diff --git a/community/CM-Configuration-Management/policy-rosa-autoimport.yaml b/community/CM-Configuration-Management/policy-rosa-autoimport.yaml
new file mode 100644
index 00000000..25476cb5
--- /dev/null
+++ b/community/CM-Configuration-Management/policy-rosa-autoimport.yaml
@@ -0,0 +1,101 @@
+apiVersion: policy.open-cluster-management.io/v1
+kind: Policy
+metadata:
+ name: policy-rosa-autoimport
+ annotations:
+ policy.open-cluster-management.io/standards: NIST SP 800-53
+ policy.open-cluster-management.io/categories: CM Configuration Management
+ policy.open-cluster-management.io/controls: CM-2 Baseline Configuration
+ policy.open-cluster-management.io/description: Discovered clusters that are of
+ type ROSA can be automatically imported into ACM as managed clusters. This
+ policy helps you select those managed clusters and configure them so the import
+ will happen. If you do not want all of your ROSA clusters to be automatically
+ imported, you can configure filters or add an annotation.
+spec:
+ remediationAction: inform
+ disabled: false
+ policy-templates:
+ - objectDefinition:
+ apiVersion: policy.open-cluster-management.io/v1
+ kind: ConfigurationPolicy
+ metadata:
+ name: policy-rosa-autoimport
+ spec:
+ remediationAction: inform
+ severity: low
+ object-templates-raw: |
+ - complianceType: musthave
+ objectDefinition:
+ apiVersion: v1
+ kind: ConfigMap
+ metadata:
+ name: discovery-config
+ namespace: open-cluster-management-global-set
+ data:
+ rosa-filter: ""
+ {{- /* find the ROSA DiscoveredClusters */ -}}
+ {{- range $dc := (lookup "discovery.open-cluster-management.io/v1" "DiscoveredCluster" "" "").items }}
+ {{- /* Check for the flag that indicates the import should be skipped */ -}}
+ {{- $skip := "false" -}}
+ {{- range $key, $value := $dc.metadata.annotations }}
+ {{- if and (eq $key "discovery.open-cluster-management.io/previously-auto-imported")
+ (eq $value "true") }}
+ {{- $skip = "true" }}
+ {{- end }}
+ {{- end }}
+ {{- /* if the type is ROSA and the status is Active */ -}}
+ {{- if and (eq $dc.spec.status "Active")
+ (contains (fromConfigMap "open-cluster-management-global-set" "discovery-config" "rosa-filter") $dc.spec.displayName)
+ (eq $dc.spec.type "ROSA")
+ (eq $skip "false") }}
+ - complianceType: musthave
+ objectDefinition:
+ apiVersion: discovery.open-cluster-management.io/v1
+ kind: DiscoveredCluster
+ metadata:
+ name: {{ $dc.metadata.name }}
+ namespace: {{ $dc.metadata.namespace }}
+ spec:
+ importAsManagedCluster: true
+ {{- end }}
+ {{- end }}
+ - objectDefinition:
+ apiVersion: policy.open-cluster-management.io/v1
+ kind: ConfigurationPolicy
+ metadata:
+ name: policy-rosa-managedcluster-status
+ spec:
+ remediationAction: inform
+ severity: low
+ object-templates-raw: |
+ {{- /* Use the same DiscoveredCluster list to check ManagedCluster status */ -}}
+ {{- range $dc := (lookup "discovery.open-cluster-management.io/v1" "DiscoveredCluster" "" "").items }}
+ {{- /* Check for the flag that indicates the import should be skipped */ -}}
+ {{- $skip := "false" -}}
+ {{- range $key, $value := $dc.metadata.annotations }}
+ {{- if and (eq $key "discovery.open-cluster-management.io/previously-auto-imported")
+ (eq $value "true") }}
+ {{- $skip = "true" }}
+ {{- end }}
+ {{- end }}
+ {{- /* if the type is ROSA and the status is Active */ -}}
+ {{- if and (eq $dc.spec.status "Active")
+ (contains (fromConfigMap "open-cluster-management-global-set" "discovery-config" "rosa-filter") $dc.spec.displayName)
+ (eq $dc.spec.type "ROSA")
+ (eq $skip "false") }}
+ - complianceType: musthave
+ objectDefinition:
+ apiVersion: cluster.open-cluster-management.io/v1
+ kind: ManagedCluster
+ metadata:
+ name: {{ $dc.spec.displayName }}
+ namespace: {{ $dc.spec.displayName }}
+ annotations:
+ cluster.open-cluster-management.io/clusterset: default
+ status:
+ conditions:
+ - type: ManagedClusterAvailable
+ status: "True"
+ {{- end }}
+ {{- end }}
+
diff --git a/community/README.md b/community/README.md
index 5c17067f..99d9ac91 100644
--- a/community/README.md
+++ b/community/README.md
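Review bot: The first ConfigurationPolicy declares `rosa-filter: ""` as a musthave field of the discovery-config ConfigMap while the README row added in this same commit tells the operator to edit that ConfigMap to narrow the filter; if the controller compares the literal value, any non-empty filter turns the policy non-compliant and, once switched to `enforce`, is reverted to `""`, which silently re-widens auto-import to every Active ROSA DiscoveredCluster. Consider dropping the `data:` / `rosa-filter: ""` lines from the musthave so only the ConfigMap's existence is asserted, and create the filter value out of band. Both templates also call `fromConfigMap` on that same ConfigMap at render time, which appears to error when the object does not exist yet — with the default `inform` action nothing creates it, so the first evaluation likely ends in a template error rather than a clean compliance result. Finally, the status template pins every imported cluster to `cluster.open-cluster-management.io/clusterset: default`, the broadest placement scope on the hub; a comment such as `{{- /* change the clusterset annotation before enforcing; "default" makes the cluster targetable from every namespace bound to the default set */ -}}` above that line would make the consequence visible to whoever flips remediationAction.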
@@ -181,6 +181,7 @@ Policy | Description | Prerequisites
 [Policy to install and configure OADP operator for stateful application backup](./CM-Configuration-Management/acm-app-pv-backup/resources/policies/oadp-hdr-app-install.yaml) | First of 3 policies, used to backup or restore stateful applications on managed clusters. Used to install OADP on managed clusters and configure the connection to the storage location and installed on both backup and restore operations. | For more information, see [ACM Application Backup and Restore policy readme](./CM-Configuration-Management/acm-app-pv-backup/README.md)
 [Policy to backup a stateful application with OADP](./CM-Configuration-Management/acm-app-pv-backup/resources/policies/oadp-hdr-app-backup.yaml) | Second of 3 policies, used to backup stateful applications on managed clusters. | For more information, see [ACM Application Backup and Restore policy readme](./CM-Configuration-Management/acm-app-pv-backup/README.md)
 [Policy to restore a stateful application with OADP](./CM-Configuration-Management/acm-app-pv-backup/resources/policies/oadp-hdr-app-restore.yaml) | Last of 3 policies, used to restore stateful applications on managed clusters. | For more information, see [ACM Application Backup and Restore policy readme](./CM-Configuration-Management/acm-app-pv-backup/README.md)
+[Policy to automatically import ROSA clusters](./CM-Configuration-Management/policy-rosa-autoimport.yaml) | Use this policy to automatically import discovered ROSA clusters as a managed cluster. | By default this policy will configure ROSA discovered clusters to be automatically imported as a managed cluster. Edit the ConfigMap to adjust the discovered cluster filter. Edit the managed cluster resource to change the default ManagedClusterSet the mananged cluster is added to.
 ### Contingency Planning