy to Clipboard Toggle word wrap

4.3.2. Namespace policy YAML table
Copy link

Expand
FieldOptional or requiredDescription

apiVersion

Required

Set the value to policy.open-cluster-management.io/v1.

kind

Required

Set the value to Policy to indicate the type of policy.

metadata.name

Required

The name for identifying the policy resource.

metadata.namespace

Required

The namespace of the policy.

spec.remediationAction

Optional

Specifies the remediation of your policy. The parameter values are enforce and inform. This value is optional because it overrides any values provided in spec.policy-templates.

spec.disabled

Required

Set the value to true or false. The disabled parameter provides the ability to enable and disable your policies.

spec.policy-templates[].objectDefinition

Required

Used to list configuration policies containing Kubernetes objects that must be evaluated or applied to the managed clusters.

4.3.3. Namespace policy sample
Copy link

4.4. Pod policy
Copy link

The Kubernetes configuration policy controller monitors the status of your pod policies. Apply the pod policy to define the container rules for your pods. A pod must exist in your cluster to use this information.

Learn more details about the pod policy structure in the following sections:

4.4.1. Pod policy YAML structure
Copy link

apiVersion: policy.open-cluster-management.io/v1
kind: Policy
metadata:
  name:
  namespace:
  annotations:
    policy.open-cluster-management.io/standards:
    policy.open-cluster-management.io/categories:
    policy.open-cluster-management.io/controls:
    policy.open-cluster-management.io/description:
spec:
  remediationAction:
  disabled:
  policy-templates:
    - objectDefinition:
        apiVersion: policy.open-cluster-management.io/v1
        kind: ConfigurationPolicy
        metadata:
          name:
        spec:
          remediationAction:
          severity:
          namespaceSelector:
            exclude:
            include:
            matchLabels:
            matchExpressions:
          object-templates:
            - complianceType:
              objectDefinition:
                apiVersion: v1
                kind: Pod
                metadata:
                  name:
                spec:
                  containers:
                  - image:
                    name:
                ...
Copy to Clipboard Toggle word wrap

4.4.2. Pod policy table
Copy link

Expand
Table 4.2. Parameter table
FieldOptional or requiredDescription

apiVersion

Required

Set the value to policy.open-cluster-management.io/v1.

kind

Required

Set the value to Policy to indicate the type of policy.

metadata.name

Required

The name for identifying the policy resource.

metadata.namespace

Required

The namespace of the policy.

spec.remediationAction

Optional

Specifies the remediation of your policy. The parameter values are enforce and inform. This value is optional because the value overrides any values provided in spec.policy-templates.

spec.disabled

Required

Set the value to true or false. The disabled parameter provides the ability to enable and disable your policies.

spec.policy-templates[].objectDefinition

Required

Used to list configuration policies containing Kubernetes objects that must be evaluated or applied to the managed clusters.

4.4.3. Pod policy sample
Copy link

Refer to Kubernetes configuration policy controller to view other configuration policies that are monitored by the configuration controller, and see the Hub cluster policy framework to see a full description of the policy YAML structure and additional fields. Return to Creating configuration policies documentation to manage other policies.

4.5. Memory usage policy
Copy link

The Kubernetes configuration policy controller monitors the status of the memory usage policy. Use the memory usage policy to limit or restrict your memory and compute usage. For more information, see Limit Ranges in the Kubernetes documentation.

Learn more details about the memory usage policy structure in the following sections:

4.5.1. Memory usage policy YAML structure
Copy link

Your memory usage policy might resemble the following YAML file: 

apiVersion: policy.open-cluster-management.io/v1
kind: Policy
metadata:
  name:
  namespace:
  annotations:
    policy.open-cluster-management.io/standards:
    policy.open-cluster-management.io/categories:
    policy.open-cluster-management.io/controls:
    policy.open-cluster-management.io/description:
spec:
  remediationAction:
  disabled:
  policy-templates:
    - objectDefinition:
        apiVersion: policy.open-cluster-management.io/v1
        kind: ConfigurationPolicy
        metadata:
          name:
        spec:
          remediationAction:
          severity:
          namespaceSelector:
            exclude:
            include:
            matchLabels:
            matchExpressions:
          object-templates:
            - complianceType: mustonlyhave
              objectDefinition:
                apiVersion: v1
                kind: LimitRange
                metadata:
                  name:
                spec:
                  limits:
                  - default:
                      memory:
                    defaultRequest:
                      memory:
                    type:
        ...
Copy to Clipboard Toggle word wrap

4.5.2. Memory usage policy table
Copy link

Expand
Table 4.3. Parameter table
FieldOptional or requiredDescription

apiVersion

Required

Set the value to policy.open-cluster-management.io/v1.

kind

Required

Set the value to Policy to indicate the type of policy.

metadata.name

Required

The name for identifying the policy resource.

metadata.namespace

Required

The namespace of the policy.

spec.remediationAction

Optional

Specifies the remediation of your policy. The parameter values are enforce and inform. This value is optional because the value overrides any values provided in spec.policy-templates.

spec.disabled

Required

Set the value to true or false. The disabled parameter provides the ability to enable and disable your policies.

spec.policy-templates[].objectDefinition

Required

Used to list configuration policies containing Kubernetes objects that must be evaluated or applied to the managed clusters.

4.5.3. Memory usage policy sample
Copy link

4.6. Pod security policy (Deprecated)
Copy link

The Kubernetes configuration policy controller monitors the status of the pod security policy. Apply a pod security policy to secure pods and containers.

Learn more details about the pod security policy structure in the following sections:

4.6.1. Pod security policy YAML structure
Copy link

apiVersion: policy.open-cluster-management.io/v1
kind: Policy
metadata:
  name:
  namespace:
  annotations:
    policy.open-cluster-management.io/standards:
    policy.open-cluster-management.io/categories:
    policy.open-cluster-management.io/controls:
    policy.open-cluster-management.io/description:
spec:
  remediationAction:
  disabled:
  policy-templates:
    - objectDefinition:
        apiVersion: policy.open-cluster-management.io/v1
        kind: ConfigurationPolicy
        metadata:
          name:
        spec:
          remediationAction:
          severity:
          namespaceSelector:
            exclude:
            include:
            matchLabels:
            matchExpressions:
          object-templates:
            - complianceType:
              objectDefinition:
                apiVersion: policy/v1beta1
                kind: PodSecurityPolicy
                metadata:
                  name:
                  annotations:
                    seccomp.security.alpha.kubernetes.io/allowedProfileNames:
                spec:
                  privileged:
                  allowPrivilegeEscalation:
                  allowedCapabilities:
                  volumes:
                  hostNetwork:
                  hostPorts:
                  hostIPC:
                  hostPID:
                  runAsUser:
                  seLinux:
                  supplementalGroups:
                  fsGroup:
                ...
Copy to Clipboard Toggle word wrap

4.6.2. Pod security policy table
Copy link

Expand
Table 4.4. Parameter table
FieldOptional or requiredDescription

apiVersion

Required

Set the value to policy.open-cluster-management.io/v1.

kind

Required

Set the value to Policy to indicate the type of policy.

metadata.name

Required

The name for identifying the policy resource.

metadata.namespace

Required

The namespace of the policy.

spec.remediationAction

Optional

Specifies the remediation of your policy. The parameter values are enforce and inform. This value is optional because the value overrides any values provided in spec.policy-templates.

spec.disabled

Required

Set the value to true or false. The disabled parameter provides the ability to enable and disable your policies.

spec.policy-templates[].objectDefinition

Required

Used to list configuration policies containing Kubernetes objects that must be evaluated or applied to the managed clusters.

4.6.3. Pod security policy sample
Copy link

The support of pod security policies is removed from OpenShift Container Platform and from Kubernetes v1.25 and later. If you apply a PodSecurityPolicy resource, you might receive the following non-compliant message: 

violation - couldn't find mapping resource with kind PodSecurityPolicy, please check if you have CRD deployed
Copy to Clipboard Toggle word wrap

4.7. Role policy
Copy link

The Kubernetes configuration policy controller monitors the status of role policies. Define roles in the object-template to set rules and permissions for specific roles in your cluster.

Learn more details about the role policy structure in the following sections:

4.7.1. Role policy YAML structure
Copy link

apiVersion: policy.open-cluster-management.io/v1
kind: Policy
metadata:
  name:
  namespace:
  annotations:
    policy.open-cluster-management.io/standards:
    policy.open-cluster-management.io/categories:
    policy.open-cluster-management.io/controls:
    policy.open-cluster-management.io/description:
spec:
  remediationAction:
  disabled:
  policy-templates:
    - objectDefinition:
        apiVersion: policy.open-cluster-management.io/v1
        kind: ConfigurationPolicy
        metadata:
          name:
        spec:
          remediationAction:
          severity:
          namespaceSelector:
            exclude:
            include:
            matchLabels:
            matchExpressions:
          object-templates:
            - complianceType:
              objectDefinition:
                apiVersion: rbac.authorization.k8s.io/v1
                kind: Role
                metadata:
                  name:
                rules:
                  - apiGroups:
                    resources:
                    verbs:
                ...
Copy to Clipboard Toggle word wrap

4.7.2. Role policy table
Copy link

Expand
Table 4.5. Parameter table
FieldOptional or requiredDescription

apiVersion

Required

Set the value to policy.open-cluster-management.io/v1.

kind

Required

Set the value to Policy to indicate the type of policy.

metadata.name

Required

The name for identifying the policy resource.

metadata.namespace

Required

The namespace of the policy.

spec.remediationAction

Optional

Specifies the remediation of your policy. The parameter values are enforce and inform. This value is optional because the value overrides any values provided in spec.policy-templates.

spec.disabled

Required

Set the value to true or false. The disabled parameter provides the ability to enable and disable your policies.

spec.policy-templates[].objectDefinition

Required

Used to list configuration policies containing Kubernetes objects that must be evaluated or applied to the managed clusters.

4.7.3. Role policy sample
Copy link

Apply a role policy to set rules and permissions for specific roles in your cluster. For more information on roles, see Role-based access control.

To learn how to manage role policies, refer to Creating configuration policies for more information. See the Kubernetes configuration policy controller to view other configuration policies that are monitored the controller.

4.8. Role binding policy
Copy link

The Kubernetes configuration policy controller monitors the status of your role binding policy. Apply a role binding policy to bind a policy to a namespace in your managed cluster.

Learn more details about the namespace policy structure in the following sections:

4.8.1. Role binding policy YAML structure
Copy link

apiVersion: policy.open-cluster-management.io/v1
kind: Policy
metadata:
  name:
  namespace:
  annotations:
    policy.open-cluster-management.io/standards:
    policy.open-cluster-management.io/categories:
    policy.open-cluster-management.io/controls:
    policy.open-cluster-management.io/description:
spec:
  remediationAction:
  disabled:
  policy-templates:
    - objectDefinition:
        apiVersion: policy.open-cluster-management.io/v1
        kind: ConfigurationPolicy
        metadata:
          name:
        spec:
          remediationAction:
          severity:
          namespaceSelector:
            exclude:
            include:
            matchLabels:
            matchExpressions:
          object-templates:
            - complianceType:
              objectDefinition:
                kind: RoleBinding # role binding must exist
                apiVersion: rbac.authorization.k8s.io/v1
                metadata:
                  name:
                subjects:
                - kind:
                  name:
                  apiGroup:
                roleRef:
                  kind:
                  name:
                  apiGroup:
                ...
Copy to Clipboard Toggle word wrap

4.8.2. Role binding policy table
Copy link

Expand
FieldOptional or requiredDescription

apiVersion

Required

Set the value to policy.open-cluster-management.io/v1.

kind

Required

Set the value to Policy to indicate the type of policy.

metadata.name

Required

The name for identifying the policy resource.

metadata.namespace

Required

The namespace of the policy.

spec.remediationAction

Optional

Specifies the remediation of your policy. The parameter values are enforce and inform. This value is optional since it overrides any values provided in spec.policy-templates.

spec.disabled

Required

Set the value to true or false. The disabled parameter provides the ability to enable and disable your policies.

spec.policy-templates[].objectDefinition

Required

Used to list configuration policies containing Kubernetes objects that must be evaluated or applied to the managed clusters.

4.8.3. Role binding policy sample
Copy link

For a full description of the policy YAML structure and additional fields, see the Hub cluster policy framework. Refer to Kubernetes configuration policy controller documentation to learn about other configuration policies.

4.9. Security Context Constraints policy
Copy link

The Kubernetes configuration policy controller monitors the status of your Security Context Constraints (SCC) policy. Apply an Security Context Constraints (SCC) policy to control permissions for pods by defining conditions in the policy.

Learn more details about SCC policies in the following sections:

4.9.1. SCC policy YAML structure
Copy link

apiVersion: policy.open-cluster-management.io/v1
kind: Policy
metadata:
  name:
  namespace:
  annotations:
    policy.open-cluster-management.io/standards:
    policy.open-cluster-management.io/categories:
    policy.open-cluster-management.io/controls:
    policy.open-cluster-management.io/description:
spec:
  remediationAction:
  disabled:
  policy-templates:
    - objectDefinition:
        apiVersion: policy.open-cluster-management.io/v1
        kind: ConfigurationPolicy
        metadata:
          name:
        spec:
          remediationAction:
          severity:
          namespaceSelector:
            exclude:
            include:
            matchLabels:
            matchExpressions:
          object-templates:
            - complianceType:
              objectDefinition:
                apiVersion: security.openshift.io/v1
                kind: SecurityContextConstraints
                metadata:
                  name:
                allowHostDirVolumePlugin:
                allowHostIPC:
                allowHostNetwork:
                allowHostPID:
                allowHostPorts:
                allowPrivilegeEscalation:
                allowPrivilegedContainer:
                fsGroup:
                readOnlyRootFilesystem:
                requiredDropCapabilities:
                runAsUser:
                seLinuxContext:
                supplementalGroups:
                users:
                volumes:
                ...
Copy to Clipboard Toggle word wrap

4.9.2. SCC policy table
Copy link

Expand
FieldOptional or requiredDescription

apiVersion

Required

Set the value to policy.open-cluster-management.io/v1.

kind

Required

Set the value to Policy to indicate the type of policy.

metadata.name

Required

The name for identifying the policy resource.

metadata.namespace

Required

The namespace of the policy.

spec.remediationAction

Optional

Specifies the remediation of your policy. The parameter values are enforce and inform. This value is optional since it overrides any values provided in spec.policy-templates.

spec.disabled

Required

Set the value to true or false. The disabled parameter provides the ability to enable and disable your policies.

spec.policy-templates[].objectDefinition

Required

Used to list configuration policies containing Kubernetes objects that must be evaluated or applied to the managed clusters.

For explanations on the contents of a SCC policy, see Managing Security Context Constraints from the OpenShift Container Platform documentation.

4.9.3. SCC policy sample
Copy link

Apply a Security context constraints (SCC) policy to control permissions for pods by defining conditions in the policy. For more information, see Managing Security Context Constraints.

To view the policy sample, see policy-scc.yaml. For a full description of the policy YAML structure and additional fields, see the Hub cluster policy framework documentation. Refer to Kubernetes configuration policy controller documentation to learn about other configuration policies.

4.10. ETCD encryption policy
Copy link

Apply the etcd-encryption policy to detect, or enable encryption of sensitive data in the ETCD data-store. The Kubernetes configuration policy controller monitors the status of the etcd-encryption policy. For more information, see Encrypting etcd data in the OpenShift Container Platform documentation. Note: The ETCD encryption policy only supports Red Hat OpenShift Container Platform 4 and later.

Learn more details about the etcd-encryption policy structure in the following sections:

4.10.1. ETCD encryption policy YAML structure
Copy link

Your etcd-encryption policy might resemble the following YAML file: 

apiVersion: policy.open-cluster-management.io/v1
kind: Policy
metadata:
  name:
  namespace:
  annotations:
    policy.open-cluster-management.io/standards:
    policy.open-cluster-management.io/categories:
    policy.open-cluster-management.io/controls:
    policy.open-cluster-management.io/description:
spec:
  remediationAction:
  disabled:
  policy-templates:
    - objectDefinition:
        apiVersion: policy.open-cluster-management.io/v1
        kind: ConfigurationPolicy
        metadata:
          name:
        spec:
          remediationAction:
          severity:
          object-templates:
            - complianceType:
              objectDefinition:
                apiVersion: config.openshift.io/v1
                kind: APIServer
                metadata:
                  name:
                spec:
                  encryption:
                ...
Copy to Clipboard Toggle word wrap

4.10.2. ETCD encryption policy table
Copy link

Expand
Table 4.6. Parameter table
FieldOptional or requiredDescription

apiVersion

Required

Set the value to policy.open-cluster-management.io/v1.

kind

Required

Set the value to Policy to indicate the type of policy.

metadata.name

Required

The name for identifying the policy resource.

metadata.namespace

Required

The namespace of the policy.

spec.remediationAction

Optional

Specifies the remediation of your policy. The parameter values are enforce and inform. This value is optional because it overrides any values provided in spec.policy-templates.

spec.disabled

Required

Set the value to true or false. The disabled parameter provides the ability to enable and disable your policies.

spec.policy-templates[].objectDefinition

Required

Used to list configuration policies containing Kubernetes objects that must be evaluated or applied to the managed clusters.

4.10.3. ETCD encryption policy sample
Copy link

See the Hub cluster policy framework documentation and the Kubernetes configuration policy controller to view additional details on policy and configuration policy fields.

4.11. Compliance Operator policy
Copy link

You can use the Compliance Operator to automate the inspection of numerous technical implementations and compare those against certain aspects of industry standards, benchmarks, and baselines. The Compliance Operator is not an auditor. To be compliant or certified with these various standards, you need to engage an authorized auditor such as a Qualified Security Assessor (QSA), Joint Authorization Board (JAB), or other industry recognized regulatory authority to assess your environment.

Recommendations that are generated from the Compliance Operator are based on generally available information and practices regarding such standards, and might assist you with remediations, but actual compliance is your responsibility. Work with an authorized auditor to achieve compliance with a standard.

For the latest updates, see the Compliance Operator release notes.

4.11.1. Compliance Operator policy overview
Copy link

You can install the Compliance Operator on your managed cluster by using the Compliance Operator policy. The Compliance operator policy is created as a Kubernetes configuration policy in Red Hat Advanced Cluster Management. OpenShift Container Platform supports the compliance operator policy.

Note: The Compliance operator policy relies on the OpenShift Container Platform Compliance Operator, which is not supported on the IBM Power or IBM Z architectures. See Understanding the Compliance Operator in the OpenShift Container Platform documentation for more information about the Compliance Operator.

4.11.2. Compliance operator resources
Copy link

When you create a compliance operator policy, the following resources are created:

  • A compliance operator namespace (openshift-compliance) for the operator installation: 
apiVersion: policy.open-cluster-management.io/v1
kind: ConfigurationPolicy
metadata:
  name: comp-operator-ns
spec:
  remediationAction: inform # will be overridden by remediationAction in parent policy
  severity: high
  object-templates:
    - complianceType: musthave
      objectDefinition:
        apiVersion: v1
        kind: Namespace
        metadata:
          name: openshift-compliance
Copy to Clipboard Toggle word wrap
  • An operator group (compliance-operator) to specify the target namespace: 
apiVersion: policy.open-cluster-management.io/v1
kind: ConfigurationPolicy
metadata:
  name: comp-operator-operator-group
spec:
  remediationAction: inform # will be overridden by remediationAction in parent policy
  severity: high
  object-templates:
    - complianceType: musthave
      objectDefinition:
        apiVersion: operators.coreos.com/v1
        kind: OperatorGroup
        metadata:
          name: compliance-operator
          namespace: openshift-compliance
        spec:
          targetNamespaces:
            - openshift-compliance
Copy to Clipboard Toggle word wrap
  • A subscription (comp-operator-subscription) to reference the name and channel. The subscription pulls the profile, as a container, that it supports. See the following sample, with the current version replacing 4.x: 
apiVersion: policy.open-cluster-management.io/v1
kind: ConfigurationPolicy
metadata:
  name: comp-operator-subscription
spec:
  remediationAction: inform  # will be overridden by remediationAction in parent policy
  severity: high
  object-templates:
    - complianceType: musthave
      objectDefinition:
        apiVersion: operators.coreos.com/v1alpha1
        kind: Subscription
        metadata:
          name: compliance-operator
          namespace: openshift-compliance
        spec:
          channel: "4.x"
          installPlanApproval: Automatic
          name: compliance-operator
          source: redhat-operators
          sourceNamespace: openshift-marketplace
Copy to Clipboard Toggle word wrap

After you install the compliance operator policy, the following pods are created: compliance-operator, ocp4, and rhcos4.

4.11.3. Additional resources
Copy link

4.12. E8 scan policy
Copy link

An Essential 8 (E8) scan policy deploys a scan that checks the master and worker nodes for compliance with the E8 security profiles. You must install the compliance operator to apply the E8 scan policy.

The E8 scan policy is created as a Kubernetes configuration policy in Red Hat Advanced Cluster Management. OpenShift Container Platform supports the E8 scan policy. For more information, see Managing the Compliance Operator in the OpenShift Container Platform documentation for more details.

4.12.1. E8 scan policy resources
Copy link

When you create an E8 scan policy the following resources are created:

  • A ScanSettingBinding resource (e8) to identify which profiles to scan: 

    apiVersion: policy.open-cluster-management.io/v1
kind: ConfigurationPolicy
metadata:
  name: compliance-suite-e8
spec:
  remediationAction: inform
  severity: high
  object-templates:
    - complianceType: musthave # this template checks if scan has completed by checking the status field
      objectDefinition:
        apiVersion: compliance.openshift.io/v1alpha1
        kind: ScanSettingBinding
        metadata:
          name: e8
          namespace: openshift-compliance
        profiles:
        - apiGroup: compliance.openshift.io/v1alpha1
          kind: Profile
          name: ocp4-e8
        - apiGroup: compliance.openshift.io/v1alpha1
          kind: Profile
          name: rhcos4-e8
        settingsRef:
          apiGroup: compliance.openshift.io/v1alpha1
          kind: ScanSetting
          name: default
    Copy to Clipboard Toggle word wrap

  • A ComplianceSuite resource (compliance-suite-e8) to verify if the scan is complete by checking the status field: 

    apiVersion: policy.open-cluster-management.io/v1
kind: ConfigurationPolicy
metadata:
  name: compliance-suite-e8
spec:
  remediationAction: inform
  severity: high
  object-templates:
    - complianceType: musthave # this template checks if scan has completed by checking the status field
      objectDefinition:
        apiVersion: compliance.openshift.io/v1alpha1
        kind: ComplianceSuite
        metadata:
          name: e8
          namespace: openshift-compliance
        status:
          phase: DONE
    Copy to Clipboard Toggle word wrap

  • A ComplianceCheckResult resource (compliance-suite-e8-results) which reports the results of the scan suite by checking the ComplianceCheckResult custom resources (CR): 

    apiVersion: policy.open-cluster-management.io/v1
kind: ConfigurationPolicy
metadata:
  name: compliance-suite-e8-results
spec:
  remediationAction: inform
  severity: high
  object-templates:
    - complianceType: mustnothave # this template reports the results for scan suite: e8 by looking at ComplianceCheckResult CRs
      objectDefinition:
        apiVersion: compliance.openshift.io/v1alpha1
        kind: ComplianceCheckResult
        metadata:
          namespace: openshift-compliance
          labels:
            compliance.openshift.io/check-status: FAIL
            compliance.openshift.io/suite: e8
    Copy to Clipboard Toggle word wrap

Note: Automatic remediation is supported. Set the remediation action to enforce to create ScanSettingBinding resource.

See Managing security policies for more information. Note: After your E8 policy is deleted, it is removed from your target cluster or clusters.

4.13. OpenShift CIS scan policy
Copy link

An OpenShift CIS scan policy deploys a scan that checks the master and worker nodes for compliance with the OpenShift CIS security benchmark. You must install the compliance operator to apply the OpenShift CIS policy.

The OpenShift CIS scan policy is created as a Kubernetes configuration policy in Red Hat Advanced Cluster Management. OpenShift Container Platform supports the OpenShift CIS scan policy. For more information, see Understanding the Compliance Operator in the OpenShift Container Platform documentation for more details.

4.13.1. OpenShift CIS resources
Copy link

When you create an OpenShift CIS scan policy the following resources are created:

  • A ScanSettingBinding resource (cis) to identify which profiles to scan: 

    apiVersion: policy.open-cluster-management.io/v1
kind: ConfigurationPolicy
metadata:
  name: compliance-cis-scan
spec:
  remediationAction: inform
  severity: high
  object-templates:
    - complianceType: musthave # this template creates ScanSettingBinding:cis
      objectDefinition:
        apiVersion: compliance.openshift.io/v1alpha1
        kind: ScanSettingBinding
        metadata:
          name: cis
          namespace: openshift-compliance
        profiles:
        - apiGroup: compliance.openshift.io/v1alpha1
          kind: Profile
          name: ocp4-cis
        - apiGroup: compliance.openshift.io/v1alpha1
          kind: Profile
          name: ocp4-cis-node
        settingsRef:
          apiGroup: compliance.openshift.io/v1alpha1
          kind: ScanSetting
          name: default
    Copy to Clipboard Toggle word wrap

  • A ComplianceSuite resource (compliance-suite-cis) to verify if the scan is complete by checking the status field: 

    apiVersion: policy.open-cluster-management.io/v1
kind: ConfigurationPolicy
metadata:
  name: compliance-suite-cis
spec:
  remediationAction: inform
  severity: high
  object-templates:
    - complianceType: musthave # this template checks if scan has completed by checking the status field
      objectDefinition:
        apiVersion: compliance.openshift.io/v1alpha1
        kind: ComplianceSuite
        metadata:
          name: cis
          namespace: openshift-compliance
        status:
          phase: DONE
    Copy to Clipboard Toggle word wrap

  • A ComplianceCheckResult resource (compliance-suite-cis-results) which reports the results of the scan suite by checking the ComplianceCheckResult custom resources (CR): 

    apiVersion: policy.open-cluster-management.io/v1
kind: ConfigurationPolicy
metadata:
  name: compliance-suite-cis-results
spec:
  remediationAction: inform
  severity: high
  object-templates:
    - complianceType: mustnothave # this template reports the results for scan suite: cis by looking at ComplianceCheckResult CRs
      objectDefinition:
        apiVersion: compliance.openshift.io/v1alpha1
        kind: ComplianceCheckResult
        metadata:
          namespace: openshift-compliance
          labels:
            compliance.openshift.io/check-status: FAIL
            compliance.openshift.io/suite: cis
    Copy to Clipboard Toggle word wrap

For more information on creating policies, see Managing security policies.

4.14. Image vulnerability policy
Copy link

Apply the image vulnerability policy to detect if container images have vulnerabilities by leveraging the Container Security Operator. The policy installs the Container Security Operator on your managed cluster if it is not installed.

The image vulnerability policy is checked by the Kubernetes configuration policy controller. For more information about the Security Operator, see the Container Security Operator from the Quay repository.

Notes:

  • Image vulnerability policy is not functional during a disconnected installation.
  • The Image vulnerability policy is not supported on the ARM architecture.

View the following sections to learn more:

4.14.1. Image vulnerability policy YAML structure
Copy link

When you create the container security operator policy, it involves the following policies:

  • A policy that creates the subscription (container-security-operator) to reference the name and channel. This operator policy must have spec.remediationAction set to enforce to create the resources. View the following example: 

    apiVersion: policy.open-cluster-management.io/v1beta1
kind: OperatorPolicy
metadata:
  name: operatorpolicy-imagemanifestvuln
spec:
  remediationAction: enforce
  severity: high
  complianceType: musthave
  upgradeApproval: Automatic
  subscription:
    name: container-security-operator
    namespace: openshift-operators
    source: redhat-operators
    sourceNamespace: openshift-marketplace
    Copy to Clipboard Toggle word wrap

  • An inform configuration policy to audit whether any ImageManifestVuln objects were created by the image vulnerability scans. View the following example: 

    apiVersion: policy.open-cluster-management.io/v1
kind: ConfigurationPolicy
metadata:
  name: policy-imagemanifestvuln-example-imv
spec:
  remediationAction: inform  # will be overridden by remediationAction in parent policy
  severity: high
  namespaceSelector:
    exclude: ["kube-*"]
    include: ["*"]
  object-templates:
    - complianceType: mustnothave # mustnothave any ImageManifestVuln object
      objectDefinition:
        apiVersion: secscan.quay.redhat.com/v1alpha1
        kind: ImageManifestVuln # checking for a Kind
    Copy to Clipboard Toggle word wrap

4.14.2. Image vulnerability policy sample
Copy link

For more information, see:

4.15. Red Hat OpenShift Platform Plus policy set
Copy link

Configure and apply the OpenShift Platform Plus policy set (openshift-plus) to install Red Hat OpenShift Platform Plus.

The OpenShift Platform Plus policy set contains two PolicySets that are deployed. The OpenShift Plus policy set applies multiple policies that are set to install OpenShift Platform Plus products. The Red Hat Advanced Cluster Security secured cluster services and the Compliance Operator are deployed onto all of your OpenShift Container Platform managed clusters.

4.15.1. Prerequisites
Copy link

  • Install Red Hat OpenShift Container Platform on Amazon Web Services (AWS) environment.
  • Install Red Hat Advanced Cluster Management for Kubernetes.
  • Install the Policy Generator Kustomize plugin. See the Policy Generator documentation for more information.

When you apply the policy set to the hub cluster, the following OpenShift Platform Plus components are installed:

Expand
Table 4.7. Component table
ComponentPolicyDescription

Red Hat Advanced Cluster Security

policy-acs-central-ca-bundle

Policy used to install the central server onto the Red Hat Advanced Cluster Management for Kubernetes hub cluster and the managed clusters.

policy-acs-central-status

Deployments to receive Red Hat Advanced Cluster Security status.

policy-acs-operator-central

Configuration for the Red Hat Advanced Cluster Security central operator.

policy-acs-sync-resources

Policy used to verify that the Red Hat Advanced Cluster Security resources are created.

OpenShift Container Platform

policy-advanced-managed-cluster-status

The managed hub cluster. Manager of the managed cluster.

Compliance operator

policy-compliance-operator-install

Policy used to install the Compliance operator.

Red Hat Quay

policy-config-quay

Configuration policy for Red Hat Quay.

policy-install-quay

Policy used to install Red Hat Quay.

policy-quay-status

Installed onto the Red Hat Advanced Cluster Management hub cluster.

Red Hat Advanced Cluster Management

policy-ocm-observability

Sets up the Red Hat Advanced Cluster Management observability service.

Red Hat OpenShift Data Platform

policy-odf

Available storage for the hub cluster components that is used by Red Hat Advanced Cluster Management observability and Quay.

policy-odf-status

Policy used to configure the Red Hat OpenShift Data Platform status.

4.15.3. Additional resources
Copy link

4.16. Managing security policies
Copy link

Create a security policy to report and validate your cluster compliance based on your specified security standards, categories, and controls.

View the following sections:

4.16.1. Creating a security policy
Copy link

You can create a security policy from the command line or from the console.

Required access: Cluster administrator

Important: * You must define a placement and placement binding to apply your policy to a specific cluster. The PlacementBinding resource binds the placement. Enter a valid value for the cluster Label selector field to define a Placement and PlacementBinding resource. * In order to use a Placement resource, a ManagedClusterSet resource must be bound to the namespace of the Placement resource with a ManagedClusterSetBinding resource. Refer to Creating a ManagedClusterSetBinding resource for additional details.

Complete the following steps to create a policy from the command line:

  1. Create a policy by running the following command: 

    oc create -f policy.yaml -n <policy-namespace>
    Copy to Clipboard Toggle word wrap

  2. Define the template that the policy uses. Edit your YAML file by adding a policy-templates field to define a template. Your policy might resemble the following YAML file: 

    apiVersion: policy.open-cluster-management.io/v1
kind: Policy
metadata:
  name: policy1
spec:
  remediationAction: "enforce" # or inform
  disabled: false # or true
  namespaceSelector:
    include:
    - "default"
    - "my-namespace"
  policy-templates:
    - objectDefinition:
        apiVersion: policy.open-cluster-management.io/v1
        kind: ConfigurationPolicy
        metadata:
          name: operator
          # namespace: # will be supplied by the controller via the namespaceSelector
        spec:
          remediationAction: "inform"
          object-templates:
          - complianceType: "musthave" # at this level, it means the role must exist and must have the following rules
            apiVersion: rbac.authorization.k8s.io/v1
            kind: Role
            metadata:
              name: example
            objectDefinition:
              rules:
                - complianceType: "musthave" # at this level, it means if the role exists the rule is a musthave
                  apiGroups: ["extensions", "apps"]
                  resources: ["deployments"]
                  verbs: ["get", "list", "watch", "create", "delete","patch"]
    Copy to Clipboard Toggle word wrap

  3. Define a PlacementBinding resource to bind your policy to your Placement resource. Your PlacementBinding resource might resemble the following YAML sample: 

    apiVersion: policy.open-cluster-management.io/v1
kind: PlacementBinding
metadata:
  name: binding1
placementRef:
  name: placement1
  apiGroup: cluster.open-cluster-management.io
  kind: Placement
subjects:
- name: policy1
  apiGroup: policy.open-cluster-management.io
  kind: Policy
    Copy to Clipboard Toggle word wrap

Complete the following steps to view your security policy from the command line:

  1. View details for a specific security policy by running the following command: 

    oc get policies.policy.open-cluster-management.io <policy-name> -n <policy-namespace> -o yaml
    Copy to Clipboard Toggle word wrap

  2. View a description of your security policy by running the following command: 

    oc describe policies.policy.open-cluster-management.io <policy-name> -n <policy-namespace>
    Copy to Clipboard Toggle word wrap

After you log in to your Red Hat Advanced Cluster Management, navigate to the Governance page and click Create policy. As you create your new policy from the console, a YAML file is also created in the YAML editor. To view the YAML editor, select the toggle at the beginning of the Create policy form to enable it.

  1. Complete the Create policy form, then select the Submit button. Your YAML file might resemble the following policy: 

    apiVersion: policy.open-cluster-management.io/v1
kind: Policy
metadata:
  name: policy-pod
  annotations:
    policy.open-cluster-management.io/categories: 'SystemAndCommunicationsProtections,SystemAndInformationIntegrity'
    policy.open-cluster-management.io/controls: 'control example'
    policy.open-cluster-management.io/standards: 'NIST,HIPAA'
    policy.open-cluster-management.io/description:
spec:
  complianceType: musthave
  namespaces:
    exclude: ["kube*"]
    include: ["default"]
    pruneObjectBehavior: None
  object-templates:
  - complianceType: musthave
    objectDefinition:
      apiVersion: v1
      kind: Pod
      metadata:
        name: pod1
      spec:
        containers:
        - name: pod-name
          image: 'pod-image'
          ports:
          - containerPort: 80
  remediationAction: enforce
  disabled: false
    Copy to Clipboard Toggle word wrap

    See the following PlacementBinding example: 

    apiVersion: policy.open-cluster-management.io/v1
kind: PlacementBinding
metadata:
  name: binding-pod
placementRef:
  name: placement-pod
  kind: Placement
  apiGroup: cluster.open-cluster-management.io
subjects:
- name: policy-pod
  kind: Policy
  apiGroup: policy.open-cluster-management.io
    Copy to Clipboard Toggle word wrap

    See the following Placement example: 

    apiVersion: cluster.open-cluster-management.io/v1beta1
 kind: Placement
 metadata:
   name: placement-pod
spec:
  predicates:
  - requiredClusterSelector:
      labelSelector:
        matchLabels:
          cloud: "IBM"
    tolerations:
        - key: cluster.open-cluster-management.io/unavailable
          operator: Exists
        - key: cluster.open-cluster-management.io/unreachable
          operator: Exists
    Copy to Clipboard Toggle word wrap
  2. Optional: Add a description for your policy.
  3. Click Create Policy. A security policy is created from the console.

View any security policy and the status from the console.

  1. Navigate to the Governance page to view a table list of your policies. Note: You can filter the table list of your policies by selecting the Policies tab or Cluster violations tab.
  2. Select one of your policies to view more details. The Details, Clusters, and Templates tabs are displayed. When the cluster or policy status cannot be determined, the following message is displayed: No status.
  3. Alternatively, select the Policies tab to view the list of policies. Expand a policy row to view the Description, Standards, Controls, and Categories details.

By default, the policy set is created with no policies or placements. You must create a placement for the policy set and have at least one policy that exists on your cluster. When you create a policy set, you can add numerous policies.

Run the following command to create a policy set from the command line: 

oc apply -f <policyset-filename>
Copy to Clipboard Toggle word wrap

4.16.1.4. Creating policy sets from the console
Copy link

  1. From the navigation menu, select Governance.
  2. Select the Policy sets tab.
  3. Select the Create policy set button and complete the form.
  4. Add the details for your policy set and select the Submit button.

Your policy is listed from the policy table.

4.16.2. Updating security policies
Copy link

Learn to update security policies.

  1. Run the following command to edit your policy set: 

    oc edit policysets <your-policyset-name>
    Copy to Clipboard Toggle word wrap
  2. Add the policy name to the list in the policies section of the policy set.
  3. Apply your added policy in the placement section of your policy set with the following command: 
oc apply -f <your-added-policy.yaml>
Copy to Clipboard Toggle word wrap

PlacementBinding and Placement are both created.

Note: If you delete the placement binding, the policy is still placed by the policy set.

  1. Add a policy to the policy set by selecting the Policy sets tab.
  2. Select the Actions icon and select Edit. The Edit policy set form appears.
  3. Navigate to the Policies section of the form to select a policy to add to the policy set.

