查看支持的策略示例,了解如何在 Red Hat Advanced Cluster Management for Kubernetes 中创建和管理策略时如何在 hub 集群上定义规则、流程和控制。
查看以下示例配置策略:
Expand 表 2.6. 配置策略表列表 策略示例 描述
命名空间策略
确保环境与命名空间一致。请参阅 Kubernetes 命名空间文档 。
Pod 策略
确保集群工作负载配置。请参阅 Kubernetes Pod 文档 。
内存用量策略
使用限制范围限制工作负载资源使用情况。请参阅限制范围文档 。
Pod 安全策略(已弃用)
确保工作负载安全性一致。请参阅 Kubernetes Pod 安全策略文档 。
角色策略
使用角色和角色绑定管理角色绑定。请参阅 Kubernetes RBAC 文档 。
安全内容约束 (SCC) 策略
使用安全性上下文约束管理工作负载权限。请参阅 OpenShift Container Platform 文档中的管理安全性上下文约束文档 。
ETCD 加密策略
确保通过 etcd 加密的数据安全性。请参阅 OpenShift Container Platform 文档中的加密 etcd 数据 。
Compliance operator 策略
部署 Compliance Operator,以利用 OpenSCAP 扫描并强制实施集群的合规性状态。请参阅 OpenShift Container Platform 文档中的了解 Compliance Operator 部分。
Compliance operator E8 扫描
应用 Compliance operator 策略后,部署 Essential 8 (E8) 扫描来检查 E8 安全配置集的合规性。请参阅 OpenShift Container Platform 文档中的了解 Compliance Operator 部分。
Compliance operator CIS 扫描
应用 Compliance operator 策略后,部署互联网安全中心 (CIS) 扫描,以检查与 CIS 安全配置集的合规性。请参阅 OpenShift Container Platform 文档中的了解 Compliance Operator 部分。
镜像漏洞策略
部署 Container Security Operator,并检测集群中运行的 pod 中的已知镜像漏洞。请参阅 Container Security Operator GitHub 仓库。
Gatekeeper operator 部署
Gatekeeper 是一个准入 Webhook,它强制执行基于自定义资源定义的策略,由 Open Policy Agent (OPA)策略引擎运行。请参阅 Gatekeeper 文档。
Gatekeeper 合规策略
将 Gatekeeper 部署到集群后,部署此示例 Gatekeeper 策略以确保在集群中创建的命名空间标记为指定。
Red Hat OpenShift Platform Plus 策略集
Red Hat OpenShift Platform Plus 是混合云套件,用于为多个基础架构安全构建、部署、运行和管理应用程序。您可以使用通过 Red Hat Advanced Cluster Management 应用程序提供的 PolicySets 将 Red Hat OpenShift Platform Plus 部署到受管集群。如需有关 OpenShift Platform Plus 的详细信息,请参阅 OpenShift Platform Plus 文档。
Show more Expand 表 2.7. 支持列表 策略 Red Hat OpenShift Container Platform 3.11 Red Hat OpenShift Container Platform 4
内存用量策略
x
x
命名空间策略
x
x
镜像漏洞策略
x
x
Pod 策略
x
x
Pod 安全策略(已弃用)
角色策略
x
x
角色绑定策略
x
x
安全性上下文约束策略(SCC)
x
x
ETCD 加密策略
x
Gatekeeper 策略
x
Compliance operator 策略
x
E8 扫描策略
x
OpenShift CIS 扫描策略
x
策略设置
x
Show more
查看以下策略示例以查看如何应用特定策略:
更多主题,请参阅监管 。
Kubernetes 配置策略控制器负责监控命名空间策略的状态。应用命名空间策略来为您的命名空间定义特定规则。
在以下部分了解更多有关命名空间策略结构的详细信息:
apiVersion: policy.open-cluster-management.io/v1
kind: Policy
metadata:
name:
namespace:
annotations:
policy.open-cluster-management.io/standards:
policy.open-cluster-management.io/categories:
policy.open-cluster-management.io/controls:
policy.open-cluster-management.io/description:
spec:
remediationAction:
disabled:
policy-templates:
- objectDefinition:
apiVersion: policy.open-cluster-management.io/v1
kind: ConfigurationPolicy
metadata:
name:
spec:
remediationAction:
severity:
object-templates:
- complianceType:
objectDefinition:
kind: Namespace
apiVersion: v1
metadata:
name:
...
apiVersion : policy.open- cluster- management.io/v1
kind : Policy
metadata :
name :
namespace :
annotations :
policy.open-cluster-management.io/standards :
policy.open-cluster-management.io/categories :
policy.open-cluster-management.io/controls :
policy.open-cluster-management.io/description :
spec :
remediationAction :
disabled :
policy-templates :
- objectDefinition :
apiVersion : policy.open- cluster- management.io/v1
kind : ConfigurationPolicy
metadata :
name :
spec :
remediationAction :
severity :
object-templates :
- complianceType :
objectDefinition :
kind : Namespace
apiVersion : v1
metadata :
name :
...
Copy to Clipboard
Copied!
Toggle word wrap
Toggle overflow
Expand 字段 可选或必需的 描述
apiVersion
必填
将值设置为 policy.open-cluster-management.io/v1。
kind
必填
将值设为 Policy 以表示策略类型。
metadata.name
必填
用于标识策略资源的名称。
metadata.namespace
必填
策略的命名空间。
spec.remediationAction
选填
指定您的策略的修复。参数值是 enforce 和 inform。这个值是可选的,因为它会覆盖 spec.policy-templates 中提供的任何值。
spec.disabled
必填
将值设为 true 或 false。disabled 参数提供启用和禁用策略的功能。
spec.policy-templates[].objectDefinition
必填
用于列出包含必须接受评估或应用到受管集群的 Kubernetes 对象的配置策略。
Show more
Kubernetes 配置策略控制器负责监控 Pod 策略的状态。应用 Pod 策略来为 Pod 定义容器规则。集群中必须存在 pod 才能使用此信息。
在以下部分了解更多有关 pod 策略结构的详细信息:
apiVersion: policy.open-cluster-management.io/v1
kind: Policy
metadata:
name:
namespace:
annotations:
policy.open-cluster-management.io/standards:
policy.open-cluster-management.io/categories:
policy.open-cluster-management.io/controls:
policy.open-cluster-management.io/description:
spec:
remediationAction:
disabled:
policy-templates:
- objectDefinition:
apiVersion: policy.open-cluster-management.io/v1
kind: ConfigurationPolicy
metadata:
name:
spec:
remediationAction:
severity:
namespaceSelector:
exclude:
include:
matchLabels:
matchExpressions:
object-templates:
- complianceType:
objectDefinition:
apiVersion: v1
kind: Pod
metadata:
name:
spec:
containers:
- image:
name:
...
