Ce contenu n'est pas disponible dans la langue sélectionnée.

Chapter 4. Integrate third-party policy controllers

Integrate third-party policies to create custom annotations within the policy templates to specify one or more compliance standards, control categories, and controls.

You can also use the third-party party policies from the policy-collection/community.

Learn to integrate the following third-party policies:

4.1. Policy Generator

The Policy Generator is a part of the Red Hat Advanced Cluster Management for Kubernetes application lifecycle subscription GitOps workflow that generates Red Hat Advanced Cluster Management policies using Kustomize. The Policy Generator builds Red Hat Advanced Cluster Management policies from Kubernetes manifest YAML files, which are provided through a PolicyGenerator manifest YAML file that is used to configure it. The Policy Generator is implemented as a Kustomize generator plug-in. For more information on Kustomize, read the Kustomize documentation.

View the following sections for more information:

4.1.1. Policy Generator capabilities

The Policy Generator and its integration with the Red Hat Advanced Cluster Management application lifecycle subscription GitOps workflow simplifies the distribution of Kubernetes resource objects to managed OpenShift Container Platform clusters, and Kubernetes clusters through Red Hat Advanced Cluster Management policies.

Use the Policy Generator to complete the following actions:

Convert any Kubernetes manifest files to Red Hat Advanced Cluster Management configuration policies, including manifests that are created from a Kustomize directory.
Patch the input Kubernetes manifests before they are inserted into a generated Red Hat Advanced Cluster Management policy.
Generate additional configuration policies so you can report on Gatekeeper policy violations through Red Hat Advanced Cluster Management for Kubernetes.
Generate policy sets on the hub cluster.

4.1.2. Policy Generator configuration structure

The Policy Generator is a Kustomize generator plug-in that is configured with a manifest of the PolicyGenerator kind and policy.open-cluster-management.io/v1 API version.

To use the plug-in, start by adding a generators section in a kustomization.yaml file. View the following example:

generators:
  - policy-generator-config.yaml

The policy-generator-config.yaml file that is referenced in the previous example is a YAML file with the instructions of the policies to generate. A simple PolicyGenerator configuration file might resemble the following example:

apiVersion: policy.open-cluster-management.io/v1
kind: PolicyGenerator
metadata:
  name: config-data-policies
policyDefaults:
  namespace: policies
  policySets: []
policies:
  - name: config-data
    manifests:
      - path: configmap.yaml

The configmap.yaml represents a Kubernetes manifest YAML file to be included in the policy. Alternatively, you can set the path to a Kustomize directory, or a directory with multiple Kubernetes manifest YAML files. View the following example:

apiVersion: v1
kind: ConfigMap
metadata:
  name: my-config
  namespace: default
data:
  key1: value1
  key2: value2

The generated Policy, along with the generated Placement and PlacementBinding might resemble the following example:

apiVersion: cluster.open-cluster-management.io/v1beta1
kind: Placement
metadata:
  name: placement-config-data
  namespace: policies
spec:
  predicates:
  - requiredClusterSelector:
      labelSelector:
        matchExpressions: []
---
apiVersion: policy.open-cluster-management.io/v1
kind: PlacementBinding
metadata:
  name: binding-config-data
  namespace: policies
placementRef:
  apiGroup: cluster.open-cluster-management.io
  kind: Placement
  name: placement-config-data
subjects:
- apiGroup: policy.open-cluster-management.io
  kind: Policy
  name: config-data
---
apiVersion: policy.open-cluster-management.io/v1
kind: Policy
metadata:
  annotations:
    policy.open-cluster-management.io/categories: CM Configuration Management
    policy.open-cluster-management.io/controls: CM-2 Baseline Configuration
    policy.open-cluster-management.io/standards: NIST SP 800-53
    policy.open-cluster-management.io/description:
  name: config-data
  namespace: policies
spec:
  disabled: false
  policy-templates:
  - objectDefinition:
      apiVersion: policy.open-cluster-management.io/v1
      kind: ConfigurationPolicy
      metadata:
        name: config-data
      spec:
        object-templates:
        - complianceType: musthave
          objectDefinition:
            apiVersion: v1
            data:
              key1: value1
              key2: value2
            kind: ConfigMap
            metadata:
              name: my-config
              namespace: default
        remediationAction: inform
        severity: low

4.1.3. Policy Generator configuration reference table

Note that all the fields in the policyDefaults section except for namespace can be overridden for each policy, and all the fields in the policySetDefaults section can be overridden for each policy set.

Table 4.1. Parameter table
Field	Optional or required	Description
`apiVersion`	Required	Set the value to `policy.open-cluster-management.io/v1`.
`kind`	Required	Set the value to `PolicyGenerator` to indicate the type of policy.
`metadata.name`	Required	The name for identifying the policy resource.
`placementBindingDefaults.name`	Optional	If multiple policies use the same placement, this name is used to generate a unique name for the resulting `PlacementBinding`, binding the placement with the array of policies that reference it.
`policyDefaults`	Required	Any default value listed here is overridden by an entry in the policies array except for `namespace`.
`policyDefaults.namespace`	Required	The namespace of all the policies.
`policyDefaults.complianceType`	Optional	Determines the policy controller behavior when comparing the manifest to objects on the cluster. The values that you can use are `musthave`, `mustonlyhave`, or `mustnothave`. The default value is `musthave`.
`policyDefaults.metadataComplianceType`	Optional	Overrides `complianceType` when comparing the manifest metadata section to objects on the cluster. The values that you can use are `musthave`, and `mustonlyhave`. The default value is empty (`{}`) to avoid overriding the `complianceType` for metadata.
`policyDefaults.categories`	Optional	Array of categories to be used in the `policy.open-cluster-management.io/categories` annotation. The default value is `CM Configuration Management`.
`policyDefaults.controls`	Optional	Array of controls to be used in the `policy.open-cluster-management.io/controls` annotation. The default value is `CM-2 Baseline Configuration`.
`policyDefaults.standards`	Optional	An array of standards to be used in the `policy.open-cluster-management.io/standards` annotation. The default value is `NIST SP 800-53`.
`policyDefaults.policyAnnotations`	Optional	Annotations that the policy includes in the `metadata.annotations` section. It is applied for all policies unless specified in the policy. The default value is empty (`{}`).
`policyDefaults.configurationPolicyAnnotations`	Optional	Key-value pairs of annotations to set on generated configuration policies. For example, you can disable policy templates by defining the following parameter: `{"policy.open-cluster-management.io/disable-templates": "true"}`. The default value is empty (`{}`).
`policyDefaults.copyPolicyMetadata`	Optional	Copies the labels and annotations for all policies and adds them to a replica policy. Set to `true` by default. If set to `false`, only the policy framework specific policy labels and annotations are copied to the replicated policy.
`policyDefaults.severity`	Optional	The severity of the policy violation. The default value is `low`.
`policyDefaults.disabled`	Optional	Whether the policy is disabled, meaning it is not propagated and no status as a result. The default value is `false` to enable the policy.
`policyDefaults.remediationAction`	Optional	The remediation mechanism of your policy. The parameter values are `enforce` and `inform`. The default value is `inform`.
`policyDefaults.namespaceSelector`	Required for namespaced objects that do not have a namespace specified	Determines namespaces in the managed cluster that the object is applied to. The `include` and `exclude` parameters accept file path expressions to include and exclude namespaces by name. The `matchExpressions` and `matchLabels` parameters specify namespaces to include by label. Read the Kubernetes labels and selectors documentation. The resulting list is compiled by using the intersection of results from all parameters.
`policyDefaults.evaluationInterval`	Optional	Use the parameters `compliant` and `noncompliant` to specify the frequency for a policy to be evaluated when in a particular compliance state. When managed clusters have low CPU resources, the evaluation interval can be increased to reduce CPU usage on the Kubernetes API. These are in the format of durations. For example, `"1h25m3s"` represents 1 hour, 25 minutes, and 3 seconds. These can also be set to "never" to avoid evaluating the policy after it has become a particular compliance state.
`policyDefaults.pruneObjectBehavior`	Optional	Determines whether objects created or monitored by the policy should be deleted when the policy is deleted. Pruning only takes place if the remediation action of the policy has been set to `enforce`. Example values are `DeleteIfCreated`, `DeleteAll`, or `None`. The default value is `None`.
`policyDefaults.recordDiff`	Optional	Specifies if and where to log the difference between the object on the cluster and the `objectDefinition` in the policy. Set to `Log` to log the difference in the controller logs or `None` to not log the difference. By default, this parameter is empty to not log the difference.
`policyDefaults.dependencies`	Optional	A list of objects that must be in specific compliance states before this policy is applied. Cannot be specified when `policyDefaults.orderPolicies` is set to `true`.
`policyDefaults.dependencies[].name`	Required	The name of the object being depended on.
