| Policy | Description | Prerequisites |
| --- | --- | --- |
| Upgrade OpenShift-Cluster Sample policy | Use this policy as an example for upgrading OpenShift clusters with a policy. | OpenShift 4.x is required. In the provided example, a version 4.7 cluster is upgraded to version 4.7.18. Change the channel and the desired version if you want to upgrade other versions. |
| Egress sample policy | With the egress firewall you can define per-project rules to allow or deny traffic (TCP or UDP) to the external network. | OpenShift 4.x is required. See the OpenShift Security Guide. Use the OpenShift Security Guide to secure your OpenShift cluster. |
| Example of configuring a cluster-wide proxy with a policy | Use this policy to configure a cluster-wide proxy. | OpenShift 4.x is required. See the OpenShift Documentation. This policy is only valid for OpenShift 4.x and needs to be adjusted for the proper environment. You should not include passwords in a policy. Use the templatized policy feature in RHACM 2.3 to avoid including the proxy password in the policy. |
| Example of configuring DNS with a policy | Use this policy to configure DNS in your OpenShift cluster. For example, you can remove public DNS. | OpenShift 4.x is required. See the OpenShift Documentation. This policy is only valid for OpenShift 4.x and needs to be adjusted for the proper environment. |
| Example of configuring the Cluster Network Operator with a policy | Use this policy to configure the network of your OpenShift cluster. | OpenShift 4.x is required. See the OpenShift Documentation. This policy is only valid for OpenShift 4.x and needs to be adjusted for the proper environment. |
| Example of creating a deployment object | This example generates 3 replicas of `nginx-pods`. | See the Kubernetes Documentation to learn more about Deployments. |
| Example of a policy used to configure GitHub-Authentication | Use this policy to log in to your OpenShift cluster with GitHub-Authentication. | OpenShift 4.x is required. See the OpenShift Documentation, Configuring a GitHub or GitHub Enterprise identity provider, to learn more about identity providers. You must modify the contents of this policy so that it is applicable to your environment. |
| Example of installing Performance Addon Operator | Use this policy to install the Performance Addon Operator, which provides the ability to enable advanced node performance tunings on a set of nodes. | OpenShift 4.x is required. See the RHACM & Performance Addon Operator repository documentation for more details. |
| Example of installing PTP Operator | Use this policy to install the Precision Time Protocol (PTP) Operator, which creates and manages the linuxptp services on a set of OpenShift nodes. | OpenShift 4.x is required. See the RHACM & PTP Operator repository documentation for more details. |
| Example of installing SR-IOV Network Operator | Use this policy to install the Single Root I/O Virtualization (SR-IOV) Network Operator, which manages the SR-IOV network devices and network attachments in your clusters. | OpenShift 4.x is required. See the RHACM & SR-IOV Network Operator repository documentation for more details. |
| Example of labeling nodes of a cluster | Use this policy to label nodes in your managed clusters. Note that you must know the name of the node or nodes to label. | OpenShift 4.x is required. See the OpenShift Documentation to learn more about labeling objects. |
| Example to configure an image policy | Use the image policy to define the repositories from which OpenShift can pull images. | OpenShift 4.x is required. Refer to the chapter named Container Image Security in the OpenShift Security Guide for more information. You must customize the contents of this policy. |
| Gatekeeper operator policy | Use the Gatekeeper operator policy to install the community version of Gatekeeper on a managed cluster. | See the Gatekeeper Operator. |
| Gatekeeper config exclude namespaces | Use the Gatekeeper policy to exclude namespaces from certain processes for all constraints in the cluster. | See the Gatekeeper documentation, exempting-namespaces-from-gatekeeper, for more information. Note: Gatekeeper controllers must be installed to use the Gatekeeper policy. See the Gatekeeper operator policy. |
| Gatekeeper container image with the latest tag | Use the Gatekeeper policy to enforce that containers in deployable resources do not use images with the `latest` tag. | See the Gatekeeper documentation. Note: Gatekeeper controllers must be installed to use the Gatekeeper policy. See the Gatekeeper operator policy. |
| Gatekeeper liveness probe not set | Use this Gatekeeper policy to make sure pods have a liveness probe. | See the Gatekeeper documentation. Note: Gatekeeper controllers must be installed to use the Gatekeeper policy. See the Gatekeeper operator policy. |
| Gatekeeper readiness probe not set | Use this Gatekeeper policy to make sure pods have a readiness probe. | See the Gatekeeper documentation. Note: Gatekeeper controllers must be installed to use the Gatekeeper policy. See the Gatekeeper operator policy. |
| Gatekeeper allowed external IPs | Use the Gatekeeper allowed external IPs policy to define the external IPs that can be specified by Services. | See the Gatekeeper documentation. Note: Gatekeeper controllers must be installed to use the Gatekeeper policy. See the Gatekeeper operator policy. |
| Gatekeeper sample policy | Use the Gatekeeper sample policy to view an example of how a Gatekeeper policy can be applied to a managed cluster. This sample requires a gatekeeper label to be applied to a list of namespaces. | See the Gatekeeper documentation. Note: Gatekeeper controllers must be installed to use the Gatekeeper policy. See the Gatekeeper operator policy. |
| Gatekeeper mutation policy (owner annotation) | Use the Gatekeeper mutation policy to set the owner annotation on pods. | See the Gatekeeper documentation. Note: Gatekeeper controllers must be installed to use the Gatekeeper policy. See the Gatekeeper operator policy. You must enable mutatingWebhook to use the Gatekeeper mutation feature. |
| Gatekeeper mutation policy (image pull policy) | Use the Gatekeeper mutation policy to set or update the image pull policy on pods. | See the Gatekeeper documentation. Note: Gatekeeper controllers must be installed to use the Gatekeeper policy. See the Gatekeeper operator policy. You must enable mutatingWebhook to use the Gatekeeper mutation feature. |
| Gatekeeper mutation policy (termination GracePeriodSeconds) | Use the Gatekeeper mutation policy to set or update the termination grace period seconds on pods. | See the Gatekeeper documentation. Note: Gatekeeper controllers must be installed to use the Gatekeeper policy. See the Gatekeeper operator policy. You must enable mutatingWebhook to use the Gatekeeper mutation feature. |
| MachineConfig Chrony sample policy | Use the MachineConfig Chrony policy to configure /etc/chrony.conf on certain machines. | OpenShift 4.x is required. For more information, see the Modifying node configurations in OpenShift 4.x blog. |
| Network-Policy-Samples | Use the Network policy to specify how groups of pods are allowed to communicate with each other and with other network endpoints. | See the OpenShift Security Guide. Note: Modify the policy to match your actual use cases. |
| OPA sample policy | Use the Open Policy Agent (OPA) sample policy to view an example of how an OPA policy can be created. You can also view an example of adding a Rego script into a ConfigMap, which is evaluated by the OPA. | See the OPA example repository. Note: OPA must be installed to use the OPA ConfigMap policy. |
| Trusted Container policy | Use the trusted container policy to detect whether running pods are using trusted images. | This policy requires a custom controller to be deployed. See the Trusted Container Policy Controller for details on the custom controller. |
| Trusted Node policy | Use the trusted node policy to detect whether there are untrusted or unattested nodes in the cluster. | This policy requires a custom controller to be deployed. See the Trusted Node Policy Controller for details on the custom controller. |
| ETCD Backup | Use the ETCD Backup policy to keep the last six backup snapshots for etcd. This policy uses the etcd container image because it contains all required tools, such as etcdctl. | OpenShift 4.x is required. For more information, see OpenShift 4 with default storage class. |
| Integrity Shield | Use Integrity Shield to protect the integrity of Kubernetes resources in a cluster (e.g. OpenShift). | See the Integrity Shield documentation. |
| Integrity Shield Events | Use the Integrity Shield Events policy to show a status that indicates whether Integrity Shield has denied any requests in a cluster. | See the Integrity Shield documentation. |
| Integrity Shield Observer | Integrity Shield Observer continuously verifies Kubernetes resources on the cluster according to ManifestIntegrityConstraint resources and exports the results to resources called ManifestIntegrityState. This policy is used to alert on any resource signature violations that have been identified by the observer. | This policy does not install Integrity Shield; it requires Integrity Shield to already be installed. See the Integrity Shield documentation. |
| v1alpha2 PolicyReport failures | This policy searches for any PolicyReport resources that contain failures in the results. | An example of a tool that creates PolicyReports is Kyverno. Be aware that the PolicyReports API is an alpha API and multiple versions may be available. A policy using the v1alpha1 API is v1alpha1 PolicyReport failures. |
| Kyverno sample policy | Use the Kyverno sample policy to view an example of how a Kyverno policy can be applied to a managed cluster. This policy is evaluated by the Kyverno controller on a managed cluster. This policy requires all pods to have a certain label defined. Note that you cannot create pods that do not have this label if you apply this policy. | See the Installation instructions and How to write Kyverno policies. Note: Kyverno must be installed on the managed clusters to use the Kyverno policy. |