apiVersion : policy.open- cluster- management.io/v1
kind : Policy
metadata :
name :
namespace :
annotations :
policy.open-cluster-management.io/standards :
policy.open-cluster-management.io/categories :
policy.open-cluster-management.io/controls :
policy.open-cluster-management.io/description :
spec :
remediationAction :
disabled :
policy-templates :
- objectDefinition :
apiVersion : policy.open- cluster- management.io/v1
kind : ConfigurationPolicy
metadata :
name :
spec :
remediationAction :
severity :
namespaceSelector :
exclude :
include :
matchLabels :
matchExpressions :
object-templates :
- complianceType :
objectDefinition :
apiVersion : v1
kind : Pod
metadata :
name :
spec :
containers :
- image :
name :
...
Copy to Clipboard
Copied!
Toggle word wrap
Toggle overflow
Expand 表 2.8. 参数表 字段 可选或必需的 描述
apiVersion
必填
将值设置为 policy.open-cluster-management.io/v1。
kind
必填
将值设为 Policy 以表示策略类型。
metadata.name
必填
用于标识策略资源的名称。
metadata.namespace
必填
策略的命名空间。
spec.remediationAction
选填
指定您的策略的修复。参数值是 enforce 和 inform。此值是可选的,因为该值会覆盖 spec.policy-templates 中提供的任何值。
spec.disabled
必填
将值设为 true 或 false。disabled 参数提供启用和禁用策略的功能。
spec.policy-templates[].objectDefinition
必填
用于列出包含必须接受评估或应用到受管集群的 Kubernetes 对象的配置策略。
Show more
Kubernetes 配置策略控制器负责监控内存用量策略的状态。使用内存用量策略来限制或约束您的内存和计算用量。如需更多信息,请参阅 Kubernetes 文档中的限制范围
在以下部分了解更多有关内存用量策略结构的详细信息:
您的内存用量策略可能类似以下 YAML 文件:
apiVersion: policy.open-cluster-management.io/v1
kind: Policy
metadata:
name:
namespace:
annotations:
policy.open-cluster-management.io/standards:
policy.open-cluster-management.io/categories:
policy.open-cluster-management.io/controls:
policy.open-cluster-management.io/description:
spec:
remediationAction:
disabled:
policy-templates:
- objectDefinition:
apiVersion: policy.open-cluster-management.io/v1
kind: ConfigurationPolicy
metadata:
name:
spec:
remediationAction:
severity:
namespaceSelector:
exclude:
include:
matchLabels:
matchExpressions:
object-templates:
- complianceType: mustonlyhave
objectDefinition:
apiVersion: v1
kind: LimitRange
metadata:
name:
spec:
limits:
- default:
memory:
defaultRequest:
memory:
type:
...
apiVersion : policy.open- cluster- management.io/v1
kind : Policy
metadata :
name :
namespace :
annotations :
policy.open-cluster-management.io/standards :
policy.open-cluster-management.io/categories :
policy.open-cluster-management.io/controls :
policy.open-cluster-management.io/description :
spec :
remediationAction :
disabled :
policy-templates :
- objectDefinition :
apiVersion : policy.open- cluster- management.io/v1
kind : ConfigurationPolicy
metadata :
name :
spec :
remediationAction :
severity :
namespaceSelector :
exclude :
include :
matchLabels :
matchExpressions :
object-templates :
- complianceType : mustonlyhave
objectDefinition :
apiVersion : v1
kind : LimitRange
metadata :
name :
spec :
limits :
- default :
memory :
defaultRequest :
memory :
type :
...
Copy to Clipboard
Copied!
Toggle word wrap
Toggle overflow
Expand 表 2.9. 参数表 字段 可选或必需的 描述
apiVersion
必填
将值设置为 policy.open-cluster-management.io/v1。
kind
必填
将值设为 Policy 以表示策略类型。
metadata.name
必填
用于标识策略资源的名称。
metadata.namespace
必填
策略的命名空间。
spec.remediationAction
选填
指定您的策略的修复。参数值是 enforce 和 inform。此值是可选的,因为该值会覆盖 spec.policy-templates 中提供的任何值。
spec.disabled
必填
将值设为 true 或 false。disabled 参数提供启用和禁用策略的功能。
spec.policy-templates[].objectDefinition
必填
用于列出包含必须接受评估或应用到受管集群的 Kubernetes 对象的配置策略。
Show more
Kubernetes 配置策略控制器负责监控 Pod 安全策略的状态。应用 Pod 安全策略来保护 Pod 和容器。
在以下部分了解更多有关 Pod 安全策略结构的详细信息:
apiVersion: policy.open-cluster-management.io/v1
kind: Policy
metadata:
name:
namespace:
annotations:
policy.open-cluster-management.io/standards:
policy.open-cluster-management.io/categories:
policy.open-cluster-management.io/controls:
policy.open-cluster-management.io/description:
spec:
remediationAction:
disabled:
policy-templates:
- objectDefinition:
apiVersion: policy.open-cluster-management.io/v1
kind: ConfigurationPolicy
metadata:
name:
spec:
remediationAction:
severity:
namespaceSelector:
exclude:
include:
matchLabels:
matchExpressions:
object-templates:
- complianceType:
objectDefinition:
apiVersion: policy/v1beta1
kind: PodSecurityPolicy
metadata:
name:
annotations:
seccomp.security.alpha.kubernetes.io/allowedProfileNames:
spec:
privileged:
allowPrivilegeEscalation:
allowedCapabilities:
volumes:
hostNetwork:
hostPorts:
hostIPC:
hostPID:
runAsUser:
seLinux:
supplementalGroups:
fsGroup:
...
