IBM Multicloud Manager compliance and policy overview

An IBM Multicloud Manager policy is defined within a compliance. Each compliance contains one or more policies. To define the clusters that the compliance applies to, create a PlacementPolicy and bind it to the compliance with a PlacementBinding.

Compliance policies are created with CustomResourceDefinitions. See Extend the Kubernetes API with CustomResourceDefinitions to learn more about CustomResourceDefinitions (CRDs).

Compliance policy elements

The spec of a compliance document contains runtime-rules, a list of the policies that belong to the compliance. Each policy within the compliance contains the following elements:

Compliance policy template examples

Example of role-templates and object-templates: the following .yaml file defines a compliance with one policy that contains a role-template and several object-templates. Edit the spec section of your YAML to define your policy.

  apiVersion: compliance.mcm.ibm.com/v1alpha1
  kind: Compliance
  metadata:
    name: compliance1
  spec:
    runtime-rules:
      - apiVersion: policy.mcm.ibm.com/v1alpha1
        kind: Policy
        metadata:
          name: policy1
          labels:
            cis-docker: "true"
        spec:
          remediationAction: "enforce" # enforce (create or correct the resources) or inform (report only)
          complianceType: "musthave" # default for any sub-template that does not set its own
          namespaces:
            include: ["default"]
            exclude: ["kube*"] # glob; excludes kube-system, kube-public, and so on
          role-templates:
            - apiVersion: roletemplate.mcm.ibm.com/v1alpha1
              metadata:
                namespace: "" # inferred from the namespaces selection above
                name: operator-role
              selector:
                matchLabels:
                  dev: "true"
              complianceType: "musthave" # at this level: the role must exist, with its rules evaluated as below
              rules:
                - complianceType: "mustnothave" # at this level: if the role exists, it must not grant these verbs on secrets
                  policyRule:
                    apiGroups: ["core"] # native Kubernetes RBAC names the core group ""; verify the Role the controller generates
                    resources: ["secrets"]
                    verbs: ["get", "list", "watch", "delete", "create", "update", "patch"]
                - complianceType: "musthave" # at this level: if the role exists, it must grant these verbs on pods
                  policyRule:
                    apiGroups: ["core"]
                    resources: ["pods"]
                    verbs: ["get", "list", "watch"]
          object-templates:
            - complianceType: "musthave"
              objectDefinition:
                kind: RoleBinding
                apiVersion: rbac.authorization.k8s.io/v1
                metadata:
                  name: operate-pods-rolebinding
                  namespace: default
                subjects:
                - kind: User
                  name: admin # name is case sensitive
                  apiGroup: rbac.authorization.k8s.io
                roleRef:
                  kind: Role # must be Role or ClusterRole
                  name: operator-role # must match the name of the Role or ClusterRole you bind to; here the role-template above
                  apiGroup: rbac.authorization.k8s.io
            - complianceType: "musthave"
              objectDefinition:
                apiVersion: policy/v1beta1
                kind: PodSecurityPolicy
                metadata:
                  name: restricted-mcm
                  annotations:
                    seccomp.security.alpha.kubernetes.io/allowedProfileNames: '*'
                spec:
                  privileged: false # no privileged pods
                  allowPrivilegeEscalation: false
                  allowedCapabilities:
                  - '*' # allows every capability; a restricted policy lists only the capabilities workloads need
                  volumes:
                  - '*' # includes hostPath; restrict to the volume types you allow
                  hostNetwork: true # gives pods the node's network namespace; set to false unless required
                  hostPorts:
                  - min: 1024 # ports below 1024 are privileged
                    max: 65535
                  hostIPC: false
                  hostPID: false
                  runAsUser:
                    rule: 'RunAsAny' # permits root; MustRunAsNonRoot is the restrictive choice
                  seLinux:
                    rule: 'RunAsAny'
                  supplementalGroups:
                    rule: 'RunAsAny'
                  fsGroup:
                    rule: 'RunAsAny'
            - complianceType: "musthave"
              objectDefinition:
                kind: NetworkPolicy
                apiVersion: networking.k8s.io/v1
                metadata:
                  namespace: default
                  name: deny-from-other-namespaces
                spec:
                  podSelector:
                    matchLabels: {} # empty selector: the policy applies to every pod in the namespace
                  ingress:
                  - from:
                    - podSelector: {} # accept ingress only from pods within this namespace
            - complianceType: "musthave"
              objectDefinition:
                apiVersion: v1
                kind: LimitRange
                metadata:
                  name: mem-limit-range
                spec:
                  limits:
                  - default:
                      memory: 512Mi
                    defaultRequest:
                      memory: 256Mi
                    type: Container
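The comments in the YAML above describe complianceType at two levels (the role must exist; if it exists, each rule is musthave or mustnothave) plus the policy-level default that sub-templates inherit. The following script is an added example, not IBM Multicloud Manager code, that models that evaluation over a constructed cluster snapshot so the two levels can be seen side by side. The policy and the cluster data are dicts mirroring the YAML (constructed, not parsed), and the matching rules are this model's own assumptions: musthave requires every listed verb, mustnothave is violated by any listed verb, and namespace include/exclude entries are treated as shell-style globs. The real controller's matching may differ.

```python
from fnmatch import fnmatch

# Constructed sample: the policy from the Compliance above, as Python dicts
# (hypothetical data, mirroring the YAML rather than parsing it).
POLICY = {
    "complianceType": "musthave",
    "namespaces": {"include": ["default"], "exclude": ["kube*"]},
    "role-templates": [{
        "name": "operator-role",
        "complianceType": "musthave",
        "rules": [
            {"complianceType": "mustnothave",
             "policyRule": {"apiGroups": ["core"], "resources": ["secrets"],
                            "verbs": ["get", "list", "watch", "delete",
                                      "create", "update", "patch"]}},
            {"complianceType": "musthave",
             "policyRule": {"apiGroups": ["core"], "resources": ["pods"],
                            "verbs": ["get", "list", "watch"]}},
        ],
    }],
}

# Constructed cluster snapshot: {namespace: {role name: [RBAC rules]}}.
# operator-role in "default" grants "get" on secrets, which the template forbids.
SAMPLE_CLUSTER = {
    "default": {"operator-role": [
        {"apiGroups": ["core"], "resources": ["pods"], "verbs": ["get", "list", "watch"]},
        {"apiGroups": ["core"], "resources": ["secrets"], "verbs": ["get"]},
    ]},
    "kube-system": {"operator-role": []},  # excluded by "kube*"
    "dev": {},                             # not in the include list
}


def select_namespaces(all_namespaces, include, exclude):
    """Apply namespaces.include / namespaces.exclude as shell-style globs."""
    return sorted(ns for ns in all_namespaces
                  if any(fnmatch(ns, p) for p in include)
                  and not any(fnmatch(ns, p) for p in exclude))


def granted_verbs(role_rules, api_groups, resources):
    """Verbs a role grants on the given apiGroups/resources ('*' matches all)."""
    verbs = set()
    for r in role_rules:
        groups_hit = "*" in r["apiGroups"] or set(r["apiGroups"]) & set(api_groups)
        res_hit = "*" in r["resources"] or set(r["resources"]) & set(resources)
        if groups_hit and res_hit:
            verbs |= set(r["verbs"])
    return verbs


def evaluate_role_template(template, roles, default_type):
    """Evaluate one role-template against the roles of one namespace.

    Role level: musthave means the role must exist, mustnothave that it must not.
    Rule level (only checked when the role exists): musthave requires every
    listed verb, mustnothave is violated by any listed verb. A missing
    complianceType inherits the policy-level default. Returns a list of reasons;
    an empty list means compliant.
    """
    role_type = template.get("complianceType", default_type)
    role = roles.get(template["name"])
    if role_type == "mustnothave":
        return [] if role is None else [f"role {template['name']} exists but is mustnothave"]
    if role is None:
        return [f"role {template['name']} is missing"]
    reasons = []
    for rule in template["rules"]:
        pr = rule["policyRule"]
        have = granted_verbs(role, pr["apiGroups"], pr["resources"])
        want = set(pr["verbs"])
        rule_type = rule.get("complianceType", default_type)
        if rule_type == "musthave" and not want <= have:
            reasons.append(f"{pr['resources']}: missing verbs {sorted(want - have)}")
        elif rule_type == "mustnothave" and want & have:
            reasons.append(f"{pr['resources']}: forbidden verbs {sorted(want & have)}")
    return reasons


def evaluate(policy, cluster):
    """Return {namespace: (compliant, reasons)} for the selected namespaces only."""
    ns_spec = policy["namespaces"]
    results = {}
    for ns in select_namespaces(cluster, ns_spec["include"], ns_spec["exclude"]):
        reasons = []
        for tmpl in policy["role-templates"]:
            why = evaluate_role_template(tmpl, cluster[ns], policy["complianceType"])
            reasons += [f"{ns}/{tmpl['name']}: {r}" for r in why]
        results[ns] = (not reasons, reasons)
    return results


if __name__ == "__main__":
    for ns, (ok, why) in evaluate(POLICY, SAMPLE_CLUSTER).items():
        print(ns, "Compliant" if ok else "NonCompliant", *why, sep="\n  ")
```

With the sample snapshot only the default namespace is evaluated (kube-system is excluded by the glob, dev is not included), and it is reported NonCompliant because operator-role grants get on secrets; removing that rule from the role, or removing the role entirely, shows the other two outcomes the template can produce.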

See Working with IBM Multicloud Manager compliance for more compliance topics.