IBM Multicloud Manager compliance and policy overview
An IBM Multicloud Manager policy is defined within a compliance. Each compliance contains one or more policies. To define the clusters that the compliance is applied to, you define a PlacementPolicy, which is bound to the compliance policy by a PlacementBinding.
Compliance policies are created with CustomResourceDefinitions. See Extend the Kubernetes API with CustomResourceDefinitions to learn more about CustomResourceDefinition (CRD).
Compliance policy elements
A compliance document contains a specification with runtime-rules, which is a list of policies within the compliance. Each policy within the compliance contains the following elements:
- A namespace selector that specifies which namespaces within the cluster the policy is applied to.
- A list of templates, such as role-templates or object-templates, within the policy that describes how a resource in Kubernetes should be defined, and whether it is allowed to exist.
- A role-templates entry is used to list RBAC roles that must be evaluated or applied to the managed clusters. Role templates are treated as a special category of templates, as they contain rules that can be analyzed and compared to evaluate the compliance of a cluster.
- An object-template is used to list any other Kubernetes object that must be evaluated or applied to the managed clusters. Examples of such objects are a pod security policy, an image policy, or a limit range.
Compliance policy template examples
Example of role-templates and object-templates: see the following .yaml file example of the definition for a role template. Edit the spec section of your YAML to define your policy.
apiVersion: compliance.mcm.ibm.com/v1alpha1
kind: Compliance
metadata:
  name: compliance1
spec:
  runtime-rules:
    - apiVersion: policy.mcm.ibm.com/v1alpha1
      kind: Policy
      metadata:
        name: policy1
        labels:
          cis-docker: "true"
      spec:
        remediationAction: "enforce" # enforce or inform
        complianceType: "musthave" # used as default, when missing in a particular sub-template
        namespaces:
          include: ["default"]
          exclude: ["kube*"]
        role-templates:
          - apiVersion: roletemplate.mcm.ibm.com/v1alpha1
            metadata:
              namespace: "" # will be inferred
              name: operator-role
            selector:
              matchLabels:
                dev: "true"
            complianceType: "musthave" # at this level, it means the role must exist with the rules that it musthave below
            rules:
              - complianceType: "mustnothave" # at this level, it means if the role exists the rule is a mustnothave
                policyRule:
                  apiGroups: ["core"]
                  resources: ["secrets"]
                  verbs: ["get", "list", "watch", "delete", "create", "update", "patch"]
              - complianceType: "musthave" # at this level, it means if the role exists the rule is a musthave
                policyRule:
                  apiGroups: ["core"]
                  resources: ["pods"]
                  verbs: ["get", "list", "watch"]
        object-templates:
          - complianceType: "musthave"
            objectDefinition:
              kind: RoleBinding
              apiVersion: rbac.authorization.k8s.io/v1
              metadata:
                name: operate-pods-rolebinding
                namespace: default
              subjects:
                - kind: User
                  name: admin # Name is case sensitive
                  apiGroup: rbac.authorization.k8s.io
              roleRef:
                kind: Role # this must be Role or ClusterRole
                name: operator # this must match the name of the Role or ClusterRole you wish to bind to
                apiGroup: rbac.authorization.k8s.io
          - complianceType: "musthave"
            objectDefinition:
              apiVersion: policy/v1beta1
              kind: PodSecurityPolicy
              metadata:
                name: restricted-mcm
                annotations:
                  seccomp.security.alpha.kubernetes.io/allowedProfileNames: '*'
              spec:
                privileged: false # no privileged pods
                allowPrivilegeEscalation: false
                allowedCapabilities:
                  - '*'
                volumes:
                  - '*'
                hostNetwork: true
                hostPorts:
                  - min: 1000 # ports < 1000 are reserved
                    max: 65535
                hostIPC: false
                hostPID: false
                runAsUser:
                  rule: 'RunAsAny'
                seLinux:
                  rule: 'RunAsAny'
                supplementalGroups:
                  rule: 'RunAsAny'
                fsGroup:
                  rule: 'RunAsAny'
          - complianceType: "musthave"
            objectDefinition:
              kind: NetworkPolicy
              apiVersion: networking.k8s.io/v1
              metadata:
                namespace: default
                name: deny-from-other-namespaces
              spec:
                podSelector:
                  matchLabels:
                ingress:
                  - from:
                      - podSelector: {} # accept ingress from all pods within this namespace only
          - complianceType: "musthave"
            objectDefinition:
              apiVersion: v1
              kind: LimitRange
              metadata:
                name: mem-limit-range
              spec:
                limits:
                  - default:
                      memory: 512Mi
                    defaultRequest:
                      memory: 256Mi
                    type: Container
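The two-level musthave/mustnothave semantics of the role-template above (the role must exist; if it exists, a mustnothave rule must not be granted and a musthave rule must be) can be checked offline. The following is an added example, not IBM Multicloud Manager code: it takes the operator-role template from the compliance example, expressed as a Python dict, and evaluates it against two constructed Role objects. The matching logic (label selector, wildcard handling) is an assumption about how the controller evaluates templates, not taken from the page.

```python
from typing import List

def _granted_verbs(role_rule: dict, policy_rule: dict) -> set:
    """Verbs from policy_rule that role_rule grants on the same apiGroups and resources."""
    def covers(have, want):
        return "*" in have or set(want) <= set(have)
    if not (covers(role_rule.get("apiGroups", []), policy_rule["apiGroups"])
            and covers(role_rule.get("resources", []), policy_rule["resources"])):
        return set()
    verbs = role_rule.get("verbs", [])
    return set(policy_rule["verbs"]) if "*" in verbs else set(policy_rule["verbs"]) & set(verbs)

def evaluate_role_template(template: dict, roles: List[dict]) -> List[str]:
    """Return the list of violations; an empty list means the Roles are compliant."""
    selector = template["selector"]["matchLabels"]
    matched = [r for r in roles if all(
        r.get("metadata", {}).get("labels", {}).get(k) == v for k, v in selector.items())]
    # Template level: a Role matching the selector must (or must not) exist.
    if template["complianceType"] == "musthave" and not matched:
        return [f"no Role matching {selector} exists"]
    if template["complianceType"] == "mustnothave" and matched:
        return [f"Role matching {selector} must not exist"]
    violations = []
    # Rule level: evaluated only against Roles that do exist.
    for role in matched:
        name = role["metadata"]["name"]
        for rule in template["rules"]:
            want = rule["policyRule"]
            granted = set().union(*(_granted_verbs(rr, want) for rr in role.get("rules", [])))
            if rule["complianceType"] == "musthave" and granted != set(want["verbs"]):
                violations.append(f"{name}: missing {sorted(set(want['verbs']) - granted)} on {want['resources']}")
            elif rule["complianceType"] == "mustnothave" and granted:
                violations.append(f"{name}: must not grant {sorted(granted)} on {want['resources']}")
    return violations

# The operator-role template from the compliance example, as a dict (apiGroup "core" as written on the page).
OPERATOR_ROLE_TEMPLATE = {
    "selector": {"matchLabels": {"dev": "true"}}, "complianceType": "musthave",
    "rules": [
        {"complianceType": "mustnothave", "policyRule": {"apiGroups": ["core"], "resources": ["secrets"],
         "verbs": ["get", "list", "watch", "delete", "create", "update", "patch"]}},
        {"complianceType": "musthave", "policyRule": {"apiGroups": ["core"], "resources": ["pods"],
         "verbs": ["get", "list", "watch"]}}]}

# Constructed sample Roles (not from the page): one compliant, one that also grants every verb on secrets.
COMPLIANT_ROLE = {"metadata": {"name": "operator", "labels": {"dev": "true"}},
                  "rules": [{"apiGroups": ["core"], "resources": ["pods"], "verbs": ["get", "list", "watch"]}]}
LEAKY_ROLE = {"metadata": {"name": "operator", "labels": {"dev": "true"}},
              "rules": [{"apiGroups": ["core"], "resources": ["pods", "secrets"], "verbs": ["*"]}]}
```

Calling evaluate_role_template(OPERATOR_ROLE_TEMPLATE, [LEAKY_ROLE]) reports the secrets grant as a mustnothave violation, while the compliant Role and an empty cluster yield an empty list and a "no Role matching" violation respectively.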
See Working with IBM Multicloud Manager compliance for more compliance topics.