-
Notifications
You must be signed in to change notification settings - Fork 11
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Change Kustomize so that policies can be enforced as groups #141
Draft
galshi
wants to merge
7
commits into
openshift-4-compliance:master
Choose a base branch
from
galshi:add_labels_to_policies
base: master
Could not load branches
Branch not found: {{ refName }}
Loading
Could not load tags
Nothing to show
Loading
Are you sure you want to change the base?
Some commits from the old base branch may be removed from the timeline,
and old review comments may become outdated.
+162
−19
Draft
Changes from all commits
Commits
Show all changes
7 commits
Select commit
Hold shift + click to select a range
a5f618b
Changed kustomize so that policies could be enforced policies as groups
galshi 6294185
Added documentation about using the new kustomize
galshi 7070c77
Added documentation about enforcing specific policies uisng kustomize
galshi ca6aa7c
Added doc for removing or enforcing specific policies or groups of po…
galshi c4baff4
Added include all policies and corrected section about removal of pol…
galshi 59f58ac
Added doc about including policies in dry run as policy groups, clari…
galshi 2beaea9
Fixed phrasing in documentation
galshi File filter
Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
There are no files selected for viewing
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
13 changes: 13 additions & 0 deletions
13
open-policy-agent/authentication-user-management/kustomization.yaml
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,13 @@ | ||
| apiVersion: kustomize.config.k8s.io/v1beta1 | ||
| kind: Kustomization | ||
| resources: | ||
| - ./delete-kubeadmin/template.yaml | ||
| - ./delete-kubeadmin/constraint.yaml | ||
| - ./shorten-tokens/template.yaml | ||
| - ./shorten-tokens/constraint.yaml | ||
| - ./oauth-secured-identity-providers-only/template.yaml | ||
| - ./oauth-secured-identity-providers-only/constraint.yaml | ||
| - ./disallow-anonymous-users/template.yaml | ||
| - ./disallow-anonymous-users/constraint.yaml | ||
| commonLabels: | ||
| policy-group: authentication-user-management |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,17 @@ | ||
| apiVersion: kustomize.config.k8s.io/v1beta1 | ||
| kind: Kustomization | ||
| resources: | ||
| - ./disallow-privileged-scc-usage/template.yaml | ||
| - ./disallow-privileged-scc-usage/constraint.yaml | ||
| - ./prevent-default-serviceaccount-usage/template.yaml | ||
| - ./prevent-default-serviceaccount-usage/constraint.yaml | ||
| - ./disallow-host-network/template.yaml | ||
| - ./disallow-host-network/constraint.yaml | ||
| - ./disallow-host-namespaces/template.yaml | ||
| - ./disallow-host-namespaces/constraint.yaml | ||
| - ./disallow-cluster-admin/template.yaml | ||
| - ./disallow-cluster-admin/constraint.yaml | ||
| - ./disallow-scc-runasany/template.yaml | ||
| - ./disallow-scc-runasany/constraint.yaml | ||
| commonLabels: | ||
| policy-group: authorization |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,7 @@ | ||
| apiVersion: kustomize.config.k8s.io/v1beta1 | ||
| kind: Kustomization | ||
| resources: | ||
| - ./verify-etcd-encryption/template.yaml | ||
| - ./verify-etcd-encryption/constraint.yaml | ||
| commonLabels: | ||
| policy-group: etcd-security |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -1,22 +1,10 @@ | ||
| apiVersion: kustomize.config.k8s.io/v1beta1 | ||
| kind: Kustomization | ||
| resources: | ||
| - ./authentication-user-management/delete-kubeadmin/template.yaml | ||
| - ./authentication-user-management/shorten-tokens/template.yaml | ||
| - ./authentication-user-management/oauth-secured-identity-providers-only/template.yaml | ||
| - ./authorization/disallow-privileged-scc-usage/template.yaml | ||
| - ./authorization/prevent-default-serviceaccount-usage/template.yaml | ||
| - ./etcd-security/verify-etcd-encryption/template.yaml | ||
| - ./networking/block-nodeport-services/template.yaml | ||
| - ./networking/external-ips/template.yaml | ||
| - ./networking/httpsonly/template.yaml | ||
| - ./resource-exhaustion/disallow-self-provisioner/template.yaml | ||
| - ./trusted-image-sources/disallowedtags/template.yaml | ||
| - ./trusted-image-sources/disallowed-registries/template.yaml | ||
| - ./resource-exhaustion/pod-resource-limits/template.yaml | ||
| - ./authorization/disallow-host-network/template.yaml | ||
| - ./authorization/disallow-host-namespaces/template.yaml | ||
| - ./authorization/disallow-cluster-admin/template.yaml | ||
| - ./authorization/disallow-scc-runasany/template.yaml | ||
| - ./authentication/disallow-anonymous-users/template.yaml | ||
| - ./storage/disallow-emptydir/template.yaml | ||
| - ./authentication-user-management | ||
| - ./authorization | ||
| - ./etcd-security | ||
| - ./networking | ||
| - ./resource-exhaustion | ||
| - ./storage | ||
| - ./trusted-image-sources |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,11 @@ | ||
| apiVersion: kustomize.config.k8s.io/v1beta1 | ||
| kind: Kustomization | ||
| resources: | ||
| - ./block-nodeport-services/template.yaml | ||
| - ./block-nodeport-services/constraint.yaml | ||
| - ./external-ips/template.yaml | ||
| - ./external-ips/constraint.yaml | ||
| - ./httpsonly/template.yaml | ||
| - ./httpsonly/constraint.yaml | ||
| commonLabels: | ||
| policy-group: networking |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,9 @@ | ||
| apiVersion: kustomize.config.k8s.io/v1beta1 | ||
| kind: Kustomization | ||
| resources: | ||
| - ./disallow-self-provisioner/template.yaml | ||
| - ./disallow-self-provisioner/constraint.yaml | ||
| - ./pod-resource-limits/template.yaml | ||
| - ./pod-resource-limits/constraint.yaml | ||
| commonLabels: | ||
| policy-group: resource-exhaustion |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,7 @@ | ||
| apiVersion: kustomize.config.k8s.io/v1beta1 | ||
| kind: Kustomization | ||
| resources: | ||
| - ./disallow-emptydir/template.yaml | ||
| - ./disallow-emptydir/constraint.yaml | ||
| commonLabels: | ||
| policy-group: storage |
File renamed without changes.
File renamed without changes.
File renamed without changes.
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,9 @@ | ||
| apiVersion: kustomize.config.k8s.io/v1beta1 | ||
| kind: Kustomization | ||
| resources: | ||
| - ./disallowed-registries/template.yaml | ||
| - ./disallowed-registries/constraint.yaml | ||
| - ./disallowed-tags/template.yaml | ||
| - ./disallowed-tags/constraint.yaml | ||
| commonLabels: | ||
| policy-group: trusted-image-sources |
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
@galshi I'd add an example of implementation using ArgoCD at the end - which configurations should be applied in the
Applicationfor bothtemplateandconstraintresources to be created and not result inconstraintcreation failure due to kustomization issues.I know it might be an overkill, but as for now, if a simple user tries to use the examples we provide, it'll fail. The issue should be covered, and a solution needs to be provided for a complete GitOps solution.