From dd54e2ea6168e982e8475da19f72613989b03a5c Mon Sep 17 00:00:00 2001 From: petrkotas Date: Fri, 15 Nov 2024 14:20:56 +0000 Subject: [PATCH] on push: make --- ...ERATED-osd-logging-unsupported.Policy.yaml | 156 +++- ...osd-openshift-operators-redhat.Policy.yaml | 64 +- ...naged-cluster-config-integration.yaml.tmpl | 685 ++++++++++++++---- ...anaged-cluster-config-production.yaml.tmpl | 685 ++++++++++++++---- ...osd-managed-cluster-config-stage.yaml.tmpl | 685 ++++++++++++++---- 5 files changed, 1755 insertions(+), 520 deletions(-) diff --git a/deploy/acm-policies/50-GENERATED-osd-logging-unsupported.Policy.yaml b/deploy/acm-policies/50-GENERATED-osd-logging-unsupported.Policy.yaml index 0b0b1c003e..36e460e933 100644 --- a/deploy/acm-policies/50-GENERATED-osd-logging-unsupported.Policy.yaml +++ b/deploy/acm-policies/50-GENERATED-osd-logging-unsupported.Policy.yaml 
@@ -21,67 +21,165 @@ spec: compliant: 2h noncompliant: 45s object-templates: + - complianceType: mustonlyhave + metadataComplianceType: musthave + objectDefinition: + apiVersion: v1 + applyMode: AlwaysApply + kind: Namespace + name: openshift-logging + patch: |- + { + "annotations": { + "openshift.io/node-selector": "" + }, + "labels": { + "openshift.io/cluster-logging": "true" + } + } + patchType: merge - complianceType: mustonlyhave metadataComplianceType: musthave objectDefinition: apiVersion: v1 kind: Namespace metadata: - annotations: - openshift.io/node-selector: "" - labels: - openshift.io/cluster-logging: "true" name: openshift-logging - complianceType: mustonlyhave metadataComplianceType: musthave objectDefinition: apiVersion: rbac.authorization.k8s.io/v1 - applyMode: AlwaysApply kind: Role - name: dedicated-admins-openshift-logging - namespace: openshift-logging - patch: '{"rules":[{"apiGroups":[""],"resources":["events","namespaces","persistentvolumeclaims","persistentvolumes","pods","pods/log"],"verbs":["list","get","watch"]},{"apiGroups":[""],"resources":["secrets"],"verbs":["*"]},{"apiGroups":["logging.openshift.io"],"resources":["clusterloggings"],"verbs":["create","delete","deletecollection","get","list","patch","update","watch"]},{"apiGroups":["operators.coreos.com"],"resources":["subscriptions","clusterserviceversions"],"verbs":["*"]},{"apiGroups":["operators.coreos.com"],"resources":["installplans"],"verbs":["update"]},{"apiGroups":[""],"resources":["persistentvolumeclaims"],"verbs":["*"]},{"apiGroups":["apps","extensions"],"resources":["daemonsets"],"verbs":["get","list","patch","update","watch"]}]}' - patchType: merge + metadata: + name: dedicated-admins-openshift-logging + namespace: openshift-logging + rules: + - apiGroups: + - "" + resources: + - events + - namespaces + - persistentvolumeclaims + - persistentvolumes + - pods + - pods/log + verbs: + - list + - get + - watch + - apiGroups: + - "" + resources: + - secrets + verbs: + - '*' + - 
apiGroups: + - logging.openshift.io + resources: + - clusterloggings + verbs: + - create + - delete + - deletecollection + - get + - list + - patch + - update + - watch + - apiGroups: + - operators.coreos.com + resources: + - subscriptions + - clusterserviceversions + verbs: + - '*' + - apiGroups: + - operators.coreos.com + resources: + - installplans + verbs: + - update + - apiGroups: + - "" + resources: + - persistentvolumeclaims + verbs: + - '*' + - apiGroups: + - apps + - extensions + resources: + - daemonsets + verbs: + - get + - list + - patch + - update + - watch - complianceType: mustonlyhave metadataComplianceType: musthave objectDefinition: apiVersion: rbac.authorization.k8s.io/v1 - applyMode: AlwaysApply kind: RoleBinding - name: admin-dedicated-admins - namespace: openshift-logging - patch: '{"roleRef":{"apiGroup":"rbac.authorization.k8s.io","kind":"ClusterRole","name":"admin"},"subjects":[{"apiGroup":"rbac.authorization.k8s.io","kind":"Group","name":"dedicated-admins"}]}' - patchType: merge + metadata: + name: admin-dedicated-admins + namespace: openshift-logging + roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: admin + subjects: + - apiGroup: rbac.authorization.k8s.io + kind: Group + name: dedicated-admins - complianceType: mustonlyhave metadataComplianceType: musthave objectDefinition: apiVersion: rbac.authorization.k8s.io/v1 - applyMode: AlwaysApply kind: RoleBinding - name: admin-system:serviceaccounts:dedicated-admin - namespace: openshift-logging - patch: '{"roleRef":{"apiGroup":"rbac.authorization.k8s.io","kind":"ClusterRole","name":"admin"},"subjects":[{"apiGroup":"rbac.authorization.k8s.io","kind":"Group"}]}' - patchType: merge + metadata: + name: admin-system:serviceaccounts:dedicated-admin + namespace: openshift-logging + roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: admin + subjects: + - apiGroup: rbac.authorization.k8s.io + kind: Group + name: system:serviceaccounts:dedicated-admin - 
complianceType: mustonlyhave metadataComplianceType: musthave objectDefinition: apiVersion: rbac.authorization.k8s.io/v1 - applyMode: AlwaysApply kind: RoleBinding - name: openshift-logging-dedicated-admins - namespace: openshift-logging - patch: '{"roleRef":{"apiGroup":"rbac.authorization.k8s.io","kind":"ClusterRole","name":"dedicated-admins-project"},"subjects":[{"apiGroup":"rbac.authorization.k8s.io","kind":"Group","name":"dedicated-admins"}]}' - patchType: merge + metadata: + name: openshift-logging-dedicated-admins + namespace: openshift-logging + roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: dedicated-admins-project + subjects: + - apiGroup: rbac.authorization.k8s.io + kind: Group + name: dedicated-admins - complianceType: mustonlyhave metadataComplianceType: musthave objectDefinition: apiVersion: rbac.authorization.k8s.io/v1 - applyMode: AlwaysApply kind: RoleBinding - name: openshift-logging:serviceaccounts:dedicated-admin - namespace: openshift-logging - patch: '{"roleRef":{"apiGroup":"rbac.authorization.k8s.io","kind":"ClusterRole","name":"dedicated-admins-project"},"subjects":[{"apiGroup":"rbac.authorization.k8s.io","kind":"Group","name":"system:serviceaccounts:dedicated-admin"}]}' - patchType: merge + metadata: + name: openshift-logging:serviceaccounts:dedicated-admin + namespace: openshift-logging + roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: dedicated-admins-project + subjects: + - apiGroup: rbac.authorization.k8s.io + kind: Group + name: system:serviceaccounts:dedicated-admin pruneObjectBehavior: DeleteIfCreated remediationAction: enforce severity: low diff --git a/deploy/acm-policies/50-GENERATED-osd-openshift-operators-redhat.Policy.yaml b/deploy/acm-policies/50-GENERATED-osd-openshift-operators-redhat.Policy.yaml index ddc9667bab..7b848e3265 100644 --- a/deploy/acm-policies/50-GENERATED-osd-openshift-operators-redhat.Policy.yaml 
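Review bot: The first added object-template in this hunk wraps a Hive SyncSet patch entry (`applyMode: AlwaysApply`, a top-level `name`, `patch`, `patchType`) in `objectDefinition`, which is not a Kubernetes manifest — it has no `metadata`, so the ConfigurationPolicy controller has nothing it can look up or enforce, and as I read it the template will report a violation instead of labelling the namespace. Because the same hunk also drops `openshift.io/node-selector` and `openshift.io/cluster-logging` from the `metadata` of the following Namespace template, ACM-managed clusters would end up with `openshift-logging` carrying neither the annotation nor the label. The generator should emit those fields under the Namespace object's `metadata` and not emit the patch entry as a template; the expected output is below. The integration template's hunk at `-6262,67` contains the same pair of templates, and presumably the stage and production templates (outside this chunk) do too.
```yaml
- complianceType: mustonlyhave
  metadataComplianceType: musthave
  objectDefinition:
    apiVersion: v1
    kind: Namespace
    metadata:
      annotations:
        openshift.io/node-selector: ""
      labels:
        openshift.io/cluster-logging: "true"
      name: openshift-logging
# … unchanged: Role and RoleBinding object-templates …
```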
+++ b/deploy/acm-policies/50-GENERATED-osd-openshift-operators-redhat.Policy.yaml 
@@ -32,42 +32,66 @@ spec: metadataComplianceType: musthave objectDefinition: apiVersion: rbac.authorization.k8s.io/v1 - applyMode: AlwaysApply kind: RoleBinding - name: admin-dedicated-admins - namespace: openshift-operators-redhat - patch: '{"roleRef":{"apiGroup":"rbac.authorization.k8s.io","kind":"ClusterRole","name":"admin"},"subjects":[{"apiGroup":"rbac.authorization.k8s.io","kind":"Group","name":"dedicated-admins"}]}' - patchType: merge + metadata: + name: admin-dedicated-admins + namespace: openshift-operators-redhat + roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: admin + subjects: + - apiGroup: rbac.authorization.k8s.io + kind: Group + name: dedicated-admins - complianceType: mustonlyhave metadataComplianceType: musthave objectDefinition: apiVersion: rbac.authorization.k8s.io/v1 - applyMode: AlwaysApply kind: RoleBinding - name: admin-system:serviceaccounts:dedicated-admin - namespace: openshift-operators-redhat - patch: '{"roleRef":{"apiGroup":"rbac.authorization.k8s.io","kind":"ClusterRole","name":"admin"},"subjects":[{"apiGroup":"rbac.authorization.k8s.io","kind":"Group","name":"system:serviceaccounts:dedicated-admin"}]}' - patchType: merge + metadata: + name: admin-system:serviceaccounts:dedicated-admin + namespace: openshift-operators-redhat + roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: admin + subjects: + - apiGroup: rbac.authorization.k8s.io + kind: Group + name: system:serviceaccounts:dedicated-admin - complianceType: mustonlyhave metadataComplianceType: musthave objectDefinition: apiVersion: rbac.authorization.k8s.io/v1 - applyMode: AlwaysApply kind: RoleBinding - name: openshift-operators-redhat-dedicated-admins - namespace: openshift-operators-redhat - patch: '{"roleRef":{"apiGroup":"rbac.authorization.k8s.io","kind":"ClusterRole","name":"dedicated-admins-project"},"subjects":[{"apiGroup":"rbac.authorization.k8s.io","kind":"Group","name":"dedicated-admins"}]}' - patchType: merge + 
metadata: + name: openshift-operators-redhat-dedicated-admins + namespace: openshift-operators-redhat + roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: dedicated-admins-project + subjects: + - apiGroup: rbac.authorization.k8s.io + kind: Group + name: dedicated-admins - complianceType: mustonlyhave metadataComplianceType: musthave objectDefinition: apiVersion: rbac.authorization.k8s.io/v1 - applyMode: AlwaysApply kind: RoleBinding - name: openshift-operators-redhat:serviceaccounts:dedicated-admin - namespace: openshift-operators-redhat - patch: '{"roleRef":{"apiGroup":"rbac.authorization.k8s.io","kind":"ClusterRole","name":"dedicated-admins-project"},"subjects":[{"apiGroup":"rbac.authorization.k8s.io","kind":"Group","name":"system:serviceaccounts:dedicated-admin"}]}' - patchType: merge + metadata: + name: openshift-operators-redhat:serviceaccounts:dedicated-admin + namespace: openshift-operators-redhat + roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: dedicated-admins-project + subjects: + - apiGroup: rbac.authorization.k8s.io + kind: Group + name: system:serviceaccounts:dedicated-admin pruneObjectBehavior: DeleteIfCreated remediationAction: enforce severity: low diff --git a/hack/00-osd-managed-cluster-config-integration.yaml.tmpl b/hack/00-osd-managed-cluster-config-integration.yaml.tmpl index b05481a48f..a7ea6963d8 100644 --- a/hack/00-osd-managed-cluster-config-integration.yaml.tmpl +++ b/hack/00-osd-managed-cluster-config-integration.yaml.tmpl 
@@ -6262,67 +6262,159 @@ objects: compliant: 2h noncompliant: 45s object-templates: + - complianceType: mustonlyhave + metadataComplianceType: musthave + objectDefinition: + apiVersion: v1 + applyMode: AlwaysApply + kind: Namespace + name: openshift-logging + patch: "{\n \"annotations\": {\n \"openshift.io/node-selector\"\ + : \"\"\n },\n \"labels\": {\n \"openshift.io/cluster-logging\"\ + : \"true\"\n }\n}" + patchType: merge - complianceType: mustonlyhave metadataComplianceType: musthave objectDefinition: apiVersion: v1 kind: Namespace metadata: - annotations: - openshift.io/node-selector: '' - labels: - openshift.io/cluster-logging: 'true' name: openshift-logging - complianceType: mustonlyhave metadataComplianceType: musthave objectDefinition: apiVersion: rbac.authorization.k8s.io/v1 - applyMode: AlwaysApply kind: Role - name: dedicated-admins-openshift-logging - namespace: openshift-logging - patch: '{"rules":[{"apiGroups":[""],"resources":["events","namespaces","persistentvolumeclaims","persistentvolumes","pods","pods/log"],"verbs":["list","get","watch"]},{"apiGroups":[""],"resources":["secrets"],"verbs":["*"]},{"apiGroups":["logging.openshift.io"],"resources":["clusterloggings"],"verbs":["create","delete","deletecollection","get","list","patch","update","watch"]},{"apiGroups":["operators.coreos.com"],"resources":["subscriptions","clusterserviceversions"],"verbs":["*"]},{"apiGroups":["operators.coreos.com"],"resources":["installplans"],"verbs":["update"]},{"apiGroups":[""],"resources":["persistentvolumeclaims"],"verbs":["*"]},{"apiGroups":["apps","extensions"],"resources":["daemonsets"],"verbs":["get","list","patch","update","watch"]}]}' - patchType: merge + metadata: + name: dedicated-admins-openshift-logging + namespace: openshift-logging + rules: + - apiGroups: + - '' + resources: + - events + - namespaces + - persistentvolumeclaims + - persistentvolumes + - pods + - pods/log + verbs: + - list + - get + - watch + - apiGroups: + - '' + resources: + - secrets 
+ verbs: + - '*' + - apiGroups: + - logging.openshift.io + resources: + - clusterloggings + verbs: + - create + - delete + - deletecollection + - get + - list + - patch + - update + - watch + - apiGroups: + - operators.coreos.com + resources: + - subscriptions + - clusterserviceversions + verbs: + - '*' + - apiGroups: + - operators.coreos.com + resources: + - installplans + verbs: + - update + - apiGroups: + - '' + resources: + - persistentvolumeclaims + verbs: + - '*' + - apiGroups: + - apps + - extensions + resources: + - daemonsets + verbs: + - get + - list + - patch + - update + - watch - complianceType: mustonlyhave metadataComplianceType: musthave objectDefinition: apiVersion: rbac.authorization.k8s.io/v1 - applyMode: AlwaysApply kind: RoleBinding - name: admin-dedicated-admins - namespace: openshift-logging - patch: '{"roleRef":{"apiGroup":"rbac.authorization.k8s.io","kind":"ClusterRole","name":"admin"},"subjects":[{"apiGroup":"rbac.authorization.k8s.io","kind":"Group","name":"dedicated-admins"}]}' - patchType: merge + metadata: + name: admin-dedicated-admins + namespace: openshift-logging + roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: admin + subjects: + - apiGroup: rbac.authorization.k8s.io + kind: Group + name: dedicated-admins - complianceType: mustonlyhave metadataComplianceType: musthave objectDefinition: apiVersion: rbac.authorization.k8s.io/v1 - applyMode: AlwaysApply kind: RoleBinding - name: admin-system:serviceaccounts:dedicated-admin - namespace: openshift-logging - patch: '{"roleRef":{"apiGroup":"rbac.authorization.k8s.io","kind":"ClusterRole","name":"admin"},"subjects":[{"apiGroup":"rbac.authorization.k8s.io","kind":"Group"}]}' - patchType: merge + metadata: + name: admin-system:serviceaccounts:dedicated-admin + namespace: openshift-logging + roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: admin + subjects: + - apiGroup: rbac.authorization.k8s.io + kind: Group + name: 
system:serviceaccounts:dedicated-admin - complianceType: mustonlyhave metadataComplianceType: musthave objectDefinition: apiVersion: rbac.authorization.k8s.io/v1 - applyMode: AlwaysApply kind: RoleBinding - name: openshift-logging-dedicated-admins - namespace: openshift-logging - patch: '{"roleRef":{"apiGroup":"rbac.authorization.k8s.io","kind":"ClusterRole","name":"dedicated-admins-project"},"subjects":[{"apiGroup":"rbac.authorization.k8s.io","kind":"Group","name":"dedicated-admins"}]}' - patchType: merge + metadata: + name: openshift-logging-dedicated-admins + namespace: openshift-logging + roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: dedicated-admins-project + subjects: + - apiGroup: rbac.authorization.k8s.io + kind: Group + name: dedicated-admins - complianceType: mustonlyhave metadataComplianceType: musthave objectDefinition: apiVersion: rbac.authorization.k8s.io/v1 - applyMode: AlwaysApply kind: RoleBinding - name: openshift-logging:serviceaccounts:dedicated-admin - namespace: openshift-logging - patch: '{"roleRef":{"apiGroup":"rbac.authorization.k8s.io","kind":"ClusterRole","name":"dedicated-admins-project"},"subjects":[{"apiGroup":"rbac.authorization.k8s.io","kind":"Group","name":"system:serviceaccounts:dedicated-admin"}]}' - patchType: merge + metadata: + name: openshift-logging:serviceaccounts:dedicated-admin + namespace: openshift-logging + roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: dedicated-admins-project + subjects: + - apiGroup: rbac.authorization.k8s.io + kind: Group + name: system:serviceaccounts:dedicated-admin pruneObjectBehavior: DeleteIfCreated remediationAction: enforce severity: low 
@@ -6448,42 +6540,66 @@ objects: metadataComplianceType: musthave objectDefinition: apiVersion: rbac.authorization.k8s.io/v1 - applyMode: AlwaysApply kind: RoleBinding - name: admin-dedicated-admins - namespace: openshift-operators-redhat - patch: '{"roleRef":{"apiGroup":"rbac.authorization.k8s.io","kind":"ClusterRole","name":"admin"},"subjects":[{"apiGroup":"rbac.authorization.k8s.io","kind":"Group","name":"dedicated-admins"}]}' - patchType: merge + metadata: + name: admin-dedicated-admins + namespace: openshift-operators-redhat + roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: admin + subjects: + - apiGroup: rbac.authorization.k8s.io + kind: Group + name: dedicated-admins - complianceType: mustonlyhave metadataComplianceType: musthave objectDefinition: apiVersion: rbac.authorization.k8s.io/v1 - applyMode: AlwaysApply kind: RoleBinding - name: admin-system:serviceaccounts:dedicated-admin - namespace: openshift-operators-redhat - patch: '{"roleRef":{"apiGroup":"rbac.authorization.k8s.io","kind":"ClusterRole","name":"admin"},"subjects":[{"apiGroup":"rbac.authorization.k8s.io","kind":"Group","name":"system:serviceaccounts:dedicated-admin"}]}' - patchType: merge + metadata: + name: admin-system:serviceaccounts:dedicated-admin + namespace: openshift-operators-redhat + roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: admin + subjects: + - apiGroup: rbac.authorization.k8s.io + kind: Group + name: system:serviceaccounts:dedicated-admin - complianceType: mustonlyhave metadataComplianceType: musthave objectDefinition: apiVersion: rbac.authorization.k8s.io/v1 - applyMode: AlwaysApply kind: RoleBinding - name: openshift-operators-redhat-dedicated-admins - namespace: openshift-operators-redhat - patch: '{"roleRef":{"apiGroup":"rbac.authorization.k8s.io","kind":"ClusterRole","name":"dedicated-admins-project"},"subjects":[{"apiGroup":"rbac.authorization.k8s.io","kind":"Group","name":"dedicated-admins"}]}' - patchType: merge + 
metadata: + name: openshift-operators-redhat-dedicated-admins + namespace: openshift-operators-redhat + roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: dedicated-admins-project + subjects: + - apiGroup: rbac.authorization.k8s.io + kind: Group + name: dedicated-admins - complianceType: mustonlyhave metadataComplianceType: musthave objectDefinition: apiVersion: rbac.authorization.k8s.io/v1 - applyMode: AlwaysApply kind: RoleBinding - name: openshift-operators-redhat:serviceaccounts:dedicated-admin - namespace: openshift-operators-redhat - patch: '{"roleRef":{"apiGroup":"rbac.authorization.k8s.io","kind":"ClusterRole","name":"dedicated-admins-project"},"subjects":[{"apiGroup":"rbac.authorization.k8s.io","kind":"Group","name":"system:serviceaccounts:dedicated-admin"}]}' - patchType: merge + metadata: + name: openshift-operators-redhat:serviceaccounts:dedicated-admin + namespace: openshift-operators-redhat + roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: dedicated-admins-project + subjects: + - apiGroup: rbac.authorization.k8s.io + kind: Group + name: system:serviceaccounts:dedicated-admin pruneObjectBehavior: DeleteIfCreated remediationAction: enforce severity: low 
@@ -31399,56 +31515,127 @@ objects: values: - 'true' resourceApplyMode: Upsert + applyBehavior: CreateOnly + patches: + - apiVersion: v1 + kind: Namespace + name: openshift-logging + applyMode: AlwaysApply + patchType: merge + patch: "{\n \"annotations\": {\n \"openshift.io/node-selector\": \"\"\n\ + \ },\n \"labels\": {\n \"managed.openshift.io/service-lb-quota-exempt\"\ + : \"true\"\n \"managed.openshift.io/storage-pv-quota-exempt\": \"true\"\ + \n \"openshift.io/cluster-logging\": \"true\"\n \"openshift.io/cluster-monitoring\"\ + : 'true'\n }\n}" resources: - apiVersion: v1 kind: Namespace metadata: name: openshift-logging - annotations: - openshift.io/node-selector: '' - labels: - managed.openshift.io/service-lb-quota-exempt: 'true' - managed.openshift.io/storage-pv-quota-exempt: 'true' - openshift.io/cluster-logging: 'true' - openshift.io/cluster-monitoring: 'true' - patches: - apiVersion: operators.coreos.com/v1 - applyMode: AlwaysApply kind: OperatorGroup - name: openshift-logging - namespace: openshift-logging - patchType: merge - patch: '{"annotations":{"olm.providedAPIs": "ClusterLogging.v1.logging.openshift.io"},"spec":{"targetNamespaces":["openshift-logging"]}}' + metadata: + annotations: + olm.providedAPIs: ClusterLogging.v1.logging.openshift.io + name: openshift-logging + namespace: openshift-logging + spec: + targetNamespaces: + - openshift-logging - apiVersion: v1 + data: + actions.yaml: '# --- + + # Remember, leave a key empty if there is no value. None will be a string, + + # not a Python "NoneType" + + # + + # Also remember that all examples have "disable_action" set to True. If + you + + # want to use this action as a template, be sure to set this to False after + + # copying it. + + # actions: + + # 1: + + # action: delete_indices + + # description: >- + + # Delete .operations indices older than 30 days. + + # Ignore the error if the filter does not + + # result in an actionable list of indices (ignore_empty_list). 
+ + # See https://www.elastic.co/guide/en/elasticsearch/client/curator/5.2/ex_delete_indices.html + + # options: + + # # Swallow curator.exception.NoIndices exception + + # ignore_empty_list: True + + # # In seconds, default is 300 + + # timeout_override: ${CURATOR_TIMEOUT} + + # # Don''t swallow any other exceptions + + # continue_if_exception: False + + # # Optionally disable action, useful for debugging + + # disable_action: False + + # # All filters are bound by logical AND + + # filters: + + # - filtertype: pattern + + # kind: regex + + # value: "^\.operations\..*$" + + # exclude: False + + # - filtertype: age + + # # Parse timestamp from index name + + # source: name + + # direction: older + + # timestring: "%Y.%m.%d" + + # unit: days + + # unit_count: 30 + + # exclude: False + + ' + config.yaml: "# Logging example curator config file\n\n# uncomment and use\ + \ this to override the defaults from env vars\n#.defaults:\n# delete:\n\ + # days: 30\n.defaults:\n delete:\n days: 7\n\n# to keep ops logs\ + \ for a different duration:\n.operations:\n delete:\n days: 0\n\n# example\ + \ for a normal project\n#myapp:\n# delete:\n# weeks: 1\n" + curator5.yaml: "---\nclient:\n hosts:\n - ${ES_HOST}\n port: ${ES_PORT}\n\ + \ use_ssl: True\n certificate: ${ES_CA}\n client_cert: ${ES_CLIENT_CERT}\n\ + \ client_key: ${ES_CLIENT_KEY}\n ssl_no_validate: False\n timeout: ${CURATOR_TIMEOUT}\n\ + \ master_only: False\nlogging:\n loglevel: ${CURATOR_LOG_LEVEL}\n logformat:\ + \ default\n blacklist: ['elasticsearch', 'urllib3']\n \n" kind: ConfigMap - name: curator - namespace: openshift-logging - patchType: merge - patch: '{"data":{"actions.yaml":"# ---\n# Remember, leave a key empty if there - is no value. None will be a string,\n# not a Python \"NoneType\"\n#\n# Also - remember that all examples have \"disable_action\" set to True. 
If you\n# - want to use this action as a template, be sure to set this to False after\n# - copying it.\n# actions:\n# 1:\n# action: delete_indices\n# description: - >-\n# Delete .operations indices older than 30 days.\n# Ignore - the error if the filter does not\n# result in an actionable list of - indices (ignore_empty_list).\n# See https://www.elastic.co/guide/en/elasticsearch/client/curator/5.2/ex_delete_indices.html\n# options:\n# # - Swallow curator.exception.NoIndices exception\n# ignore_empty_list: - True\n# # In seconds, default is 300\n# timeout_override: ${CURATOR_TIMEOUT}\n# # - Don not swallow any other exceptions\n# continue_if_exception: False\n# # - Optionally disable action, useful for debugging\n# disable_action: False\n# # - All filters are bound by logical AND\n# filters:\n# - filtertype: - pattern\n# kind: regex\n# value: \"^\\.operations\\..*$\"\n# exclude: - False\n# - filtertype: age\n# # Parse timestamp from index name\n# source: - name\n# direction: older\n# timestring: \"%Y.%m.%d\"\n# unit: - days\n# unit_count: 30\n# exclude: False\n","config.yaml":"# Logging - example curator config file\n\n# uncomment and use this to override the defaults - from env vars\n#.defaults:\n# delete:\n# days: 30\n.defaults:\n delete:\n days: - 7\n\n# to keep ops logs for a different duration:\n.operations:\n delete:\n days: - 0\n\n# example for a normal project\n#myapp:\n# delete:\n# weeks: 1\n","curator5.yaml":"---\nclient:\n hosts:\n - - ${ES_HOST}\n port: ${ES_PORT}\n use_ssl: True\n certificate: ${ES_CA}\n client_cert: - ${ES_CLIENT_CERT}\n client_key: ${ES_CLIENT_KEY}\n ssl_no_validate: False\n timeout: - ${CURATOR_TIMEOUT}\n master_only: False\nlogging:\n loglevel: ${CURATOR_LOG_LEVEL}\n logformat: - default\n blacklist: ["elasticsearch", "urllib3"]\n \n"}}' + metadata: + name: curator + namespace: openshift-logging - apiVersion: hive.openshift.io/v1 kind: SelectorSyncSet metadata: 
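Review bot: The Namespace patch added in this hunk is not valid JSON: inside `"labels"` the four entries are not separated by commas, and the last value is single-quoted (`\"openshift.io/cluster-monitoring\": 'true'`). A merge patch that fails to parse will make Hive report the SelectorSyncSet as failed, and since the same hunk removes the labels from the Namespace resource, `openshift-logging` would be left without `managed.openshift.io/service-lb-quota-exempt`, `managed.openshift.io/storage-pv-quota-exempt` and `openshift.io/cluster-monitoring` on newly provisioned clusters. The labels object should read `"labels": {"managed.openshift.io/service-lb-quota-exempt": "true", "managed.openshift.io/storage-pv-quota-exempt": "true", "openshift.io/cluster-logging": "true", "openshift.io/cluster-monitoring": "true"}`; the patch in the hunk at `-31507,51` is well-formed and can serve as the model. The matching hunks in the stage and production templates are outside this chunk but presumably carry the same text.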
@@ -31467,28 +31654,99 @@ objects: values: - 'true' resourceApplyMode: Sync - patches: + resources: - apiVersion: v1 kind: ResourceQuota - name: logging-storage-quota - namespace: openshift-logging - applyMode: AlwaysApply - patchType: merge - patch: '{"spec":{"hard":{"requests.storage":"1500Gi"}}}' + metadata: + name: logging-storage-quota + namespace: openshift-logging + spec: + hard: + requests.storage: 1500Gi - apiVersion: rbac.authorization.k8s.io/v1 kind: Role - name: dedicated-admins-openshift-logging - namespace: openshift-logging - applyMode: AlwaysApply - patchType: merge - patch: '{"rules":[{"apiGroups":[""],"resources":["events","namespaces","persistentvolumeclaims","persistentvolumes","pods","pods/log"],"verbs":["list","get","watch"]},{"apiGroups":[""],"resources":["secrets"],"verbs":["*"]},{"apiGroups":["logging.openshift.io"],"resources":["clusterloggings"],"verbs":["create","delete","deletecollection","get","list","patch","update","watch"]},{"apiGroups":["operators.coreos.com"],"resources":["subscriptions","clusterserviceversions"],"verbs":["*"]},{"apiGroups":["operators.coreos.com"],"resources":["installplans"],"verbs":["update"]},{"apiGroups":[""],"resources":["persistentvolumeclaims"],"verbs":["*"]},{"apiGroups":["apps","extensions"],"resources":["daemonsets"],"verbs":["get","list","patch","update","watch"]}]}' + metadata: + name: dedicated-admins-openshift-logging + namespace: openshift-logging + rules: + - apiGroups: + - '' + resources: + - events + - namespaces + - persistentvolumeclaims + - persistentvolumes + - pods + - pods/log + verbs: + - list + - get + - watch + - apiGroups: + - '' + resources: + - secrets + verbs: + - '*' + - apiGroups: + - logging.openshift.io + resources: + - clusterloggings + verbs: + - create + - delete + - deletecollection + - get + - list + - patch + - update + - watch + - apiGroups: + - operators.coreos.com + resources: + - subscriptions + - clusterserviceversions + verbs: + - '*' + - apiGroups: + - 
operators.coreos.com + resources: + - installplans + verbs: + - update + - apiGroups: + - '' + resources: + - persistentvolumeclaims + verbs: + - '*' + - apiGroups: + - apps + - extensions + resources: + - daemonsets + verbs: + - get + - list + - patch + - update + - watch - apiVersion: rbac.authorization.k8s.io/v1 kind: RoleBinding - name: dedicated-admins-openshift-logging - namespace: openshift-logging - applyMode: AlwaysApply - patchType: merge - patch: '{"subjects":[{"apiGroup":"rbac.authorization.k8s.io","kind":"Group","name":"dedicated-admins"},{"apiGroup":"rbac.authorization.k8s.io","kind":"Group","name":"system:serviceaccounts:dedicated-admin"}],"roleRef":{"apiGroup":"rbac.authorization.k8s.io","kind":"Role","name":"dedicated-admins-openshift-logging"}}' + metadata: + name: dedicated-admins-openshift-logging + namespace: openshift-logging + subjects: + - apiGroup: rbac.authorization.k8s.io + kind: Group + name: dedicated-admins + - apiGroup: rbac.authorization.k8s.io + kind: Group + name: system:serviceaccounts:dedicated-admin + roleRef: + apiGroup: rbac.authorization.k8s.io + kind: Role + name: dedicated-admins-openshift-logging - apiVersion: hive.openshift.io/v1 kind: SelectorSyncSet metadata: 
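Review bot: The Role `dedicated-admins-openshift-logging` in `openshift-logging` that this hunk turns into a `resources` entry of a `resourceApplyMode: Sync` SelectorSyncSet is also emitted, with identical rules, by the `CreateOnly` SelectorSyncSet in the hunk at `-31507,51` and by the ACM policy at the top of the patch, so three controllers now claim the same object. Under `Sync` this copy is the one that reconciles drift and will delete the Role if it is ever dropped from this list, which deserves a comment next to it, e.g. `# also emitted by the openshift-logging CreateOnly SyncSet and the ACM policy; keep the three in step`. The rules grant `'*'` on `secrets` and `persistentvolumeclaims` in the namespace; that is unchanged by the commit, but it is why a single clearly-owned definition matters.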
@@ -31507,51 +31765,141 @@ objects: values: - 'true' resourceApplyMode: Upsert + applyBehavior: CreateOnly + patches: + - apiVersion: v1 + kind: Namespace + name: openshift-logging + applyMode: AlwaysApply + patchType: merge + patch: "{\n \"annotations\": {\n \"openshift.io/node-selector\": \"\"\n\ + \ },\n \"labels\": {\n \"openshift.io/cluster-logging\": \"true\"\n \ + \ }\n}" resources: - apiVersion: v1 kind: Namespace metadata: name: openshift-logging - annotations: - openshift.io/node-selector: '' - labels: - openshift.io/cluster-logging: 'true' - patches: - apiVersion: rbac.authorization.k8s.io/v1 kind: Role - name: dedicated-admins-openshift-logging - namespace: openshift-logging - applyMode: AlwaysApply - patchType: merge - patch: '{"rules":[{"apiGroups":[""],"resources":["events","namespaces","persistentvolumeclaims","persistentvolumes","pods","pods/log"],"verbs":["list","get","watch"]},{"apiGroups":[""],"resources":["secrets"],"verbs":["*"]},{"apiGroups":["logging.openshift.io"],"resources":["clusterloggings"],"verbs":["create","delete","deletecollection","get","list","patch","update","watch"]},{"apiGroups":["operators.coreos.com"],"resources":["subscriptions","clusterserviceversions"],"verbs":["*"]},{"apiGroups":["operators.coreos.com"],"resources":["installplans"],"verbs":["update"]},{"apiGroups":[""],"resources":["persistentvolumeclaims"],"verbs":["*"]},{"apiGroups":["apps","extensions"],"resources":["daemonsets"],"verbs":["get","list","patch","update","watch"]}]}' + metadata: + name: dedicated-admins-openshift-logging + namespace: openshift-logging + rules: + - apiGroups: + - '' + resources: + - events + - namespaces + - persistentvolumeclaims + - persistentvolumes + - pods + - pods/log + verbs: + - list + - get + - watch + - apiGroups: + - '' + resources: + - secrets + verbs: + - '*' + - apiGroups: + - logging.openshift.io + resources: + - clusterloggings + verbs: + - create + - delete + - deletecollection + - get + - list + - patch + - update + - 
watch + - apiGroups: + - operators.coreos.com + resources: + - subscriptions + - clusterserviceversions + verbs: + - '*' + - apiGroups: + - operators.coreos.com + resources: + - installplans + verbs: + - update + - apiGroups: + - '' + resources: + - persistentvolumeclaims + verbs: + - '*' + - apiGroups: + - apps + - extensions + resources: + - daemonsets + verbs: + - get + - list + - patch + - update + - watch - apiVersion: rbac.authorization.k8s.io/v1 kind: RoleBinding - name: admin-dedicated-admins - namespace: openshift-logging - applyMode: AlwaysApply - patchType: merge - patch: '{"roleRef":{"apiGroup":"rbac.authorization.k8s.io","kind":"ClusterRole","name":"admin"},"subjects":[{"apiGroup":"rbac.authorization.k8s.io","kind":"Group","name":"dedicated-admins"}]}' + metadata: + name: admin-dedicated-admins + namespace: openshift-logging + roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: admin + subjects: + - apiGroup: rbac.authorization.k8s.io + kind: Group + name: dedicated-admins - apiVersion: rbac.authorization.k8s.io/v1 kind: RoleBinding - name: admin-system:serviceaccounts:dedicated-admin - namespace: openshift-logging - applyMode: AlwaysApply - patchType: merge - patch: '{"roleRef":{"apiGroup":"rbac.authorization.k8s.io","kind":"ClusterRole","name":"admin"},"subjects":[{"apiGroup":"rbac.authorization.k8s.io","kind":"Group"}]}' + metadata: + name: admin-system:serviceaccounts:dedicated-admin + namespace: openshift-logging + roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: admin + subjects: + - apiGroup: rbac.authorization.k8s.io + kind: Group + name: system:serviceaccounts:dedicated-admin - apiVersion: rbac.authorization.k8s.io/v1 kind: RoleBinding - name: openshift-logging-dedicated-admins - namespace: openshift-logging - applyMode: AlwaysApply - patchType: merge - patch: 
'{"roleRef":{"apiGroup":"rbac.authorization.k8s.io","kind":"ClusterRole","name":"dedicated-admins-project"},"subjects":[{"apiGroup":"rbac.authorization.k8s.io","kind":"Group","name":"dedicated-admins"}]}' + metadata: + name: openshift-logging-dedicated-admins + namespace: openshift-logging + roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: dedicated-admins-project + subjects: + - apiGroup: rbac.authorization.k8s.io + kind: Group + name: dedicated-admins - apiVersion: rbac.authorization.k8s.io/v1 kind: RoleBinding - name: openshift-logging:serviceaccounts:dedicated-admin - namespace: openshift-logging - applyMode: AlwaysApply - patchType: merge - patch: '{"roleRef":{"apiGroup":"rbac.authorization.k8s.io","kind":"ClusterRole","name":"dedicated-admins-project"},"subjects":[{"apiGroup":"rbac.authorization.k8s.io","kind":"Group","name":"system:serviceaccounts:dedicated-admin"}]}' + metadata: + name: openshift-logging:serviceaccounts:dedicated-admin + namespace: openshift-logging + roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: dedicated-admins-project + subjects: + - apiGroup: rbac.authorization.k8s.io + kind: Group + name: system:serviceaccounts:dedicated-admin - apiVersion: hive.openshift.io/v1 kind: SelectorSyncSet metadata: 
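Review bot: `applyBehavior: CreateOnly` is added to a SelectorSyncSet that now carries the `dedicated-admins-openshift-logging` Role and four RoleBindings as plain `resources`; the removed `patches` entries used `applyMode: AlwaysApply`, so Hive re-applied rules and subjects on every sync, whereas with CreateOnly (as I read Hive's semantics) it creates them once and never reconciles an in-cluster edit or a later change to this template. For RBAC objects that is a drift-enforcement regression unless the ACM policy (`50-GENERATED-osd-logging-unsupported.Policy.yaml`, `remediationAction: enforce`) is now the intended enforcer on every cluster this SyncSet selects. If CreateOnly exists only to keep the now label-less Namespace resource from stripping the labels the patch adds, say so, e.g. `# CreateOnly: the Namespace is created bare and labelled via patches; RBAC drift is enforced by the ACM policy`. The hunk at `-31399,56` adds the same `applyBehavior` and moves the curator ConfigMap and the OperatorGroup into `resources`, so configuration changes there will likewise not reach existing clusters.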
@@ -32200,35 +32548,58 @@ objects: kind: Namespace metadata: name: openshift-operators-redhat - patches: - apiVersion: rbac.authorization.k8s.io/v1 kind: RoleBinding - name: admin-dedicated-admins - namespace: openshift-operators-redhat - applyMode: AlwaysApply - patchType: merge - patch: '{"roleRef":{"apiGroup":"rbac.authorization.k8s.io","kind":"ClusterRole","name":"admin"},"subjects":[{"apiGroup":"rbac.authorization.k8s.io","kind":"Group","name":"dedicated-admins"}]}' + metadata: + name: admin-dedicated-admins + namespace: openshift-operators-redhat + roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: admin + subjects: + - apiGroup: rbac.authorization.k8s.io + kind: Group + name: dedicated-admins - apiVersion: rbac.authorization.k8s.io/v1 kind: RoleBinding - name: admin-system:serviceaccounts:dedicated-admin - namespace: openshift-operators-redhat - applyMode: AlwaysApply - patchType: merge - patch: '{"roleRef":{"apiGroup":"rbac.authorization.k8s.io","kind":"ClusterRole","name":"admin"},"subjects":[{"apiGroup":"rbac.authorization.k8s.io","kind":"Group","name":"system:serviceaccounts:dedicated-admin"}]}' + metadata: + name: admin-system:serviceaccounts:dedicated-admin + namespace: openshift-operators-redhat + roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: admin + subjects: + - apiGroup: rbac.authorization.k8s.io + kind: Group + name: system:serviceaccounts:dedicated-admin - apiVersion: rbac.authorization.k8s.io/v1 kind: RoleBinding - name: openshift-operators-redhat-dedicated-admins - namespace: openshift-operators-redhat - applyMode: AlwaysApply - patchType: merge - patch: '{"roleRef":{"apiGroup":"rbac.authorization.k8s.io","kind":"ClusterRole","name":"dedicated-admins-project"},"subjects":[{"apiGroup":"rbac.authorization.k8s.io","kind":"Group","name":"dedicated-admins"}]}' + metadata: + name: openshift-operators-redhat-dedicated-admins + namespace: openshift-operators-redhat + roleRef: + apiGroup: 
rbac.authorization.k8s.io + kind: ClusterRole + name: dedicated-admins-project + subjects: + - apiGroup: rbac.authorization.k8s.io + kind: Group + name: dedicated-admins - apiVersion: rbac.authorization.k8s.io/v1 kind: RoleBinding - name: openshift-operators-redhat:serviceaccounts:dedicated-admin - namespace: openshift-operators-redhat - applyMode: AlwaysApply - patchType: merge - patch: '{"roleRef":{"apiGroup":"rbac.authorization.k8s.io","kind":"ClusterRole","name":"dedicated-admins-project"},"subjects":[{"apiGroup":"rbac.authorization.k8s.io","kind":"Group","name":"system:serviceaccounts:dedicated-admin"}]}' + metadata: + name: openshift-operators-redhat:serviceaccounts:dedicated-admin + namespace: openshift-operators-redhat + roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: dedicated-admins-project + subjects: + - apiGroup: rbac.authorization.k8s.io + kind: Group + name: system:serviceaccounts:dedicated-admin - apiVersion: hive.openshift.io/v1 kind: SelectorSyncSet metadata: diff --git a/hack/00-osd-managed-cluster-config-production.yaml.tmpl b/hack/00-osd-managed-cluster-config-production.yaml.tmpl index b05481a48f..a7ea6963d8 100644 --- a/hack/00-osd-managed-cluster-config-production.yaml.tmpl +++ b/hack/00-osd-managed-cluster-config-production.yaml.tmpl 
@@ -6262,67 +6262,159 @@ objects: compliant: 2h noncompliant: 45s object-templates: + - complianceType: mustonlyhave + metadataComplianceType: musthave + objectDefinition: + apiVersion: v1 + applyMode: AlwaysApply + kind: Namespace + name: openshift-logging + patch: "{\n \"annotations\": {\n \"openshift.io/node-selector\"\ + : \"\"\n },\n \"labels\": {\n \"openshift.io/cluster-logging\"\ + : \"true\"\n }\n}" + patchType: merge - complianceType: mustonlyhave metadataComplianceType: musthave objectDefinition: apiVersion: v1 kind: Namespace metadata: - annotations: - openshift.io/node-selector: '' - labels: - openshift.io/cluster-logging: 'true' name: openshift-logging - complianceType: mustonlyhave metadataComplianceType: musthave objectDefinition: apiVersion: rbac.authorization.k8s.io/v1 - applyMode: AlwaysApply kind: Role - name: dedicated-admins-openshift-logging - namespace: openshift-logging - patch: '{"rules":[{"apiGroups":[""],"resources":["events","namespaces","persistentvolumeclaims","persistentvolumes","pods","pods/log"],"verbs":["list","get","watch"]},{"apiGroups":[""],"resources":["secrets"],"verbs":["*"]},{"apiGroups":["logging.openshift.io"],"resources":["clusterloggings"],"verbs":["create","delete","deletecollection","get","list","patch","update","watch"]},{"apiGroups":["operators.coreos.com"],"resources":["subscriptions","clusterserviceversions"],"verbs":["*"]},{"apiGroups":["operators.coreos.com"],"resources":["installplans"],"verbs":["update"]},{"apiGroups":[""],"resources":["persistentvolumeclaims"],"verbs":["*"]},{"apiGroups":["apps","extensions"],"resources":["daemonsets"],"verbs":["get","list","patch","update","watch"]}]}' - patchType: merge + metadata: + name: dedicated-admins-openshift-logging + namespace: openshift-logging + rules: + - apiGroups: + - '' + resources: + - events + - namespaces + - persistentvolumeclaims + - persistentvolumes + - pods + - pods/log + verbs: + - list + - get + - watch + - apiGroups: + - '' + resources: + - secrets 
+ verbs: + - '*' + - apiGroups: + - logging.openshift.io + resources: + - clusterloggings + verbs: + - create + - delete + - deletecollection + - get + - list + - patch + - update + - watch + - apiGroups: + - operators.coreos.com + resources: + - subscriptions + - clusterserviceversions + verbs: + - '*' + - apiGroups: + - operators.coreos.com + resources: + - installplans + verbs: + - update + - apiGroups: + - '' + resources: + - persistentvolumeclaims + verbs: + - '*' + - apiGroups: + - apps + - extensions + resources: + - daemonsets + verbs: + - get + - list + - patch + - update + - watch - complianceType: mustonlyhave metadataComplianceType: musthave objectDefinition: apiVersion: rbac.authorization.k8s.io/v1 - applyMode: AlwaysApply kind: RoleBinding - name: admin-dedicated-admins - namespace: openshift-logging - patch: '{"roleRef":{"apiGroup":"rbac.authorization.k8s.io","kind":"ClusterRole","name":"admin"},"subjects":[{"apiGroup":"rbac.authorization.k8s.io","kind":"Group","name":"dedicated-admins"}]}' - patchType: merge + metadata: + name: admin-dedicated-admins + namespace: openshift-logging + roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: admin + subjects: + - apiGroup: rbac.authorization.k8s.io + kind: Group + name: dedicated-admins - complianceType: mustonlyhave metadataComplianceType: musthave objectDefinition: apiVersion: rbac.authorization.k8s.io/v1 - applyMode: AlwaysApply kind: RoleBinding - name: admin-system:serviceaccounts:dedicated-admin - namespace: openshift-logging - patch: '{"roleRef":{"apiGroup":"rbac.authorization.k8s.io","kind":"ClusterRole","name":"admin"},"subjects":[{"apiGroup":"rbac.authorization.k8s.io","kind":"Group"}]}' - patchType: merge + metadata: + name: admin-system:serviceaccounts:dedicated-admin + namespace: openshift-logging + roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: admin + subjects: + - apiGroup: rbac.authorization.k8s.io + kind: Group + name: 
system:serviceaccounts:dedicated-admin - complianceType: mustonlyhave metadataComplianceType: musthave objectDefinition: apiVersion: rbac.authorization.k8s.io/v1 - applyMode: AlwaysApply kind: RoleBinding - name: openshift-logging-dedicated-admins - namespace: openshift-logging - patch: '{"roleRef":{"apiGroup":"rbac.authorization.k8s.io","kind":"ClusterRole","name":"dedicated-admins-project"},"subjects":[{"apiGroup":"rbac.authorization.k8s.io","kind":"Group","name":"dedicated-admins"}]}' - patchType: merge + metadata: + name: openshift-logging-dedicated-admins + namespace: openshift-logging + roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: dedicated-admins-project + subjects: + - apiGroup: rbac.authorization.k8s.io + kind: Group + name: dedicated-admins - complianceType: mustonlyhave metadataComplianceType: musthave objectDefinition: apiVersion: rbac.authorization.k8s.io/v1 - applyMode: AlwaysApply kind: RoleBinding - name: openshift-logging:serviceaccounts:dedicated-admin - namespace: openshift-logging - patch: '{"roleRef":{"apiGroup":"rbac.authorization.k8s.io","kind":"ClusterRole","name":"dedicated-admins-project"},"subjects":[{"apiGroup":"rbac.authorization.k8s.io","kind":"Group","name":"system:serviceaccounts:dedicated-admin"}]}' - patchType: merge + metadata: + name: openshift-logging:serviceaccounts:dedicated-admin + namespace: openshift-logging + roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: dedicated-admins-project + subjects: + - apiGroup: rbac.authorization.k8s.io + kind: Group + name: system:serviceaccounts:dedicated-admin pruneObjectBehavior: DeleteIfCreated remediationAction: enforce severity: low 
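Review bot: The first added object-template is not a Kubernetes object: its objectDefinition carries `name`, `applyMode`, `patch` and `patchType` at top level and has no `metadata`, which is the Hive SelectorSyncSet patch shape, so under `remediationAction: enforce` the ConfigurationPolicy will most likely report it non-compliant or fail to apply rather than label the namespace. At the same time the `annotations`/`labels` block was removed from the real Namespace objectDefinition, so `openshift.io/node-selector` and `openshift.io/cluster-logging` are no longer enforced by this policy at all. The same pair of entries appears in the stage template hunk at -6262 further down. Both templates look generated (the commit is "on push: make"), so the correction belongs in the source policy they are rendered from; the intended entry is a single Namespace definition with its metadata restored.
```yaml
- complianceType: mustonlyhave
  metadataComplianceType: musthave
  objectDefinition:
    apiVersion: v1
    kind: Namespace
    metadata:
      annotations:
        openshift.io/node-selector: ''
      labels:
        openshift.io/cluster-logging: 'true'
      name: openshift-logging
# … unchanged: Role and RoleBinding object-templates …
```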
@@ -6448,42 +6540,66 @@ objects: metadataComplianceType: musthave objectDefinition: apiVersion: rbac.authorization.k8s.io/v1 - applyMode: AlwaysApply kind: RoleBinding - name: admin-dedicated-admins - namespace: openshift-operators-redhat - patch: '{"roleRef":{"apiGroup":"rbac.authorization.k8s.io","kind":"ClusterRole","name":"admin"},"subjects":[{"apiGroup":"rbac.authorization.k8s.io","kind":"Group","name":"dedicated-admins"}]}' - patchType: merge + metadata: + name: admin-dedicated-admins + namespace: openshift-operators-redhat + roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: admin + subjects: + - apiGroup: rbac.authorization.k8s.io + kind: Group + name: dedicated-admins - complianceType: mustonlyhave metadataComplianceType: musthave objectDefinition: apiVersion: rbac.authorization.k8s.io/v1 - applyMode: AlwaysApply kind: RoleBinding - name: admin-system:serviceaccounts:dedicated-admin - namespace: openshift-operators-redhat - patch: '{"roleRef":{"apiGroup":"rbac.authorization.k8s.io","kind":"ClusterRole","name":"admin"},"subjects":[{"apiGroup":"rbac.authorization.k8s.io","kind":"Group","name":"system:serviceaccounts:dedicated-admin"}]}' - patchType: merge + metadata: + name: admin-system:serviceaccounts:dedicated-admin + namespace: openshift-operators-redhat + roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: admin + subjects: + - apiGroup: rbac.authorization.k8s.io + kind: Group + name: system:serviceaccounts:dedicated-admin - complianceType: mustonlyhave metadataComplianceType: musthave objectDefinition: apiVersion: rbac.authorization.k8s.io/v1 - applyMode: AlwaysApply kind: RoleBinding - name: openshift-operators-redhat-dedicated-admins - namespace: openshift-operators-redhat - patch: '{"roleRef":{"apiGroup":"rbac.authorization.k8s.io","kind":"ClusterRole","name":"dedicated-admins-project"},"subjects":[{"apiGroup":"rbac.authorization.k8s.io","kind":"Group","name":"dedicated-admins"}]}' - patchType: merge + 
metadata: + name: openshift-operators-redhat-dedicated-admins + namespace: openshift-operators-redhat + roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: dedicated-admins-project + subjects: + - apiGroup: rbac.authorization.k8s.io + kind: Group + name: dedicated-admins - complianceType: mustonlyhave metadataComplianceType: musthave objectDefinition: apiVersion: rbac.authorization.k8s.io/v1 - applyMode: AlwaysApply kind: RoleBinding - name: openshift-operators-redhat:serviceaccounts:dedicated-admin - namespace: openshift-operators-redhat - patch: '{"roleRef":{"apiGroup":"rbac.authorization.k8s.io","kind":"ClusterRole","name":"dedicated-admins-project"},"subjects":[{"apiGroup":"rbac.authorization.k8s.io","kind":"Group","name":"system:serviceaccounts:dedicated-admin"}]}' - patchType: merge + metadata: + name: openshift-operators-redhat:serviceaccounts:dedicated-admin + namespace: openshift-operators-redhat + roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: dedicated-admins-project + subjects: + - apiGroup: rbac.authorization.k8s.io + kind: Group + name: system:serviceaccounts:dedicated-admin pruneObjectBehavior: DeleteIfCreated remediationAction: enforce severity: low 
@@ -31399,56 +31515,127 @@ objects: values: - 'true' resourceApplyMode: Upsert + applyBehavior: CreateOnly + patches: + - apiVersion: v1 + kind: Namespace + name: openshift-logging + applyMode: AlwaysApply + patchType: merge + patch: "{\n \"annotations\": {\n \"openshift.io/node-selector\": \"\"\n\ + \ },\n \"labels\": {\n \"managed.openshift.io/service-lb-quota-exempt\"\ + : \"true\"\n \"managed.openshift.io/storage-pv-quota-exempt\": \"true\"\ + \n \"openshift.io/cluster-logging\": \"true\"\n \"openshift.io/cluster-monitoring\"\ + : 'true'\n }\n}" resources: - apiVersion: v1 kind: Namespace metadata: name: openshift-logging - annotations: - openshift.io/node-selector: '' - labels: - managed.openshift.io/service-lb-quota-exempt: 'true' - managed.openshift.io/storage-pv-quota-exempt: 'true' - openshift.io/cluster-logging: 'true' - openshift.io/cluster-monitoring: 'true' - patches: - apiVersion: operators.coreos.com/v1 - applyMode: AlwaysApply kind: OperatorGroup - name: openshift-logging - namespace: openshift-logging - patchType: merge - patch: '{"annotations":{"olm.providedAPIs": "ClusterLogging.v1.logging.openshift.io"},"spec":{"targetNamespaces":["openshift-logging"]}}' + metadata: + annotations: + olm.providedAPIs: ClusterLogging.v1.logging.openshift.io + name: openshift-logging + namespace: openshift-logging + spec: + targetNamespaces: + - openshift-logging - apiVersion: v1 + data: + actions.yaml: '# --- + + # Remember, leave a key empty if there is no value. None will be a string, + + # not a Python "NoneType" + + # + + # Also remember that all examples have "disable_action" set to True. If + you + + # want to use this action as a template, be sure to set this to False after + + # copying it. + + # actions: + + # 1: + + # action: delete_indices + + # description: >- + + # Delete .operations indices older than 30 days. + + # Ignore the error if the filter does not + + # result in an actionable list of indices (ignore_empty_list). 
+ + # See https://www.elastic.co/guide/en/elasticsearch/client/curator/5.2/ex_delete_indices.html + + # options: + + # # Swallow curator.exception.NoIndices exception + + # ignore_empty_list: True + + # # In seconds, default is 300 + + # timeout_override: ${CURATOR_TIMEOUT} + + # # Don''t swallow any other exceptions + + # continue_if_exception: False + + # # Optionally disable action, useful for debugging + + # disable_action: False + + # # All filters are bound by logical AND + + # filters: + + # - filtertype: pattern + + # kind: regex + + # value: "^\.operations\..*$" + + # exclude: False + + # - filtertype: age + + # # Parse timestamp from index name + + # source: name + + # direction: older + + # timestring: "%Y.%m.%d" + + # unit: days + + # unit_count: 30 + + # exclude: False + + ' + config.yaml: "# Logging example curator config file\n\n# uncomment and use\ + \ this to override the defaults from env vars\n#.defaults:\n# delete:\n\ + # days: 30\n.defaults:\n delete:\n days: 7\n\n# to keep ops logs\ + \ for a different duration:\n.operations:\n delete:\n days: 0\n\n# example\ + \ for a normal project\n#myapp:\n# delete:\n# weeks: 1\n" + curator5.yaml: "---\nclient:\n hosts:\n - ${ES_HOST}\n port: ${ES_PORT}\n\ + \ use_ssl: True\n certificate: ${ES_CA}\n client_cert: ${ES_CLIENT_CERT}\n\ + \ client_key: ${ES_CLIENT_KEY}\n ssl_no_validate: False\n timeout: ${CURATOR_TIMEOUT}\n\ + \ master_only: False\nlogging:\n loglevel: ${CURATOR_LOG_LEVEL}\n logformat:\ + \ default\n blacklist: ['elasticsearch', 'urllib3']\n \n" kind: ConfigMap - name: curator - namespace: openshift-logging - patchType: merge - patch: '{"data":{"actions.yaml":"# ---\n# Remember, leave a key empty if there - is no value. None will be a string,\n# not a Python \"NoneType\"\n#\n# Also - remember that all examples have \"disable_action\" set to True. 
If you\n# - want to use this action as a template, be sure to set this to False after\n# - copying it.\n# actions:\n# 1:\n# action: delete_indices\n# description: - >-\n# Delete .operations indices older than 30 days.\n# Ignore - the error if the filter does not\n# result in an actionable list of - indices (ignore_empty_list).\n# See https://www.elastic.co/guide/en/elasticsearch/client/curator/5.2/ex_delete_indices.html\n# options:\n# # - Swallow curator.exception.NoIndices exception\n# ignore_empty_list: - True\n# # In seconds, default is 300\n# timeout_override: ${CURATOR_TIMEOUT}\n# # - Don not swallow any other exceptions\n# continue_if_exception: False\n# # - Optionally disable action, useful for debugging\n# disable_action: False\n# # - All filters are bound by logical AND\n# filters:\n# - filtertype: - pattern\n# kind: regex\n# value: \"^\\.operations\\..*$\"\n# exclude: - False\n# - filtertype: age\n# # Parse timestamp from index name\n# source: - name\n# direction: older\n# timestring: \"%Y.%m.%d\"\n# unit: - days\n# unit_count: 30\n# exclude: False\n","config.yaml":"# Logging - example curator config file\n\n# uncomment and use this to override the defaults - from env vars\n#.defaults:\n# delete:\n# days: 30\n.defaults:\n delete:\n days: - 7\n\n# to keep ops logs for a different duration:\n.operations:\n delete:\n days: - 0\n\n# example for a normal project\n#myapp:\n# delete:\n# weeks: 1\n","curator5.yaml":"---\nclient:\n hosts:\n - - ${ES_HOST}\n port: ${ES_PORT}\n use_ssl: True\n certificate: ${ES_CA}\n client_cert: - ${ES_CLIENT_CERT}\n client_key: ${ES_CLIENT_KEY}\n ssl_no_validate: False\n timeout: - ${CURATOR_TIMEOUT}\n master_only: False\nlogging:\n loglevel: ${CURATOR_LOG_LEVEL}\n logformat: - default\n blacklist: ["elasticsearch", "urllib3"]\n \n"}}' + metadata: + name: curator + namespace: openshift-logging - apiVersion: hive.openshift.io/v1 kind: SelectorSyncSet metadata: 
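Review bot: The added Namespace `patch` string is not valid JSON: the four entries under `"labels"` are not separated by commas and the last value is written `'true'` with single quotes, so the `patchType: merge` apply will most likely be rejected by the API server when the string is parsed. Because the same hunk removes `annotations`/`labels` from the Namespace under `resources`, a rejected patch means `openshift.io/node-selector` and the quota-exempt and cluster-monitoring labels never reach the cluster. The file looks generated, so correct the source it is rendered from; the value should be `{"annotations":{"openshift.io/node-selector":""},"labels":{"managed.openshift.io/service-lb-quota-exempt":"true","managed.openshift.io/storage-pv-quota-exempt":"true","openshift.io/cluster-logging":"true","openshift.io/cluster-monitoring":"true"}}`. Note also that `applyBehavior: CreateOnly` is added to this SelectorSyncSet, so the OperatorGroup and curator ConfigMap that were previously `AlwaysApply` patches will no longer be reconciled once they exist — confirm that is intended.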
@@ -31467,28 +31654,99 @@ objects: values: - 'true' resourceApplyMode: Sync - patches: + resources: - apiVersion: v1 kind: ResourceQuota - name: logging-storage-quota - namespace: openshift-logging - applyMode: AlwaysApply - patchType: merge - patch: '{"spec":{"hard":{"requests.storage":"1500Gi"}}}' + metadata: + name: logging-storage-quota + namespace: openshift-logging + spec: + hard: + requests.storage: 1500Gi - apiVersion: rbac.authorization.k8s.io/v1 kind: Role - name: dedicated-admins-openshift-logging - namespace: openshift-logging - applyMode: AlwaysApply - patchType: merge - patch: '{"rules":[{"apiGroups":[""],"resources":["events","namespaces","persistentvolumeclaims","persistentvolumes","pods","pods/log"],"verbs":["list","get","watch"]},{"apiGroups":[""],"resources":["secrets"],"verbs":["*"]},{"apiGroups":["logging.openshift.io"],"resources":["clusterloggings"],"verbs":["create","delete","deletecollection","get","list","patch","update","watch"]},{"apiGroups":["operators.coreos.com"],"resources":["subscriptions","clusterserviceversions"],"verbs":["*"]},{"apiGroups":["operators.coreos.com"],"resources":["installplans"],"verbs":["update"]},{"apiGroups":[""],"resources":["persistentvolumeclaims"],"verbs":["*"]},{"apiGroups":["apps","extensions"],"resources":["daemonsets"],"verbs":["get","list","patch","update","watch"]}]}' + metadata: + name: dedicated-admins-openshift-logging + namespace: openshift-logging + rules: + - apiGroups: + - '' + resources: + - events + - namespaces + - persistentvolumeclaims + - persistentvolumes + - pods + - pods/log + verbs: + - list + - get + - watch + - apiGroups: + - '' + resources: + - secrets + verbs: + - '*' + - apiGroups: + - logging.openshift.io + resources: + - clusterloggings + verbs: + - create + - delete + - deletecollection + - get + - list + - patch + - update + - watch + - apiGroups: + - operators.coreos.com + resources: + - subscriptions + - clusterserviceversions + verbs: + - '*' + - apiGroups: + - 
operators.coreos.com + resources: + - installplans + verbs: + - update + - apiGroups: + - '' + resources: + - persistentvolumeclaims + verbs: + - '*' + - apiGroups: + - apps + - extensions + resources: + - daemonsets + verbs: + - get + - list + - patch + - update + - watch - apiVersion: rbac.authorization.k8s.io/v1 kind: RoleBinding - name: dedicated-admins-openshift-logging - namespace: openshift-logging - applyMode: AlwaysApply - patchType: merge - patch: '{"subjects":[{"apiGroup":"rbac.authorization.k8s.io","kind":"Group","name":"dedicated-admins"},{"apiGroup":"rbac.authorization.k8s.io","kind":"Group","name":"system:serviceaccounts:dedicated-admin"}],"roleRef":{"apiGroup":"rbac.authorization.k8s.io","kind":"Role","name":"dedicated-admins-openshift-logging"}}' + metadata: + name: dedicated-admins-openshift-logging + namespace: openshift-logging + subjects: + - apiGroup: rbac.authorization.k8s.io + kind: Group + name: dedicated-admins + - apiGroup: rbac.authorization.k8s.io + kind: Group + name: system:serviceaccounts:dedicated-admin + roleRef: + apiGroup: rbac.authorization.k8s.io + kind: Role + name: dedicated-admins-openshift-logging - apiVersion: hive.openshift.io/v1 kind: SelectorSyncSet metadata: 
@@ -31507,51 +31765,141 @@ objects: values: - 'true' resourceApplyMode: Upsert + applyBehavior: CreateOnly + patches: + - apiVersion: v1 + kind: Namespace + name: openshift-logging + applyMode: AlwaysApply + patchType: merge + patch: "{\n \"annotations\": {\n \"openshift.io/node-selector\": \"\"\n\ + \ },\n \"labels\": {\n \"openshift.io/cluster-logging\": \"true\"\n \ + \ }\n}" resources: - apiVersion: v1 kind: Namespace metadata: name: openshift-logging - annotations: - openshift.io/node-selector: '' - labels: - openshift.io/cluster-logging: 'true' - patches: - apiVersion: rbac.authorization.k8s.io/v1 kind: Role - name: dedicated-admins-openshift-logging - namespace: openshift-logging - applyMode: AlwaysApply - patchType: merge - patch: '{"rules":[{"apiGroups":[""],"resources":["events","namespaces","persistentvolumeclaims","persistentvolumes","pods","pods/log"],"verbs":["list","get","watch"]},{"apiGroups":[""],"resources":["secrets"],"verbs":["*"]},{"apiGroups":["logging.openshift.io"],"resources":["clusterloggings"],"verbs":["create","delete","deletecollection","get","list","patch","update","watch"]},{"apiGroups":["operators.coreos.com"],"resources":["subscriptions","clusterserviceversions"],"verbs":["*"]},{"apiGroups":["operators.coreos.com"],"resources":["installplans"],"verbs":["update"]},{"apiGroups":[""],"resources":["persistentvolumeclaims"],"verbs":["*"]},{"apiGroups":["apps","extensions"],"resources":["daemonsets"],"verbs":["get","list","patch","update","watch"]}]}' + metadata: + name: dedicated-admins-openshift-logging + namespace: openshift-logging + rules: + - apiGroups: + - '' + resources: + - events + - namespaces + - persistentvolumeclaims + - persistentvolumes + - pods + - pods/log + verbs: + - list + - get + - watch + - apiGroups: + - '' + resources: + - secrets + verbs: + - '*' + - apiGroups: + - logging.openshift.io + resources: + - clusterloggings + verbs: + - create + - delete + - deletecollection + - get + - list + - patch + - update + - 
watch + - apiGroups: + - operators.coreos.com + resources: + - subscriptions + - clusterserviceversions + verbs: + - '*' + - apiGroups: + - operators.coreos.com + resources: + - installplans + verbs: + - update + - apiGroups: + - '' + resources: + - persistentvolumeclaims + verbs: + - '*' + - apiGroups: + - apps + - extensions + resources: + - daemonsets + verbs: + - get + - list + - patch + - update + - watch - apiVersion: rbac.authorization.k8s.io/v1 kind: RoleBinding - name: admin-dedicated-admins - namespace: openshift-logging - applyMode: AlwaysApply - patchType: merge - patch: '{"roleRef":{"apiGroup":"rbac.authorization.k8s.io","kind":"ClusterRole","name":"admin"},"subjects":[{"apiGroup":"rbac.authorization.k8s.io","kind":"Group","name":"dedicated-admins"}]}' + metadata: + name: admin-dedicated-admins + namespace: openshift-logging + roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: admin + subjects: + - apiGroup: rbac.authorization.k8s.io + kind: Group + name: dedicated-admins - apiVersion: rbac.authorization.k8s.io/v1 kind: RoleBinding - name: admin-system:serviceaccounts:dedicated-admin - namespace: openshift-logging - applyMode: AlwaysApply - patchType: merge - patch: '{"roleRef":{"apiGroup":"rbac.authorization.k8s.io","kind":"ClusterRole","name":"admin"},"subjects":[{"apiGroup":"rbac.authorization.k8s.io","kind":"Group"}]}' + metadata: + name: admin-system:serviceaccounts:dedicated-admin + namespace: openshift-logging + roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: admin + subjects: + - apiGroup: rbac.authorization.k8s.io + kind: Group + name: system:serviceaccounts:dedicated-admin - apiVersion: rbac.authorization.k8s.io/v1 kind: RoleBinding - name: openshift-logging-dedicated-admins - namespace: openshift-logging - applyMode: AlwaysApply - patchType: merge - patch: 
'{"roleRef":{"apiGroup":"rbac.authorization.k8s.io","kind":"ClusterRole","name":"dedicated-admins-project"},"subjects":[{"apiGroup":"rbac.authorization.k8s.io","kind":"Group","name":"dedicated-admins"}]}' + metadata: + name: openshift-logging-dedicated-admins + namespace: openshift-logging + roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: dedicated-admins-project + subjects: + - apiGroup: rbac.authorization.k8s.io + kind: Group + name: dedicated-admins - apiVersion: rbac.authorization.k8s.io/v1 kind: RoleBinding - name: openshift-logging:serviceaccounts:dedicated-admin - namespace: openshift-logging - applyMode: AlwaysApply - patchType: merge - patch: '{"roleRef":{"apiGroup":"rbac.authorization.k8s.io","kind":"ClusterRole","name":"dedicated-admins-project"},"subjects":[{"apiGroup":"rbac.authorization.k8s.io","kind":"Group","name":"system:serviceaccounts:dedicated-admin"}]}' + metadata: + name: openshift-logging:serviceaccounts:dedicated-admin + namespace: openshift-logging + roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: dedicated-admins-project + subjects: + - apiGroup: rbac.authorization.k8s.io + kind: Group + name: system:serviceaccounts:dedicated-admin - apiVersion: hive.openshift.io/v1 kind: SelectorSyncSet metadata: 
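Review bot: With `applyBehavior: CreateOnly` added to this SelectorSyncSet, the Role `dedicated-admins-openshift-logging` and the four RoleBindings that were previously `AlwaysApply` patches become create-once resources, so on clusters where they already exist Hive will never reconcile them again and later tightening of the rules or manual edits to the bindings will not be corrected. For RBAC objects that is a drift risk; either drop `applyBehavior: CreateOnly` here or keep the RBAC in a `resourceApplyMode: Sync` SelectorSyncSet as the hunk at -31467 above does. Separately, the old patch for `admin-system:serviceaccounts:dedicated-admin` carried a subject with no `name`, which the API server would have rejected, so the new side is likely the first time ClusterRole `admin` is actually bound to `system:serviceaccounts:dedicated-admin` in openshift-logging — worth an explicit sign-off rather than passing as a reformat.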
@@ -32200,35 +32548,58 @@ objects: kind: Namespace metadata: name: openshift-operators-redhat - patches: - apiVersion: rbac.authorization.k8s.io/v1 kind: RoleBinding - name: admin-dedicated-admins - namespace: openshift-operators-redhat - applyMode: AlwaysApply - patchType: merge - patch: '{"roleRef":{"apiGroup":"rbac.authorization.k8s.io","kind":"ClusterRole","name":"admin"},"subjects":[{"apiGroup":"rbac.authorization.k8s.io","kind":"Group","name":"dedicated-admins"}]}' + metadata: + name: admin-dedicated-admins + namespace: openshift-operators-redhat + roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: admin + subjects: + - apiGroup: rbac.authorization.k8s.io + kind: Group + name: dedicated-admins - apiVersion: rbac.authorization.k8s.io/v1 kind: RoleBinding - name: admin-system:serviceaccounts:dedicated-admin - namespace: openshift-operators-redhat - applyMode: AlwaysApply - patchType: merge - patch: '{"roleRef":{"apiGroup":"rbac.authorization.k8s.io","kind":"ClusterRole","name":"admin"},"subjects":[{"apiGroup":"rbac.authorization.k8s.io","kind":"Group","name":"system:serviceaccounts:dedicated-admin"}]}' + metadata: + name: admin-system:serviceaccounts:dedicated-admin + namespace: openshift-operators-redhat + roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: admin + subjects: + - apiGroup: rbac.authorization.k8s.io + kind: Group + name: system:serviceaccounts:dedicated-admin - apiVersion: rbac.authorization.k8s.io/v1 kind: RoleBinding - name: openshift-operators-redhat-dedicated-admins - namespace: openshift-operators-redhat - applyMode: AlwaysApply - patchType: merge - patch: '{"roleRef":{"apiGroup":"rbac.authorization.k8s.io","kind":"ClusterRole","name":"dedicated-admins-project"},"subjects":[{"apiGroup":"rbac.authorization.k8s.io","kind":"Group","name":"dedicated-admins"}]}' + metadata: + name: openshift-operators-redhat-dedicated-admins + namespace: openshift-operators-redhat + roleRef: + apiGroup: 
rbac.authorization.k8s.io + kind: ClusterRole + name: dedicated-admins-project + subjects: + - apiGroup: rbac.authorization.k8s.io + kind: Group + name: dedicated-admins - apiVersion: rbac.authorization.k8s.io/v1 kind: RoleBinding - name: openshift-operators-redhat:serviceaccounts:dedicated-admin - namespace: openshift-operators-redhat - applyMode: AlwaysApply - patchType: merge - patch: '{"roleRef":{"apiGroup":"rbac.authorization.k8s.io","kind":"ClusterRole","name":"dedicated-admins-project"},"subjects":[{"apiGroup":"rbac.authorization.k8s.io","kind":"Group","name":"system:serviceaccounts:dedicated-admin"}]}' + metadata: + name: openshift-operators-redhat:serviceaccounts:dedicated-admin + namespace: openshift-operators-redhat + roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: dedicated-admins-project + subjects: + - apiGroup: rbac.authorization.k8s.io + kind: Group + name: system:serviceaccounts:dedicated-admin - apiVersion: hive.openshift.io/v1 kind: SelectorSyncSet metadata: diff --git a/hack/00-osd-managed-cluster-config-stage.yaml.tmpl b/hack/00-osd-managed-cluster-config-stage.yaml.tmpl index b05481a48f..a7ea6963d8 100644 --- a/hack/00-osd-managed-cluster-config-stage.yaml.tmpl +++ b/hack/00-osd-managed-cluster-config-stage.yaml.tmpl 
@@ -6262,67 +6262,159 @@ objects: compliant: 2h noncompliant: 45s object-templates: + - complianceType: mustonlyhave + metadataComplianceType: musthave + objectDefinition: + apiVersion: v1 + applyMode: AlwaysApply + kind: Namespace + name: openshift-logging + patch: "{\n \"annotations\": {\n \"openshift.io/node-selector\"\ + : \"\"\n },\n \"labels\": {\n \"openshift.io/cluster-logging\"\ + : \"true\"\n }\n}" + patchType: merge - complianceType: mustonlyhave metadataComplianceType: musthave objectDefinition: apiVersion: v1 kind: Namespace metadata: - annotations: - openshift.io/node-selector: '' - labels: - openshift.io/cluster-logging: 'true' name: openshift-logging - complianceType: mustonlyhave metadataComplianceType: musthave objectDefinition: apiVersion: rbac.authorization.k8s.io/v1 - applyMode: AlwaysApply kind: Role - name: dedicated-admins-openshift-logging - namespace: openshift-logging - patch: '{"rules":[{"apiGroups":[""],"resources":["events","namespaces","persistentvolumeclaims","persistentvolumes","pods","pods/log"],"verbs":["list","get","watch"]},{"apiGroups":[""],"resources":["secrets"],"verbs":["*"]},{"apiGroups":["logging.openshift.io"],"resources":["clusterloggings"],"verbs":["create","delete","deletecollection","get","list","patch","update","watch"]},{"apiGroups":["operators.coreos.com"],"resources":["subscriptions","clusterserviceversions"],"verbs":["*"]},{"apiGroups":["operators.coreos.com"],"resources":["installplans"],"verbs":["update"]},{"apiGroups":[""],"resources":["persistentvolumeclaims"],"verbs":["*"]},{"apiGroups":["apps","extensions"],"resources":["daemonsets"],"verbs":["get","list","patch","update","watch"]}]}' - patchType: merge + metadata: + name: dedicated-admins-openshift-logging + namespace: openshift-logging + rules: + - apiGroups: + - '' + resources: + - events + - namespaces + - persistentvolumeclaims + - persistentvolumes + - pods + - pods/log + verbs: + - list + - get + - watch + - apiGroups: + - '' + resources: + - secrets 
+ verbs: + - '*' + - apiGroups: + - logging.openshift.io + resources: + - clusterloggings + verbs: + - create + - delete + - deletecollection + - get + - list + - patch + - update + - watch + - apiGroups: + - operators.coreos.com + resources: + - subscriptions + - clusterserviceversions + verbs: + - '*' + - apiGroups: + - operators.coreos.com + resources: + - installplans + verbs: + - update + - apiGroups: + - '' + resources: + - persistentvolumeclaims + verbs: + - '*' + - apiGroups: + - apps + - extensions + resources: + - daemonsets + verbs: + - get + - list + - patch + - update + - watch - complianceType: mustonlyhave metadataComplianceType: musthave objectDefinition: apiVersion: rbac.authorization.k8s.io/v1 - applyMode: AlwaysApply kind: RoleBinding - name: admin-dedicated-admins - namespace: openshift-logging - patch: '{"roleRef":{"apiGroup":"rbac.authorization.k8s.io","kind":"ClusterRole","name":"admin"},"subjects":[{"apiGroup":"rbac.authorization.k8s.io","kind":"Group","name":"dedicated-admins"}]}' - patchType: merge + metadata: + name: admin-dedicated-admins + namespace: openshift-logging + roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: admin + subjects: + - apiGroup: rbac.authorization.k8s.io + kind: Group + name: dedicated-admins - complianceType: mustonlyhave metadataComplianceType: musthave objectDefinition: apiVersion: rbac.authorization.k8s.io/v1 - applyMode: AlwaysApply kind: RoleBinding - name: admin-system:serviceaccounts:dedicated-admin - namespace: openshift-logging - patch: '{"roleRef":{"apiGroup":"rbac.authorization.k8s.io","kind":"ClusterRole","name":"admin"},"subjects":[{"apiGroup":"rbac.authorization.k8s.io","kind":"Group"}]}' - patchType: merge + metadata: + name: admin-system:serviceaccounts:dedicated-admin + namespace: openshift-logging + roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: admin + subjects: + - apiGroup: rbac.authorization.k8s.io + kind: Group + name: 
system:serviceaccounts:dedicated-admin - complianceType: mustonlyhave metadataComplianceType: musthave objectDefinition: apiVersion: rbac.authorization.k8s.io/v1 - applyMode: AlwaysApply kind: RoleBinding - name: openshift-logging-dedicated-admins - namespace: openshift-logging - patch: '{"roleRef":{"apiGroup":"rbac.authorization.k8s.io","kind":"ClusterRole","name":"dedicated-admins-project"},"subjects":[{"apiGroup":"rbac.authorization.k8s.io","kind":"Group","name":"dedicated-admins"}]}' - patchType: merge + metadata: + name: openshift-logging-dedicated-admins + namespace: openshift-logging + roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: dedicated-admins-project + subjects: + - apiGroup: rbac.authorization.k8s.io + kind: Group + name: dedicated-admins - complianceType: mustonlyhave metadataComplianceType: musthave objectDefinition: apiVersion: rbac.authorization.k8s.io/v1 - applyMode: AlwaysApply kind: RoleBinding - name: openshift-logging:serviceaccounts:dedicated-admin - namespace: openshift-logging - patch: '{"roleRef":{"apiGroup":"rbac.authorization.k8s.io","kind":"ClusterRole","name":"dedicated-admins-project"},"subjects":[{"apiGroup":"rbac.authorization.k8s.io","kind":"Group","name":"system:serviceaccounts:dedicated-admin"}]}' - patchType: merge + metadata: + name: openshift-logging:serviceaccounts:dedicated-admin + namespace: openshift-logging + roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: dedicated-admins-project + subjects: + - apiGroup: rbac.authorization.k8s.io + kind: Group + name: system:serviceaccounts:dedicated-admin pruneObjectBehavior: DeleteIfCreated remediationAction: enforce severity: low 
@@ -6448,42 +6540,66 @@ objects: metadataComplianceType: musthave objectDefinition: apiVersion: rbac.authorization.k8s.io/v1 - applyMode: AlwaysApply kind: RoleBinding - name: admin-dedicated-admins - namespace: openshift-operators-redhat - patch: '{"roleRef":{"apiGroup":"rbac.authorization.k8s.io","kind":"ClusterRole","name":"admin"},"subjects":[{"apiGroup":"rbac.authorization.k8s.io","kind":"Group","name":"dedicated-admins"}]}' - patchType: merge + metadata: + name: admin-dedicated-admins + namespace: openshift-operators-redhat + roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: admin + subjects: + - apiGroup: rbac.authorization.k8s.io + kind: Group + name: dedicated-admins - complianceType: mustonlyhave metadataComplianceType: musthave objectDefinition: apiVersion: rbac.authorization.k8s.io/v1 - applyMode: AlwaysApply kind: RoleBinding - name: admin-system:serviceaccounts:dedicated-admin - namespace: openshift-operators-redhat - patch: '{"roleRef":{"apiGroup":"rbac.authorization.k8s.io","kind":"ClusterRole","name":"admin"},"subjects":[{"apiGroup":"rbac.authorization.k8s.io","kind":"Group","name":"system:serviceaccounts:dedicated-admin"}]}' - patchType: merge + metadata: + name: admin-system:serviceaccounts:dedicated-admin + namespace: openshift-operators-redhat + roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: admin + subjects: + - apiGroup: rbac.authorization.k8s.io + kind: Group + name: system:serviceaccounts:dedicated-admin - complianceType: mustonlyhave metadataComplianceType: musthave objectDefinition: apiVersion: rbac.authorization.k8s.io/v1 - applyMode: AlwaysApply kind: RoleBinding - name: openshift-operators-redhat-dedicated-admins - namespace: openshift-operators-redhat - patch: '{"roleRef":{"apiGroup":"rbac.authorization.k8s.io","kind":"ClusterRole","name":"dedicated-admins-project"},"subjects":[{"apiGroup":"rbac.authorization.k8s.io","kind":"Group","name":"dedicated-admins"}]}' - patchType: merge + 
metadata: + name: openshift-operators-redhat-dedicated-admins + namespace: openshift-operators-redhat + roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: dedicated-admins-project + subjects: + - apiGroup: rbac.authorization.k8s.io + kind: Group + name: dedicated-admins - complianceType: mustonlyhave metadataComplianceType: musthave objectDefinition: apiVersion: rbac.authorization.k8s.io/v1 - applyMode: AlwaysApply kind: RoleBinding - name: openshift-operators-redhat:serviceaccounts:dedicated-admin - namespace: openshift-operators-redhat - patch: '{"roleRef":{"apiGroup":"rbac.authorization.k8s.io","kind":"ClusterRole","name":"dedicated-admins-project"},"subjects":[{"apiGroup":"rbac.authorization.k8s.io","kind":"Group","name":"system:serviceaccounts:dedicated-admin"}]}' - patchType: merge + metadata: + name: openshift-operators-redhat:serviceaccounts:dedicated-admin + namespace: openshift-operators-redhat + roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: dedicated-admins-project + subjects: + - apiGroup: rbac.authorization.k8s.io + kind: Group + name: system:serviceaccounts:dedicated-admin pruneObjectBehavior: DeleteIfCreated remediationAction: enforce severity: low 
@@ -31399,56 +31515,127 @@ objects: values: - 'true' resourceApplyMode: Upsert + applyBehavior: CreateOnly + patches: + - apiVersion: v1 + kind: Namespace + name: openshift-logging + applyMode: AlwaysApply + patchType: merge + patch: "{\n \"annotations\": {\n \"openshift.io/node-selector\": \"\"\n\ + \ },\n \"labels\": {\n \"managed.openshift.io/service-lb-quota-exempt\"\ + : \"true\"\n \"managed.openshift.io/storage-pv-quota-exempt\": \"true\"\ + \n \"openshift.io/cluster-logging\": \"true\"\n \"openshift.io/cluster-monitoring\"\ + : 'true'\n }\n}" resources: - apiVersion: v1 kind: Namespace metadata: name: openshift-logging - annotations: - openshift.io/node-selector: '' - labels: - managed.openshift.io/service-lb-quota-exempt: 'true' - managed.openshift.io/storage-pv-quota-exempt: 'true' - openshift.io/cluster-logging: 'true' - openshift.io/cluster-monitoring: 'true' - patches: - apiVersion: operators.coreos.com/v1 - applyMode: AlwaysApply kind: OperatorGroup - name: openshift-logging - namespace: openshift-logging - patchType: merge - patch: '{"annotations":{"olm.providedAPIs": "ClusterLogging.v1.logging.openshift.io"},"spec":{"targetNamespaces":["openshift-logging"]}}' + metadata: + annotations: + olm.providedAPIs: ClusterLogging.v1.logging.openshift.io + name: openshift-logging + namespace: openshift-logging + spec: + targetNamespaces: + - openshift-logging - apiVersion: v1 + data: + actions.yaml: '# --- + + # Remember, leave a key empty if there is no value. None will be a string, + + # not a Python "NoneType" + + # + + # Also remember that all examples have "disable_action" set to True. If + you + + # want to use this action as a template, be sure to set this to False after + + # copying it. + + # actions: + + # 1: + + # action: delete_indices + + # description: >- + + # Delete .operations indices older than 30 days. + + # Ignore the error if the filter does not + + # result in an actionable list of indices (ignore_empty_list). 
+ + # See https://www.elastic.co/guide/en/elasticsearch/client/curator/5.2/ex_delete_indices.html + + # options: + + # # Swallow curator.exception.NoIndices exception + + # ignore_empty_list: True + + # # In seconds, default is 300 + + # timeout_override: ${CURATOR_TIMEOUT} + + # # Don''t swallow any other exceptions + + # continue_if_exception: False + + # # Optionally disable action, useful for debugging + + # disable_action: False + + # # All filters are bound by logical AND + + # filters: + + # - filtertype: pattern + + # kind: regex + + # value: "^\.operations\..*$" + + # exclude: False + + # - filtertype: age + + # # Parse timestamp from index name + + # source: name + + # direction: older + + # timestring: "%Y.%m.%d" + + # unit: days + + # unit_count: 30 + + # exclude: False + + ' + config.yaml: "# Logging example curator config file\n\n# uncomment and use\ + \ this to override the defaults from env vars\n#.defaults:\n# delete:\n\ + # days: 30\n.defaults:\n delete:\n days: 7\n\n# to keep ops logs\ + \ for a different duration:\n.operations:\n delete:\n days: 0\n\n# example\ + \ for a normal project\n#myapp:\n# delete:\n# weeks: 1\n" + curator5.yaml: "---\nclient:\n hosts:\n - ${ES_HOST}\n port: ${ES_PORT}\n\ + \ use_ssl: True\n certificate: ${ES_CA}\n client_cert: ${ES_CLIENT_CERT}\n\ + \ client_key: ${ES_CLIENT_KEY}\n ssl_no_validate: False\n timeout: ${CURATOR_TIMEOUT}\n\ + \ master_only: False\nlogging:\n loglevel: ${CURATOR_LOG_LEVEL}\n logformat:\ + \ default\n blacklist: ['elasticsearch', 'urllib3']\n \n" kind: ConfigMap - name: curator - namespace: openshift-logging - patchType: merge - patch: '{"data":{"actions.yaml":"# ---\n# Remember, leave a key empty if there - is no value. None will be a string,\n# not a Python \"NoneType\"\n#\n# Also - remember that all examples have \"disable_action\" set to True. 
If you\n# - want to use this action as a template, be sure to set this to False after\n# - copying it.\n# actions:\n# 1:\n# action: delete_indices\n# description: - >-\n# Delete .operations indices older than 30 days.\n# Ignore - the error if the filter does not\n# result in an actionable list of - indices (ignore_empty_list).\n# See https://www.elastic.co/guide/en/elasticsearch/client/curator/5.2/ex_delete_indices.html\n# options:\n# # - Swallow curator.exception.NoIndices exception\n# ignore_empty_list: - True\n# # In seconds, default is 300\n# timeout_override: ${CURATOR_TIMEOUT}\n# # - Don not swallow any other exceptions\n# continue_if_exception: False\n# # - Optionally disable action, useful for debugging\n# disable_action: False\n# # - All filters are bound by logical AND\n# filters:\n# - filtertype: - pattern\n# kind: regex\n# value: \"^\\.operations\\..*$\"\n# exclude: - False\n# - filtertype: age\n# # Parse timestamp from index name\n# source: - name\n# direction: older\n# timestring: \"%Y.%m.%d\"\n# unit: - days\n# unit_count: 30\n# exclude: False\n","config.yaml":"# Logging - example curator config file\n\n# uncomment and use this to override the defaults - from env vars\n#.defaults:\n# delete:\n# days: 30\n.defaults:\n delete:\n days: - 7\n\n# to keep ops logs for a different duration:\n.operations:\n delete:\n days: - 0\n\n# example for a normal project\n#myapp:\n# delete:\n# weeks: 1\n","curator5.yaml":"---\nclient:\n hosts:\n - - ${ES_HOST}\n port: ${ES_PORT}\n use_ssl: True\n certificate: ${ES_CA}\n client_cert: - ${ES_CLIENT_CERT}\n client_key: ${ES_CLIENT_KEY}\n ssl_no_validate: False\n timeout: - ${CURATOR_TIMEOUT}\n master_only: False\nlogging:\n loglevel: ${CURATOR_LOG_LEVEL}\n logformat: - default\n blacklist: ["elasticsearch", "urllib3"]\n \n"}}' + metadata: + name: curator + namespace: openshift-logging - apiVersion: hive.openshift.io/v1 kind: SelectorSyncSet metadata: 
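Review bot: The Namespace merge patch added at the top of this hunk is not valid JSON: the four members of `"labels"` are separated only by newlines with no commas, and the last value is single-quoted (`: 'true'`), so the apply will presumably fail and the quota-exempt, cluster-logging and cluster-monitoring labels never reach `openshift-logging`. With `applyBehavior: CreateOnly` now set on this syncset and the labels removed from the Namespace resource itself, that patch is the only path by which those labels are applied. The equivalent patch in the later hunk headed `@@ -31507,51 +31765,141 @@` is well-formed, so only this one needs fixing; since the files look generated, the fix belongs in the generator input rather than here. A one-line replacement: `patch: '{"annotations":{"openshift.io/node-selector":""},"labels":{"managed.openshift.io/service-lb-quota-exempt":"true","managed.openshift.io/storage-pv-quota-exempt":"true","openshift.io/cluster-logging":"true","openshift.io/cluster-monitoring":"true"}}'`. If this has already shipped, the syncset status on the affected clusters would presumably show the failed patch.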
@@ -31467,28 +31654,99 @@ objects: values: - 'true' resourceApplyMode: Sync - patches: + resources: - apiVersion: v1 kind: ResourceQuota - name: logging-storage-quota - namespace: openshift-logging - applyMode: AlwaysApply - patchType: merge - patch: '{"spec":{"hard":{"requests.storage":"1500Gi"}}}' + metadata: + name: logging-storage-quota + namespace: openshift-logging + spec: + hard: + requests.storage: 1500Gi - apiVersion: rbac.authorization.k8s.io/v1 kind: Role - name: dedicated-admins-openshift-logging - namespace: openshift-logging - applyMode: AlwaysApply - patchType: merge - patch: '{"rules":[{"apiGroups":[""],"resources":["events","namespaces","persistentvolumeclaims","persistentvolumes","pods","pods/log"],"verbs":["list","get","watch"]},{"apiGroups":[""],"resources":["secrets"],"verbs":["*"]},{"apiGroups":["logging.openshift.io"],"resources":["clusterloggings"],"verbs":["create","delete","deletecollection","get","list","patch","update","watch"]},{"apiGroups":["operators.coreos.com"],"resources":["subscriptions","clusterserviceversions"],"verbs":["*"]},{"apiGroups":["operators.coreos.com"],"resources":["installplans"],"verbs":["update"]},{"apiGroups":[""],"resources":["persistentvolumeclaims"],"verbs":["*"]},{"apiGroups":["apps","extensions"],"resources":["daemonsets"],"verbs":["get","list","patch","update","watch"]}]}' + metadata: + name: dedicated-admins-openshift-logging + namespace: openshift-logging + rules: + - apiGroups: + - '' + resources: + - events + - namespaces + - persistentvolumeclaims + - persistentvolumes + - pods + - pods/log + verbs: + - list + - get + - watch + - apiGroups: + - '' + resources: + - secrets + verbs: + - '*' + - apiGroups: + - logging.openshift.io + resources: + - clusterloggings + verbs: + - create + - delete + - deletecollection + - get + - list + - patch + - update + - watch + - apiGroups: + - operators.coreos.com + resources: + - subscriptions + - clusterserviceversions + verbs: + - '*' + - apiGroups: + - 
operators.coreos.com + resources: + - installplans + verbs: + - update + - apiGroups: + - '' + resources: + - persistentvolumeclaims + verbs: + - '*' + - apiGroups: + - apps + - extensions + resources: + - daemonsets + verbs: + - get + - list + - patch + - update + - watch - apiVersion: rbac.authorization.k8s.io/v1 kind: RoleBinding - name: dedicated-admins-openshift-logging - namespace: openshift-logging - applyMode: AlwaysApply - patchType: merge - patch: '{"subjects":[{"apiGroup":"rbac.authorization.k8s.io","kind":"Group","name":"dedicated-admins"},{"apiGroup":"rbac.authorization.k8s.io","kind":"Group","name":"system:serviceaccounts:dedicated-admin"}],"roleRef":{"apiGroup":"rbac.authorization.k8s.io","kind":"Role","name":"dedicated-admins-openshift-logging"}}' + metadata: + name: dedicated-admins-openshift-logging + namespace: openshift-logging + subjects: + - apiGroup: rbac.authorization.k8s.io + kind: Group + name: dedicated-admins + - apiGroup: rbac.authorization.k8s.io + kind: Group + name: system:serviceaccounts:dedicated-admin + roleRef: + apiGroup: rbac.authorization.k8s.io + kind: Role + name: dedicated-admins-openshift-logging - apiVersion: hive.openshift.io/v1 kind: SelectorSyncSet metadata: 
@@ -31507,51 +31765,141 @@ objects: values: - 'true' resourceApplyMode: Upsert + applyBehavior: CreateOnly + patches: + - apiVersion: v1 + kind: Namespace + name: openshift-logging + applyMode: AlwaysApply + patchType: merge + patch: "{\n \"annotations\": {\n \"openshift.io/node-selector\": \"\"\n\ + \ },\n \"labels\": {\n \"openshift.io/cluster-logging\": \"true\"\n \ + \ }\n}" resources: - apiVersion: v1 kind: Namespace metadata: name: openshift-logging - annotations: - openshift.io/node-selector: '' - labels: - openshift.io/cluster-logging: 'true' - patches: - apiVersion: rbac.authorization.k8s.io/v1 kind: Role - name: dedicated-admins-openshift-logging - namespace: openshift-logging - applyMode: AlwaysApply - patchType: merge - patch: '{"rules":[{"apiGroups":[""],"resources":["events","namespaces","persistentvolumeclaims","persistentvolumes","pods","pods/log"],"verbs":["list","get","watch"]},{"apiGroups":[""],"resources":["secrets"],"verbs":["*"]},{"apiGroups":["logging.openshift.io"],"resources":["clusterloggings"],"verbs":["create","delete","deletecollection","get","list","patch","update","watch"]},{"apiGroups":["operators.coreos.com"],"resources":["subscriptions","clusterserviceversions"],"verbs":["*"]},{"apiGroups":["operators.coreos.com"],"resources":["installplans"],"verbs":["update"]},{"apiGroups":[""],"resources":["persistentvolumeclaims"],"verbs":["*"]},{"apiGroups":["apps","extensions"],"resources":["daemonsets"],"verbs":["get","list","patch","update","watch"]}]}' + metadata: + name: dedicated-admins-openshift-logging + namespace: openshift-logging + rules: + - apiGroups: + - '' + resources: + - events + - namespaces + - persistentvolumeclaims + - persistentvolumes + - pods + - pods/log + verbs: + - list + - get + - watch + - apiGroups: + - '' + resources: + - secrets + verbs: + - '*' + - apiGroups: + - logging.openshift.io + resources: + - clusterloggings + verbs: + - create + - delete + - deletecollection + - get + - list + - patch + - update + - 
watch + - apiGroups: + - operators.coreos.com + resources: + - subscriptions + - clusterserviceversions + verbs: + - '*' + - apiGroups: + - operators.coreos.com + resources: + - installplans + verbs: + - update + - apiGroups: + - '' + resources: + - persistentvolumeclaims + verbs: + - '*' + - apiGroups: + - apps + - extensions + resources: + - daemonsets + verbs: + - get + - list + - patch + - update + - watch - apiVersion: rbac.authorization.k8s.io/v1 kind: RoleBinding - name: admin-dedicated-admins - namespace: openshift-logging - applyMode: AlwaysApply - patchType: merge - patch: '{"roleRef":{"apiGroup":"rbac.authorization.k8s.io","kind":"ClusterRole","name":"admin"},"subjects":[{"apiGroup":"rbac.authorization.k8s.io","kind":"Group","name":"dedicated-admins"}]}' + metadata: + name: admin-dedicated-admins + namespace: openshift-logging + roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: admin + subjects: + - apiGroup: rbac.authorization.k8s.io + kind: Group + name: dedicated-admins - apiVersion: rbac.authorization.k8s.io/v1 kind: RoleBinding - name: admin-system:serviceaccounts:dedicated-admin - namespace: openshift-logging - applyMode: AlwaysApply - patchType: merge - patch: '{"roleRef":{"apiGroup":"rbac.authorization.k8s.io","kind":"ClusterRole","name":"admin"},"subjects":[{"apiGroup":"rbac.authorization.k8s.io","kind":"Group"}]}' + metadata: + name: admin-system:serviceaccounts:dedicated-admin + namespace: openshift-logging + roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: admin + subjects: + - apiGroup: rbac.authorization.k8s.io + kind: Group + name: system:serviceaccounts:dedicated-admin - apiVersion: rbac.authorization.k8s.io/v1 kind: RoleBinding - name: openshift-logging-dedicated-admins - namespace: openshift-logging - applyMode: AlwaysApply - patchType: merge - patch: 
'{"roleRef":{"apiGroup":"rbac.authorization.k8s.io","kind":"ClusterRole","name":"dedicated-admins-project"},"subjects":[{"apiGroup":"rbac.authorization.k8s.io","kind":"Group","name":"dedicated-admins"}]}' + metadata: + name: openshift-logging-dedicated-admins + namespace: openshift-logging + roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: dedicated-admins-project + subjects: + - apiGroup: rbac.authorization.k8s.io + kind: Group + name: dedicated-admins - apiVersion: rbac.authorization.k8s.io/v1 kind: RoleBinding - name: openshift-logging:serviceaccounts:dedicated-admin - namespace: openshift-logging - applyMode: AlwaysApply - patchType: merge - patch: '{"roleRef":{"apiGroup":"rbac.authorization.k8s.io","kind":"ClusterRole","name":"dedicated-admins-project"},"subjects":[{"apiGroup":"rbac.authorization.k8s.io","kind":"Group","name":"system:serviceaccounts:dedicated-admin"}]}' + metadata: + name: openshift-logging:serviceaccounts:dedicated-admin + namespace: openshift-logging + roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: dedicated-admins-project + subjects: + - apiGroup: rbac.authorization.k8s.io + kind: Group + name: system:serviceaccounts:dedicated-admin - apiVersion: hive.openshift.io/v1 kind: SelectorSyncSet metadata: 
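Review bot: Adding `applyBehavior: CreateOnly` to this syncset while moving the `dedicated-admins-openshift-logging` Role and the four RoleBindings from `applyMode: AlwaysApply` patches into `resources` changes how they are enforced: the old patches were re-applied continuously, whereas CreateOnly resources are, as far as I can tell from Hive's semantics, created once and not reconciled afterwards, so a later edit to the Role's rules (which include `secrets` with `'*'`) or to a RoleBinding's subjects in `openshift-logging` would persist. Only the Namespace labels keep an `AlwaysApply` patch in this syncset. If continuous enforcement of these RBAC objects is intended, keep them in a syncset without `applyBehavior: CreateOnly` (the `resourceApplyMode: Sync` syncset in the hunk headed `@@ -31467,28 +31654,99 @@` has that shape) or keep them as patches. The RoleBindings in the last hunk (`@@ -32200,35 +32548,58 @@`) appear to follow the same conversion, though that syncset's `applyBehavior` line is outside the hunk. The ACM Policy variant of the same objects still uses `complianceType: mustonlyhave` with `remediationAction: enforce`, which may be the intended drift control, but that only covers clusters where the policy is applied.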
@@ -32200,35 +32548,58 @@ objects: kind: Namespace metadata: name: openshift-operators-redhat - patches: - apiVersion: rbac.authorization.k8s.io/v1 kind: RoleBinding - name: admin-dedicated-admins - namespace: openshift-operators-redhat - applyMode: AlwaysApply - patchType: merge - patch: '{"roleRef":{"apiGroup":"rbac.authorization.k8s.io","kind":"ClusterRole","name":"admin"},"subjects":[{"apiGroup":"rbac.authorization.k8s.io","kind":"Group","name":"dedicated-admins"}]}' + metadata: + name: admin-dedicated-admins + namespace: openshift-operators-redhat + roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: admin + subjects: + - apiGroup: rbac.authorization.k8s.io + kind: Group + name: dedicated-admins - apiVersion: rbac.authorization.k8s.io/v1 kind: RoleBinding - name: admin-system:serviceaccounts:dedicated-admin - namespace: openshift-operators-redhat - applyMode: AlwaysApply - patchType: merge - patch: '{"roleRef":{"apiGroup":"rbac.authorization.k8s.io","kind":"ClusterRole","name":"admin"},"subjects":[{"apiGroup":"rbac.authorization.k8s.io","kind":"Group","name":"system:serviceaccounts:dedicated-admin"}]}' + metadata: + name: admin-system:serviceaccounts:dedicated-admin + namespace: openshift-operators-redhat + roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: admin + subjects: + - apiGroup: rbac.authorization.k8s.io + kind: Group + name: system:serviceaccounts:dedicated-admin - apiVersion: rbac.authorization.k8s.io/v1 kind: RoleBinding - name: openshift-operators-redhat-dedicated-admins - namespace: openshift-operators-redhat - applyMode: AlwaysApply - patchType: merge - patch: '{"roleRef":{"apiGroup":"rbac.authorization.k8s.io","kind":"ClusterRole","name":"dedicated-admins-project"},"subjects":[{"apiGroup":"rbac.authorization.k8s.io","kind":"Group","name":"dedicated-admins"}]}' + metadata: + name: openshift-operators-redhat-dedicated-admins + namespace: openshift-operators-redhat + roleRef: + apiGroup: 
rbac.authorization.k8s.io + kind: ClusterRole + name: dedicated-admins-project + subjects: + - apiGroup: rbac.authorization.k8s.io + kind: Group + name: dedicated-admins - apiVersion: rbac.authorization.k8s.io/v1 kind: RoleBinding - name: openshift-operators-redhat:serviceaccounts:dedicated-admin - namespace: openshift-operators-redhat - applyMode: AlwaysApply - patchType: merge - patch: '{"roleRef":{"apiGroup":"rbac.authorization.k8s.io","kind":"ClusterRole","name":"dedicated-admins-project"},"subjects":[{"apiGroup":"rbac.authorization.k8s.io","kind":"Group","name":"system:serviceaccounts:dedicated-admin"}]}' + metadata: + name: openshift-operators-redhat:serviceaccounts:dedicated-admin + namespace: openshift-operators-redhat + roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: dedicated-admins-project + subjects: + - apiGroup: rbac.authorization.k8s.io + kind: Group + name: system:serviceaccounts:dedicated-admin - apiVersion: hive.openshift.io/v1 kind: SelectorSyncSet metadata: