From 88975f4c9d2cadee752f2e07f92b832087bdd6aa Mon Sep 17 00:00:00 2001 From: Gus Parvin Date: Tue, 1 Oct 2024 10:43:54 -0400 Subject: [PATCH] Change the OPP policies to adopt OperatorPolicy Deploying operators with OperatorPolicy has benefits that should be adopted to help customers get better visibility into the operator status automatically. Refs: - https://issues.redhat.com/browse/OCPQE-25041 Signed-off-by: Gus Parvin (cherry picked from commit 0894bdb7a87b26cf0a726ae7dbe06e2610fef13f) --- .../policy-acs-operator-central.yaml | 32 +++++++------- .../policy-compliance-operator-install.yaml | 44 ++++++++----------- .../input-odf/policy-odf-status.yaml | 10 ----- .../openshift-plus/input-odf/policy-odf.yaml | 34 +++++++------- .../input-quay/policy-hub-quay-bridge.yaml | 19 ++++---- .../input-quay/policy-install-quay.yaml | 34 +++++++------- .../input-quay/policy-quay-bridge.yaml | 19 ++++---- ...icy-advanced-managed-cluster-security.yaml | 32 +++++++------- 8 files changed, 106 insertions(+), 118 deletions(-) diff --git a/policygenerator/policy-sets/stable/openshift-plus/input-acs-central/policy-acs-operator-central.yaml b/policygenerator/policy-sets/stable/openshift-plus/input-acs-central/policy-acs-operator-central.yaml index c701c4428..e8b3a7c30 100644 --- a/policygenerator/policy-sets/stable/openshift-plus/input-acs-central/policy-acs-operator-central.yaml +++ b/policygenerator/policy-sets/stable/openshift-plus/input-acs-central/policy-acs-operator-central.yaml 
@@ -8,24 +8,24 @@ kind: Namespace metadata: name: rhacs-operator --- -apiVersion: operators.coreos.com/v1 -kind: OperatorGroup +apiVersion: policy.open-cluster-management.io/v1beta1 +kind: OperatorPolicy metadata: - name: rhacs-operator-group - namespace: rhacs-operator -spec: {} ---- -apiVersion: operators.coreos.com/v1alpha1 -kind: Subscription -metadata: - name: rhacs-operator - namespace: rhacs-operator + name: operatorpolicy-rhacs-operator spec: - channel: stable - installPlanApproval: Automatic - name: rhacs-operator - source: redhat-operators - sourceNamespace: openshift-marketplace + remediationAction: enforce + severity: high + complianceType: musthave + upgradeApproval: Automatic + operatorGroup: + name: rhacs-operator-group + namespace: rhacs-operator + subscription: + channel: stable + name: rhacs-operator + namespace: rhacs-operator + source: redhat-operators + sourceNamespace: openshift-marketplace --- apiVersion: platform.stackrox.io/v1alpha1 kind: Central diff --git a/policygenerator/policy-sets/stable/openshift-plus/input-compliance/policy-compliance-operator-install.yaml b/policygenerator/policy-sets/stable/openshift-plus/input-compliance/policy-compliance-operator-install.yaml index 5164e0aa7..e38e27f6a 100644 --- a/policygenerator/policy-sets/stable/openshift-plus/input-compliance/policy-compliance-operator-install.yaml +++ b/policygenerator/policy-sets/stable/openshift-plus/input-compliance/policy-compliance-operator-install.yaml 
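Review bot: The new `OperatorPolicy` for `rhacs-operator` pairs `remediationAction: enforce` with `upgradeApproval: Automatic` and sets no `versions` allowlist, so presumably every release published on the `stable` channel of `redhat-operators` is approved without review. That matches the removed `installPlanApproval: Automatic`, but this object is now the single control point for the operator's supply chain, so the choice should be explained above `upgradeApproval`, e.g. `# Automatic: any CSV on the channel is approved; use upgradeApproval: None plus a versions list to gate upgrades`. The same applies to the OperatorPolicy objects added in the compliance, odf, quay, quay-bridge and sensor files of this patch.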
@@ -3,31 +3,23 @@ kind: Namespace metadata: name: openshift-compliance --- -apiVersion: operators.coreos.com/v1 -kind: OperatorGroup +apiVersion: policy.open-cluster-management.io/v1beta1 +kind: OperatorPolicy metadata: - name: compliance-operator - namespace: openshift-compliance + name: operatorpolicy-comp-operator spec: - targetNamespaces: - - openshift-compliance ---- -apiVersion: operators.coreos.com/v1alpha1 -kind: Subscription -metadata: - name: compliance-operator - namespace: openshift-compliance -spec: - installPlanApproval: Automatic - name: compliance-operator - source: redhat-operators - sourceNamespace: openshift-marketplace ---- -apiVersion: operators.coreos.com/v1alpha1 -kind: ClusterServiceVersion -metadata: - namespace: openshift-compliance -spec: - displayName: Compliance Operator -status: - phase: Succeeded # check the csv status to determine if operator is running or not + remediationAction: enforce + severity: high + complianceType: musthave + upgradeApproval: Automatic + operatorGroup: + name: compliance-operator + namespace: openshift-compliance + targetNamespaces: + - openshift-compliance + subscription: + channel: stable + name: compliance-operator + namespace: openshift-compliance + source: redhat-operators + sourceNamespace: openshift-marketplace diff --git a/policygenerator/policy-sets/stable/openshift-plus/input-odf/policy-odf-status.yaml b/policygenerator/policy-sets/stable/openshift-plus/input-odf/policy-odf-status.yaml index 62286b6f6..748174369 100644 --- a/policygenerator/policy-sets/stable/openshift-plus/input-odf/policy-odf-status.yaml +++ b/policygenerator/policy-sets/stable/openshift-plus/input-odf/policy-odf-status.yaml 
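Review bot: `channel: stable` under `subscription` is new here: the removed compliance-operator Subscription set no channel, so this is a behaviour change the commit message does not mention, and the odf and quay policies converted in this patch still omit the channel. Either drop the line to keep following the package default, or keep it and say why in a comment such as `# pinned so a change of the catalog default channel cannot move the operator`. The removed ClusterServiceVersion `phase: Succeeded` check is presumably covered by OperatorPolicy's own status reporting; it is worth confirming that the generated policy still turns NonCompliant when the CSV fails.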
@@ -18,16 +18,6 @@ status: - status: "True" type: Available --- -apiVersion: apps/v1 -kind: Deployment -metadata: - name: odf-operator-controller-manager - namespace: openshift-storage -status: - conditions: - - status: "True" - type: Available ---- apiVersion: ocs.openshift.io/v1 kind: StorageCluster metadata: diff --git a/policygenerator/policy-sets/stable/openshift-plus/input-odf/policy-odf.yaml b/policygenerator/policy-sets/stable/openshift-plus/input-odf/policy-odf.yaml index d56103e66..5502e2b52 100644 --- a/policygenerator/policy-sets/stable/openshift-plus/input-odf/policy-odf.yaml +++ b/policygenerator/policy-sets/stable/openshift-plus/input-odf/policy-odf.yaml @@ -5,25 +5,25 @@ metadata: openshift.io/cluster-monitoring: "true" name: openshift-storage --- -apiVersion: operators.coreos.com/v1alpha2 -kind: OperatorGroup +apiVersion: policy.open-cluster-management.io/v1beta1 +kind: OperatorPolicy metadata: - name: openshift-storage-operatorgroup - namespace: openshift-storage -spec: - targetNamespaces: - - openshift-storage ---- -apiVersion: operators.coreos.com/v1alpha1 -kind: Subscription -metadata: - name: odf-operator - namespace: openshift-storage + name: operatorpolicy-odf-operator spec: - installPlanApproval: Automatic - name: odf-operator - source: redhat-operators - sourceNamespace: openshift-marketplace + remediationAction: enforce + severity: high + complianceType: musthave + upgradeApproval: Automatic + operatorGroup: + name: openshift-storage-operatorgroup + namespace: openshift-storage + targetNamespaces: + - openshift-storage + subscription: + name: odf-operator + namespace: openshift-storage + source: redhat-operators + sourceNamespace: openshift-marketplace --- apiVersion: odf.openshift.io/v1alpha1 kind: StorageSystem diff --git a/policygenerator/policy-sets/stable/openshift-plus/input-quay/policy-hub-quay-bridge.yaml b/policygenerator/policy-sets/stable/openshift-plus/input-quay/policy-hub-quay-bridge.yaml index 274d24eab..9da2110b0 100644 
--- a/policygenerator/policy-sets/stable/openshift-plus/input-quay/policy-hub-quay-bridge.yaml +++ b/policygenerator/policy-sets/stable/openshift-plus/input-quay/policy-hub-quay-bridge.yaml @@ -1,15 +1,18 @@ -apiVersion: operators.coreos.com/v1alpha1 -kind: Subscription +apiVersion: policy.open-cluster-management.io/v1beta1 +kind: OperatorPolicy metadata: + name: operatorpolicy-quay-bridge-operator labels: operators.coreos.com/quay-bridge-operator.openshift-operators: "" - name: quay-bridge-operator - namespace: openshift-operators spec: - installPlanApproval: Automatic - name: quay-bridge-operator - source: redhat-operators - sourceNamespace: openshift-marketplace + remediationAction: enforce + severity: high + complianceType: musthave + upgradeApproval: Automatic + subscription: + name: quay-bridge-operator + source: redhat-operators + sourceNamespace: openshift-marketplace --- kind: Secret type: Opaque diff --git a/policygenerator/policy-sets/stable/openshift-plus/input-quay/policy-install-quay.yaml b/policygenerator/policy-sets/stable/openshift-plus/input-quay/policy-install-quay.yaml index b6253ca3b..e6eae647a 100644 --- a/policygenerator/policy-sets/stable/openshift-plus/input-quay/policy-install-quay.yaml +++ b/policygenerator/policy-sets/stable/openshift-plus/input-quay/policy-install-quay.yaml 
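Review bot: The `subscription` block no longer names a namespace, whereas the removed Subscription had `namespace: openshift-operators` and every other OperatorPolicy in this patch sets `subscription.namespace` explicitly. Where the operator lands now depends on the controller's default, which is not visible in this diff; adding `namespace: openshift-operators` under `subscription` keeps the install location fixed. The carried-over label `operators.coreos.com/quay-bridge-operator.openshift-operators: ""` belonged to the Subscription and probably has no effect on the OperatorPolicy object, so it can likely be dropped. Both points apply equally to policy-quay-bridge.yaml, and the label point also to policy-install-quay.yaml.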
@@ -58,27 +58,27 @@ subjects: name: create-admin-user namespace: local-quay --- -apiVersion: operators.coreos.com/v1 -kind: OperatorGroup -metadata: - name: local-quay - namespace: local-quay -spec: - targetNamespaces: - - local-quay ---- -apiVersion: operators.coreos.com/v1alpha1 -kind: Subscription +apiVersion: policy.open-cluster-management.io/v1beta1 +kind: OperatorPolicy metadata: + name: operatorpolicy-quay-operator labels: operators.coreos.com/quay-operator.local-quay: "" - name: quay-operator - namespace: local-quay spec: - installPlanApproval: Automatic - name: quay-operator - source: redhat-operators - sourceNamespace: openshift-marketplace + remediationAction: enforce + severity: high + complianceType: musthave + upgradeApproval: Automatic + operatorGroup: + name: local-quay + namespace: local-quay + targetNamespaces: + - local-quay + subscription: + name: quay-operator + namespace: local-quay + source: redhat-operators + sourceNamespace: openshift-marketplace --- apiVersion: v1 data: diff --git a/policygenerator/policy-sets/stable/openshift-plus/input-quay/policy-quay-bridge.yaml b/policygenerator/policy-sets/stable/openshift-plus/input-quay/policy-quay-bridge.yaml index 32c702b5e..512ae0079 100644 --- a/policygenerator/policy-sets/stable/openshift-plus/input-quay/policy-quay-bridge.yaml +++ b/policygenerator/policy-sets/stable/openshift-plus/input-quay/policy-quay-bridge.yaml 
@@ -1,15 +1,18 @@ -apiVersion: operators.coreos.com/v1alpha1 -kind: Subscription +apiVersion: policy.open-cluster-management.io/v1beta1 +kind: OperatorPolicy metadata: + name: operatorpolicy-quay-bridge-operator labels: operators.coreos.com/quay-bridge-operator.openshift-operators: "" - name: quay-bridge-operator - namespace: openshift-operators spec: - installPlanApproval: Automatic - name: quay-bridge-operator - source: redhat-operators - sourceNamespace: openshift-marketplace + remediationAction: enforce + severity: high + complianceType: musthave + upgradeApproval: Automatic + subscription: + name: quay-bridge-operator + source: redhat-operators + sourceNamespace: openshift-marketplace --- apiVersion: quay.redhat.com/v1 kind: QuayIntegration diff --git a/policygenerator/policy-sets/stable/openshift-plus/input-sensor/policy-advanced-managed-cluster-security.yaml b/policygenerator/policy-sets/stable/openshift-plus/input-sensor/policy-advanced-managed-cluster-security.yaml index 70d3e425e..b78aa0171 100644 --- a/policygenerator/policy-sets/stable/openshift-plus/input-sensor/policy-advanced-managed-cluster-security.yaml +++ b/policygenerator/policy-sets/stable/openshift-plus/input-sensor/policy-advanced-managed-cluster-security.yaml 
@@ -8,24 +8,24 @@ kind: Namespace metadata: name: rhacs-operator --- -apiVersion: operators.coreos.com/v1 -kind: OperatorGroup +apiVersion: policy.open-cluster-management.io/v1beta1 +kind: OperatorPolicy metadata: - name: rhacs-operator-group - namespace: rhacs-operator -spec: {} ---- -apiVersion: operators.coreos.com/v1alpha1 -kind: Subscription -metadata: - name: rhacs-operator - namespace: rhacs-operator + name: operatorpolicy-rhacs-operator spec: - channel: stable - installPlanApproval: Automatic - name: rhacs-operator - source: redhat-operators - sourceNamespace: openshift-marketplace + remediationAction: enforce + severity: high + complianceType: musthave + upgradeApproval: Automatic + operatorGroup: + name: rhacs-operator-group + namespace: rhacs-operator + subscription: + channel: stable + name: rhacs-operator + namespace: rhacs-operator + source: redhat-operators + sourceNamespace: openshift-marketplace --- apiVersion: v1 data: