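---
# Sample policy demonstrating how to configure RBAC for application workloads
# running on managed clusters.
#
# NOTE: This is NOT RBAC for administering applications or policies through the
# Open Cluster Management hub. It configures RBAC for users who access and work
# with applications directly on the managed clusters.
#
# Example scenario covered by this policy:
#   Two applications, X and Y, run on the cluster.
#   Application X is deployed in namespace project-x.
#   Application Y is deployed in namespace project-y.
#
# RBAC model configured for this scenario:
#   Groups: SreAdminGrp, AppX-AdminGrp, AppX-ViewGrp, AppY-AdminGrp, AppY-ViewGrp
#   Bindings:
#     SreAdminGrp   -> cluster-admin on the whole cluster (ClusterRoleBinding)
#     AppX-AdminGrp -> admin in namespace project-x (where App X is deployed)
#     AppX-ViewGrp  -> view  in namespace project-x (where App X is deployed)
#     AppY-AdminGrp -> admin in namespace project-y (where App Y is deployed)
#     AppY-ViewGrp  -> view  in namespace project-y (where App Y is deployed)
#
# Security notes for anyone adapting this sample:
#   - cluster-admin is unrestricted. SreAdminGrp membership is effectively root on
#     the managed cluster. This policy only asserts that the Group object exists
#     (`users: null` matches any membership); it does not control who is a member.
#     Group membership must be governed separately (identity provider group sync or
#     an explicit membership policy).
#   - The built-in `admin` ClusterRole, bound in a namespace, allows the bearer to
#     read Secrets and to create RoleBindings inside that namespace. Treat the
#     App*-AdminGrp groups accordingly.
#   - The bindings below use `mustonlyhave` so that a subject added to a binding
#     out-of-band (for example, an extra group granted cluster-admin) is reported
#     as a violation. `musthave` only checks that the listed fields are present and
#     would not flag additional subjects. Groups and Namespaces stay `musthave`
#     because they legitimately acquire members / platform-managed labels.
#   - remediationAction is `inform` by default, so the hub only reports drift.
#     Set it to `enforce` to have the hub create the objects and correct drift.
apiVersion: policy.open-cluster-management.io/v1
kind: Policy
metadata:
  name: policy-configure-appworkloads-rbac
  annotations:
    policy.open-cluster-management.io/standards: NIST SP 800-53
    policy.open-cluster-management.io/categories: AC Access Control
    policy.open-cluster-management.io/controls: AC-3 Access Enforcement
spec:
  # `inform` reports non-compliance only; `enforce` creates/corrects the objects.
  remediationAction: inform
  disabled: false
  policy-templates:
    - objectDefinition:
        apiVersion: policy.open-cluster-management.io/v1
        kind: ConfigurationPolicy
        metadata:
          name: policy-configure-appworkloads-rbac-example
        spec:
          # Overridden by the Policy-level spec.remediationAction above.
          remediationAction: inform
          severity: high
          object-templates:
            # --- Groups -------------------------------------------------------
            # Only the existence of each group is asserted. `users: null` matches
            # any membership, and when enforced, the group is created empty.
            - complianceType: musthave
              objectDefinition:
                kind: Group
                apiVersion: user.openshift.io/v1
                metadata:
                  name: SreAdminGrp
                users: null
            - complianceType: musthave
              objectDefinition:
                kind: Group
                apiVersion: user.openshift.io/v1
                metadata:
                  name: AppX-AdminGrp
                users: null
            - complianceType: musthave
              objectDefinition:
                kind: Group
                apiVersion: user.openshift.io/v1
                metadata:
                  name: AppX-ViewGrp
                users: null
            - complianceType: musthave
              objectDefinition:
                kind: Group
                apiVersion: user.openshift.io/v1
                metadata:
                  name: AppY-AdminGrp
                users: null
            - complianceType: musthave
              objectDefinition:
                kind: Group
                apiVersion: user.openshift.io/v1
                metadata:
                  name: AppY-ViewGrp
                users: null
            # --- Namespaces ---------------------------------------------------
            # `musthave` so platform-added labels/annotations do not cause
            # spurious violations.
            - complianceType: musthave
              objectDefinition:
                apiVersion: v1
                kind: Namespace
                metadata:
                  name: project-x
                  labels:
                    purpose: namespace-for-sample-AppX-artifacts
            - complianceType: musthave
              objectDefinition:
                apiVersion: v1
                kind: Namespace
                metadata:
                  name: project-y
                  labels:
                    purpose: namespace-for-sample-AppY-artifacts
            # --- Cluster-wide binding -----------------------------------------
            # Grants cluster-admin to SreAdminGrp. `mustonlyhave` so that any extra
            # subject or a changed roleRef on this binding is reported.
            - complianceType: mustonlyhave
              objectDefinition:
                kind: ClusterRoleBinding
                apiVersion: rbac.authorization.k8s.io/v1
                metadata:
                  name: SreAdmin-Binding
                subjects:
                  - kind: Group
                    apiGroup: rbac.authorization.k8s.io
                    name: SreAdminGrp
                roleRef:
                  apiGroup: rbac.authorization.k8s.io
                  kind: ClusterRole
                  name: cluster-admin
            # --- Namespace-scoped bindings for App X --------------------------
            - complianceType: mustonlyhave
              objectDefinition:
                kind: RoleBinding
                apiVersion: rbac.authorization.k8s.io/v1
                metadata:
                  name: AppX-Admin-Binding
                  namespace: project-x
                subjects:
                  - kind: Group
                    apiGroup: rbac.authorization.k8s.io
                    name: AppX-AdminGrp
                roleRef:
                  apiGroup: rbac.authorization.k8s.io
                  kind: ClusterRole
                  name: admin
            - complianceType: mustonlyhave
              objectDefinition:
                kind: RoleBinding
                apiVersion: rbac.authorization.k8s.io/v1
                metadata:
                  name: AppX-View-Binding
                  namespace: project-x
                subjects:
                  - kind: Group
                    apiGroup: rbac.authorization.k8s.io
                    name: AppX-ViewGrp
                roleRef:
                  apiGroup: rbac.authorization.k8s.io
                  kind: ClusterRole
                  name: view
            # --- Namespace-scoped bindings for App Y --------------------------
            - complianceType: mustonlyhave
              objectDefinition:
                kind: RoleBinding
                apiVersion: rbac.authorization.k8s.io/v1
                metadata:
                  name: AppY-Admin-Binding
                  namespace: project-y
                subjects:
                  - kind: Group
                    apiGroup: rbac.authorization.k8s.io
                    name: AppY-AdminGrp
                roleRef:
                  apiGroup: rbac.authorization.k8s.io
                  kind: ClusterRole
                  name: admin
            - complianceType: mustonlyhave
              objectDefinition:
                kind: RoleBinding
                apiVersion: rbac.authorization.k8s.io/v1
                metadata:
                  name: AppY-View-Binding
                  namespace: project-y
                subjects:
                  - kind: Group
                    apiGroup: rbac.authorization.k8s.io
                    name: AppY-ViewGrp
                roleRef:
                  apiGroup: rbac.authorization.k8s.io
                  kind: ClusterRole
                  name: view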