4.16.2.3. Disabling security policies
Copy link

Your policy is enabled by default. Disable your policy from the console.

After you log in to your Red Hat Advanced Cluster Management for Kubernetes console, navigate to the Governance page to view a table list of your policies.

Select the Actions icon > Disable policy. The Disable Policy dialog box appears.

Click Disable policy. Your policy is disabled.

4.16.3. Deleting a security policy
Copy link

Delete a security policy from the command line or the console.

Use the following procedure to delete from the command line:

  1. Delete a security policy by running the following command: 

    oc delete policies.policy.open-cluster-management.io <policy-name> -n <policy-namespace>
    Copy to Clipboard Toggle word wrap
  2. Verify that your policy is removed by running the following command: oc get policies.policy.open-cluster-management.io <policy-name> -n <policy-namespace>

Use the following procedure to delete a security policy from the console.

  1. From the navigation menu, click Governance to view a table list of your policies.
  2. Click the Actions icon for the policy you want to delete in the policy violation table.
  3. Click Remove.
  4. From the Remove policy dialog box, click Remove policy.

4.16.3.1. Deleting policy sets from the console
Copy link

  1. From the Policy sets tab, select the Actions icon for the policy set. When you click Delete, the Permanently delete Policyset? dialogue box appears.
  2. Click the Delete button.

Use the pruneObjectBehavior parameter in a configuration policy to clean up resources that are created by the policy. When pruneObjectBehavior is set, the related objects are only cleaned up after the configuration policy (or parent policy) associated with them is deleted.

View the following descriptions of the values that can be used for the parameter:

  • DeleteIfCreated: Cleans up any resources created by the policy.
  • DeleteAll: Cleans up all resources managed by the policy.
  • None: This is the default value and maintains the same behavior from previous releases, where no related resources are deleted.

You can set the value directly in the YAML file as you create a policy from the command line.

From the console, you can select the value in the Prune Object Behavior section of the Policy templates step.

Notes:

  • If a policy that installs an operator has the pruneObjectBehavior parameter defined, then additional clean up is needed to complete the operator uninstall. You might need to delete the operator ClusterServiceVersion object as part of this cleanup.
  • As you disable the config-policy-addon resource on the managed cluster, the pruneObjbectBehavior is ignored. To automatically clean up the related resources on the policies, you must remove the policies from the managed cluster before the add-on is disabled.

4.16.5. Policy command-line tool
Copy link

With the policytools command-line tool, you can interact with policies locally to help with creating and debugging. The policytools command-line tool is available for download from the hub cluster console. See Command line tools.

template-resolver

The template-resolver is a subcommand for policytools that resolves managed cluster and hub cluster templates that are embedded in policies. The template-resolver reads from either a file, or from standard input.

To resolve a policy with hub cluster templates, you must provide the --cluster-name argument with the name of a managed cluster that is imported into Red Hat Advanced Cluster Management, and you must provide the --hub-kubeconfig argument with the path to a kubeconfig file that references the hub cluster.

If the input policy uses the .ObjectName or .ObjectNamespace template variables, you need to set the values with the --object-name and --object-namespace arguments.

The template-resolver subcommand connects to the managed cluster and hub cluster to retrieve information that is necessary to resolve the templates. Provide paths by using the --save-resources and --save-hub-resources arguments to save the resources that the template-resolver retrieves. Those saved files can be used as inputs for the dryrun subcommand.

Technology Preview: The policytools command-line interface introduces a --lint argument for the template-resolver subcommand to print any linting issues, along with the resolved Go templates from the input policy.

dryrun

The dryrun is a subcommand for policytools that evaluates a ConfigurationPolicy resource locally by using static input resources for the cluster state.

To run a policy, add the path to the ConfigurationPolicy YAML by using the --policy flag. You can provide additional resource YAML files, which are used as the current cluster state. For example, if your policy defines a specific configuration for a namespace, provide the current namespace state to see what the policy does. Multiple resources can be in the same resource file.

To evaluate a policy against the current state of a live cluster, use the --from-cluster flag or set the DRYRUN_FROM_CLUSTER environment variable to true.

The dryrun subcommand reads the current state of resources directly from the cluster that you configured in your kubeconfig file or from the cluster that is specified by the KUBECONFIG environment variable. In both these scenarios, the dryun subcommand does not gather information from the resource files.

When you enable the --from-cluster flag, it ignores any YAML resource files that are provided as input. Enabling the --from-cluster flag allows you to test a policy against your actual cluster state without manually exporting and supporting resource files.

+ By default, dryrun prints the differences between the desired states of objects that are defined in the policy and the current state of those resources, as well as compliance messages that the ConfigurationPolicy creates.

To save the compliance messages to a separate file, use the --messages-path argument. To save the full policy status, including additional information about the related objects, use the --status-path argument.

+ If the policy is NonCompliant based on the input, the tool returns a non-zero exit code. To compare the resulting status against a known status, use the --desired-status argument. For example, to verify that the policy reports a missing resource, provide a YAML file with the missing resource inside a .relatedObjects list. To verify that the policy is NonCompliant, create a YAML file with the compliant: NonCompliant line.

4.16.6. Additional resources
Copy link

You might need to deploy Red Hat Advanced Cluster Management for Kubernetes policies on Red Hat OpenShift Container Platform clusters that are not connected to the internet (disconnected). If the policies you deploy are used to deploy policies that install an Operator Lifecycle Manager operator, you must follow the procedure for Mirroring an Operator catalog.

Complete the following steps to validate access to the operator images:

  1. See Verify required packages are available to validate that packages you require to use with policies are available. You must validate availability for each image registry used by any managed cluster that the following policies are deployed to:

    • container-security-operator
    • Deprecated: gatekeeper-operator-product
    • compliance-operator

  2. See Configure image content source policies to validate that the sources are available. The image content source policies must exist on each of the disconnected managed clusters and can be deployed using a policy to simplify the process. See the following table of image source locations:

    Expand
    Governance policy typeImage source location

    Container security

    registry.redhat.io/quay

    Compliance

    registry.redhat.io/compliance

    Gatekeeper

    registry.redhat.io/rhacm2

Continue reading for guidance to apply the Red Hat Openshift Platform Plus policy set. When you apply the Red Hat OpenShift policy set, the Red Hat Advanced Cluster Security secured cluster services and the Compliance Operator are deployed onto all of your OpenShift Container Platform managed clusters.

