主页
产品
Red Hat Advanced Cluster Management for Kubernetes
2.5
监管
2.2. 策略概述

2.2. 策略概述

使用 Red Hat Advanced Cluster Management for Kubernetes 安全策略框架，以创建自定义策略控制器和其他策略。Kubernetes 自定义资源定义（CRD）实例用于创建策略。有关 CRD 的更多信息，请参阅使用 CustomResourceDefinitions 扩展 Kubernetes API。

每个 Red Hat Advanced Cluster Management for Kubernetes 策略可以至少有一个或多个模板。有关策略元素的更多详情，请参阅本页面的以下策略 YAML 表部分。

策略需要一个 PlacementRule 或 Placement，用于定义策略文档应用到的集群，以及将 Red Hat Advanced Cluster Management for Kubernetes 策略绑定到放置规则的 PlacementBinding。有关如何定义 PlacementRule 的更多信息，请参阅应用程序生命周期文档中的放置规则。有关如何定义 放置 的更多信息，请参阅集群生命周期文档中的放置概述。

重要：

您必须创建 PlacementBinding，并将它与 PlacementRule 或 Placement 关联。
最佳实践 ：在使用 Placement 资源时，使用命令行界面(CLI) 来更新策略。
除集群命名空间外，您可在 hub 集群上的任意命名空间中创建策略。如果在集群命名空间中创建策略，则 Red Hat Advanced Cluster Management for Kubernetes 会将其删除。
每个客户端和供应商负责确保其受管云环境满足适用于 Kubernetes 集群上托管的工作负载的内部软件工程、安全工程、弹性、安全性以及合规性企业安全标准。使用监管和安全功能来提高可见性并对配置进行修复，以满足标准。

在以下部分了解更多有关策略组件的详细信息：

2.2.1. 策略 YAML 结构
复制链接

创建策略时，必须包含所需的参数字段和值。根据您的策略控制器，您可能需要包含其他可选字段和值。查看解释的参数字段的以下 YAML 结构：

apiVersion: policy.open-cluster-management.io/v1
kind: Policy
metadata:
  name:
  annotations:
    policy.open-cluster-management.io/standards:
    policy.open-cluster-management.io/categories:
    policy.open-cluster-management.io/controls:
spec:
  policy-templates:
    - objectDefinition:
        apiVersion:
        kind:
        metadata:
          name:
        spec:
  remediationAction:
  disabled:

---
apiVersion: apps.open-cluster-management.io/v1
kind: PlacementBinding
metadata:
  name:
placementRef:
  name:
  kind:
  apiGroup:
subjects:
- name:
  kind:
  apiGroup:
---
apiVersion: apps.open-cluster-management.io/v1
kind: PlacementRule
metadata:
  name:
spec:
  clusterConditions:
  - type:
  clusterLabels:
    matchLabels:
      cloud:

apiVersion: policy.open-cluster-management.io/v1
kind: Policy
metadata:
  name:
  annotations:
    policy.open-cluster-management.io/standards:
    policy.open-cluster-management.io/categories:
    policy.open-cluster-management.io/controls:
spec:
  policy-templates:
    - objectDefinition:
        apiVersion:
        kind:
        metadata:
          name:
        spec:
  remediationAction:
  disabled:

---
apiVersion: apps.open-cluster-management.io/v1
kind: PlacementBinding
metadata:
  name:
placementRef:
  name:
  kind:
  apiGroup:
subjects:
- name:
  kind:
  apiGroup:
---
apiVersion: apps.open-cluster-management.io/v1
kind: PlacementRule
metadata:
  name:
spec:
  clusterConditions:
  - type:
  clusterLabels:
    matchLabels:
      cloud:

Copy to Clipboard

Toggle word wrap

2.2.2. 策略 YAML 表
复制链接

Expand

字段	描述
apiVersion	必需。将值设置为 `policy.open-cluster-management.io/v1`。
kind	必需。将值设为 `Policy` 以表示策略类型。
metadata.name	必需。用于标识策略资源的名称。
metadata.annotations	可选。用于指定一组描述策略试图验证的标准集合的安全详情。这里介绍的所有注解都以逗号分隔的字符串表示。注：您可以在控制台中根据您在策略页面上为策略定义的标准和类别查看策略违反。
annotations.policy.open-cluster-management.io/standards	与策略相关的安全标准的名称。例如，美国国家标准与技术研究院 (NIST) 和支付卡行业 (PCI)。
annotations.policy.open-cluster-management.io/categories	安全控制类别是针对一个或多个标准的具体要求。例如，系统和信息完整性类别可能表明您的策略包含一个数据传输协议来保护个人信息，符合 HIPAA 和 PCI 标准的要求。
annotations.policy.open-cluster-management.io/controls	正在接受检查的安全控制名称。例如，证书策略控制器。
spec.policy-templates	必需。用于创建一个或多个应用到受管集群的策略。
spec.disabled	必需。将值设为 `true` 或 `false`。`disabled` 参数提供启用和禁用策略的功能。
spec.remediationAction	可选。指定您的策略的修复。参数值是 `enforce` 和 `inform`。如果指定，定义的 `spec.remediationAction` 值会覆盖子策略中定义的 `remediationAction` 参数，从 `policy-templates` 部分。例如，如果将 `spec.remediationAction` 值部分设定为 `enforce`，那么 `policy-templates` 部分中的 `remediationAction` 会在运行时被设置为 `enforce`。重要：有些策略可能不支持 enforce 功能。

2.2.3. 策略示例文件
复制链接

apiVersion: policy.open-cluster-management.io/v1
kind: Policy
metadata:
  name: policy-role
  annotations:
    policy.open-cluster-management.io/standards: NIST SP 800-53
    policy.open-cluster-management.io/categories: AC Access Control
    policy.open-cluster-management.io/controls: AC-3 Access Enforcement
spec:
  remediationAction: inform
  disabled: false
  policy-templates:
    - objectDefinition:
        apiVersion: policy.open-cluster-management.io/v1
        kind: ConfigurationPolicy
        metadata:
          name: policy-role-example
        spec:
          remediationAction: inform # the policy-template spec.remediationAction is overridden by the preceding parameter value for spec.remediationAction.
          severity: high
          namespaceSelector:
            include: ["default"]
          object-templates:
            - complianceType: mustonlyhave # role definition should exact match
              objectDefinition:
                apiVersion: rbac.authorization.k8s.io/v1
                kind: Role
                metadata:
                  name: sample-role
                rules:
                  - apiGroups: ["extensions", "apps"]
                    resources: ["deployments"]
                    verbs: ["get", "list", "watch", "delete","patch"]
---
apiVersion: policy.open-cluster-management.io/v1
kind: PlacementBinding
metadata:
  name: binding-policy-role
placementRef:
  name: placement-policy-role
  kind: PlacementRule
  apiGroup: apps.open-cluster-management.io
subjects:
- name: policy-role
  kind: Policy
  apiGroup: policy.open-cluster-management.io
---
apiVersion: apps.open-cluster-management.io/v1
kind: PlacementRule
metadata:
  name: placement-policy-role
spec:
  clusterConditions:
  - status: "True"
    type: ManagedClusterConditionAvailable
  clusterSelector:
    matchExpressions:
      - {key: environment, operator: In, values: ["dev"]}