apiVersion : policy.open- cluster- management.io/v1
kind : Policy
metadata :
name :
namespace :
annotations :
policy.open-cluster-management.io/standards :
policy.open-cluster-management.io/categories :
policy.open-cluster-management.io/controls :
policy.open-cluster-management.io/description :
spec :
remediationAction :
disabled :
policy-templates :
- objectDefinition :
apiVersion : policy.open- cluster- management.io/v1
kind : ConfigurationPolicy
metadata :
name :
spec :
remediationAction :
severity :
namespaceSelector :
exclude :
include :
matchLabels :
matchExpressions :
object-templates :
- complianceType :
objectDefinition :
apiVersion : policy/v1beta1
kind : PodSecurityPolicy
metadata :
name :
annotations :
seccomp.security.alpha.kubernetes.io/allowedProfileNames :
spec :
privileged :
allowPrivilegeEscalation :
allowedCapabilities :
volumes :
hostNetwork :
hostPorts :
hostIPC :
hostPID :
runAsUser :
seLinux :
supplementalGroups :
fsGroup :
...
Copy to Clipboard
Copied!
Toggle word wrap
Toggle overflow
Expand 表 2.10. 参数表 字段 可选或必需的 描述
apiVersion
必填
将值设置为 policy.open-cluster-management.io/v1。
kind
必填
将值设为 Policy 以表示策略类型。
metadata.name
必填
用于标识策略资源的名称。
metadata.namespace
必填
策略的命名空间。
spec.remediationAction
选填
指定您的策略的修复。参数值是 enforce 和 inform。此值是可选的,因为该值会覆盖 spec.policy-templates 中提供的任何值。
spec.disabled
必填
将值设为 true 或 false。disabled 参数提供启用和禁用策略的功能。
spec.policy-templates[].objectDefinition
必填
用于列出包含必须接受评估或应用到受管集群的 Kubernetes 对象的配置策略。
Show more
对 Pod 安全策略的支持已从 OpenShift Container Platform 4.12 及更新的版本中删除,并从 Kubernetes v1.25 及之后的版本中删除。如果应用 PodSecurityPolicy 资源,您可能会收到以下不合规的信息:
violation - couldn't find mapping resource with kind PodSecurityPolicy, please check if you have CRD deployed
violation - couldn't find mapping resource with kind PodSecurityPolicy, please check if you have CRD deployed
Copy to Clipboard
Copied!
Toggle word wrap
Toggle overflow
Kubernetes 配置策略控制器负责监控角色策略的状态。在 object-template 中定义角色来为集群中的特定角色设置规则和权限。
在以下部分了解更多有关角色策略结构的详细信息:
apiVersion: policy.open-cluster-management.io/v1
kind: Policy
metadata:
name:
namespace:
annotations:
policy.open-cluster-management.io/standards:
policy.open-cluster-management.io/categories:
policy.open-cluster-management.io/controls:
policy.open-cluster-management.io/description:
spec:
remediationAction:
disabled:
policy-templates:
- objectDefinition:
apiVersion: policy.open-cluster-management.io/v1
kind: ConfigurationPolicy
metadata:
name:
spec:
remediationAction:
severity:
namespaceSelector:
exclude:
include:
matchLabels:
matchExpressions:
object-templates:
- complianceType:
objectDefinition:
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
name:
rules:
- apiGroups:
resources:
verbs:
...
---
apiVersion: policy.open-cluster-management.io/v1
kind: PlacementBinding
metadata:
name: binding-policy-role
namespace:
placementRef:
name: placement-policy-role
kind: PlacementRule
apiGroup: apps.open-cluster-management.io
subjects:
- name: policy-role
kind: Policy
apiGroup: policy.open-cluster-management.io
---
apiVersion: apps.open-cluster-management.io/v1
kind: PlacementRule
metadata:
name: placement-policy-role
namespace:
spec:
clusterConditions:
- type: ManagedClusterConditionAvailable
status: "True"
clusterSelector:
matchExpressions:
[]
...
apiVersion : policy.open- cluster- management.io/v1
kind : Policy
metadata :
name :
namespace :
annotations :
policy.open-cluster-management.io/standards :
policy.open-cluster-management.io/categories :
policy.open-cluster-management.io/controls :
policy.open-cluster-management.io/description :
spec :
remediationAction :
disabled :
policy-templates :
- objectDefinition :
apiVersion : policy.open- cluster- management.io/v1
kind : ConfigurationPolicy
metadata :
name :
spec :
remediationAction :
severity :
namespaceSelector :
exclude :
include :
matchLabels :
matchExpressions :
object-templates :
- complianceType :
objectDefinition :
apiVersion : rbac.authorization.k8s.io/v1
kind : Role
metadata :
name :
rules :
- apiGroups :
resources :
verbs :
...
---
apiVersion : policy.open- cluster- management.io/v1
kind : PlacementBinding
metadata :
name : binding- policy- role
namespace :
placementRef :
name : placement- policy- role
kind : PlacementRule
apiGroup : apps.open- cluster- management.io
subjects :
- name : policy- role
kind : Policy
apiGroup : policy.open- cluster- management.io
---
apiVersion : apps.open- cluster- management.io/v1
kind : PlacementRule
metadata :
name : placement- policy- role
namespace :
spec :
clusterConditions :
- type : ManagedClusterConditionAvailable
status : "True"
clusterSelector :
matchExpressions :
[ ]
...
Copy to Clipboard
Copied!
Toggle word wrap
Toggle overflow
Expand 表 2.11. 参数表 字段 可选或必需的 描述
apiVersion
必填
将值设置为 policy.open-cluster-management.io/v1。
kind
必填
将值设为 Policy 以表示策略类型。
metadata.name
必填
用于标识策略资源的名称。
metadata.namespace
必填
策略的命名空间。
spec.remediationAction
选填
指定您的策略的修复。参数值是 enforce 和 inform。此值是可选的,因为该值会覆盖 spec.policy-templates 中提供的任何值。
spec.disabled
必填
将值设为 true 或 false。disabled 参数提供启用和禁用策略的功能。
spec.policy-templates[].objectDefinition
必填
用于列出包含必须接受评估或应用到受管集群的 Kubernetes 对象的配置策略。
Show more
Kubernetes 配置策略控制器负责监控角色绑定策略的状态。应用角色绑定策略,将策略绑定到受管集群中的命名空间。
在以下部分了解更多有关命名空间策略结构的详细信息:
apiVersion: policy.open-cluster-management.io/v1
kind: Policy
metadata:
name:
namespace:
annotations:
policy.open-cluster-management.io/standards:
policy.open-cluster-management.io/categories:
policy.open-cluster-management.io/controls:
policy.open-cluster-management.io/description:
spec:
remediationAction:
disabled:
policy-templates:
- objectDefinition:
apiVersion: policy.open-cluster-management.io/v1
kind: ConfigurationPolicy
metadata:
name:
spec:
remediationAction:
severity:
namespaceSelector:
exclude:
include:
matchLabels:
matchExpressions:
object-templates:
- complianceType:
objectDefinition:
kind: RoleBinding # role binding must exist
apiVersion: rbac.authorization.k8s.io/v1
metadata:
name:
subjects:
- kind:
name:
apiGroup:
roleRef:
kind:
name:
apiGroup:
...
apiVersion : policy.open- cluster- management.io/v1
kind : Policy
metadata :
name :
namespace :
annotations :
policy.open-cluster-management.io/standards :
policy.open-cluster-management.io/categories :
policy.open-cluster-management.io/controls :
policy.open-cluster-management.io/description :
spec :
remediationAction :
disabled :
policy-templates :
- objectDefinition :
apiVersion : policy.open- cluster- management.io/v1
kind : ConfigurationPolicy
metadata :
name :
spec :
remediationAction :
severity :
namespaceSelector :
exclude :
include :
matchLabels :
matchExpressions :
object-templates :
- complianceType :
objectDefinition :
kind : RoleBinding
apiVersion : rbac.authorization.k8s.io/v1
metadata :
name :
subjects :
- kind :
name :
apiGroup :
roleRef :
kind :
name :
apiGroup :
...
Copy to Clipboard
Copied!
Toggle word wrap
Toggle overflow
Expand 字段 可选或必需的 描述
apiVersion
必填
将值设置为 policy.open-cluster-management.io/v1。
kind
必填
将值设为 Policy 以表示策略类型。
metadata.name
必填
用于标识策略资源的名称。
metadata.namespace
必填
策略的命名空间。
spec.remediationAction
选填
指定您的策略的修复。参数值是 enforce 和 inform。这个值是可选的,因为它会覆盖 spec.policy-templates 中提供的任何值。
spec.disabled
必填
将值设为 true 或 false。disabled 参数提供启用和禁用策略的功能。
spec.policy-templates[].objectDefinition
必填
用于列出包含必须接受评估或应用到受管集群的 Kubernetes 对象的配置策略。
Show more
Kubernetes 配置策略控制器负责监控安全性上下文约束 (SCC) 策略的状态。应用安全性上下文约束 (SCC) 策略,通过在策略中定义条件来控制 Pod 的权限。
在以下部分了解更多有关 SCC 策略的详细信息:
apiVersion: policy.open-cluster-management.io/v1
kind: Policy
metadata:
name:
namespace:
annotations:
policy.open-cluster-management.io/standards:
policy.open-cluster-management.io/categories:
policy.open-cluster-management.io/controls:
policy.open-cluster-management.io/description:
spec:
remediationAction:
disabled:
policy-templates:
- objectDefinition:
apiVersion: policy.open-cluster-management.io/v1
kind: ConfigurationPolicy
metadata:
name:
spec:
remediationAction:
severity:
namespaceSelector:
exclude:
include:
matchLabels:
matchExpressions:
object-templates:
- complianceType:
objectDefinition:
apiVersion: security.openshift.io/v1
kind: SecurityContextConstraints
metadata:
name:
allowHostDirVolumePlugin:
allowHostIPC:
allowHostNetwork:
allowHostPID:
allowHostPorts:
allowPrivilegeEscalation:
allowPrivilegedContainer:
fsGroup:
readOnlyRootFilesystem:
requiredDropCapabilities:
runAsUser:
seLinuxContext:
supplementalGroups:
users:
volumes:
...
apiVersion : policy.open- cluster- management.io/v1
kind : Policy
metadata :
name :
namespace :
annotations :
policy.open-cluster-management.io/standards :
policy.open-cluster-management.io/categories :
policy.open-cluster-management.io/controls :
policy.open-cluster-management.io/description :
spec :
remediationAction :
disabled :
policy-templates :
- objectDefinition :
apiVersion : policy.open- cluster- management.io/v1
kind : ConfigurationPolicy
metadata :
name :
spec :
remediationAction :
severity :
namespaceSelector :
exclude :
include :
matchLabels :
matchExpressions :
object-templates :
- complianceType :
objectDefinition :
apiVersion : security.openshift.io/v1
kind : SecurityContextConstraints
metadata :
name :
allowHostDirVolumePlugin :
allowHostIPC :
allowHostNetwork :
allowHostPID :
allowHostPorts :
allowPrivilegeEscalation :
allowPrivilegedContainer :
fsGroup :
readOnlyRootFilesystem :
requiredDropCapabilities :
runAsUser :
seLinuxContext :
supplementalGroups :
users :
volumes :
...
Copy to Clipboard
Copied!
Toggle word wrap
Toggle overflow
Expand 字段 可选或必需的 描述
apiVersion
必填
将值设置为 policy.open-cluster-management.io/v1。
kind
必填
将值设为 Policy 以表示策略类型。
metadata.name
必填
用于标识策略资源的名称。
metadata.namespace
必填
策略的命名空间。
spec.remediationAction
选填
指定您的策略的修复。参数值是 enforce 和 inform。这个值是可选的,因为它会覆盖 spec.policy-templates 中提供的任何值。
spec.disabled
必填
将值设为 true 或 false。disabled 参数提供启用和禁用策略的功能。
spec.policy-templates[].objectDefinition
必填
用于列出包含必须接受评估或应用到受管集群的 Kubernetes 对象的配置策略。
Show more
有关 SCC 策略内容的解释,请参阅 OpenShift Container Platform 文档中的管理安全性上下文约束 。
应用 etcd-encryption 策略,在 ETCD 数据存储中检测或启用敏感数据的加密。Kubernetes 配置策略控制器负责监控 etcd-encryption 策略的状态。如需更多信息,请参阅 OpenShift Container Platform 文档中的加密 etcd 数据 。注
在以下部分了解更多有关 etcd-encryption 策略结构的详细信息:
etcd-encryption 策略可能类似以下 YAML 文件:
apiVersion: policy.open-cluster-management.io/v1
kind: Policy
metadata:
name:
namespace:
annotations:
policy.open-cluster-management.io/standards:
policy.open-cluster-management.io/categories:
policy.open-cluster-management.io/controls:
policy.open-cluster-management.io/description:
spec:
remediationAction:
disabled:
policy-templates:
- objectDefinition:
apiVersion: policy.open-cluster-management.io/v1
kind: ConfigurationPolicy
metadata:
name:
spec:
remediationAction:
severity:
object-templates:
- complianceType:
objectDefinition:
apiVersion: config.openshift.io/v1
kind: APIServer
metadata:
name:
spec:
encryption:
...
apiVersion : policy.open- cluster- management.io/v1
kind : Policy
metadata :
name :
namespace :
annotations :
policy.open-cluster-management.io/standards :
policy.open-cluster-management.io/categories :
policy.open-cluster-management.io/controls :
policy.open-cluster-management.io/description :
spec :
remediationAction :
disabled :
policy-templates :
- objectDefinition :
apiVersion : policy.open- cluster- management.io/v1
kind : ConfigurationPolicy
metadata :
name :
spec :
remediationAction :
severity :
object-templates :
- complianceType :
objectDefinition :
apiVersion : config.openshift.io/v1
kind : APIServer
metadata :
name :
spec :
encryption :
...
Copy to Clipboard
Copied!
Toggle word wrap
Toggle overflow
Expand 表 2.12. 参数表 字段 可选或必需的 描述
apiVersion
必填
将值设置为 policy.open-cluster-management.io/v1。
kind
必填
将值设为 Policy 以表示策略类型。
metadata.name
必填
用于标识策略资源的名称。
metadata.namespace
必填
策略的命名空间。
spec.remediationAction
选填
指定您的策略的修复。参数值是 enforce 和 inform。这个值是可选的,因为它会覆盖 spec.policy-templates 中提供的任何值。
spec.disabled
必填
将值设为 true 或 false。disabled 参数提供启用和禁用策略的功能。
spec.policy-templates[].objectDefinition
必填
用于列出包含必须接受评估或应用到受管集群的 Kubernetes 对象的配置策略。
Show more
您可以使用 Compliance Operator 自动检查许多技术实施,并将其与行业标准、基准和基准的某些方面进行比较。Compliance Operator 不是一个审核员(auditor)。要符合这些各种标准,您需要与授权的审核员(如限定安全评估器(QSA)、联合授权局(JAB)或其他行业认可的规范机构)合作来评估您的环境。
来自 Compliance Operator 生成的建议基于有关此类标准的一般信息和实践,并可能帮助您进行补救,但实际的合规性是您的责任。与授权的审核员合作来实现符合标准的合规性。
有关最新更新,请参阅 Compliance Operator 发行注记 。
您可以使用 Compliance Operator 策略在受管集群上安装 Compliance Operator。Compliance Operator 策略在 Red Hat Advanced Cluster Management 中作为 Kubernetes 配置策略创建。OpenShift Container Platform 支持 Compliance Operator 策略。
注: Compliance operator 策略 依赖于 OpenShift Container Platform Compliance Operator,它不受 IBM Power 或 IBM Z 架构的支持。如需有关 Compliance Operator 的更多信息,请参阅 OpenShift Container Platform 文档中的了解 Compliance Operator 。
在创建 Compliance Operator 策略时,会创建以下资源:
Operator 安装的 Compliance Operator 命名空间(openshift-compliance):
apiVersion: policy.open-cluster-management.io/v1
kind: ConfigurationPolicy
metadata:
name: comp-operator-ns
spec:
remediationAction: inform # will be overridden by remediationAction in parent policy
severity: high
object-templates:
- complianceType: musthave
objectDefinition:
apiVersion: v1
kind: Namespace
metadata:
name: openshift-compliance
apiVersion : policy.open- cluster- management.io/v1
kind : ConfigurationPolicy
metadata :
name : comp- operator- ns
spec :
remediationAction : inform
severity : high
object-templates :
- complianceType : musthave
objectDefinition :
apiVersion : v1
kind : Namespace
metadata :
name : openshift- compliance
Copy to Clipboard
Copied!
Toggle word wrap
Toggle overflow
用于指定目标命名空间的 operator 组(compliance-operator):
apiVersion: policy.open-cluster-management.io/v1
kind: ConfigurationPolicy
metadata:
name: comp-operator-operator-group
spec:
remediationAction: inform # will be overridden by remediationAction in parent policy
severity: high
object-templates:
- complianceType: musthave
objectDefinition:
apiVersion: operators.coreos.com/v1
kind: OperatorGroup
metadata:
name: compliance-operator
namespace: openshift-compliance
spec:
targetNamespaces:
- openshift-compliance
apiVersion : policy.open- cluster- management.io/v1
kind : ConfigurationPolicy
metadata :
name : comp- operator- operator- group
spec :
remediationAction : inform
severity : high
object-templates :
- complianceType : musthave
objectDefinition :
apiVersion : operators.coreos.com/v1
kind : OperatorGroup
metadata :
name : compliance- operator
namespace : openshift- compliance
spec :
targetNamespaces :
- openshift- compliance
Copy to Clipboard
Copied!
Toggle word wrap
Toggle overflow
用于引用名称和频道的订阅(comp-operator-subscription)。订阅会拉取配置集作为一个容器,它支持:
apiVersion: policy.open-cluster-management.io/v1
kind: ConfigurationPolicy
metadata:
name: comp-operator-subscription
spec:
remediationAction: inform # will be overridden by remediationAction in parent policy
severity: high
object-templates:
- complianceType: musthave
objectDefinition:
apiVersion: operators.coreos.com/v1alpha1
kind: Subscription
metadata:
name: compliance-operator
namespace: openshift-compliance
spec:
channel: "4.7"
installPlanApproval: Automatic
name: compliance-operator
source: redhat-operators
sourceNamespace: openshift-marketplace
apiVersion : policy.open- cluster- management.io/v1
kind : ConfigurationPolicy
metadata :
name : comp- operator- subscription
spec :
remediationAction : inform
severity : high
object-templates :
- complianceType : musthave
objectDefinition :
apiVersion : operators.coreos.com/v1alpha1
kind : Subscription
metadata :
name : compliance- operator
namespace : openshift- compliance
spec :
channel : "4.7"
installPlanApproval : Automatic
name : compliance- operator
source : redhat- operators
sourceNamespace : openshift- marketplace
Copy to Clipboard
Copied!
Toggle word wrap
Toggle overflow
一个 Essential 8(E8)扫描策略会部署一个扫描,检查 master 和 worker 节点是否满足 E8 安全配置集。您必须安装 Compliance Operator 以应用 E8 扫描策略。
E8 扫描策略在 Red Hat Advanced Cluster Management 中作为 Kubernetes 配置策略创建。OpenShift Container Platform 4.7 和 4.6 支持 E8 扫描策略。如需更多信息,请参阅 OpenShift Container Platform 文档中的了解 Compliance Operator
当您创建 E8 扫描策略时,会创建以下资源:
ScanSettingBinding 资源 (e8) 用于识别要扫描的配置集:
apiVersion: policy.open-cluster-management.io/v1
kind: ConfigurationPolicy
metadata:
name: compliance-suite-e8
spec:
remediationAction: inform
severity: high
object-templates:
- complianceType: musthave # this template checks if scan has completed by checking the status field
objectDefinition:
apiVersion: compliance.openshift.io/v1alpha1
kind: ScanSettingBinding
metadata:
name: e8
namespace: openshift-compliance
profiles:
- apiGroup: compliance.openshift.io/v1alpha1
kind: Profile
name: ocp4-e8
- apiGroup: compliance.openshift.io/v1alpha1
kind: Profile
name: rhcos4-e8
settingsRef:
apiGroup: compliance.openshift.io/v1alpha1
kind: ScanSetting
name: default
apiVersion : policy.open- cluster- management.io/v1
kind : ConfigurationPolicy
metadata :
name : compliance- suite- e8
spec :
remediationAction : inform
severity : high
object-templates :
- complianceType : musthave
objectDefinition :
apiVersion : compliance.openshift.io/v1alpha1
kind : ScanSettingBinding
metadata :
name : e8
namespace : openshift- compliance
profiles :
- apiGroup : compliance.openshift.io/v1alpha1
kind : Profile
name : ocp4- e8
- apiGroup : compliance.openshift.io/v1alpha1
kind : Profile
name : rhcos4- e8
settingsRef :
apiGroup : compliance.openshift.io/v1alpha1
kind : ScanSetting
name : default
Copy to Clipboard
Copied!
Toggle word wrap
Toggle overflow
一个 ComplianceSuite 资源 (compliance-suite-e8),用于通过检查 status 字段来验证扫描是否已完成:
apiVersion: policy.open-cluster-management.io/v1
kind: ConfigurationPolicy
metadata:
name: compliance-suite-e8
spec:
remediationAction: inform
severity: high
object-templates:
- complianceType: musthave # this template checks if scan has completed by checking the status field
objectDefinition:
apiVersion: compliance.openshift.io/v1alpha1
kind: ComplianceSuite
metadata:
name: e8
namespace: openshift-compliance
status:
phase: DONE
apiVersion : policy.open- cluster- management.io/v1
kind : ConfigurationPolicy
metadata :
name : compliance- suite- e8
spec :
remediationAction : inform
severity : high
object-templates :
- complianceType : musthave
objectDefinition :
apiVersion : compliance.openshift.io/v1alpha1
kind : ComplianceSuite
metadata :
name : e8
namespace : openshift- compliance
status :
phase : DONE
Copy to Clipboard
Copied!
Toggle word wrap
Toggle overflow
一个 ComplianceCheckResult 资源 (compliance-suite-e8-results),它通过检查 ComplianceCheckResult 自定义资源 (CR) 来报告扫描套件的结果:
apiVersion: policy.open-cluster-management.io/v1
kind: ConfigurationPolicy
metadata:
name: compliance-suite-e8-results
spec:
remediationAction: inform
severity: high
object-templates:
- complianceType: mustnothave # this template reports the results for scan suite: e8 by looking at ComplianceCheckResult CRs
objectDefinition:
apiVersion: compliance.openshift.io/v1alpha1
kind: ComplianceCheckResult
metadata:
namespace: openshift-compliance
labels:
compliance.openshift.io/check-status: FAIL
compliance.openshift.io/suite: e8
apiVersion : policy.open- cluster- management.io/v1
kind : ConfigurationPolicy
metadata :
name : compliance- suite- e8- results
spec :
remediationAction : inform
severity : high
object-templates :
- complianceType : mustnothave
objectDefinition :
apiVersion : compliance.openshift.io/v1alpha1
kind : ComplianceCheckResult
metadata :
namespace : openshift- compliance
labels :
compliance.openshift.io/check-status : FAIL
compliance.openshift.io/suite : e8
Copy to Clipboard
Copied!
Toggle word wrap
Toggle overflow
注: enforce 以创建 ScanSettingBinding 资源。
请参阅 policy-compliance-operator-e8-scan.yaml管理安全策略 。注:
OpenShift CIS 扫描策略会部署一个扫描来检查 master 和 worker 节点是否与 OpenShift CIS 安全基准相符。您必须安装 Compliance operator 以应用 OpenShift CIS 策略。
OpenShift CIS 扫描策略在 Red Hat Advanced Cluster Management 中作为 Kubernetes 配置策略创建。OpenShift Container Platform 4.9、4.7 和 4.6 支持 OpenShift CIS 扫描策略。如需更多信息,请参阅 OpenShift Container Platform 文档中的 了解 Compliance Operator 部分以了解更多详细信息。
创建 OpenShift CIS 扫描策略时,会创建以下资源:
用于识别要扫描的配置集的 ScanSettingBinding 资源 (cis):
apiVersion: policy.open-cluster-management.io/v1
kind: ConfigurationPolicy
metadata:
name: compliance-cis-scan
spec:
remediationAction: inform
severity: high
object-templates:
- complianceType: musthave # this template creates ScanSettingBinding:cis
objectDefinition:
apiVersion: compliance.openshift.io/v1alpha1
kind: ScanSettingBinding
metadata:
name: cis
namespace: openshift-compliance
profiles:
- apiGroup: compliance.openshift.io/v1alpha1
kind: Profile
name: ocp4-cis
- apiGroup: compliance.openshift.io/v1alpha1
kind: Profile
name: ocp4-cis-node
settingsRef:
apiGroup: compliance.openshift.io/v1alpha1
kind: ScanSetting
name: default
apiVersion : policy.open- cluster- management.io/v1
kind : ConfigurationPolicy
metadata :
name : compliance- cis- scan
spec :
remediationAction : inform
severity : high
object-templates :
- complianceType : musthave
objectDefinition :
apiVersion : compliance.openshift.io/v1alpha1
kind : ScanSettingBinding
metadata :
name : cis
namespace : openshift- compliance
profiles :
- apiGroup : compliance.openshift.io/v1alpha1
kind : Profile
name : ocp4- cis
- apiGroup : compliance.openshift.io/v1alpha1
kind : Profile
name : ocp4- cis- node
settingsRef :
apiGroup : compliance.openshift.io/v1alpha1
kind : ScanSetting
name : default
Copy to Clipboard
Copied!
Toggle word wrap
Toggle overflow
一个 ComplianceSuite 资源 (compliance-suite-cis),用于通过检查 status 字段来验证扫描是否已完成:
apiVersion: policy.open-cluster-management.io/v1
kind: ConfigurationPolicy
metadata:
name: compliance-suite-cis
spec:
remediationAction: inform
severity: high
object-templates:
- complianceType: musthave # this template checks if scan has completed by checking the status field
objectDefinition:
apiVersion: compliance.openshift.io/v1alpha1
kind: ComplianceSuite
metadata:
name: cis
namespace: openshift-compliance
status:
phase: DONE
apiVersion : policy.open- cluster- management.io/v1
kind : ConfigurationPolicy
metadata :
name : compliance- suite- cis
spec :
remediationAction : inform
severity : high
object-templates :
- complianceType : musthave
objectDefinition :
apiVersion : compliance.openshift.io/v1alpha1
kind : ComplianceSuite
metadata :
name : cis
namespace : openshift- compliance
status :
phase : DONE
Copy to Clipboard
Copied!
Toggle word wrap
Toggle overflow
一个 ComplianceCheckResult 资源 (compliance-suite-cis-results),它通过检查 ComplianceCheckResult 自定义资源 (CR) 来报告扫描套件的结果:
apiVersion: policy.open-cluster-management.io/v1
kind: ConfigurationPolicy
metadata:
name: compliance-suite-cis-results
spec:
remediationAction: inform
severity: high
object-templates:
- complianceType: mustnothave # this template reports the results for scan suite: cis by looking at ComplianceCheckResult CRs
objectDefinition:
apiVersion: compliance.openshift.io/v1alpha1
kind: ComplianceCheckResult
metadata:
namespace: openshift-compliance
labels:
compliance.openshift.io/check-status: FAIL
compliance.openshift.io/suite: cis
apiVersion : policy.open- cluster- management.io/v1
kind : ConfigurationPolicy
metadata :
name : compliance- suite- cis- results
spec :
remediationAction : inform
severity : high
object-templates :
- complianceType : mustnothave
objectDefinition :
apiVersion : compliance.openshift.io/v1alpha1
kind : ComplianceCheckResult
metadata :
namespace : openshift- compliance
labels :
compliance.openshift.io/check-status : FAIL
compliance.openshift.io/suite : cis
Copy to Clipboard
Copied!
Toggle word wrap
Toggle overflow
请参阅 policy-compliance-operator-cis-scan.yaml管理安全策略 。
应用镜像漏洞策略,以利用 Container Security Operator 来检测容器镜像是否有漏洞。如果没有安装 Container Security Operator,该策略会在受管集群上安装它。
镜像漏洞策略由 Kubernetes 配置策略控制器负责检查。有关 Security Operator 的更多信息,请参阅 Quay 存储库 中的 Container Security Operator
备注:
查看以下部分以了解更多信息:
在创建容器安全 Operator 策略时,它会涉及以下策略:
创建订阅的策略 (container-security-operator) 来引用名称和频道。此配置策略必须将 spec.remediationAction 设置为 enforce 来创建资源。订阅会拉取配置集,作为订阅支持的容器。查看以下示例:
apiVersion: policy.open-cluster-management.io/v1
kind: ConfigurationPolicy
metadata:
name: policy-imagemanifestvuln-example-sub
spec:
remediationAction: enforce # will be overridden by remediationAction in parent policy
severity: high
object-templates:
- complianceType: musthave
objectDefinition:
apiVersion: operators.coreos.com/v1alpha1
kind: Subscription
metadata:
name: container-security-operator
namespace: openshift-operators
spec:
# channel: quay-v3.3 # specify a specific channel if desired
installPlanApproval: Automatic
name: container-security-operator
source: redhat-operators
sourceNamespace: openshift-marketplace
apiVersion : policy.open- cluster- management.io/v1
kind : ConfigurationPolicy
metadata :
name : policy- imagemanifestvuln- example- sub
spec :
remediationAction : enforce
severity : high
object-templates :
- complianceType : musthave
objectDefinition :
apiVersion : operators.coreos.com/v1alpha1
kind : Subscription
metadata :
name : container- security- operator
namespace : openshift- operators
spec :
installPlanApproval : Automatic
name : container- security- operator
source : redhat- operators
sourceNamespace : openshift- marketplace
Copy to Clipboard
Copied!
Toggle word wrap
Toggle overflow
一个 inform 配置策略来审核 ClusterServiceVersion,以确保容器安全 Operator 安装成功。查看以下示例:
apiVersion: policy.open-cluster-management.io/v1
kind: ConfigurationPolicy
metadata:
name: policy-imagemanifestvuln-status
spec:
remediationAction: inform # will be overridden by remediationAction in parent policy
severity: high
object-templates:
- complianceType: musthave
objectDefinition:
apiVersion: operators.coreos.com/v1alpha1
kind: ClusterServiceVersion
metadata:
namespace: openshift-operators
spec:
displayName: Red Hat Quay Container Security Operator
status:
phase: Succeeded # check the CSV status to determine if operator is running or not
apiVersion : policy.open- cluster- management.io/v1
kind : ConfigurationPolicy
metadata :
name : policy- imagemanifestvuln- status
spec :
remediationAction : inform
severity : high
object-templates :
- complianceType : musthave
objectDefinition :
apiVersion : operators.coreos.com/v1alpha1
kind : ClusterServiceVersion
metadata :
namespace : openshift- operators
spec :
displayName : Red Hat Quay Container Security Operator
status :
phase : Succeeded
Copy to Clipboard
Copied!
Toggle word wrap
Toggle overflow
一个 inform 配置策略,用于审核镜像漏洞扫描创建的任何 ImageManifestVuln 对象。查看以下示例:
apiVersion: policy.open-cluster-management.io/v1
kind: ConfigurationPolicy
metadata:
name: policy-imagemanifestvuln-example-imv
spec:
remediationAction: inform # will be overridden by remediationAction in parent policy
severity: high
namespaceSelector:
exclude: ["kube-*"]
include: ["*"]
object-templates:
- complianceType: mustnothave # mustnothave any ImageManifestVuln object
objectDefinition:
apiVersion: secscan.quay.redhat.com/v1alpha1
kind: ImageManifestVuln # checking for a Kind
apiVersion : policy.open- cluster- management.io/v1
kind : ConfigurationPolicy
metadata :
name : policy- imagemanifestvuln- example- imv
spec :
remediationAction : inform
severity : high
namespaceSelector :
exclude : [ "kube-*" ]
include : [ "*" ]
object-templates :
- complianceType : mustnothave
objectDefinition :
apiVersion : secscan.quay.redhat.com/v1alpha1
kind : ImageManifestVuln
Copy to Clipboard
Copied!
Toggle word wrap
Toggle overflow
配置并应用 OpenShift Platform Plus 策略集 (openshift-plus) 来安装 Red Hat OpenShift Platform Plus。
OpenShift Platform Plus 策略集包含两个部署的 PolicySets。OpenShift Plus 策略集应用设置为安装 OpenShift Platform Plus 产品的多个策略。Red Hat Advanced Cluster Security 安全集群服务和 Compliance Operator 部署到所有 OpenShift Container Platform 受管集群。
在 Amazon Web Services (AWS) 环境中安装 Red Hat OpenShift Container Platform 4.12 或更高版本。
安装 Red Hat Advanced Cluster Management for Kubernetes 2.7 或更高版本。
安装策略生成器 Kustomize 插件。如需更多信息,请参阅策略生成器 文档。
当您将策略设置为 hub 集群时,会安装以下 OpenShift Platform Plus 组件:
Expand 表 2.13. 组件表 组件 策略 描述
Red Hat Advanced Cluster Security
policy-acs-central-ca-bundle
用于将中央服务器安装到 Red Hat Advanced Cluster Management for Kubernetes hub 集群和受管集群的策略。
policy-acs-central-status
用于接收 Red Hat Advanced Cluster Security 状态的部署。
policy-acs-operator-central
配置 Red Hat Advanced Cluster Security central operator。
policy-acs-sync-resources
用于验证 Red Hat Advanced Cluster Security 资源是否已创建的策略。
OpenShift Container Platform
policy-advanced-managed-cluster-status
受管 hub 集群。受管集群的管理器。
Compliance operator
policy-compliance-operator-install
用于安装 Compliance operator 的策略。
Red Hat Quay
policy-config-quay
Red Hat Quay 的配置策略。
policy-install-quay
用于安装 Red Hat Quay 的策略。
policy-quay-status
安装到 Red Hat Advanced Cluster Management hub 集群中。
Red Hat Advanced Cluster Management
policy-ocm-observability
设置 Red Hat Advanced Cluster Management observability 服务。
Red Hat OpenShift Data Platform
policy-odf
Red Hat Advanced Cluster Management observability 和 Quay 使用的 hub 集群组件的可用存储。
policy-odf-status
用于配置 Red Hat OpenShift Data Platform 状态的策略。
Show more 
红帽全球峰会
'%20d='M201.5%20305.5c-13.8%200-24.9-11.1-24.9-24.6%200-13.8%2011.1-24.9%2024.9-24.9%2013.6%200%2024.6%2011.1%2024.6%2024.9%200%2013.6-11.1%2024.6-24.6%2024.6zM504%20256c0%20137-111%20248-248%20248S8%20393%208%20256%20119%208%20256%208s248%20111%20248%20248zm-132.3-41.2c-9.4%200-17.7%203.9-23.8%2010-22.4-15.5-52.6-25.5-86.1-26.6l17.4-78.3%2055.4%2012.5c0%2013.6%2011.1%2024.6%2024.6%2024.6%2013.8%200%2024.9-11.3%2024.9-24.9s-11.1-24.9-24.9-24.9c-9.7%200-18%205.8-22.1%2013.8l-61.2-13.6c-3-.8-6.1%201.4-6.9%204.4l-19.1%2086.4c-33.2%201.4-63.1%2011.3-85.5%2026.8-6.1-6.4-14.7-10.2-24.1-10.2-34.9%200-46.3%2046.9-14.4%2062.8-1.1%205-1.7%2010.2-1.7%2015.5%200%2052.6%2059.2%2095.2%20132%2095.2%2073.1%200%20132.3-42.6%20132.3-95.2%200-5.3-.6-10.8-1.9-15.8%2031.3-16%2019.8-62.5-14.9-62.5zM302.8%20331c-18.2%2018.2-76.1%2017.9-93.6%200-2.2-2.2-6.1-2.2-8.3%200-2.5%202.5-2.5%206.4%200%208.6%2022.8%2022.8%2087.3%2022.8%20110.2%200%202.5-2.2%202.5-6.1%200-8.6-2.2-2.2-6.1-2.2-8.3%200zm7.7-75c-13.6%200-24.6%2011.1-24.6%2024.9%200%2013.6%2011.1%2024.6%2024.6%2024.6%2013.8%200%2024.9-11.1%2024.9-24.6%200-13.8-11-24.9-24.9-24.9z'/%3e%3c/svg%3e){kind=small}