4.16.8.1. Prerequisites
Copy link

Complete the following steps before you apply the policy set:

  1. To allow for subscriptions to be applied to your cluster, you must apply the policy-configure-subscription-admin-hub.yaml policy and set the remediation action to enforce. Copy and paste the following YAML into the YAML editor of the console: 

    apiVersion: policy.open-cluster-management.io/v1
kind: Policy
metadata:
  name: policy-configure-subscription-admin-hub
  annotations:
    policy.open-cluster-management.io/standards: NIST SP 800-53
    policy.open-cluster-management.io/categories: CM Configuration Management
    policy.open-cluster-management.io/controls: CM-2 Baseline Configuration
spec:
  remediationAction: inform
  disabled: false
  policy-templates:
    - objectDefinition:
        apiVersion: policy.open-cluster-management.io/v1
        kind: ConfigurationPolicy
        metadata:
          name: policy-configure-subscription-admin-hub
        spec:
          remediationAction: inform
          severity: low
          object-templates:
            - complianceType: musthave
              objectDefinition:
                apiVersion: rbac.authorization.k8s.io/v1
                kind: ClusterRole
                metadata:
                  name: open-cluster-management:subscription-admin
                rules:
                - apiGroups:
                  - app.k8s.io
                  resources:
                  - applications
                  verbs:
                  - '*'
                - apiGroups:
                  - apps.open-cluster-management.io
                  resources:
                  - '*'
                  verbs:
                  - '*'
                - apiGroups:
                  - ""
                  resources:
                  - configmaps
                  - secrets
                  - namespaces
                  verbs:
                  - '*'
            - complianceType: musthave
              objectDefinition:
                apiVersion: rbac.authorization.k8s.io/v1
                kind: ClusterRoleBinding
                metadata:
                  name: open-cluster-management:subscription-admin
                roleRef:
                  apiGroup: rbac.authorization.k8s.io
                  kind: ClusterRole
                  name: open-cluster-management:subscription-admin
                subjects:
                - apiGroup: rbac.authorization.k8s.io
                  kind: User
                  name: kube:admin
                - apiGroup: rbac.authorization.k8s.io
                  kind: User
                  name: system:admin
---
apiVersion: policy.open-cluster-management.io/v1
kind: PlacementBinding
metadata:
  name: binding-policy-configure-subscription-admin-hub
placementRef:
  name: placement-policy-configure-subscription-admin-hub
  kind: Placement
  apiGroup: cluster.open-cluster-management.io
subjects:
- name: policy-configure-subscription-admin-hub
  kind: Policy
  apiGroup: policy.open-cluster-management.io
---
apiVersion: cluster.open-cluster-management.io/v1beta1
kind: Placement
metadata:
  name: placement-policy-configure-subscription-admin-hub
spec:
  predicates:
  - requiredClusterSelector:
      labelSelector:
        matchExpressions:
        - {key: name, operator: In, values: ["local-cluster"]}
    tolerations:
        - key: cluster.open-cluster-management.io/unavailable
          operator: Exists
        - key: cluster.open-cluster-management.io/unreachable
          operator: Exists
    Copy to Clipboard Toggle word wrap

  2. To apply the previous YAML from the command line interface, run the following command: 

    oc apply -f policy-configure-subscription-admin-hub.yaml
    Copy to Clipboard Toggle word wrap
  3. Install the Policy Generator kustomize plugin. Use Kustomize v4.5 or newer. See Generating a policy to install an Operator.

  4. Policies are installed to the policies namespace. You must bind that namespace to a ClusterSet. For example, copy and apply the following example YAML to bind the namespace to the default ClusterSet: 

    apiVersion: cluster.open-cluster-management.io/v1beta2
kind: ManagedClusterSetBinding
metadata:
    name: default
    namespace: policies
spec:
    clusterSet: default
    Copy to Clipboard Toggle word wrap

  5. Run the following command to apply the ManagedClusterSetBinding resource from the command line interface: 

    oc apply -f managed-cluster.yaml
    Copy to Clipboard Toggle word wrap

After you meet the prerequisite requirements, you can apply the policy set.

  1. Use the openshift-plus/policyGenerator.yaml file that includes the prerequisite configuration for Red Hat OpenShift Plus.

  2. Apply the policies to your hub cluster by using the kustomize command: 

    kustomize build --enable-alpha-plugins  | oc apply -f -
    Copy to Clipboard Toggle word wrap

    Note: For any components of OpenShift Platform Plus that you do not want to install, edit the policyGenerator.yaml file and remove or comment out the policies for those components.

4.16.8.3. Additional resources
Copy link

To install Operator Lifecycle Manager (OLM) managed operators on your managed clusters, use an OperatorPolicy policy template in a Policy definition.

See the following operator policy sample that installs the latest Quay operator in the stable channel using the Red Hat operator catalog: 

apiVersion: policy.open-cluster-management.io/v1
kind: Policy
metadata:
  name: install-quay
  namespace: open-cluster-management-global-set
spec:
  disabled: false
  policy-templates:
    - objectDefinition:
        apiVersion: policy.open-cluster-management.io/v1beta1
        kind: OperatorPolicy
        metadata:
          name: install-quay
        spec:
          remediationAction: enforce
          severity: critical
          complianceType: musthave
          upgradeApproval: None
          subscription:
            channel: <stable-version>
            name: quay-operator
            source: redhat-operators
            sourceNamespace: openshift-marketplace
Copy to Clipboard Toggle word wrap

After you add the OperatorPolicy policy template, the operatorGroup and subscription objects are created on the cluster by using the controller. As a result, the rest of the installation is completed by OLM. You can view the health of owned resources in the .status.Conditions and .status.relatedObjects fields of the OperatorPolicy resource on your managed cluster.

To verify the operator policy status, run the following command on your managed cluster: 

oc -n <managed cluster namespace> get operatorpolicy install-quay
Copy to Clipboard Toggle word wrap

4.16.9.2. Additional resources
Copy link

See Operator policy controller

Red Hat logoGithubredditYoutubeTwitter

Learn

Try, buy, & sell

Communities

About Red Hat Documentation

We help Red Hat users innovate and achieve their goals with our products and services with content they can trust. Explore our recent updates.

Making open source more inclusive

Red Hat is committed to replacing problematic language in our code, documentation, and web properties. For more details, see the Red Hat Blog.

About Red Hat

We deliver hardened solutions that make it easier for enterprises to work across platforms and environments, from the core datacenter to the network edge.

Theme

© 2026 Red HatBack to top