@ralvares
Last active June 23, 2022 05:35
policy-anyuid-enforce
apiVersion: policy.open-cluster-management.io/v1
kind: Policy
metadata:
  name: policy-anyuid-enforce
  namespace: default
  annotations:
    policy.open-cluster-management.io/categories: AC Access Control
    policy.open-cluster-management.io/controls: AC-3 Access Enforcement
    policy.open-cluster-management.io/standards: NIST SP 800-53
spec:
  disabled: false
  policy-templates:
    - objectDefinition:
        apiVersion: policy.open-cluster-management.io/v1
        kind: ConfigurationPolicy
        metadata:
          name: policy-rolebinding-anyuid-enforce
        spec:
          namespaceSelector:
            exclude:
              - kube-*
              - openshift*
              - open-management*
              - rhacs*
              - stackrox*
            include:
              - pacman
          object-templates:
            - complianceType: musthave
              objectDefinition:
                apiVersion: rbac.authorization.k8s.io/v1
                kind: RoleBinding
                metadata:
                  name: system:openshift:scc:anyuid
                roleRef:
                  name: system:openshift:scc:anyuid
                  apiGroup: rbac.authorization.k8s.io
                  kind: ClusterRole
                subjects:
                  - name: default
                    kind: ServiceAccount
          remediationAction: inform
          severity: high
  remediationAction: inform
---
apiVersion: apps.open-cluster-management.io/v1
kind: PlacementRule
metadata:
  name: policy-anyuid-enforce-placement
  namespace: default
spec:
  clusterConditions:
    - status: "True"
      type: ManagedClusterConditionAvailable
  clusterSelector:
    matchExpressions:
      - key: env
        operator: In
        values:
          - prod
---
apiVersion: policy.open-cluster-management.io/v1
kind: PlacementBinding
metadata:
  name: policy-anyuid-enforce-placement
  namespace: default
placementRef:
  name: policy-anyuid-enforce-placement
  apiGroup: apps.open-cluster-management.io
  kind: PlacementRule
subjects:
  - name: policy-anyuid-enforce
    apiGroup: policy.open-cluster-management.io
    kind: Policy