From 0889c9eee4d86dee381c9fe06e6b9a87b5a77915 Mon Sep 17 00:00:00 2001 From: Dale Haiducek <19750917+dhaiducek@users.noreply.github.com> Date: Tue, 18 Feb 2025 16:29:18 -0500 Subject: [PATCH 1/5] Adopt policy best practices - Use fully qualified name for policy - Remove `ManagedClusterConditionAvailable` When dealing with policies, this setting is not recommended since it could introduce churn. - Add `tolerations` to `Placement` Not having these tolerations could introduce churn if the managed cluster becomes unavailable. Signed-off-by: Dale Haiducek <19750917+dhaiducek@users.noreply.github.com> --- .../upgrade_cluster_disconnected_policies.adoc | 9 --------- gitops/gitops_policy_generator.adoc | 3 --- governance/generate_pol_operator_install.adoc | 5 +++++ governance/hub_policy_framework.adoc | 10 ++++++++++ governance/manage_policies.adoc | 5 +++++ governance/opp_policyset_install.adoc | 5 +++++ governance/policy_generator.adoc | 5 +++++ governance/policy_set_ctrl.adoc | 5 +++++ .../discover_hosted/acm_integrate_import_hcp.adoc | 2 +- .../discover_hosted/acm_integrate_import_rosa.adoc | 2 +- 10 files changed, 37 insertions(+), 14 deletions(-) diff --git a/clusters/install_upgrade/upgrade_cluster_disconnected_policies.adoc b/clusters/install_upgrade/upgrade_cluster_disconnected_policies.adoc index 8e8d2353ff..855b1df5d5 100644 --- a/clusters/install_upgrade/upgrade_cluster_disconnected_policies.adoc +++ b/clusters/install_upgrade/upgrade_cluster_disconnected_policies.adoc @@ -267,9 +267,6 @@ metadata: name: placement-policy-mirror namespace: default spec: - clusterConditions: - - status: "True" - type: ManagedClusterConditionAvailable clusterSelector: matchExpressions: [] <3> @@ -358,9 +355,6 @@ metadata: name: placement-policy-catalog namespace: default spec: - clusterConditions: - - status: "True" - type: ManagedClusterConditionAvailable clusterSelector: matchExpressions: [] <2> @@ -461,9 +455,6 @@ metadata: name: placement-policy-cluster-version namespace: default spec: - clusterConditions: - - status: "True" - type: ManagedClusterConditionAvailable clusterSelector: matchExpressions: [] <2> diff --git a/gitops/gitops_policy_generator.adoc b/gitops/gitops_policy_generator.adoc index 606cb140d3..42e85cad36 100644 --- a/gitops/gitops_policy_generator.adoc +++ b/gitops/gitops_policy_generator.adoc @@ -62,9 +62,6 @@ metadata: name: placement-install-openshift-gitops namespace: policies spec: - clusterConditions: - - status: "True" - type: ManagedClusterConditionAvailable clusterSelector: matchExpressions: - key: vendor diff --git a/governance/generate_pol_operator_install.adoc b/governance/generate_pol_operator_install.adoc index 2a7bdd7afe..078efd2b40 100644 --- a/governance/generate_pol_operator_install.adoc +++ b/governance/generate_pol_operator_install.adoc @@ -84,6 +84,11 @@ spec: operator: In values: - OpenShift + tolerations: + - key: cluster.open-cluster-management.io/unavailable + operator: Exists + - key: cluster.open-cluster-management.io/unreachable + operator: Exists --- apiVersion: policy.open-cluster-management.io/v1 kind: PlacementBinding diff --git a/governance/hub_policy_framework.adoc b/governance/hub_policy_framework.adoc index da4c07e748..c343c9e062 100644 --- a/governance/hub_policy_framework.adoc +++ b/governance/hub_policy_framework.adoc @@ -26,6 +26,11 @@ spec: labelSelector: matchExpressions: - {key: environment, operator: In, values: ["dev"]} + tolerations: + - key: cluster.open-cluster-management.io/unavailable + operator: Exists + - key: cluster.open-cluster-management.io/unreachable + operator: Exists ---- + @@ -270,6 +275,11 @@ spec: labelSelector: matchExpressions: - {key: environment, operator: In, values: ["dev"]} + tolerations: + - key: cluster.open-cluster-management.io/unavailable + operator: Exists + - key: cluster.open-cluster-management.io/unreachable + operator: Exists ---- [#add-resources-policy-overview] diff --git a/governance/manage_policies.adoc b/governance/manage_policies.adoc index f7c1615709..7c158eb23a 100644 --- a/governance/manage_policies.adoc +++ b/governance/manage_policies.adoc @@ -182,6 +182,11 @@ spec: labelSelector: matchLabels: cloud: "IBM" + tolerations: + - key: cluster.open-cluster-management.io/unavailable + operator: Exists + - key: cluster.open-cluster-management.io/unreachable + operator: Exists ---- . *Optional:* Add a description for your policy. diff --git a/governance/opp_policyset_install.adoc b/governance/opp_policyset_install.adoc index 81b77d9d38..871da7d0af 100644 --- a/governance/opp_policyset_install.adoc +++ b/governance/opp_policyset_install.adoc @@ -101,6 +101,11 @@ spec: labelSelector: matchExpressions: - {key: name, operator: In, values: ["local-cluster"]} + tolerations: + - key: cluster.open-cluster-management.io/unavailable + operator: Exists + - key: cluster.open-cluster-management.io/unreachable + operator: Exists ---- + . To apply the previous YAML from the command line interface, run the following command: diff --git a/governance/policy_generator.adoc b/governance/policy_generator.adoc index 2f7d6e1d5e..fc0207c9da 100644 --- a/governance/policy_generator.adoc +++ b/governance/policy_generator.adoc @@ -120,6 +120,11 @@ spec: - requiredClusterSelector: labelSelector: matchExpressions: [] + tolerations: + - key: cluster.open-cluster-management.io/unavailable + operator: Exists + - key: cluster.open-cluster-management.io/unreachable + operator: Exists --- apiVersion: policy.open-cluster-management.io/v1 kind: PlacementBinding diff --git a/governance/policy_set_ctrl.adoc b/governance/policy_set_ctrl.adoc index 6504cb0717..ada380b47d 100644 --- a/governance/policy_set_ctrl.adoc +++ b/governance/policy_set_ctrl.adoc @@ -58,6 +58,11 @@ spec: operator: In values: - local-cluster + tolerations: + - key: cluster.open-cluster-management.io/unavailable + operator: Exists + - key: cluster.open-cluster-management.io/unreachable + operator: Exists ---- diff --git a/mce_acm_integration/discover_hosted/acm_integrate_import_hcp.adoc b/mce_acm_integration/discover_hosted/acm_integrate_import_hcp.adoc index a21f81f80d..e8ae8278c2 100644 --- a/mce_acm_integration/discover_hosted/acm_integrate_import_hcp.adoc +++ b/mce_acm_integration/discover_hosted/acm_integrate_import_hcp.adoc @@ -206,7 +206,7 @@ subjects: + [source,bash] ---- -oc get policy policy-mce-hcp-autoimport -n +oc get policies.policy.open-cluster-management.io policy-mce-hcp-autoimport -n ---- *Important:* You can _detach_ a hosted cluster from {acm-short} by using the *Detach* option in the {acm-short} console, or by removing the corresponding `ManagedCluster` custom resource from the command line. diff --git a/mce_acm_integration/discover_hosted/acm_integrate_import_rosa.adoc b/mce_acm_integration/discover_hosted/acm_integrate_import_rosa.adoc index 19652458e6..6cdfdc1ed6 100644 --- a/mce_acm_integration/discover_hosted/acm_integrate_import_rosa.adoc +++ b/mce_acm_integration/discover_hosted/acm_integrate_import_rosa.adoc @@ -193,5 +193,5 @@ subjects: + ---- -oc get policy policy-rosa-autoimport -n +oc get policies.policy.open-cluster-management.io policy-rosa-autoimport -n ---- From f554e496895cf0db8add085f75a81426c5c31ae7 Mon Sep 17 00:00:00 2001 From: swope Date: Wed, 26 Feb 2025 11:27:25 -0500 Subject: [PATCH 2/5] Update generate_pol_operator_install.adoc format --- governance/generate_pol_operator_install.adoc | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/governance/generate_pol_operator_install.adoc b/governance/generate_pol_operator_install.adoc index 078efd2b40..0761539cdd 100644 --- a/governance/generate_pol_operator_install.adoc +++ b/governance/generate_pol_operator_install.adoc @@ -6,6 +6,7 @@ Generate a policy that installs the Compliance Operator onto your clusters. For Complete the following steps: . Create a YAML file with a `Namespace`, a `Subscription`, and an `OperatorGroup` manifest called `compliance-operator.yaml`. The following example installs these manifests in the `compliance-operator` namespace. Replace `` with the correct channel: + + [source,yaml] ---- @@ -36,6 +37,7 @@ spec: ---- . Create a `PolicyGenerator` configuration file. View the following `PolicyGenerator` policy example that installs the Compliance Operator on all {ocp-short} managed clusters: + + [source,yaml] ---- @@ -59,6 +61,7 @@ policies: ---- . Add the policy generator to your `kustomization.yaml` file. The `generators` section might resemble the following configuration: + + [source,yaml] ---- @@ -67,6 +70,7 @@ generators: ---- + As a result, the generated policy resembles the following file: + + [source,yaml] ---- From 1733e36b53b03e3530235d6b86b69e5ae53a11b5 Mon Sep 17 00:00:00 2001 From: swope Date: Wed, 26 Feb 2025 11:28:49 -0500 Subject: [PATCH 3/5] Update manage_policies.adoc --- governance/manage_policies.adoc | 3 +++ 1 file changed, 3 insertions(+) diff --git