| OpenShift Kernel Configuration | Use this policy to create OpenShift 4 machine configurations that install kernel development packages. The kernel development packages are needed for the Sysdig and Falco agents to integrate into the host kernel. | This policy is only valid for OpenShift 4.x. |
| Volsync Persistent Data Replication | Use this policy to deploy the Volsync controller. Once the controller has been deployed, replication source and replication destination objects can be created, allowing persistent volume claims to be replicated. | See the VolSync Replication documentation for more information. |
| Setup-Subscription-Admin | Use this policy to activate the Subscription-Admin feature in RHACM. | See this solution for more information about this feature: https://access.redhat.com/solutions/6010251 |
| Configure-Logforwarding | Use this policy to configure Logforwarding. | OpenShift 4.x is required. See this blog for more information about this example. |
| Install OpenShift-Update-Service | Use this policy to install the OpenShift Update Service. | This policy is only valid for OpenShift 4.6+. Read the documentation for more information. |
| Install OpenShift-Gitops | Use this policy to install the Red Hat OpenShift GitOps operator, which can be used to install and configure Gitops, Tekton and ArgoCD. | Requires OpenShift 4.x. Check the documentation for more information. |
| Configure OpenShift Image-Pruner | Use this policy to configure the OpenShift Image-Pruner. | OpenShift 4.x is required. Check the documentation for more information. |
| Policy to configure a POD Disruption Budget | Use this policy to configure a Pod Disruption Budget. | Check the Kubernetes documentation for more information. |
| Policy to configure a cluster autoscaler | Use this policy to configure a ClusterAutoscaler. | OpenShift 4.x is required. Check the OpenShift documentation for more information. |
| Policy to configure Ingress Controller | Use this policy to configure the IngressController. | OpenShift 4.x is required. Check the OpenShift documentation for more information on how to customize this policy. |
| Policy to configure the Scheduler | Use this policy to configure the OpenShift Scheduler. | OpenShift 4.x is required. Check the OpenShift documentation for more information. |
| Policy to install the Red Hat Single Sign-On Operator | Use this policy to install the Red Hat Single Sign-On Operator. | OpenShift 4.x is required. Check the documentation for more information. |
| Policy to install External-Secrets | Use this policy to install External Secrets. Kubernetes External Secrets allows you to use external secret management systems, like AWS Secrets Manager or HashiCorp Vault, to securely add secrets in Kubernetes. | Check the documentation and this solution for more information. |
| Policy to install the Red Hat Advanced Cluster Security Central Server | Use this policy to install the Red Hat Advanced Cluster Security operator to the Open Cluster Management hub and install the Central Server to the stackrox namespace. | OpenShift 4.x is required. For more information on Red Hat Advanced Cluster Security, visit Red Hat Advanced Cluster Security for Kubernetes. |
| Policy to install the Red Hat Advanced Cluster Security Secure Cluster Services | Use this policy to install the Red Hat Advanced Cluster Security operator to all OpenShift managed clusters and install the Secure Cluster Services to the stackrox namespace. | OpenShift 4.x is required. For more information on Red Hat Advanced Cluster Security, visit Red Hat Advanced Cluster Security for Kubernetes. This policy requires policy template support to be available in Red Hat Advanced Cluster Management for Kubernetes version 2.3. See advanced-cluster-security for additional prerequisites needed for installing this policy. |
| Policy to install cert-manager | Use this policy to deploy the community operator for cert-manager, which installs cert-manager on OpenShift clusters. | For more information on cert-manager, visit Cloud native certificate management. |
| Policy to label a Managed-Cluster | Use this policy to label a Managed-Cluster. | Open Cluster Management is required. This policy needs to be applied on the Managing-Cluster; adjust the labels to your needs. |
| Policy to set a Config-Map with properties for different environments | Use this policy to configure a policy for different environments. | Adjust this example for your needs. |
| Policy to install Local Storage Operator | Use this policy to install and configure the Local Storage Operator. | Adjust the LocalVolumeSet and StorageClass for your needs. |
| Policy to define a Custom CatalogSource | Use this policy to configure or patch a Custom CatalogSource. | OpenShift 4.x is required. Consult the documentation for more information. |