apiVersion: policy.open-cluster-management.io/v1
kind: Policy
metadata:
  name: policy-role
  annotations:
    policy.open-cluster-management.io/standards: NIST SP 800-53
    policy.open-cluster-management.io/categories: AC Access Control
    policy.open-cluster-management.io/controls: AC-3 Access Enforcement
spec:
  remediationAction: inform
  disabled: false
  policy-templates:
    - objectDefinition:
        apiVersion: policy.open-cluster-management.io/v1
        kind: ConfigurationPolicy
        metadata:
          name: policy-role-example
        spec:
          remediationAction: inform # the policy-template spec.remediationAction is overridden by the preceding parameter value for spec.remediationAction.
          severity: high
          namespaceSelector:
            include: ["default"]
          object-templates:
            - complianceType: mustonlyhave # role definition should exact match
              objectDefinition:
                apiVersion: rbac.authorization.k8s.io/v1
                kind: Role
                metadata:
                  name: sample-role
                rules:
                  - apiGroups: ["extensions", "apps"]
                    resources: ["deployments"]
                    verbs: ["get", "list", "watch", "delete","patch"]
---
apiVersion: policy.open-cluster-management.io/v1
kind: PlacementBinding
metadata:
  name: binding-policy-role
placementRef:
  name: placement-policy-role
  kind: PlacementRule
  apiGroup: apps.open-cluster-management.io
subjects:
- name: policy-role
  kind: Policy
  apiGroup: policy.open-cluster-management.io
---
apiVersion: apps.open-cluster-management.io/v1
kind: PlacementRule
metadata:
  name: placement-policy-role
spec:
  clusterConditions:
  - status: "True"
    type: ManagedClusterConditionAvailable
  clusterSelector:
    matchExpressions:
      - {key: environment, operator: In, values: ["dev"]}

Copy to Clipboard

Toggle word wrap

2.2.4. 放置 YAML 示例文件
复制链接

PlacementBinding 和 Placement 资源可以与上一策略示例结合使用，以使用集群 Placement API 而非 PlacementRule API 部署策略。

---
apiVersion: policy.open-cluster-management.io/v1
kind: PlacementBinding
metadata:
  name: binding-policy-role
placementRef:
  name: placement-policy-role
  kind: Placement
  apiGroup: cluster.open-cluster-management.io
subjects:
- name: policy-role
  kind: Policy
  apiGroup: policy.open-cluster-management.io
---
//Depends on if governance would like to use v1beta1
apiVersion: cluster.open-cluster-management.io/v1beta1
kind: Placement
metadata:
  name: placement-policy-role
spec:
  predicates:
  - requiredClusterSelector:
      labelSelector:
        matchExpressions:
          - {key: environment, operator: In, values: ["dev"]}

---
apiVersion: policy.open-cluster-management.io/v1
kind: PlacementBinding
metadata:
  name: binding-policy-role
placementRef:
  name: placement-policy-role
  kind: Placement
  apiGroup: cluster.open-cluster-management.io
subjects:
- name: policy-role
  kind: Policy
  apiGroup: policy.open-cluster-management.io
---
//Depends on if governance would like to use v1beta1
apiVersion: cluster.open-cluster-management.io/v1beta1
kind: Placement
metadata:
  name: placement-policy-role
spec:
  predicates:
  - requiredClusterSelector:
      labelSelector:
        matchExpressions:
          - {key: environment, operator: In, values: ["dev"]}

Copy to Clipboard

Toggle word wrap

请参阅管理安全策略以创建和更新策略。您还可以启用和更新 Red Hat Advanced Cluster Management 策略控制器，以验证您的策略合规性。请参阅策略控制器。

要了解更多策略主题，请参阅监管。

返回顶部

2.2. 策略概述

2.2.1. 策略 YAML 结构
复制链接

2.2.2. 策略 YAML 表
复制链接

2.2.3. 策略示例文件
复制链接

2.2.4. 放置 YAML 示例文件
复制链接

学习

尝试、购买和销售

社区

关于红帽文档

让开源更具包容性

關於紅帽

Theme

Red Hat legal and privacy links

Red Hat legal and privacy links

2.2. 策略概述

2.2.1. 策略 YAML 结构复制链接链接已复制到粘贴板!

2.2.2. 策略 YAML 表复制链接链接已复制到粘贴板!

2.2.3. 策略示例文件复制链接链接已复制到粘贴板!

2.2.4. 放置 YAML 示例文件复制链接链接已复制到粘贴板!

学习

尝试、购买和销售

社区

关于红帽文档

让开源更具包容性

關於紅帽

Theme

Red Hat legal and privacy links

Red Hat legal and privacy links

2.2.1. 策略 YAML 结构
复制链接

2.2.2. 策略 YAML 表
复制链接

2.2.3. 策略示例文件
复制链接

2.2.4. 放置 YAML 示例文件
复制链接