Policy example
Each IBM Cloud Pak for Multicloud Management policy can have one or more templates. For more details about the policy elements, see IBM Cloud Pak for Multicloud Management policy overview.
The policy requires a PlacementRule that defines the clusters that the policy document is applied to, and a PlacementBinding that binds the IBM Cloud Pak for Multicloud Management policy to the PlacementRule. You can create vulnerability and mutation policies for multiple namespaces on your hub cluster, but you can view only the policies, violations, and security findings that are associated with your own cluster and namespace. View the example placement policy and placement binding:
- Example placement policy that selects clusters based on a label:

  apiVersion: apps.open-cluster-management.io/v1
  kind: PlacementRule
  metadata:
    name: placement1
    namespace: mcm
  spec:
    clusterLabels:
      matchLabels:
        cloud: IBM
- Example placement binding that binds the placement policy and the policy document:

  apiVersion: policy.open-cluster-management.io/v1
  kind: PlacementBinding
  metadata:
    name: binding1
    namespace: mcm
  placementRef:
    name: placement1
    kind: PlacementRule
    apiGroup: apps.open-cluster-management.io/v1
  subjects:
  - name: policy1
    kind: Policy
    apiGroup: policy.open-cluster-management.io/v1
Important: The PlacementRule and PlacementBinding can be included in the same .yaml file or in separate .yaml files.
- Example policy:

  apiVersion: policy.open-cluster-management.io/v1
  kind: Policy
  metadata:
    name: policy1
    annotations:
      policy.mcm.ibm.com/standards: NIST
      policy.mcm.ibm.com/categories: SystemAndInformationIntegrity, RBAC
      policy.mcm.ibm.com/controls: MutationAdvisor
    namespace: mcm
  spec:
    remediationAction: "enforce" # enforce or inform
    disabled: "false" # or true
    complianceType: musthave # used as default, when missing in a particular sub-template
    namespaces:
      include: ["default"]
      exclude: ["kube*"]
    role-templates:
    - apiVersion: policy.open-cluster-management.io/v1
      metadata:
        namespace: "" # will be inferred
        name: operator-role
      selector:
        matchLabels:
          dev: "true"
      complianceType: musthave # at this level, it means the role must exist with the rules that it must have below
      rules:
      - complianceType: mustnothave # at this level, it means if the role exists the rule is a mustnothave
        policyRule:
          apiGroups: ["core"]
          resources: ["secrets"]
          verbs: ["get", "list", "watch", "delete", "create", "update", "patch"]
      - complianceType: musthave # at this level, it means if the role exists the rule is a musthave
        policyRule:
          apiGroups: ["core"]
          resources: ["pods"]
          verbs: ["get", "list", "watch"]
    policy-templates:
    - complianceType: musthave
      objectDefinition:
        kind: RoleBinding
        apiVersion: rbac.authorization.k8s.io/v1
        metadata:
          name: operate-pods-rolebinding
          namespace: default
        subjects:
        - kind: User
          name: admin # Name is case sensitive
          apiGroup: rbac.authorization.k8s.io
        roleRef:
          kind: Role # this must be Role or ClusterRole
          name: operator # this must match the name of the Role or ClusterRole you wish to bind to
          apiGroup: rbac.authorization.k8s.io
    - complianceType: musthave
      objectDefinition:
        apiVersion: policy/v1beta1
        kind: PodSecurityPolicy
        metadata:
          name: restricted-mcm
          annotations:
            seccomp.security.alpha.kubernetes.io/allowedProfileNames: '*'
        spec:
          privileged: false # no privileged pods
          allowPrivilegeEscalation: false
          allowedCapabilities:
          - '*'
          volumes:
          - '*'
          hostNetwork: true
          hostPorts:
          - min: 1000 # ports < 1000 are reserved
            max: 65535
          hostIPC: false
          hostPID: false
          runAsUser:
            rule: 'RunAsAny'
          seLinux:
            rule: 'RunAsAny'
          supplementalGroups:
            rule: 'RunAsAny'
          fsGroup:
            rule: 'RunAsAny'
    - complianceType: musthave
      objectDefinition:
        kind: NetworkPolicy
        apiVersion: networking.k8s.io/v1
        metadata:
          namespace: default
          name: deny-from-other-namespaces
        spec:
          podSelector:
            matchLabels:
          ingress:
          - from:
            - podSelector: {} # accept ingress from all pods within this namespace only
    - complianceType: musthave
      objectDefinition:
        apiVersion: v1
        kind: LimitRange
        metadata:
          name: mem-limit-range
        spec:
          limits:
          - default:
              memory: 512Mi
            defaultRequest:
              memory: 256Mi
            type: Container
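A consistency check for a bundle of these three documents, added here as an example and not code from IBM Cloud Pak for Multicloud Management: it assumes the YAML documents were already parsed into Python dicts (for example with yaml.safe_load_all), uses a constructed sample bundle that mirrors placement1, binding1 and policy1 above, and verifies that the binding's placementRef and subjects resolve in the binding's namespace, that remediationAction is enforce or inform, that every complianceType at each level is one of the two values used on this page, and that no Policy is left without a PlacementBinding.

```python
# Added example, not IBM Cloud Pak's own code. Documents are assumed already parsed
# (e.g. yaml.safe_load_all()); BUNDLE is constructed to mirror placement1/binding1/policy1.
VALID_REMEDIATION = {"enforce", "inform"}       # values the page allows
VALID_COMPLIANCE = {"musthave", "mustnothave"}  # values the page uses

def _ref(doc):  # (kind, namespace, name) key used to resolve cross-document references
    meta = doc.get("metadata", {})
    return doc.get("kind"), meta.get("namespace"), meta.get("name")

def lint_bundle(docs):
    """Return a list of findings; an empty list means the bundle is consistent."""
    findings, known, bound = [], {_ref(d) for d in docs}, set()
    for d in docs:
        kind, ns, name = _ref(d)
        if kind == "PlacementBinding":
            pr = d.get("placementRef", {})  # resolved in the binding's own namespace
            if (pr.get("kind"), ns, pr.get("name")) not in known:
                findings.append(f"{name}: placementRef {pr.get('name')!r} not found in {ns}")
            for s in d.get("subjects", []):
                key = (s.get("kind"), ns, s.get("name"))
                if key not in known:
                    findings.append(f"{name}: subject {s.get('name')!r} not found in {ns}")
                bound.add(key)
        elif kind == "Policy":
            spec = d.get("spec", {})
            if spec.get("remediationAction") not in VALID_REMEDIATION:
                findings.append(f"{name}: remediationAction must be enforce or inform")
            # complianceType may sit on each template and each role rule; missing => spec default
            levels = list(spec.get("role-templates", [])) + list(spec.get("policy-templates", []))
            for t in spec.get("role-templates", []):
                levels += t.get("rules", [])
            for lvl in levels:
                ct = lvl.get("complianceType", spec.get("complianceType"))
                if ct not in VALID_COMPLIANCE:
                    findings.append(f"{name}: unknown complianceType {ct!r}")
    for key in (_ref(d) for d in docs if d.get("kind") == "Policy"):
        if key not in bound:  # a Policy no binding selects is applied to no cluster
            findings.append(f"{key[2]}: not referenced by any PlacementBinding")
    return findings

BUNDLE = [  # constructed sample, same names as the page's examples
    {"kind": "PlacementRule", "metadata": {"name": "placement1", "namespace": "mcm"}},
    {"kind": "PlacementBinding", "metadata": {"name": "binding1", "namespace": "mcm"},
     "placementRef": {"name": "placement1", "kind": "PlacementRule"},
     "subjects": [{"name": "policy1", "kind": "Policy"}]},
    {"kind": "Policy", "metadata": {"name": "policy1", "namespace": "mcm"},
     "spec": {"remediationAction": "enforce", "complianceType": "musthave",
              "role-templates": [{"complianceType": "musthave", "rules": [{"complianceType": "mustnothave"}]}],
              "policy-templates": [{"complianceType": "musthave"}]}},
]
```

Running lint_bundle over the documents of a real bundle before applying them to the hub catches a binding whose placementRef or subject names do not match, which otherwise silently results in the policy being applied nowhere.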
See IBM Cloud Pak for Multicloud Management Governance and risk for more policy topics.