| Policy to install the ansible-awx-operator | Use this policy to configure the ansible-awx-operator to allow AnsibleJobs to be processed. | Archived: This policy is needed for Ansible integration on OpenShift 4.8 and older. Use the Ansible Automation Platform operator policy as a replacement for this operator. |
| Policy to install the Ansible Automation Platform operator | Use this policy to install Ansible Automation Platform. | Requires OpenShift 4.x. This operator is needed to process AnsibleJobs. See the Red Hat Ansible Automation Platform for more details. |
| Policy to configure ClusterLogForwarding using Template-Feature | Use this policy to configure ClusterLogForwarding to send audit logs to a Kafka-Topic. | Every cluster gets its own topic because of the new templatized feature. To validate the configuration, run the following command: `oc get ClusterLogForwarder instance -n openshift-logging -oyaml`. The minimum prerequisites are OpenShift 4.6 and RHACM 2.3. |
| Policy to setup ODF | Use this policy to install and configure the OpenShift Data Foundation. | Making it work requires suitable nodes; on AWS, for example, m5 instances are required. Requires OpenShift 4.6 or later. |
| Policy to install Kyverno | Use this policy to install Kyverno. | Consult the following link for more information about Kyverno. |
| Kyverno config exclude resources | Use this Kyverno policy to exclude resources from certain processes for all constraints in the cluster. | See the Resource Filters from the Kyverno documentation. Note: The Kyverno controller must be installed to use the Kyverno policy. See Policy to install Kyverno. |
| Kyverno mutation policy (image pull policy) | Use the Kyverno mutation policy to set or update the image pull policy on pods. | See the Kyverno project. Note: The Kyverno controller must be installed to use the Kyverno policy. See the Policy to install Kyverno. |
| Kyverno mutation policy (termination GracePeriodSeconds) | Use the Kyverno mutation policy to set or update the termination grace period seconds on pods. | See the Kyverno project. Note: The Kyverno controller must be installed to use the Kyverno policy. See the Policy to install Kyverno. |
| Policy to install ArgoCD on Non-OpenShift Clusters | Use this policy to install ArgoCD on Kubernetes. | This policy deploys ArgoCD as a Helm Chart and can be applied to non-OpenShift clusters. |
| Policy to create a CronJob installing oc-client | Use this policy to execute custom commands using oc-client. | There are several examples where you might need to set up custom commands. You must customize the commands you want to run in the policy. To learn more, visit the Kubernetes CronJob documentation. |
| Scan your cluster with the OpenShift Moderate security profile | This example creates a ScanSettingBinding that the Compliance Operator uses to scan the cluster for compliance with the OpenShift FedRAMP Moderate benchmark. | The Compliance Operator can only scan OpenShift nodes. For more details, visit: Understanding the Compliance Operator. |
| Scan control plane components of HyperShift hosted cluster using tailored CIS Benchmark for OpenShift profile | This example creates a TailoredProfile designed to scan control plane components of a HyperShift hosted cluster, in addition to a ScanSetting and ScanSettingBinding to invoke a scan using the TailoredProfile. | The Compliance Operator can only scan OpenShift nodes. For more details, visit: Understanding the Compliance Operator. |
| Policy to customize OpenShift OAuth tokens | Use this policy to configure the OpenShift tokens to expire after a set period of inactivity. | OpenShift 4.x is required. For more information on configuring the OAuth clients, see the OpenShift documentation: Configuring the internal OAuth server. |
| Policy to install IDP operator | Use this policy to install the Identity configuration management operator. | For more information on this operator, see the IDP documentation. NOTE: See the IDP requirements and recommendations before using this policy. |
| Policy to configure Github identity provider in IDP | Use this policy to apply Github OAuth to managed clusters through IDP. | For more information on this operator, see the IDP documentation: Identity configuration management for Kubernetes. NOTE: The IDP Operator must be installed before using this policy. |
| Policy to install the OpenShift File Integrity operator | Use the File Integrity Operator to continually run file integrity checks on the cluster nodes. This policy becomes NonCompliant when a FileIntegrityNodeStatus returns a status of Failed, which indicates that files on the nodes have changed. | OpenShift 4.x is required. See Understanding the File Integrity Operator for more details. |
| Policy to install AWS MachineSets on OpenShift | This policy creates 3 OpenShift MachineSets that are intended for installing OpenShift Cluster Storage on AWS. | OpenShift 4.x is required. These MachineSets also require AWS and contain image IDs that are specific to OpenShift 4.9. Update the AMI IDs in the policy prior to use. See the comments in the policy for additional details. |