Advanced Cluster Management (ACM) Tips and Tricks
James Land - 17 Jul 2023
Advanced Cluster Management is something I used recently, and there are a couple of things I want to make sure I don't forget.
Custom Policies
The policy below was very generously created for me by another Red Hatter and does a good job of showing how to write a custom policy that lets us do pretty much anything we would want. I'm going to break it down a little more below:
apiVersion: policy.open-cluster-management.io/v1
kind: ConfigurationPolicy
metadata:
  name: validate-pipeline-sa
spec:
  remediationAction: inform
  severity: low
  object-templates-raw: |
    - complianceType: mustnothave
      objectDefinition:
        kind: ConfigMap
        apiVersion: v1
        metadata:
          name: fake-policy-holder
          namespace: default
        data:
          fake: holder so policy is not generated empty
    - complianceType: mustnothave
      objectDefinition:
        kind: Pod
        apiVersion: v1
        metadata:
          name:
          namespace:
The template body uses the Go template language, so most of the functions you can use are documented there (things like range, if/else, and so on).
But the real key item here is this:
The lookup function is what allows us to look up specific objects and find out whether they exist. In this case we want to see whether $pod.spec.serviceAccountName is pipeline, and also whether a label key does not equal a specific value.
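As an added example (not the author's or the original policy's code), here is the lookup/range/if logic described above rendered with Go's text/template against constructed pods, keeping the placeholder ConfigMap so the list is never empty. ACM's engine builds on text/template, but the lookup function here is a stub that returns the constructed pod list, and the label key "pipeline-exempt" with value "true" is an assumed name standing in for whatever label the real policy checked.

```go
package main

import (
	"bytes"
	"text/template"
)

// mkPod builds a Pod shaped like the map ACM hands to a template (only the fields read below).
func mkPod(name, ns, sa string, labels map[string]string) map[string]interface{} {
	return map[string]interface{}{
		"metadata": map[string]interface{}{"name": name, "namespace": ns, "labels": labels},
		"spec":     map[string]interface{}{"serviceAccountName": sa},
	}
}
// The page's object-templates-raw body with the lookup/range/if section written out.
// The label key "pipeline-exempt" is an assumed name, not one the original policy used.
const objectTemplatesRaw = `- complianceType: mustnothave
  objectDefinition:
    kind: ConfigMap
    apiVersion: v1
    metadata:
      name: fake-policy-holder
      namespace: default
    data:
      fake: holder so policy is not generated empty
{{- range $pod := (lookup "v1" "Pod" "" "").items }}
{{- if and (eq $pod.spec.serviceAccountName "pipeline") (ne (index $pod.metadata.labels "pipeline-exempt") "true") }}
- complianceType: mustnothave
  objectDefinition:
    kind: Pod
    apiVersion: v1
    metadata:
      name: {{ $pod.metadata.name }}
      namespace: {{ $pod.metadata.namespace }}
{{- end }}
{{- end }}
`
// RenderObjectTemplates renders the template against the given pods and returns the YAML list.
func RenderObjectTemplates(pods []map[string]interface{}) (string, error) {
	// Stand-in for ACM's lookup: ACM returns {items: [...]} when the name argument is "";
	// this stub answers every call with the constructed pod list.
	lookup := func(apiVersion, kind, namespace, name string) map[string]interface{} {
		return map[string]interface{}{"items": pods}
	}
	t := template.Must(template.New("raw").Funcs(template.FuncMap{"lookup": lookup}).Parse(objectTemplatesRaw))
	var out bytes.Buffer
	err := t.Execute(&out, nil)
	return out.String(), err
}
```

With pods build-1 (pipeline SA, no label), build-2 (pipeline SA, label set) and web-1 (default SA), only build-1 is appended after the placeholder ConfigMap.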