IBM Multicloud Manager compliance and policy example

An IBM Multicloud Manager policy is defined within a compliance. Each compliance contains one or more policies. The compliance includes a clusterSelector that defines the clusters the compliance is applied to. The following is a complete YAML sample of a compliance and its policies.

Compliance policy elements

A compliance document contains the following elements:

Each policy within the compliance contains the following elements:

Compliance policy example:

apiVersion: compliance.mcm.ibm.com/v1alpha1
kind: Compliance
metadata:
  name: compliance1
  namespace: mcm
  description: Instance descriptor for compliance resource
spec:
  clusterSelector:
    #matchLabels:
    #  hipaa: "true"
    matchNames:
      - "icp1"
      - "icp2"
  runtime-rules:
    - apiVersion: policy.mcm.ibm.com/v1alpha1
      kind: Policy
      metadata:
        name: policy01
        description: Instance descriptor for policy resource
      spec:
        remediationAction: "enforce" # or "inform"
        namespaces:
          include: ["default"]
          exclude: ["kube*"]
        role-templates:
          - kind: RoleTemplate
            apiVersion: roletemplate.mcm.ibm.com/v1alpha1
            complianceType: "musthave" # at this level, it means the role must exist and contain the rules marked musthave below
            metadata:
              namespace: "" # will be inferred
              name: dev
            selector:
              # matchLabels:
              # hipaa: "true"
            rules:
              - complianceType: "musthave" # at this level, it means that if the role exists, it must contain this rule
                policyRule:
                  apiGroups: ["extensions", "apps"]
                  resources: ["deployments"]
                  verbs: ["get", "list", "watch", "create", "delete","patch"]
    - apiVersion: policy.mcm.ibm.com/v1alpha1
      kind: Policy
      metadata:
        name: policy02
        description: Instance descriptor for policy resource
      spec:
        remediationAction: "enforce" # or "inform"
        namespaces:
          include: ["default"]
          exclude: ["kube*"]
        role-templates:
          - kind: RoleTemplate
            apiVersion: roletemplate.mcm.ibm.com/v1alpha1
            complianceType: "musthave" # at this level, it means the role must exist and contain the rules marked musthave below
            metadata:
              namespace: "" # will be inferred
              name: operator
            selector:
              matchLabels:
                hipaa: "true"
            rules:
              - complianceType: "musthave" # at this level, it means that if the role exists, it must contain this rule
                policyRule:
                  apiGroups: ["extensions", "apps"]
                  resources: ["deployments"]
                  verbs: ["get", "list", "watch", "delete"]
              - complianceType: "mustnothave" # at this level, it means that if the role exists, it must not contain this rule
                policyRule:
                  apiGroups: ["core"]
                  resources: ["pods"]
                  verbs: ["create", "update", "patch"]
              - policyRule:
                  apiGroups: ["core"]
                  resources: ["secrets"]
                  verbs: ["get", "watch", "list", "create", "delete", "update", "patch"]
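
To make the musthave / mustnothave semantics and the namespace scoping concrete, here is an added Python example that is not part of the IBM documentation or product code. It takes the operator RoleTemplate from policy02 above (as a Python dict equivalent to the YAML), compares it against a constructed existing Role, reports the rules that are missing or forbidden, and, when remediationAction is "enforce", computes the remediated permission set. The treatment of a rule with no complianceType as musthave, the expansion of rules into (apiGroup, resource, verb) triples, and the glob matching of namespace patterns are assumptions of this example, not statements about how IBM Multicloud Manager implements them.

```python
"""Evaluate a RoleTemplate against an existing Role (added example, not IBM code)."""
from fnmatch import fnmatch
from itertools import product

# Rules of the "operator" RoleTemplate from policy02 on the page, as Python data.
OPERATOR_TEMPLATE = {
    "name": "operator",
    "rules": [
        {"complianceType": "musthave",
         "policyRule": {"apiGroups": ["extensions", "apps"], "resources": ["deployments"],
                        "verbs": ["get", "list", "watch", "delete"]}},
        {"complianceType": "mustnothave",
         "policyRule": {"apiGroups": ["core"], "resources": ["pods"],
                        "verbs": ["create", "update", "patch"]}},
        # No complianceType on the page; this example assumes musthave is the default.
        {"policyRule": {"apiGroups": ["core"], "resources": ["secrets"],
                        "verbs": ["get", "watch", "list", "create", "delete", "update", "patch"]}},
    ],
}

# Constructed sample: the "operator" Role as it currently exists in a cluster.
# It lacks "watch" on deployments and grants "create" on pods.
EXISTING_OPERATOR_ROLE_RULES = [
    {"apiGroups": ["extensions", "apps"], "resources": ["deployments"], "verbs": ["get", "list", "delete"]},
    {"apiGroups": ["core"], "resources": ["pods"], "verbs": ["get", "create"]},
    {"apiGroups": ["core"], "resources": ["secrets"],
     "verbs": ["get", "watch", "list", "create", "delete", "update", "patch"]},
]

# Namespace scoping from the policy spec on the page.
POLICY_NAMESPACES = {"include": ["default"], "exclude": ["kube*"]}


def expand(policy_rule):
    """Expand one rule into the set of (apiGroup, resource, verb) triples it grants."""
    return set(product(policy_rule["apiGroups"], policy_rule["resources"], policy_rule["verbs"]))


def granted_by(role_rules):
    """Union of all triples granted by a Role's rules."""
    granted = set()
    for rule in role_rules:
        granted |= expand(rule)
    return granted


def evaluate(role_template, role_rules):
    """Report musthave triples that are absent and mustnothave triples that are present."""
    granted = granted_by(role_rules)
    missing, forbidden = set(), set()
    for rule in role_template["rules"]:
        ctype = rule.get("complianceType", "musthave")  # assumption: musthave by default
        triples = expand(rule["policyRule"])
        if ctype == "musthave":
            missing |= triples - granted
        elif ctype == "mustnothave":
            forbidden |= triples & granted
        else:
            raise ValueError(f"unknown complianceType {ctype!r}")
    return {"missing": sorted(missing), "forbidden": sorted(forbidden)}


def apply_policy(remediation_action, role_template, role_rules):
    """Run the check; with "enforce", also return the remediated triple set.

    "inform" only reports; "enforce" adds every missing musthave triple and
    drops every forbidden mustnothave triple from what the Role grants.
    """
    report = evaluate(role_template, role_rules)
    report["compliant"] = not report["missing"] and not report["forbidden"]
    if remediation_action == "enforce" and not report["compliant"]:
        remediated = (granted_by(role_rules) | set(report["missing"])) - set(report["forbidden"])
        report["remediated"] = sorted(remediated)
    return report


def namespace_in_scope(namespace, namespaces_spec):
    """A namespace is in scope if it matches an include pattern and no exclude pattern.

    Glob matching (e.g. "kube*") is an assumption of this example.
    """
    included = any(fnmatch(namespace, pat) for pat in namespaces_spec.get("include", []))
    excluded = any(fnmatch(namespace, pat) for pat in namespaces_spec.get("exclude", []))
    return included and not excluded


if __name__ == "__main__":
    result = apply_policy("enforce", OPERATOR_TEMPLATE, EXISTING_OPERATOR_ROLE_RULES)
    print("compliant:", result["compliant"])
    print("missing:  ", result["missing"])
    print("forbidden:", result["forbidden"])
    for ns in ("default", "kube-system", "dev"):
        print(f"namespace {ns!r} in scope:", namespace_in_scope(ns, POLICY_NAMESPACES))
```

Against the constructed Role, the check reports the two missing ("extensions"/"apps", "deployments", "watch") triples and the forbidden ("core", "pods", "create") triple; with "enforce" the remediated set keeps the unrelated pods "get" permission, adds the two missing triples and removes the forbidden one. Only "default" is in scope, since "kube-system" matches the exclude pattern and "dev" matches no include pattern.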

See Working with IBM Multicloud Manager compliance for more compliance topics.