2.4.3.3. 镜像漏洞策略示例
apiVersion: policy.open-cluster-management.io/v1 kind: Policy metadata: name: policy-imagemanifestvulnpolicy namespace: default annotations: policy.open-cluster-management.io/standards: NIST-CSF policy.open-cluster-management.io/categories: DE.CM Security Continuous Monitoring policy.open-cluster-management.io/controls: DE.CM-8 Vulnerability Scans spec: remediationAction: inform disabled: false policy-templates: - objectDefinition: apiVersion: policy.open-cluster-management.io/v1 kind: ConfigurationPolicy metadata: name: policy-imagemanifestvulnpolicy-example-sub spec: remediationAction: inform # will be overridden by remediationAction in parent policy severity: high object-templates: - complianceType: musthave objectDefinition: apiVersion: operators.coreos.com/v1alpha1 kind: Subscription metadata: name: container-security-operator namespace: openshift-operators spec: channel: quay-v3.3 installPlanApproval: Automatic name: container-security-operator source: redhat-operators sourceNamespace: openshift-marketplace - objectDefinition: apiVersion: policy.open-cluster-management.io/v1 kind: ConfigurationPolicy metadata: name: policy-imagemanifestvulnpolicy-example-imv spec: remediationAction: inform # will be overridden by remediationAction in parent policy severity: high namespaceSelector: exclude: ["kube-*"] include: ["*"] object-templates: - complianceType: mustnothave # mustnothave any ImageManifestVuln object objectDefinition: apiVersion: secscan.quay.redhat.com/v1alpha1 kind: ImageManifestVuln # checking for a kind --- apiVersion: policy.open-cluster-management.io/v1 kind: PlacementBinding metadata: name: binding-policy-imagemanifestvulnpolicy namespace: default placementRef: name: placement-policy-imagemanifestvulnpolicy kind: PlacementRule apiGroup: apps.open-cluster-management.io subjects: - name: policy-imagemanifestvulnpolicy kind: Policy apiGroup: policy.open-cluster-management.io --- apiVersion: apps.open-cluster-management.io/v1 kind: PlacementRule metadata: name: placement-policy-imagemanifestvulnpolicy namespace: default spec: clusterConditions: - status: "True" type: ManagedClusterConditionAvailable clusterSelector: matchExpressions: [] # selects all clusters if not specified
apiVersion: policy.open-cluster-management.io/v1
kind: Policy
metadata:
name: policy-imagemanifestvulnpolicy
namespace: default
annotations:
policy.open-cluster-management.io/standards: NIST-CSF
policy.open-cluster-management.io/categories: DE.CM Security Continuous Monitoring
policy.open-cluster-management.io/controls: DE.CM-8 Vulnerability Scans
spec:
remediationAction: inform
disabled: false
policy-templates:
- objectDefinition:
apiVersion: policy.open-cluster-management.io/v1
kind: ConfigurationPolicy
metadata:
name: policy-imagemanifestvulnpolicy-example-sub
spec:
remediationAction: inform # will be overridden by remediationAction in parent policy
severity: high
object-templates:
- complianceType: musthave
objectDefinition:
apiVersion: operators.coreos.com/v1alpha1
kind: Subscription
metadata:
name: container-security-operator
namespace: openshift-operators
spec:
channel: quay-v3.3
installPlanApproval: Automatic
name: container-security-operator
source: redhat-operators
sourceNamespace: openshift-marketplace
- objectDefinition:
apiVersion: policy.open-cluster-management.io/v1
kind: ConfigurationPolicy
metadata:
name: policy-imagemanifestvulnpolicy-example-imv
spec:
remediationAction: inform # will be overridden by remediationAction in parent policy
severity: high
namespaceSelector:
exclude: ["kube-*"]
include: ["*"]
object-templates:
- complianceType: mustnothave # mustnothave any ImageManifestVuln object
objectDefinition:
apiVersion: secscan.quay.redhat.com/v1alpha1
kind: ImageManifestVuln # checking for a kind
---
apiVersion: policy.open-cluster-management.io/v1
kind: PlacementBinding
metadata:
name: binding-policy-imagemanifestvulnpolicy
namespace: default
placementRef:
name: placement-policy-imagemanifestvulnpolicy
kind: PlacementRule
apiGroup: apps.open-cluster-management.io
subjects:
- name: policy-imagemanifestvulnpolicy
kind: Policy
apiGroup: policy.open-cluster-management.io
---
apiVersion: apps.open-cluster-management.io/v1
kind: PlacementRule
metadata:
name: placement-policy-imagemanifestvulnpolicy
namespace: default
spec:
clusterConditions:
- status: "True"
type: ManagedClusterConditionAvailable
clusterSelector:
matchExpressions:
[] # selects all clusters if not specified
有关更多信息,请参阅管理镜像漏洞策略。查看由配置控制器监控的其他配置策略,请参阅 Kubernetes 配置策略控制器。