The IAM policy controller is a controller that watches IamPolicies created to monitor IAM cluster role bindings used within a Kubernetes cluster. It detects the number of users with cluster role bindings to a given clusterrole and reports whether or not a given IamPolicy is compliant or noncompliant.The controller can be run as a stand-alone program or as an integrated part of governing risk with the Open Cluster Management project.
| Field | Description |
|---|---|
| maxClusterRoleBindingUsers | Required: Maximum number of cluster role binding still valid before it is considered as non-compliant. |
| ClusterRole | Optional: Cluster role referenced in the cluster role bindings, default to cluster-admin. |
Following is an example spec of a IamPolicy resource:
apiVersion: policy.open-cluster-management.io/v1
kind: IamPolicy
metadata:
name: iam-grc-policy
labels:
category: "System-Integrity"
spec:
# Include are the namespaces for which you want to watch cluster administrator role and IAM rolebinings, while exclude are the namespaces you explicitly do not want to watch
namespaceSelector:
include: ["default","kube-*"]
exclude: ["kube-system"]
#labelSelector:
#env: "production"
# Can be enforce or inform, however enforce doesn't do anything with regards to this controller
remediationAction: inform # enforce or inform
severity: medium # low, medium, or high
# Maximum number of cluster role binding still valid before it is considered as non-compliant
maxClusterRoleBindingUsers: 5Go to the Contributing guide to learn how to get involved.
- Build code
make build
- Run controller locally against the Kubernetes cluster currently configured with
kubectl(export WATCH_NAMESPACE=<namespace> make run
WATCH_NAMESPACEcan be any namespace on the cluster that you want the controller to monitor for policies.)
-
Build container image
make build-images
- The image registry, name, and tag used in the image build, are configurable with:
export REGISTRY='' # (defaults to 'quay.io/stolostron') export IMG='' # (defaults to the repository name) export TAG='' # (defaults to 'latest')
- The image registry, name, and tag used in the image build, are configurable with:
-
Deploy controller to a cluster
The controller is deployed to a namespace defined in
KIND_NAMESPACEand monitors the namepace defined inWATCH_NAMESPACEforIamPolicyresources.- Create the deployment namespaces
The deployment namespaces are configurable with:
make create-ns
export KIND_NAMESPACE='' # (defaults to 'open-cluster-management-agent-addon') export WATCH_NAMESPACE='' # (defaults to 'managed')
- Deploy the controller and related resources
make deploy
NOTE: Please be aware of the community's deployment images special note.
- Create the deployment namespaces
- Code linting
make lint
- Unit tests
- Install prerequisites
make test-dependencies
- Run unit tests
make test
- Install prerequisites
- E2E tests (NOTE: Currently there are no E2E tests to run)
- Prerequisites:
- Start KinD cluster (make sure Docker is running first)
make kind-bootstrap-cluster-dev
- Start the controller locally (see Steps for development)
- Run E2E tests:
export WATCH_NAMESPACE=managed make e2e-test
- The
iam-policy-controlleris part of theopen-cluster-managementcommunity. For more information, visit: open-cluster-management.io. - Check the Security guide if you need to report a security issue.