From 05442379530b236421850e0194ba23a1177938ea Mon Sep 17 00:00:00 2001 From: yiraeChristineKim Date: Fri, 5 Jul 2024 14:49:11 -0400 Subject: [PATCH] Delete placementrule and placementbinding under configurationPolicy Signed-off-by: yiraeChristineKim --- .../policy-argocd-kubernetes.yaml | 42 ------------- .../policy-install-external-secrets.yaml | 50 --------------- .../policy-install-kyverno.yaml | 42 ------------- ...triliovault-for-kubernetes-using-helm.yaml | 63 +------------------ .../policy-sriovnetwork-templatized.yaml | 51 --------------- .../policy-falco-helm.yaml | 59 +---------------- 6 files changed, 2 insertions(+), 305 deletions(-) diff --git a/community/CM-Configuration-Management/policy-argocd-kubernetes.yaml b/community/CM-Configuration-Management/policy-argocd-kubernetes.yaml index a6024126e..cc1cdf06f 100644 --- a/community/CM-Configuration-Management/policy-argocd-kubernetes.yaml +++ b/community/CM-Configuration-Management/policy-argocd-kubernetes.yaml @@ -57,23 +57,6 @@ spec: packageOverrides: - packageAlias: argo-cd packageName: argo-cd - placement: - placementRef: - name: helmchartargo-placement-1 - kind: PlacementRule - - complianceType: musthave - objectDefinition: - apiVersion: apps.open-cluster-management.io/v1 - kind: PlacementRule - metadata: - name: helmchartargo-placement-1 - namespace: argocd - labels: - app: helmchartargo - spec: - clusterSelector: - matchLabels: - environment: dev - complianceType: musthave objectDefinition: apiVersion: apps.open-cluster-management.io/v1 
@@ -86,28 +69,3 @@ spec: spec: pathname: https://charts.wener.tech type: HelmRepo ---- -apiVersion: policy.open-cluster-management.io/v1 -kind: PlacementBinding -metadata: - name: binding-argocd-kubernetes -placementRef: - name: placement-argocd-kubernetes - kind: PlacementRule - apiGroup: apps.open-cluster-management.io -subjects: - - name: policy-argocd-kubernetes - kind: Policy - apiGroup: policy.open-cluster-management.io ---- -apiVersion: apps.open-cluster-management.io/v1 -kind: PlacementRule -metadata: - name: placement-argocd-kubernetes -spec: - clusterSelector: - matchExpressions: - - key: local-cluster - operator: In - values: - - 'true' diff --git a/community/CM-Configuration-Management/policy-install-external-secrets.yaml b/community/CM-Configuration-Management/policy-install-external-secrets.yaml index 987855087..430d7850d 100644 --- a/community/CM-Configuration-Management/policy-install-external-secrets.yaml +++ b/community/CM-Configuration-Management/policy-install-external-secrets.yaml @@ -1,7 +1,5 @@ # This policy deploys the external secrets helm chart by creating application resources on the # Open Cluster Management hub. The policy must be deployed to the Open Cluster Management hub, -# but update the embedded PlacementRule resource in this -# policy to configure which managed clusters the application will be placed on. apiVersion: policy.open-cluster-management.io/v1 kind: Policy 
@@ -100,53 +98,5 @@ spec: packageOverrides: - packageAlias: kubernetes-external-secrets packageName: kubernetes-external-secrets - placement: - placementRef: - kind: PlacementRule - name: external-secrets-placement remediationAction: enforce severity: low - - objectDefinition: - apiVersion: policy.open-cluster-management.io/v1 - kind: ConfigurationPolicy - metadata: - name: external-secrets-replication-placement - spec: - object-templates: - - complianceType: musthave - objectDefinition: - apiVersion: apps.open-cluster-management.io/v1 - kind: PlacementRule - metadata: - name: external-secrets-placement - namespace: external-secrets-system - labels: - app: external-secrets - spec: - clusterSelector: - matchLabels: - environment: dev - remediationAction: enforce - severity: high ---- -apiVersion: policy.open-cluster-management.io/v1 -kind: PlacementBinding -metadata: - name: binding-external-secrets-policy-app -placementRef: - apiGroup: apps.open-cluster-management.io - kind: PlacementRule - name: placement-external-secrets-policy-app -subjects: - - apiGroup: policy.open-cluster-management.io - kind: Policy - name: external-secrets-policy ---- -apiVersion: apps.open-cluster-management.io/v1 -kind: PlacementRule -metadata: - name: placement-external-secrets-policy-app -spec: - clusterSelector: - matchLabels: - name: local-cluster diff --git a/community/CM-Configuration-Management/policy-install-kyverno.yaml b/community/CM-Configuration-Management/policy-install-kyverno.yaml index bf6136663..cf8b3f60a 100644 --- a/community/CM-Configuration-Management/policy-install-kyverno.yaml +++ b/community/CM-Configuration-Management/policy-install-kyverno.yaml 
@@ -110,23 +110,6 @@ spec: initialDelaySeconds: 35 periodSeconds: 20 securityContext: null - placement: - placementRef: - name: kyverno-placement-1 - kind: PlacementRule - - complianceType: mustonlyhave - objectDefinition: - apiVersion: apps.open-cluster-management.io/v1 - kind: PlacementRule - metadata: - name: kyverno-placement-1 - namespace: kyverno - labels: - app: kyverno - spec: - clusterSelector: - matchLabels: - environment: dev - complianceType: musthave objectDefinition: apiVersion: apps.open-cluster-management.io/v1 @@ -139,28 +122,3 @@ spec: spec: pathname: https://kyverno.github.io/kyverno type: HelmRepo ---- -apiVersion: policy.open-cluster-management.io/v1 -kind: PlacementBinding -metadata: - name: binding-policy-install-kyverno -placementRef: - name: placement-policy-install-kyverno - kind: PlacementRule - apiGroup: apps.open-cluster-management.io -subjects: - - name: policy-install-kyverno - kind: Policy - apiGroup: policy.open-cluster-management.io ---- -apiVersion: apps.open-cluster-management.io/v1 -kind: PlacementRule -metadata: - name: placement-policy-install-kyverno -spec: - clusterSelector: - matchExpressions: - - key: local-cluster - operator: In - values: - - 'true' diff --git a/community/CM-Configuration-Management/policy-install-triliovault-for-kubernetes-using-helm.yaml b/community/CM-Configuration-Management/policy-install-triliovault-for-kubernetes-using-helm.yaml index eb1e42234..b9c7ed1b4 100644 --- a/community/CM-Configuration-Management/policy-install-triliovault-for-kubernetes-using-helm.yaml +++ b/community/CM-Configuration-Management/policy-install-triliovault-for-kubernetes-using-helm.yaml 
@@ -4,10 +4,6 @@ # ./CM-Configuration-Management/policy-create-license-triliovault-for-kubernetes-upstream.yaml. # Please conact sales@trilio.io for further support. # -# You must make sure the PlacementRule for the Policy installs the policy on the -# Open Cluster Management hub. The PlacementRule inside the Policy is what determines which clusters -# TVK will be installed on. -# # Note that it is set to enforce by default. # # Please refer product documentation at https://docs.trilio.io/kubernetes/overview/readme @@ -127,61 +123,4 @@ spec: packageOverrides: - packageName: k8s-triliovault-operator packageAlias: k8s-triliovault-operator - placement: - placementRef: - name: placement-policy-tvk-1 - kind: PlacementRule - - objectDefinition: - apiVersion: policy.open-cluster-management.io/v1 - kind: ConfigurationPolicy - metadata: - name: policy-tvk-placement - spec: - remediationAction: enforce - severity: high - object-templates: - - complianceType: musthave - objectDefinition: - apiVersion: apps.open-cluster-management.io/v1 - kind: PlacementRule - metadata: - name: placement-policy-tvk-1 - namespace: trilio-system - labels: - app: tvk - spec: - clusterSelector: - matchExpressions: - - key: vendor - operator: NotIn - values: - - OpenShift - - key: protected-by - operator: In - values: - - triliovault ---- -apiVersion: apps.open-cluster-management.io/v1 -kind: PlacementRule -metadata: - name: install-tvk-placement -spec: - clusterSelector: - matchExpressions: - - key: name - operator: In - values: - - local-cluster ---- -apiVersion: policy.open-cluster-management.io/v1 -kind: PlacementBinding -metadata: - name: install-tvk-placement -placementRef: - name: install-tvk-placement - apiGroup: apps.open-cluster-management.io - kind: PlacementRule -subjects: - - name: install-tvk-helm - apiGroup: policy.open-cluster-management.io - kind: Policy + \ No newline at end of file 
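Review bot: The final hunk of policy-install-triliovault-for-kubernetes-using-helm.yaml leaves the Subscription with no `placement` at all, because both its `placementRef` and the embedded PlacementRule `placement-policy-tvk-1` are removed and nothing replaces them. As far as the visible lines show, the hub Subscription then selects no target clusters, while the object template can presumably still report Compliant because the Subscription object itself exists. The same removal appears in the argocd, external-secrets, kyverno and falco hunks; for Kyverno and Falco a Compliant status would then no longer indicate that admission control or runtime detection is running on any managed cluster. Consider pointing the Subscription at the non-deprecated kind instead, e.g. `placement: {placementRef: {kind: Placement, name: <placement-name>}}`, or add a header comment stating that the user must supply the Subscription's placement. The enclosing Subscription starts outside the hunk, and the new last line is whitespace-only with no trailing newline (the falco file also loses its final newline).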
diff --git a/community/CM-Configuration-Management/policy-sriovnetwork-templatized.yaml b/community/CM-Configuration-Management/policy-sriovnetwork-templatized.yaml index 1ed93786a..97b661d48 100644 --- a/community/CM-Configuration-Management/policy-sriovnetwork-templatized.yaml +++ b/community/CM-Configuration-Management/policy-sriovnetwork-templatized.yaml @@ -38,31 +38,6 @@ spec: vlan: '{{hub fromConfigMap "" "site-config" (printf "%s-vlan" .ManagedClusterName) | toInt hub}}' --- apiVersion: policy.open-cluster-management.io/v1 -kind: PlacementBinding -metadata: - name: binding-policy-site-nw-templatized-common -placementRef: - name: placement-policy-site-nw-templatized-common - kind: PlacementRule - apiGroup: apps.open-cluster-management.io -subjects: - - name: policy-site-nw-templatized - kind: Policy - apiGroup: policy.open-cluster-management.io ---- -apiVersion: apps.open-cluster-management.io/v1 -kind: PlacementRule -metadata: - name: placement-policy-site-nw-templatized-common -spec: - clusterSelector: - matchExpressions: - - key: local-cluster - operator: In - values: - - 'true' ---- -apiVersion: policy.open-cluster-management.io/v1 kind: Policy metadata: name: policy-site-nw-templatized-config @@ -99,30 +74,4 @@ spec: cluster0002-phc2sysOpts: "-a -r -n 24" cluster0002-resourceName: "du_mh" cluster0002-vlan: "3621" ---- -apiVersion: policy.open-cluster-management.io/v1 -kind: PlacementBinding -metadata: - name: binding-policy-site-nw-templatized-config -placementRef: - name: placement-policy-site-nw-templatized-config - kind: PlacementRule - apiGroup: apps.open-cluster-management.io -subjects: - - name: policy-site-nw-templatized-config - kind: Policy - apiGroup: policy.open-cluster-management.io ---- -apiVersion: apps.open-cluster-management.io/v1 -kind: PlacementRule -metadata: - name: placement-policy-site-nw-templatized-config -spec: - clusterSelector: - matchExpressions: - - key: local-cluster - operator: In - values: - - 'true' ---- 
diff --git a/community/SI-System-and-Information-Integrity/policy-falco-helm.yaml b/community/SI-System-and-Information-Integrity/policy-falco-helm.yaml index ef8ad0b2d..ce5cdcffd 100644 --- a/community/SI-System-and-Information-Integrity/policy-falco-helm.yaml +++ b/community/SI-System-and-Information-Integrity/policy-falco-helm.yaml @@ -1,9 +1,5 @@ # Install falco using helm instead of using the operator. -# You must make sure the PlacementRule for the Policy installs the policy on the -# Open Cluster Management hub. The PlacementRule inside the Policy is what determines which clusters -# falco will be installed on. - # Edit the parameters for the helm chart inside the Subscription resource to # customize falco for your needs. If installing falco on openshift, be aware of # the following: 
@@ -215,57 +211,4 @@ spec: create: true tolerations: - effect: NoSchedule - key: node-role.kubernetes.io/master - placement: - placementRef: - name: placement-policy-falco-1 - kind: PlacementRule - - objectDefinition: - apiVersion: policy.open-cluster-management.io/v1 - kind: ConfigurationPolicy - metadata: - name: policy-falco-placement - spec: - remediationAction: enforce # the policy-template spec.remediationAction is overridden by the preceding parameter value for spec.remediationAction. - severity: high - namespaceSelector: - exclude: ["kube-*"] - include: ["*"] - object-templates: - - complianceType: musthave - objectDefinition: - apiVersion: apps.open-cluster-management.io/v1 - kind: PlacementRule - metadata: - name: placement-policy-falco-1 - namespace: falco - labels: - app: falco - spec: - clusterSelector: - matchLabels: - environment: dev ---- -apiVersion: policy.open-cluster-management.io/v1 -kind: PlacementBinding -metadata: - name: binding-policy-falco-app -placementRef: - name: placement-policy-falco-app - kind: PlacementRule - apiGroup: apps.open-cluster-management.io -subjects: -- name: policy-falco-app - kind: Policy - apiGroup: policy.open-cluster-management.io ---- -apiVersion: apps.open-cluster-management.io/v1 -kind: PlacementRule -metadata: - name: placement-policy-falco-app - labels: - app: falco -spec: - clusterSelector: - matchLabels: - name: local-cluster + key: node-role.kubernetes.io/master \ No newline at end of file