`policyDefaults.dependencies[].namespace`	Optional	The namespace of the object being depended on. The default is the namespace of policies set for the Policy Generator.
`policyDefaults.dependencies[].compliance`	Optional	The compliance state the object needs to be in. The default value is `Compliant`.
`policyDefaults.dependencies[].kind`	Optional	The kind of the object. By default, the kind is set to `Policy`, but can also be other kinds that have compliance state, such as `ConfigurationPolicy`.
`policyDefaults.dependencies[].apiVersion`	Optional	The API version of the object. The default value is `policy.open-cluster-management.io/v1`.
`policyDefaults.description`	Optional	The description of the policy you want to create.
`policyDefaults.extraDependencies`	Optional	A list of objects that must be in specific compliance states before this policy is applied. The dependencies that you define are added to each policy template (for example, `ConfigurationPolicy`) separately from the `dependencies` list. Cannot be specified when `policyDefaults.orderManifests` is set to `true`.
`policyDefaults.extraDependencies[].name`	Required	The name of the object being depended on.
`policyDefaults.extraDependencies[].namespace`	Optional	The namespace of the object being depended on. By default, the value is set to the namespace of policies set for the Policy Generator.
`policyDefaults.extraDependencies[].compliance`	Optional	The compliance state the object needs to be in. The default value is `Compliant`.
`policyDefaults.extraDependencies[].kind`	Optional	The kind of the object. The default value is to `Policy`, but can also be other kinds that have a compliance state, such as `ConfigurationPolicy`.
`policyDefaults.extraDependencies[].apiVersion`	Optional	The API version of the object. The default value is `policy.open-cluster-management.io/v1`.
`policyDefaults.ignorePending`	Optional	Bypass compliance status checks when the Policy Generator is waiting for its dependencies to reach their desired states. The default value is `false`.
`policyDefaults.orderPolicies`	Optional	Automatically generate `dependencies` on the policies so they are applied in the order you defined in the policies list. By default, the value is set to `false`. Cannot be specified at the same time as `policyDefaults.dependencies`.
`policyDefaults.orderManifests`	Optional	Automatically generate `extraDependencies` on policy templates so that they are applied in the order you defined in the manifests list for that policy. Cannot be specified when `policyDefaults.consolidateManifests` is set to `true`. Cannot be specified at the same time as `policyDefaults.extraDependencies`.
`policyDefaults.consolidateManifests`	Optional	This determines if a single configuration policy is generated for all the manifests being wrapped in the policy. If set to `false`, a configuration policy per manifest is generated. The default value is `true`.
`policyDefaults.informGatekeeperPolicies` (Deprecated)	Optional	Set `informGatekeeperPolicies` to false to use Gatekeeper manifests directly without defining it in a configuration policy. When the policy references a violated Gatekeeper policy manifest, an additional configuration policy is generated in order to receive policy violations in Red Hat Advanced Cluster Management. The default value is `true`.
`policyDefaults.informKyvernoPolicies`	Optional	When the policy references a Kyverno policy manifest, this determines if an additional configuration policy is generated to receive policy violations in Red Hat Advanced Cluster Management, when the Kyverno policy is violated. The default value is `true`.
`policyDefaults.policyLabels`	Optional	Labels that the policy includes in its `metadata.labels` section. The `policyLabels` parameter is applied for all policies unless specified in the policy.
`policyDefaults.policySets`	Optional	Array of policy sets that the policy joins. Policy set details can be defined in the `policySets` section. When a policy is part of a policy set, a placement binding is not generated for the policy since one is generated for the set. Set `policies[].generatePlacementWhenInSet` or `policyDefaults.generatePlacementWhenInSet` to override `policyDefaults.policySets`.
`policyDefaults.generatePolicyPlacement`	Optional	Generate placement manifests for policies. Set to `true` by default. When set to `false`, the placement manifest generation is skipped, even if a placement is specified.
`policyDefaults.generatePlacementWhenInSet`	Optional	When a policy is part of a policy set, by default, the generator does not generate the placement for this policy since a placement is generated for the policy set. Set `generatePlacementWhenInSet` to `true` to deploy the policy with both policy placement and policy set placement. The default value is `false`.
`policyDefaults.placement`	Optional	The placement configuration for the policies. This defaults to a placement configuration that matches all clusters.
`policyDefaults.placement.name`	Optional	Specifying a name to consolidate placements that contain the same cluster label selectors.
`policyDefaults.placement.labelSelector`	Optional	Specify a placement by defining a cluster label selector using either `key:value`, or providing a `matchExpressions`, `matchLabels`, or both, with appropriate values. See `placementPath` to specify an existing file.
`policyDefaults.placement.placementName`	Optional	Define this parameter to use a placement that already exists on the cluster. A `Placement` is not created, but a `PlacementBinding` binds the policy to this `Placement`.
`policyDefaults.placement.placementPath`	Optional	To reuse an existing placement, specify the path relative to the location of the `kustomization.yaml` file. If provided, this placement is used by all policies by default. See `labelSelector` to generate a new `Placement`.
`policyDefaults.placement.clusterSelector` (Deprecated)	Optional	`PlacementRule` is deprecated. Use `labelSelector` instead to generate a placement. Specify a placement rule by defining a cluster selector using either `key:value` or by providing `matchExpressions`, `matchLabels`, or both, with appropriate values. See `placementRulePath` to specify an existing file.
`policyDefaults.placement.placementRuleName` (Deprecated)	Optional	`PlacementRule` is deprecated. Alternatively, use `placementName` to specify a placement. To use an existing placement rule on the cluster, specify the name for this parameter. A `PlacementRule` is not created, but a `PlacementBinding` binds the policy to the existing `PlacementRule`.
`policyDefaults.placement.placementRulePath` (Deprecated)	Optional	`PlacementRule` is deprecated. Alternatively, use `placementPath` to specify a placement. To reuse an existing placement rule, specify the path relative to the location of the `kustomization.yaml` file. If provided, this placement rule is used by all policies by default. See `clusterSelector` to generate a new `PlacementRule`.
`policySetDefaults`	Optional	Default values for policy sets. Any default value listed for this parameter is overridden by an entry in the `policySets` array.
`policySetDefaults.placement`	Optional	The placement configuration for the policies. This defaults to a placement configuration that matches all clusters. See `policyDefaults.placement` for description of this field.
`policySetDefaults.generatePolicySetPlacement`	Optional	Generate placement manifests for policy sets. Set to `true` by default. When set to `false` the placement manifest generation is skipped, even if a placement is specified.
`policies`	Required	The list of policies to create along with overrides to either the default values, or the values that are set in `policyDefaults`. See `policyDefaults` for additional fields and descriptions.
`policies.description`	Optional	The description of the policy you want to create.
`policies[].name`	Required	The name of the policy to create.
`policies[].manifests`	Required	The list of Kubernetes object manifests to include in the policy, along with overrides to either the default values, the values set in this `policies` item, or the values set in `policyDefaults`. See `policyDefaults` for additional fields and descriptions. When `consolidateManifests` is set to `true`, only `complianceType`, `metadataComplianceType`, and `recordDiff` can be overridden at the `policies[].manifests` level.
`policies[].manifests[].path`	Required	Path to a single file, a flat directory of files, or a Kustomize directory relative to the `kustomization.yaml` file. If the directory is a Kustomize directory, the generator runs Kustomize against the directory before generating the policies. If there is a requirement to process Helm charts for the Kustomize directory, set `POLICY_GEN_ENABLE_HELM` to `"true"` in the environment where the policy generator is running to enable Helm for the policy generator.
`policies[].manifests[].patches`	Optional	A list of Kustomize patches to apply to the manifest at the path. If there are multiple manifests, the patch requires the `apiVersion`, `kind`, `metadata.name`, and `metadata.namespace` (if applicable) fields to be set so Kustomize can identify the manifest that the patch applies to. If there is a single manifest, the `metadata.name` and `metadata.namespace` fields can be patched.
`policies.policyLabels`	Optional	Labels that the policy includes in its `metadata.labels` section. The `policyLabels` parameter is applied for all policies unless specified in the policy.
`policySets`	Optional	The list of policy sets to create, along with overrides to either the default values or the values that are set in `policySetDefaults`. To include a policy in a policy set, use `policyDefaults.policySets`, `policies[].policySets`, or `policySets.policies`. See `policySetDefaults` for additional fields and descriptions.
`policySets[].name`	Required	The name of the policy set to create.
`policySets[].description`	Optional	The description of the policy set to create.
`policySets[].policies`	Optional	The list of policies to be included in the policy set. If `policyDefaults.policySets` or `policies[].policySets` is also specified, the lists are merged.

4.1.4. Additional resources

Read Generating a policy to install GitOps Operator.
Read to Policy set controller for more details.
Read Applying Kustomize for more information.
Read the Governance documentation for more topics.
See an example of a kustomization.yaml file.
Refer to the Kubernetes labels and selectors documentation.
Refer Gatekeeper for more details.
Refer to the Kustomize documentation.
Return to the Integrate third-party policy controllers documentation.

4.2. Generating a policy that installs the Compliance Operator

Generate a policy that installs the Compliance Operator onto your clusters. For an operator that uses the namespaced installation mode, such as the Compliance Operator, an OperatorGroup manifest is also required.

Complete the following steps:

Create a YAML file with a Namespace, a Subscription, and an OperatorGroup manifest called compliance-operator.yaml. The following example installs these manifests in the compliance-operator namespace:

apiVersion: v1
kind: Namespace
metadata:
  name: openshift-compliance
---
apiVersion: operators.coreos.com/v1
kind: OperatorGroup
metadata:
  name: compliance-operator
  namespace: openshift-compliance
spec:
  targetNamespaces:
    - openshift-compliance
---
apiVersion: operators.coreos.com/v1alpha1
kind: Subscription
metadata:
  name: compliance-operator
  namespace: openshift-compliance
spec:
  channel: release-0.1
  name: compliance-operator
  source: redhat-operators
  sourceNamespace: openshift-marketplace

Create a PolicyGenerator configuration file. View the following PolicyGenerator policy example that installs the Compliance Operator on all OpenShift Container Platform managed clusters:

apiVersion: policy.open-cluster-management.io/v1
kind: PolicyGenerator
metadata:
  name: install-compliance-operator
policyDefaults:
  namespace: policies
  placement:
    labelSelector:
      matchExpressions:
        - key: vendor
          operator: In
          values:
            - "OpenShift"
policies:
  - name: install-compliance-operator
    manifests:
      - path: compliance-operator.yaml

Add the policy generator to your kustomization.yaml file. The generators section might resemble the following configuration:

generators:
  - policy-generator-config.yaml

As a result, the generated policy resembles the following file:

apiVersion: cluster.open-cluster-management.io/v1beta1
kind: Placement
metadata:
  name: placement-install-compliance-operator
  namespace: policies
spec:
  predicates:
  - requiredClusterSelector:
      labelSelector:
        matchExpressions:
        - key: vendor
          operator: In
          values:
          - OpenShift
---
apiVersion: policy.open-cluster-management.io/v1
kind: PlacementBinding
metadata:
  name: binding-install-compliance-operator
  namespace: policies
placementRef:
  apiGroup: cluster.open-cluster-management.io
  kind: Placement
  name: placement-install-compliance-operator
subjects:
  - apiGroup: policy.open-cluster-management.io
    kind: Policy
    name: install-compliance-operator
---
apiVersion: policy.open-cluster-management.io/v1
kind: Policy
metadata:
  annotations:
    policy.open-cluster-management.io/categories: CM Configuration Management
    policy.open-cluster-management.io/controls: CM-2 Baseline Configuration
    policy.open-cluster-management.io/standards: NIST SP 800-53
    policy.open-cluster-management.io/description:
  name: install-compliance-operator
  namespace: policies
spec:
  disabled: false
  policy-templates:
    - objectDefinition:
        apiVersion: policy.open-cluster-management.io/v1
        kind: ConfigurationPolicy
        metadata:
          name: install-compliance-operator
        spec:
          object-templates:
            - complianceType: musthave
              objectDefinition:
                apiVersion: v1
                kind: Namespace
                metadata:
                  name: openshift-compliance
            - complianceType: musthave
              objectDefinition:
                apiVersion: operators.coreos.com/v1alpha1
                kind: Subscription
                metadata:
                  name: compliance-operator
                  namespace: openshift-compliance
                spec:
                  channel: release-0.1
                  name: compliance-operator
                  source: redhat-operators
                  sourceNamespace: openshift-marketplace
            - complianceType: musthave
              objectDefinition:
                apiVersion: operators.coreos.com/v1
                kind: OperatorGroup
                metadata:
                  name: compliance-operator
                  namespace: openshift-compliance
                spec:
                  targetNamespaces:
                    - compliance-operator
          remediationAction: enforce
          severity: low

As a result, the generated policy is displayed.

Ce contenu n'est pas disponible dans la langue sélectionnée.

Chapter 4. Integrate third-party policy controllers

4.1. Policy Generator

4.1.1. Policy Generator capabilities

4.1.2. Policy Generator configuration structure

4.1.3. Policy Generator configuration reference table

4.1.4. Additional resources

4.2. Generating a policy that installs the Compliance Operator

Apprendre

Essayez, achetez et vendez

Communautés

À propos de la documentation Red Hat

Rendre l’open source plus inclusif

À propos de Red Hat

Red Hat legal and privacy links

Red Hat legal and privacy links