IBM Multicloud Manager compliance and policy example
An IBM Multicloud Manager policy is defined within a compliance. Each compliance contains one or more policies. The compliance includes a clusterSelector that defines the clusters the compliance is applied to. The following is a complete YAML sample of a compliance and the policies it contains.
Compliance policy elements
A compliance document contains the following elements:
- A spec with a clusterSelector that determines which clusters the compliance is applied to.
- The runtime-rules, which is a list of the policies within the compliance.
Each policy within the compliance contains the following elements:
- A namespace selector (the namespaces field) that specifies which namespaces within the cluster the policy is applied to.
- A list of templates, such as role-templates or roleBinding-templates, within the policy that describes how a resource in Kubernetes should be defined, and whether it is allowed to exist.
Compliance policy example:
apiVersion: compliance.mcm.ibm.com/v1alpha1
kind: Compliance
metadata:
  name: compliance1
  namespace: mcm
  description: Instance descriptor for compliance resource
spec:
  clusterSelector:
    # matchLabels:
    #   - hipaa=true
    matchNames:
      - "icp1"
      - "icp2"
  runtime-rules:
    - apiVersion: policy.mcm.ibm.com/v1alpha1
      kind: Policy
      metadata:
        name: policy01
        description: Instance descriptor for policy resource
      spec:
        remediationAction: "enforce" # or "inform"
        namespaces:
          include: ["default"]
          exclude: ["kube*"]
        role-templates:
          - kind: RoleTemplate
            apiVersion: roletemplate.mcm.ibm.com/v1alpha1
            complianceType: "musthave" # at this level, it means the role must exist with the rules that it musthave below
            metadata:
              namespace: "" # will be inferred
              name: dev
            selector:
              # matchLabels:
              #   hipaa: "true"
            rules:
              - complianceType: "musthave" # at this level, it means if the role exists the rule is a musthave
                policyRule:
                  apiGroups: ["extensions", "apps"]
                  resources: ["deployments"]
                  verbs: ["get", "list", "watch", "create", "delete", "patch"]
    - apiVersion: policy.mcm.ibm.com/v1alpha1
      kind: Policy
      metadata:
        name: policy02
        description: Instance descriptor for policy resource
      spec:
        remediationAction: "enforce" # or "inform"
        namespaces:
          include: ["default"]
          exclude: ["kube*"]
        role-templates:
          - kind: RoleTemplate
            apiVersion: roletemplate.mcm.ibm.com/v1alpha1
            complianceType: "musthave" # at this level, it means the role must exist with the rules that it musthave below
            metadata:
              namespace: "" # will be inferred
              name: operator
            selector:
              matchLabels:
                hipaa: "true"
            rules:
              - complianceType: "musthave" # at this level, it means if the role exists the rule is a musthave
                policyRule:
                  apiGroups: ["extensions", "apps"]
                  resources: ["deployments"]
                  verbs: ["get", "list", "watch", "delete"]
              - complianceType: "mustnothave" # at this level, it means if the role exists the rule is a mustnothave
                policyRule:
                  apiGroups: ["core"]
                  resources: ["pods"]
                  verbs: ["create", "update", "patch"]
              - policyRule:
                  apiGroups: ["core"]
                  resources: ["secrets"]
                  verbs: ["get", "watch", "list", "create", "delete", "update", "patch"]
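To make the musthave / mustnothave semantics above concrete, here is an added Python checker (not IBM's documentation or Multicloud Manager controller code) that applies a policy's namespaces include/exclude globs to a cluster's namespace list and evaluates one RoleTemplate against a Role as it exists in the cluster. It assumes the YAML has already been parsed into dicts, that a rule without complianceType is treated as musthave, and that a mustnothave rule is violated whenever any Role rule grants any apiGroup/resource/verb combination it names.

```python
import fnmatch

def select_namespaces(cluster_namespaces, include, exclude):
    """Apply a policy's namespaces.include / namespaces.exclude glob lists."""
    keep = [ns for ns in cluster_namespaces
            if any(fnmatch.fnmatchcase(ns, p) for p in include)]
    return [ns for ns in keep
            if not any(fnmatch.fnmatchcase(ns, p) for p in exclude)]

KEYS = ("apiGroups", "resources", "verbs")

def covers(role_rule, policy_rule):
    """True when one Role rule grants everything the policyRule lists."""
    return all(set(policy_rule[k]) <= set(role_rule.get(k, [])) for k in KEYS)

def overlaps(role_rule, policy_rule):
    """True when a Role rule grants any apiGroup/resource/verb combination the policyRule names."""
    return all(set(policy_rule[k]) & set(role_rule.get(k, [])) for k in KEYS)

def check_role_template(template, existing_role):
    """Return violations for one RoleTemplate against the cluster's Role (None if the Role is absent)."""
    name = template["metadata"]["name"]
    if existing_role is None:
        # template-level musthave: the role itself must exist
        return [f"role {name!r} must exist"] if template.get("complianceType") == "musthave" else []
    role_rules = existing_role.get("rules", [])
    violations = []
    for rule in template.get("rules", []):
        ctype = rule.get("complianceType", "musthave")  # assumption: missing complianceType means musthave
        pr = rule["policyRule"]
        if ctype == "musthave" and not any(covers(rr, pr) for rr in role_rules):
            violations.append(f"role {name!r} lacks musthave rule {pr['verbs']} on {pr['resources']}")
        if ctype == "mustnothave" and any(overlaps(rr, pr) for rr in role_rules):
            violations.append(f"role {name!r} grants mustnothave rule {pr['verbs']} on {pr['resources']}")
    return violations

# Constructed sample: the "operator" RoleTemplate from policy02 above, and a Role as it might exist in a cluster.
OPERATOR_TEMPLATE = {
    "complianceType": "musthave",
    "metadata": {"name": "operator"},
    "rules": [
        {"complianceType": "musthave", "policyRule": {"apiGroups": ["extensions", "apps"], "resources": ["deployments"], "verbs": ["get", "list", "watch", "delete"]}},
        {"complianceType": "mustnothave", "policyRule": {"apiGroups": ["core"], "resources": ["pods"], "verbs": ["create", "update", "patch"]}},
    ],
}
CLUSTER_ROLE = {"rules": [
    {"apiGroups": ["extensions", "apps"], "resources": ["deployments"], "verbs": ["get", "list", "watch", "delete"]},
    {"apiGroups": ["core"], "resources": ["pods"], "verbs": ["get", "create"]},  # "create" on pods violates the mustnothave rule
]}

if __name__ == "__main__":
    print(select_namespaces(["default", "kube-system", "kube-public", "dev"], ["default"], ["kube*"]))
    print(check_role_template(OPERATOR_TEMPLATE, CLUSTER_ROLE))
```

With remediationAction set to "enforce" the controller would correct such a Role; with "inform" it would only report the violation.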
See Working with IBM Multicloud Manager compliance for more compliance topics.