Add an operator policy, kubernetes RBAC policy and virtual machine ex… by jnpacker · Pull Request #108 · stolostron/policy-collection


Open · wants to merge 5 commits into base: main

Conversation

@jnpacker (Member) commented May 5, 2025

…amples.

  1. Policy deploys the CNV Operator
  2. There are also configuration policies that check to make sure controllers and subscription are happy path
  3. There is an extra policy template to set KVM_EMULATION: true if you want to run demos on NON-virtualization hardware. It is false by default.
  4. A configuration Policy for applying the 3x kubevirt roles to a user/group/serviceAccount (this will be updated to a clusterPermission in the future).
  5. Two example YAMLs for creating VMs, to help get users started. One with just a rootdisk, and one with rootdisk & datadisk.

…amples.

1. Policy deploys the CNV Operator
2. There are also configuration policy checks to make sure controllers and subscription are happy path
3. There is an extra policy template to set KVM_EMULATION: true if you want to run demos on NON-virtualization hardware.
4. A configuration Policy for applying the 3x kubevirt roles to a user/group/serviceAccount (this will be updated to a clusterPermission).
5. Two example YAMLs for creating VMs; this is a way to help get users started. One with just a rootdisk, and one with rootdisk & datadisk.

Signed-off-by: Joshua Packer <jpacker@redhat.com>
…Policy

Signed-off-by: Joshua Packer <jpacker@redhat.com>
#cloud-config
chpasswd:
expire: false
password: change-me-5738


This password will be saved in plaintext in etcd, which might be a security concern. Since this is an example, that might not be a problem, but it could be worth mentioning. To keep it secure, it could use templates - in particular, a hub template fromSecret should keep the value encrypted throughout all of the Policies and ConfigurationPolicy.
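One way to act on the review comment above, as an added example that is not part of this pull request: the whole cloud-config (including the chpasswd password) is kept in a Secret on the hub, and a `fromSecret` hub template copies it into the managed-cluster Secret that the VirtualMachine references. The namespace `vm-examples` and the Secret names `vm-cloudinit` and `fedora-vm-cloudinit` are assumptions.

```yaml
# Hub side, one time (assumed names): put the cloud-config file into a Secret
# in the same namespace as the Policy, because fromSecret can only read Secrets
# from the Policy's own hub namespace by default:
#   kubectl -n vm-examples create secret generic vm-cloudinit \
#       --from-file=userdata=cloud-config.yaml
apiVersion: policy.open-cluster-management.io/v1
kind: Policy
metadata:
  name: policy-vm-cloudinit
  namespace: vm-examples                  # assumed hub namespace of the Policy
spec:
  disabled: false
  remediationAction: enforce
  policy-templates:
    - objectDefinition:
        apiVersion: policy.open-cluster-management.io/v1
        kind: ConfigurationPolicy
        metadata:
          name: vm-cloudinit-secret
        spec:
          remediationAction: enforce
          severity: medium
          object-templates:
            - complianceType: musthave
              objectDefinition:
                apiVersion: v1
                kind: Secret
                metadata:
                  name: fedora-vm-cloudinit   # assumed name on the managed cluster
                  namespace: vm-examples
                type: Opaque
                data:
                  # The {{hub ... hub}} template is resolved on the hub before the
                  # Policy is propagated. fromSecret returns the key base64-encoded
                  # (so it fits a Secret's data field), and the resolved value is
                  # stored encrypted in the replicated Policy instead of as
                  # plaintext cloud-config with the password in it.
                  userdata: '{{hub fromSecret "vm-examples" "vm-cloudinit" "userdata" hub}}'
```

The VirtualMachine then points at this Secret with `cloudInitNoCloud.secretRef.name: fedora-vm-cloudinit` in its `spec.template.spec.volumes` entry instead of carrying the user data inline.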

…nd removed the KVM_EMULATION stanza

Signed-off-by: Joshua Packer <jpacker@redhat.com>
@JustinKuli left a comment


Comment on lines 90 to 164
- complianceType: musthave
objectDefinition:
apiVersion: apps/v1
kind: Deployment
metadata:
name: forklift-api
namespace: openshift-mtv
status:
readyReplicas: 1
availableReplicas: 1
conditions:
- type: Available
status: 'True'
reason: MinimumReplicasAvailable
message: Deployment has minimum availability.
- complianceType: musthave
objectDefinition:
apiVersion: apps/v1
kind: Deployment
metadata:
name: forklift-controller
namespace: openshift-mtv
status:
readyReplicas: 1
availableReplicas: 1
conditions:
- type: Available
status: 'True'
reason: MinimumReplicasAvailable
message: Deployment has minimum availability.
- complianceType: musthave
objectDefinition:
apiVersion: apps/v1
kind: Deployment
metadata:
name: forklift-validation
namespace: openshift-mtv
status:
readyReplicas: 1
availableReplicas: 1
conditions:
- type: Available
status: 'True'
reason: MinimumReplicasAvailable
message: Deployment has minimum availability.
- complianceType: musthave
objectDefinition:
apiVersion: apps/v1
kind: Deployment
metadata:
name: forklift-volume-populator-controller
namespace: openshift-mtv
status:
readyReplicas: 1
availableReplicas: 1
conditions:
- type: Available
status: 'True'
reason: MinimumReplicasAvailable
message: Deployment has minimum availability.
- complianceType: musthave
objectDefinition:
apiVersion: apps/v1
kind: Deployment
metadata:
name: forklift-operator
namespace: openshift-mtv
status:
readyReplicas: 1
availableReplicas: 1
conditions:
- type: Available
status: 'True'
reason: MinimumReplicasAvailable
message: Deployment has minimum availability.
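Review bot: `readyReplicas: 1` and `availableReplicas: 1` in each of these musthave status checks are exact scalar matches, so a Deployment that has been scaled to two replicas would report NonCompliant even though it is healthy; the `Available` condition with `status: 'True'` already expresses what the check is after, so consider dropping the replica counts and keeping only the condition. As the later commit message in this thread notes, OperatorPolicy already reports on the operator's Deployment availability, which may make these five status checks redundant altogether.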


You might want object-templates-raw and a loop for these resources:

        spec:
          remediationAction: inform
          object-templates-raw: |
            {{ range $name := (list "forklift-api" "forklift-controller" "forklift-validation" "forklift-volume-populator-controller" "forklift-operator") }}
            - complianceType: musthave
              objectDefinition:
                apiVersion: apps/v1
                kind: Deployment
                metadata:
                  name: {{ $name }}
                  namespace: openshift-mtv
                status:
                  readyReplicas: 1
                  availableReplicas: 1
                  conditions:
                    - type: Available
                      status: 'True'
                      reason: MinimumReplicasAvailable
                      message: Deployment has minimum availability.
            {{- end }}

Or if it's all of the Deployments in that namespace (or all matching a label selector) you could use the newer objectSelector feature: https://docs.redhat.com/en/documentation/red_hat_advanced_cluster_management_for_kubernetes/2.13/html-single/governance/index#object-selector

If you did that, you could move the kind: ForkliftController part into the policy that defines its spec - ConfigurationPolicy knows to only check the status, not try and apply it.

jnpacker (Member Author)

I will check for a label and either use the selector or redo a loop in RAW

* Added a reference to the root README.md
* Removed namespaces from the policies
* Removed the VM create policy example
* Removed the role binding examples
* Changed placementRule to Placement

Signed-off-by: Joshua Packer <jpacker@redhat.com>
@JustinKuli left a comment


/hold

LGTM! Just one nitpick I have, you can just unhold it if you want. Thanks for all the updates along the way

…eployment names that were provided, and validate the acceptable number of replicas was present, but I realized that the OperatorPolicy already does this, plus checks that the CRDs are present. So I removed those checks from the policy-mtv.yaml

Signed-off-by: Joshua Packer <jpacker@redhat.com>
@jnpacker (Member Author)

Hey @JustinKuli can I get the lgtm again, I removed the note but the push of the squashed rebase reset the PR.

@openshift-ci openshift-ci bot added the lgtm label May 28, 2025
openshift-ci bot commented May 28, 2025

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: jnpacker, JustinKuli