a/governance/manage_policies.adoc b/governance/manage_policies.adoc index 7c158eb23a..11c02dccce 100644 --- a/governance/manage_policies.adoc +++ b/governance/manage_policies.adoc @@ -73,6 +73,7 @@ spec: ---- . Define a `PlacementBinding` resource to bind your policy to your `Placement` resource. Your `PlacementBinding` resource might resemble the following YAML sample: + + [source,yaml] ---- @@ -169,6 +170,7 @@ subjects: ---- + See the following `Placement` example: + + [source,yaml] ---- @@ -281,6 +283,7 @@ Delete a security policy from the CLI or the console. * Delete a security policy from the CLI: .. Delete a security policy by running the following command: + + ---- oc delete policies.policy.open-cluster-management.io -n From 45e2314948eb099d150b9acc5725606f04e6b013 Mon Sep 17 00:00:00 2001 From: swope Date: Wed, 26 Feb 2025 11:29:58 -0500 Subject: [PATCH 4/5] Update opp_policyset_install.adoc --- governance/opp_policyset_install.adoc | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/governance/opp_policyset_install.adoc b/governance/opp_policyset_install.adoc index 871da7d0af..73a5609b13 100644 --- a/governance/opp_policyset_install.adoc +++ b/governance/opp_policyset_install.adoc @@ -9,6 +9,7 @@ Continue reading for guidance to apply the Red Hat Openshift Platform Plus polic Complete the following steps before you apply the policy set: . To allow for subscriptions to be applied to your cluster, you must apply the `policy-configure-subscription-admin-hub.yaml` policy and set the remediation action to `enforce`. Copy and paste the following YAML into the YAML editor of the console: + + [source,yaml] ---- @@ -109,12 +110,14 @@ spec: ---- + . To apply the previous YAML from the command line interface, run the following command: + + ---- oc apply -f policy-configure-subscription-admin-hub.yaml ---- . Install the Policy Generator kustomize plugin. Use Kustomize v4.5 or newer. See link:../gitops/gitops_policy__operator.adoc#gitops-policy-operator[Generating a policy to install an Operator]. . Policies are installed to the `policies` namespace. You must bind that namespace to a `ClusterSet`. For example, copy and apply the following example YAML to bind the namespace to the default `ClusterSet`: + + [source,yaml] ---- @@ -128,6 +131,7 @@ spec: ---- + . Run the following command to apply the `ManagedClusterSetBinding` resource from the command line interface: + + ---- oc apply -f managed-cluster.yaml From 036985c24e3f2a13537255b6b55883d4308573d6 Mon Sep 17 00:00:00 2001 From: swope Date: Wed, 26 Feb 2025 11:35:23 -0500 Subject: [PATCH 5/5] Update manage_policies.adoc format wrong, needed to be clear steps --- governance/manage_policies.adoc | 23 ++++++++++++++--------- 1 file changed, 14 insertions(+), 9 deletions(-) diff --git a/governance/manage_policies.adoc b/governance/manage_policies.adoc index 11c02dccce..0b96520136 100644 --- a/governance/manage_policies.adoc +++ b/governance/manage_policies.adoc @@ -281,21 +281,26 @@ Click *Disable policy*. Your policy is disabled. Delete a security policy from the CLI or the console. -* Delete a security policy from the CLI: -.. Delete a security policy by running the following command: +Use the following procedure to delete from the CLI: + +. Delete a security policy by running the following command: + ---- oc delete policies.policy.open-cluster-management.io -n ---- -+ -After your policy is deleted, it is removed from your target cluster or clusters. Verify that your policy is removed by running the following command: `oc get policies.policy.open-cluster-management.io -n ` -* Delete a security policy from the console: -+ -From the navigation menu, click *Governance* to view a table list of your policies. Click the *Actions* icon for the policy you want to delete in the policy violation table. -+ -Click *Remove*. From the _Remove policy_ dialog box, click *Remove policy*. +. Verify that your policy is removed by running the following command: `oc get policies.policy.open-cluster-management.io -n ` + +Use the following procedure to delete a security policy from the console. + +. From the navigation menu, click *Governance* to view a table list of your policies. + +. Click the *Actions* icon for the policy you want to delete in the policy violation table. + +. Click *Remove*. + +. From the _Remove policy_ dialog box, click *Remove policy*. [#deleting-policy-sets] === Deleting policy sets from the console