# Hub-side Policy: reports whether the `default` namespace on each placed
# cluster carries a LimitRange that supplies container memory defaults.
# With remediationAction `inform` nothing is created or patched on the
# managed clusters; the policy only surfaces non-compliance.
apiVersion: policy.open-cluster-management.io/v1
kind: Policy
metadata:
  name: policy-limitrange
  namespace: default
  annotations:
    # Compliance-mapping metadata only; these annotations do not affect
    # how the policy is evaluated.
    policy.open-cluster-management.io/standards: NIST-CSF
    policy.open-cluster-management.io/categories: PR.IP Information Protection Processes and Procedures
    policy.open-cluster-management.io/controls: PR.IP-1 Baseline Configuration
spec:
  # `inform` = report only. Change to `enforce` to have the agent reconcile
  # the LimitRange. The Policy-level value is also set on the template below;
  # per OCM semantics the Policy-level value takes precedence — verify on
  # your hub version before relying on one or the other.
  remediationAction: inform
  disabled: false
  policy-templates:
    - objectDefinition:
        apiVersion: policy.open-cluster-management.io/v1
        kind: ConfigurationPolicy
        metadata:
          name: policy-limitrange-container-mem-limit-range
        spec:
          remediationAction: inform
          severity: medium
          namespaceSelector:
            # Evaluated only in `default`. The kube-* exclusion is redundant
            # next to an explicit include list, but documents intent.
            # Quoted so the glob is never mistaken for YAML syntax.
            exclude:
              - "kube-*"
            include:
              - default
          object-templates:
            # musthave: the object must exist and contain at least these
            # fields; per OCM semantics additional fields on the live object
            # (e.g. a different `max`) are not reported.
            - complianceType: musthave
              objectDefinition:
                apiVersion: v1
                kind: LimitRange
                metadata:
                  name: container-mem-limit-range
                spec:
                  limits:
                    # NOTE(review): `default`/`defaultRequest` only fill in
                    # values for containers that omit them; they do not cap
                    # explicitly set values. Add `max`/`min` if a ceiling is
                    # the intent.
                    - type: Container
                      default:
                        memory: 512Mi
                      defaultRequest:
                        memory: 256Mi
---
# Binds policy-limitrange to the Placement `placement-policy-role` in the
# same namespace. The binding/placement names still carry the template's
# "policy-role" suffix; renaming them after the policy would aid grepping.
apiVersion: policy.open-cluster-management.io/v1
kind: PlacementBinding
metadata:
  name: binding-policy-role
  namespace: default
placementRef:
  apiGroup: cluster.open-cluster-management.io
  kind: Placement
  name: placement-policy-role
subjects:
  - apiGroup: policy.open-cluster-management.io
    kind: Policy
    name: policy-limitrange
---
# Placement for policy-limitrange. No `predicates` are set, so every cluster
# in the `default` ManagedClusterSet (bound to this namespace by the
# ManagedClusterSetBinding below) is selected. Uncomment and adjust
# `predicates` to scope the rollout by cluster label.
# NOTE(review): this uses Placement v1beta1 while the cluster-set resources
# below use v1beta2 — confirm the target hub serves both versions.
apiVersion: cluster.open-cluster-management.io/v1beta1
kind: Placement
metadata:
  name: placement-policy-role
  namespace: default
spec:
  clusterSets:
    - default
  # predicates:
  #   - requiredClusterSelector:
  #       labelSelector:
  #         matchLabels:
  #           global-policy: test
# Example (commented out): scope to a dedicated namespace and cluster set.
# It uses the v1beta1 ManagedClusterSet API with `LegacyClusterSetLabel`,
# whereas the live resources below use v1beta2 — keep them consistent if
# this is ever enabled.
# ---
# apiVersion: v1
# kind: Namespace
# metadata:
#   name: ns1
# ---
# apiVersion: cluster.open-cluster-management.io/v1beta1
# kind: ManagedClusterSet
# metadata:
#   name: clusterset1
# spec:
#   clusterSelector:
#     selectorType: LegacyClusterSetLabel
# ---
# apiVersion: cluster.open-cluster-management.io/v1beta1
# kind: ManagedClusterSetBinding
# metadata:
#   name: clusterset1
#   namespace: ns1
# spec:
#   clusterSet: clusterset1
---
# Makes the `default` ManagedClusterSet selectable from the `default`
# namespace. A Placement can only choose clusters from sets bound to its own
# namespace, so without this binding the Placement above would select none.
apiVersion: cluster.open-cluster-management.io/v1beta2
kind: ManagedClusterSetBinding
metadata:
  name: default
  namespace: default
spec:
  clusterSet: default
---
# The `default` ManagedClusterSet. No `spec.clusterSelector` is given, so the
# API default applies — NOTE(review): in v1beta2 this is understood to be the
# exclusive `cluster.open-cluster-management.io/clusterset=default` label;
# confirm which clusters it captures on your hub before binding policies to it.
apiVersion: cluster.open-cluster-management.io/v1beta2
kind: ManagedClusterSet
metadata:
  name: default
# Second example: the same LimitRange check, bound through an
# apps.open-cluster-management.io PlacementRule instead of a Placement.
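---
# Policy `mem-limit`: same LimitRange check as policy-limitrange, but using
# `mustonlyhave` and bound via a PlacementRule (see below).
# This document must start with `---`: without the separator its apiVersion/
# kind/metadata keys would be parsed into the preceding ManagedClusterSet
# document as duplicate keys and the Policy would never be created.
apiVersion: policy.open-cluster-management.io/v1
kind: Policy
metadata:
  name: mem-limit
  namespace: default
  annotations:
    # Compliance-mapping metadata only; no effect on evaluation.
    policy.open-cluster-management.io/categories: SC System and Communications Protection
    policy.open-cluster-management.io/standards: NIST SP 800-53
    policy.open-cluster-management.io/controls: SC-6 Resource Availability
spec:
  disabled: false
  # No Policy-level remediationAction here, so the template-level `inform`
  # below is what applies: report only, nothing is reconciled.
  policy-templates:
    - objectDefinition:
        apiVersion: policy.open-cluster-management.io/v1
        kind: ConfigurationPolicy
        metadata:
          name: policy-limitrange-1
        spec:
          remediationAction: inform
          severity: medium
          namespaceSelector:
            # Evaluated only in `default`; quoted glob for the exclusion.
            exclude:
              - "kube-*"
            include:
              - default
          object-templates:
            # mustonlyhave: per OCM semantics the live LimitRange must match
            # this definition exactly; extra `limits` entries or fields are
            # reported as non-compliant (stricter than the musthave policy
            # earlier in this file).
            - complianceType: mustonlyhave
              objectDefinition:
                apiVersion: v1
                kind: LimitRange
                metadata:
                  name: mem-limit-range
                spec:
                  limits:
                    # NOTE(review): defaults only apply to containers that
                    # omit limits/requests; they do not cap explicit values.
                    - type: Container
                      default:
                        memory: 512Mi
                      defaultRequest:
                        memory: 256Mi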
---
# PlacementRule (apps.open-cluster-management.io) for the mem-limit policy.
# No clusterSelector is set, so every managed cluster reporting
# ManagedClusterConditionAvailable=True is selected. The first policy in this
# file uses the cluster.open-cluster-management.io Placement API instead;
# pick one placement mechanism per repository to keep scoping auditable.
apiVersion: apps.open-cluster-management.io/v1
kind: PlacementRule
metadata:
  name: mem-limit-placement
  namespace: default
spec:
  clusterConditions:
    - status: "True"
      type: ManagedClusterConditionAvailable
---
# Binds the mem-limit Policy to the PlacementRule of the same name. Note the
# apiGroup/kind in placementRef must name the PlacementRule API, not the
# Placement API used by the first binding in this file.
apiVersion: policy.open-cluster-management.io/v1
kind: PlacementBinding
metadata:
  name: mem-limit-placement
  namespace: default
placementRef:
  apiGroup: apps.open-cluster-management.io
  kind: PlacementRule
  name: mem-limit-placement
subjects:
  - apiGroup: policy.open-cluster-management.io
    kind: Policy
    name: mem-limit