Updating Trilio install policy for version 4.0.x
Signed-off-by: Sachin Kulkarni <[email protected]>

(cherry picked from commit f289ea6)
sachin-trilio authored and magic-mirror-bot[bot] committed Jan 26, 2024
1 parent 036c558 commit 9fdf7b6
Showing 2 changed files with 139 additions and 126 deletions.
@@ -1,149 +1,163 @@
# This policy deploys Triliovault for Kubernetes (TVK) to all OpenShift managed clusters
# with a label "protected-by=triliovault". It also deploys a basic (trial) license.
# This policy deploys Triliovault for Kubernetes (T4K) to all OpenShift managed clusters
# with a label "protected-by=triliovault".
# It will also deploy a license that you provide in a ConfigMap
# Please conact [email protected] for further support.
#
# Note that it is set to enforce by default.
#
# Please refer product documentation at https://docs.trilio.io/kubernetes/overview/readme
#
# IMPORTANT: Please follow below instructions for the policy to work
# 1. On the hub cluster, create a configmap trilio-license in the namespace
# where this policy is placed. The configmap has Trilio License which is
# needed to use Trilio.
#
# 2. ConfigMap Example yaml (replace the values)
# apiVersion: v1
# kind: ConfigMap
# metadata:
# name: trilio-license
# Data:
# key: <<REPLACE THIS WITH ACTUAL KEY>>
#
apiVersion: policy.open-cluster-management.io/v1
kind: Policy
metadata:
name: install-tvk
name: install-trilio
annotations:
policy.open-cluster-management.io/categories: CA Security Assessment and Authorization
policy.open-cluster-management.io/standards: NIST SP 800-53
policy.open-cluster-management.io/controls: CA-2 Security Assessments, CA-7 Continuous Monitoring
spec:
disabled: false
remediationAction: inform
policy-templates:
- objectDefinition:
apiVersion: policy.open-cluster-management.io/v1
kind: ConfigurationPolicy
metadata:
name: check-ns-openshift-operators
spec:
remediationAction: inform
severity: high
object-templates:
- complianceType: musthave
objectDefinition:
apiVersion: v1
kind: Namespace
metadata:
name: openshift-operators
- objectDefinition:
apiVersion: policy.open-cluster-management.io/v1
kind: ConfigurationPolicy
metadata:
name: tvk-operator-subscription
spec:
remediationAction: enforce
severity: high
object-templates:
- complianceType: musthave
objectDefinition:
apiVersion: operators.coreos.com/v1alpha1
kind: Subscription
metadata:
name: k8s-triliovault
namespace: openshift-operators
spec:
name: k8s-triliovault
channel: stable
installPlanApproval: Automatic
source: certified-operators
sourceNamespace: openshift-marketplace
- objectDefinition:
apiVersion: policy.open-cluster-management.io/v1
kind: ConfigurationPolicy
metadata:
name: tvk-operator-status
spec:
remediationAction: enforce
severity: high
object-templates:
- complianceType: musthave
objectDefinition:
apiVersion: operators.coreos.com/v1alpha1
kind: ClusterServiceVersion
metadata:
namespace: openshift-operators
spec:
displayName: TrilioVault for Kubernetes
status:
phase: Succeeded
- objectDefinition:
apiVersion: policy.open-cluster-management.io/v1
kind: ConfigurationPolicy
metadata:
name: tvk-manager-cr
spec:
remediationAction: enforce
severity: high
object-templates:
- complianceType: musthave
objectDefinition:
apiVersion: triliovault.trilio.io/v1
kind: TrilioVaultManager
metadata:
name: triliovault-manager
namespace: openshift-operators
spec:
applicationScope: Cluster
componentConfiguration:
ingress-controller:
enabled: false
dataJobResources:
limits:
cpu: 1500m
memory: 5Gi
requests:
cpu: 100m
memory: 800Mi
logLevel: Info
metadataJobResources:
limits:
cpu: 500m
memory: 1Gi
requests:
cpu: 10m
memory: 10Mi
tvkInstanceName: tvk-instance
status:
status: Deployed
- objectDefinition:
apiVersion: policy.open-cluster-management.io/v1
kind: ConfigurationPolicy
metadata:
name: tvk-license
spec:
remediationAction: enforce
severity: high
object-templates:
- complianceType: musthave
objectDefinition:
apiVersion: triliovault.trilio.io/v1
kind: License
metadata:
name: triliovault-license
namespace: openshift-operators
spec:
key: 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X02gc
status:
status: Active
- objectDefinition:
apiVersion: policy.open-cluster-management.io/v1
kind: ConfigurationPolicy
metadata:
name: check-ns-trilio-system
spec:
object-templates:
- complianceType: musthave
objectDefinition:
apiVersion: v1
kind: Namespace
metadata:
name: trilio-system
remediationAction: inform
severity: high
- objectDefinition:
apiVersion: policy.open-cluster-management.io/v1
kind: ConfigurationPolicy
metadata:
name: trilio-operator-subscription
spec:
object-templates:
- complianceType: musthave
objectDefinition:
apiVersion: operators.coreos.com/v1alpha1
kind: Subscription
metadata:
name: k8s-triliovault
namespace: trilio-system
spec:
name: k8s-triliovault
channel: 4.0.x
installPlanApproval: Automatic
source: certified-operators
sourceNamespace: openshift-marketplace
remediationAction: inform
severity: high
- objectDefinition:
apiVersion: policy.open-cluster-management.io/v1
kind: ConfigurationPolicy
metadata:
name: trilio-operator-status
spec:
object-templates:
- complianceType: musthave
objectDefinition:
apiVersion: operators.coreos.com/v1alpha1
kind: ClusterServiceVersion
metadata:
namespace: trilio-system
spec:
displayName: Trilio for Kubernetes
status:
phase: Succeeded
remediationAction: inform
severity: high
- objectDefinition:
apiVersion: policy.open-cluster-management.io/v1
kind: ConfigurationPolicy
metadata:
name: trilio-manager-configuration
spec:
remediationAction: enforce
severity: high
object-templates:
- complianceType: musthave
objectDefinition:
apiVersion: triliovault.trilio.io/v1
kind: TrilioVaultManager
metadata:
name: triliovault-manager
namespace: trilio-system
spec:
applicationScope: Cluster
componentConfiguration:
ingress-controller:
enabled: false
dataJobResources:
limits:
cpu: 1500m
memory: 5Gi
requests:
cpu: 100m
memory: 800Mi
logLevel: Info
metadataJobResources:
limits:
cpu: 500m
memory: 1Gi
requests:
cpu: 10m
memory: 10Mi
tvkInstanceName: >
{{ (lookup "config.openshift.io/v1" "Infrastructure" "" "cluster").status.infrastructureName }}
- objectDefinition:
apiVersion: policy.open-cluster-management.io/v1
kind: ConfigurationPolicy
metadata:
name: trilio-license
spec:
object-templates:
- complianceType: musthave
objectDefinition:
apiVersion: triliovault.trilio.io/v1
kind: License
metadata:
name: trilio-license
namespace: trilio-system
spec:
key: '{{hub fromConfigMap "" "trilio-license" "key" hub}}'
status:
status: Active
remediationAction: inform
severity: high
remediationAction: enforce
---
apiVersion: apps.open-cluster-management.io/v1
kind: PlacementRule
metadata:
name: install-tvk-placement
name: install-trilio-placement
spec:
clusterSelector:
matchExpressions:
- key: protected-by
operator: In
values:
- triliovault
- trilio
- key: vendor
operator: In
values:
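Review bot: the template-level `remediationAction: inform` values added on check-ns-trilio-system, trilio-operator-subscription, trilio-operator-status and trilio-license will never take effect, because the policy-level `remediationAction: enforce` added at the end of `spec` overrides the remediationAction of every ConfigurationPolicy template; since the header comment already states the policy enforces by default, either drop the per-template values or set them all to `enforce`, so a reader is not misled into believing the namespace, Subscription and License are only reported while trilio-manager-configuration is enforced. Two smaller points in the header comment: the ConfigMap example uses `Data:` with a capital D, which is not a ConfigMap field (the key is lowercase `data`) and will be ignored or rejected depending on field validation, and `conact` in `Please conact ...` is a typo. Moving the license key out of the committed policy file into the hub `trilio-license` ConfigMap via `{{hub fromConfigMap "" "trilio-license" "key" hub}}` is the right direction; consider `>-` instead of `>` for `tvkInstanceName` so the folded scalar does not carry a trailing newline into the resolved instance name.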
@@ -152,13 +166,12 @@ spec:
apiVersion: policy.open-cluster-management.io/v1
kind: PlacementBinding
metadata:
name: install-tvk-placement
name: install-trilio-placement
placementRef:
name: install-tvk-placement
name: install-trilio-placement
apiGroup: apps.open-cluster-management.io
kind: PlacementRule
subjects:
- name: install-tvk
- name: install-trilio
apiGroup: policy.open-cluster-management.io
kind: Policy

2 changes: 1 addition & 1 deletion community/README.md
@@ -155,7 +155,7 @@ Policy | Description | Prerequisites
[Policy to configure a `ManagedClusterSetBinding`](./CM-Configuration-Management/policy-managedclustersetbinding.yaml) | Use this policy to create a namespace named `policies` and bind it to the `ClusterSet` named `default`. This allows policies created in that namespace to use the cluster placement with any managed clusters in the default cluster set. | This policy should only be placed on the hub cluster.
[Policy to install the Red Hat Web Terminal Operator](./CM-Configuration-Management/policy-web-terminal-operator.yaml) | OpenShift 4.10 or newer is required. See [About the web terminal in the web console](https://docs.openshift.com/container-platform/4.10/web_console/odc-about-web-terminal.html) for more details.
[Policy to configure proxy protocol](./CM-Configuration-Management/policy-proxy-protocol.yaml) | See [Configuring the PROXY protocol](https://docs.openshift.com/container-platform/4.10/networking/ingress-operator.html#nw-ingress-controller-configuration-proxy-protocol_configuring-ingress) for more details.
[Policy to install Triliovault for Kubernetes Operator](./CM-Configuration-Management/policy-install-triliovault-for-kubernetes.yaml) | Use this policy to install Triliovault for Kubernetes Operator and a trial license on Openshift clusters with label "protected-by=triliovault" | Requires OpenShift 4.8 or later. Needs CSI Driver with snapshot capabilities, storageClass and volumeSnapshotClass. For more information, refer [documentation](https://docs.trilio.io/kubernetes/getting-started-3/getting-started#prerequisites-for-tvk)
[Policy to install Trilio for Kubernetes Operator](./CM-Configuration-Management/policy-install-triliovault-for-kubernetes.yaml) | Use this policy to install Trilio for Kubernetes Operator on Openshift clusters with label "protected-by=triliovault" | Requires OpenShift 4.8 or later. Needs CSI Driver with snapshot capabilities, storageClass and volumeSnapshotClass. For more information, refer [documentation](https://docs.trilio.io/kubernetes/getting-started-3/getting-started#prerequisites-for-tvk)
[Policy to create namespace based backup using Triliovault for Kubernetes](./CM-Configuration-Management/policy-create-ns-backup-triliovault-for-kubernetes.yaml) | Use this policy to create namespace based backup using Triliovault for Kubernetes on Openshift clusters with label "protected-by=triliovault" | Requires OpenShift 4.8 or later. **Note**: Triliovault for Kubernetes must be installed to use this policy. See the [Policy to install Triliovault for Kubernetes Operator](./CM-Configuration-Management/policy-install-triliovault-for-kubernetes.yaml). On the hub cluster, create a secret "aws-s3-secret" with S3 credentials and a configmap "aws-s3-configmap" with S3 bucket name, region name, thresholdCapacity & namespace name for backup in the namespace on the hub cluster where this policy is created (details given in the policy). For more information, refer [documentation](https://docs.trilio.io/kubernetes/getting-started-3/getting-started#prerequisites-for-tvk)
[Policy to create namespace based backup using Triliovault for Kubernetes and kyverno template](./CM-Configuration-Management/policy-create-ns-backup-triliovault-for-kubernetes-templatized.yaml) | Use this policy to create namespace based backup using Triliovault for Kubernetes and kyverno template on Openshift clusters with label "protected-by=triliovault". It creates backup of the namespaces having a label "protected-by=tvk-ns-backup" | Requires OpenShift 4.8 or later. **Note**: Kyverno controller must be installed to use the kyverno policy. See the [Policy to install Kyverno](./CM-Configuration-Management/policy-install-kyverno.yaml). Triliovault for Kubernetes must be installed to use this policy. See the [Policy to install Triliovault for Kubernetes Operator](./CM-Configuration-Management/policy-install-triliovault-for-kubernetes.yaml). On the hub cluster, create a secret "aws-s3-secret" with S3 credentials and a configmap "aws-s3-configmap" with S3 bucket name, region name & thresholdCapacity in the namespace where this policy is created (details given in the policy). For more information, refer [documentation](https://docs.trilio.io/kubernetes/getting-started-3/getting-started#prerequisites-for-tvk)
[policy-pod-placement](./CM-Configuration-Management/policy-pod-placement.yaml) | Ensures that a pod exists as specified. This policy uses the `Placement` kind rather than a `PlacementRule` to select managed clusters to deploy to. |
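Review bot: the renamed row still says the policy targets clusters labelled "protected-by=triliovault", but the PlacementRule in this commit now also matches `protected-by=trilio`, and the Prerequisites column does not mention the new hub-side requirement that the policy header spells out: a ConfigMap named `trilio-license` holding the license key must exist in the namespace where the policy is placed (the two backup-policy rows below document their hub secret and configmap in exactly this way, so this row should too). The two rows below it also still link to "Policy to install Triliovault for Kubernetes Operator" and say "Triliovault for Kubernetes", so the product name is now inconsistent within the table; while here, "Openshift" should be "OpenShift" to match the surrounding rows.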
