on push: make
petrkotas committed Nov 15, 2024
1 parent 7d99654 commit dd54e2e
Showing 5 changed files with 1,755 additions and 520 deletions.
156 changes: 127 additions & 29 deletions deploy/acm-policies/50-GENERATED-osd-logging-unsupported.Policy.yaml
Expand Up @@ -21,67 +21,165 @@ spec:
compliant: 2h
noncompliant: 45s
object-templates:
- complianceType: mustonlyhave
metadataComplianceType: musthave
objectDefinition:
apiVersion: v1
applyMode: AlwaysApply
kind: Namespace
name: openshift-logging
patch: |-
{
"annotations": {
"openshift.io/node-selector": ""
},
"labels": {
"openshift.io/cluster-logging": "true"
}
}
patchType: merge
- complianceType: mustonlyhave
metadataComplianceType: musthave
objectDefinition:
apiVersion: v1
kind: Namespace
metadata:
annotations:
openshift.io/node-selector: ""
labels:
openshift.io/cluster-logging: "true"
name: openshift-logging
- complianceType: mustonlyhave
metadataComplianceType: musthave
objectDefinition:
apiVersion: rbac.authorization.k8s.io/v1
applyMode: AlwaysApply
kind: Role
name: dedicated-admins-openshift-logging
namespace: openshift-logging
patch: '{"rules":[{"apiGroups":[""],"resources":["events","namespaces","persistentvolumeclaims","persistentvolumes","pods","pods/log"],"verbs":["list","get","watch"]},{"apiGroups":[""],"resources":["secrets"],"verbs":["*"]},{"apiGroups":["logging.openshift.io"],"resources":["clusterloggings"],"verbs":["create","delete","deletecollection","get","list","patch","update","watch"]},{"apiGroups":["operators.coreos.com"],"resources":["subscriptions","clusterserviceversions"],"verbs":["*"]},{"apiGroups":["operators.coreos.com"],"resources":["installplans"],"verbs":["update"]},{"apiGroups":[""],"resources":["persistentvolumeclaims"],"verbs":["*"]},{"apiGroups":["apps","extensions"],"resources":["daemonsets"],"verbs":["get","list","patch","update","watch"]}]}'
patchType: merge
metadata:
name: dedicated-admins-openshift-logging
namespace: openshift-logging
rules:
- apiGroups:
- ""
resources:
- events
- namespaces
- persistentvolumeclaims
- persistentvolumes
- pods
- pods/log
verbs:
- list
- get
- watch
- apiGroups:
- ""
resources:
- secrets
verbs:
- '*'
- apiGroups:
- logging.openshift.io
resources:
- clusterloggings
verbs:
- create
- delete
- deletecollection
- get
- list
- patch
- update
- watch
- apiGroups:
- operators.coreos.com
resources:
- subscriptions
- clusterserviceversions
verbs:
- '*'
- apiGroups:
- operators.coreos.com
resources:
- installplans
verbs:
- update
- apiGroups:
- ""
resources:
- persistentvolumeclaims
verbs:
- '*'
- apiGroups:
- apps
- extensions
resources:
- daemonsets
verbs:
- get
- list
- patch
- update
- watch
- complianceType: mustonlyhave
metadataComplianceType: musthave
objectDefinition:
apiVersion: rbac.authorization.k8s.io/v1
applyMode: AlwaysApply
kind: RoleBinding
name: admin-dedicated-admins
namespace: openshift-logging
patch: '{"roleRef":{"apiGroup":"rbac.authorization.k8s.io","kind":"ClusterRole","name":"admin"},"subjects":[{"apiGroup":"rbac.authorization.k8s.io","kind":"Group","name":"dedicated-admins"}]}'
patchType: merge
metadata:
name: admin-dedicated-admins
namespace: openshift-logging
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: ClusterRole
name: admin
subjects:
- apiGroup: rbac.authorization.k8s.io
kind: Group
name: dedicated-admins
- complianceType: mustonlyhave
metadataComplianceType: musthave
objectDefinition:
apiVersion: rbac.authorization.k8s.io/v1
applyMode: AlwaysApply
kind: RoleBinding
name: admin-system:serviceaccounts:dedicated-admin
namespace: openshift-logging
patch: '{"roleRef":{"apiGroup":"rbac.authorization.k8s.io","kind":"ClusterRole","name":"admin"},"subjects":[{"apiGroup":"rbac.authorization.k8s.io","kind":"Group"}]}'
patchType: merge
metadata:
name: admin-system:serviceaccounts:dedicated-admin
namespace: openshift-logging
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: ClusterRole
name: admin
subjects:
- apiGroup: rbac.authorization.k8s.io
kind: Group
name: system:serviceaccounts:dedicated-admin
- complianceType: mustonlyhave
metadataComplianceType: musthave
objectDefinition:
apiVersion: rbac.authorization.k8s.io/v1
applyMode: AlwaysApply
kind: RoleBinding
name: openshift-logging-dedicated-admins
namespace: openshift-logging
patch: '{"roleRef":{"apiGroup":"rbac.authorization.k8s.io","kind":"ClusterRole","name":"dedicated-admins-project"},"subjects":[{"apiGroup":"rbac.authorization.k8s.io","kind":"Group","name":"dedicated-admins"}]}'
patchType: merge
metadata:
name: openshift-logging-dedicated-admins
namespace: openshift-logging
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: ClusterRole
name: dedicated-admins-project
subjects:
- apiGroup: rbac.authorization.k8s.io
kind: Group
name: dedicated-admins
- complianceType: mustonlyhave
metadataComplianceType: musthave
objectDefinition:
apiVersion: rbac.authorization.k8s.io/v1
applyMode: AlwaysApply
kind: RoleBinding
name: openshift-logging:serviceaccounts:dedicated-admin
namespace: openshift-logging
patch: '{"roleRef":{"apiGroup":"rbac.authorization.k8s.io","kind":"ClusterRole","name":"dedicated-admins-project"},"subjects":[{"apiGroup":"rbac.authorization.k8s.io","kind":"Group","name":"system:serviceaccounts:dedicated-admin"}]}'
patchType: merge
metadata:
name: openshift-logging:serviceaccounts:dedicated-admin
namespace: openshift-logging
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: ClusterRole
name: dedicated-admins-project
subjects:
- apiGroup: rbac.authorization.k8s.io
kind: Group
name: system:serviceaccounts:dedicated-admin
pruneObjectBehavior: DeleteIfCreated
remediationAction: enforce
severity: low
Expand Up @@ -32,42 +32,66 @@ spec:
metadataComplianceType: musthave
objectDefinition:
apiVersion: rbac.authorization.k8s.io/v1
applyMode: AlwaysApply
kind: RoleBinding
name: admin-dedicated-admins
namespace: openshift-operators-redhat
patch: '{"roleRef":{"apiGroup":"rbac.authorization.k8s.io","kind":"ClusterRole","name":"admin"},"subjects":[{"apiGroup":"rbac.authorization.k8s.io","kind":"Group","name":"dedicated-admins"}]}'
patchType: merge
metadata:
name: admin-dedicated-admins
namespace: openshift-operators-redhat
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: ClusterRole
name: admin
subjects:
- apiGroup: rbac.authorization.k8s.io
kind: Group
name: dedicated-admins
- complianceType: mustonlyhave
metadataComplianceType: musthave
objectDefinition:
apiVersion: rbac.authorization.k8s.io/v1
applyMode: AlwaysApply
kind: RoleBinding
name: admin-system:serviceaccounts:dedicated-admin
namespace: openshift-operators-redhat
patch: '{"roleRef":{"apiGroup":"rbac.authorization.k8s.io","kind":"ClusterRole","name":"admin"},"subjects":[{"apiGroup":"rbac.authorization.k8s.io","kind":"Group","name":"system:serviceaccounts:dedicated-admin"}]}'
patchType: merge
metadata:
name: admin-system:serviceaccounts:dedicated-admin
namespace: openshift-operators-redhat
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: ClusterRole
name: admin
subjects:
- apiGroup: rbac.authorization.k8s.io
kind: Group
name: system:serviceaccounts:dedicated-admin
- complianceType: mustonlyhave
metadataComplianceType: musthave
objectDefinition:
apiVersion: rbac.authorization.k8s.io/v1
applyMode: AlwaysApply
kind: RoleBinding
name: openshift-operators-redhat-dedicated-admins
namespace: openshift-operators-redhat
patch: '{"roleRef":{"apiGroup":"rbac.authorization.k8s.io","kind":"ClusterRole","name":"dedicated-admins-project"},"subjects":[{"apiGroup":"rbac.authorization.k8s.io","kind":"Group","name":"dedicated-admins"}]}'
patchType: merge
metadata:
name: openshift-operators-redhat-dedicated-admins
namespace: openshift-operators-redhat
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: ClusterRole
name: dedicated-admins-project
subjects:
- apiGroup: rbac.authorization.k8s.io
kind: Group
name: dedicated-admins
- complianceType: mustonlyhave
metadataComplianceType: musthave
objectDefinition:
apiVersion: rbac.authorization.k8s.io/v1
applyMode: AlwaysApply
kind: RoleBinding
name: openshift-operators-redhat:serviceaccounts:dedicated-admin
namespace: openshift-operators-redhat
patch: '{"roleRef":{"apiGroup":"rbac.authorization.k8s.io","kind":"ClusterRole","name":"dedicated-admins-project"},"subjects":[{"apiGroup":"rbac.authorization.k8s.io","kind":"Group","name":"system:serviceaccounts:dedicated-admin"}]}'
patchType: merge
metadata:
name: openshift-operators-redhat:serviceaccounts:dedicated-admin
namespace: openshift-operators-redhat
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: ClusterRole
name: dedicated-admins-project
subjects:
- apiGroup: rbac.authorization.k8s.io
kind: Group
name: system:serviceaccounts:dedicated-admin
pruneObjectBehavior: DeleteIfCreated
remediationAction: enforce
severity: low