open-cluster-management-io · openshift-merge-bot · Apr 9, 2025 · Apr 8, 2025
diff --git a/community/AC-Access-Control/policy-standalone-hubtemplate-config.yaml b/community/AC-Access-Control/policy-standalone-hubtemplate-config.yaml
@@ -0,0 +1,121 @@
+# ## **Summary **
+# This policy enables the standalone-hub-templating addon on the `mycluster` managed cluster, and
+# allows it access to `ConfigMaps` in that cluster's namespace on the hub. This policy can easily
+# be adjusted to provide different permissions for the addon, or to apply to a different cluster.
+# This policy should only be placed on the hub cluster.
+#
+# ## **Prerequisites **
+# The standalone-hub-templating feature was introduced in the config-policy-controller v0.16.0,
+# included in RHACM 2.13 - using this policy with earlier versions will not be efffective.
+#
+# ## **Background **
+# Policy templates like `ConfigurationPolicies` can be applied directly to managed clusters either
+# by users or automated processes (eg GitOps and other CI systems). Those resources can be placed in
+# the managed cluster namespace, or the `open-cluster-management-policies` namespace since community
+# version v0.15.0 (included in RHACM 2.12). Both `ConfigurationPolicies` and `OperatorPolicies`
+# allow templates, but when they are applied directly to the cluster, they can only access resources
+# present on that managed cluster.
+# 
+# The `standalone-hub-templating` feature allows those policy templates to access resources on the
+# hub cluster. By default, they will only have access to the `ManagedCluster` resource, but other
+# permissions can be added on the hub cluster, as this sample demonstrates.
+#
+# ## **Usage **
+# All instances of `mycluster` in the policy can be replaced by a specific managed cluster name. The
+# Role can be modified to provide access to other resources by changing its `rules`. The Role and
+# RoleBinding can be defined in a different namespace to provide access to resources in that
+# namespace, or they can be changed to a ClusterRole and ClusterRoleBinding to provide access to
+# resources in any namespace on the hub cluster. The Policy should only ever be placed on the hub
+# cluster, since that is where all of these details are configured.
+
+# ## **Example standalone policy**
+# This ConfigurationPolicy can be applied directly to the managed cluster, and would use the access
+# granted by the `standalone-hubtemplate-config` Policy to resolve its hub template, looking up the
+# "cloud" label on the ManagedCluster and some data from a "hub-cm" ConfigMap present on the hub
+# cluster.
+#
+# ```yaml
+# apiVersion: policy.open-cluster-management.io/v1
+# kind: ConfigurationPolicy
+# metadata:
+#   name: standalone-hubtemplates-example
+#   namespace: open-cluster-management-policies
+# spec:
+#   remediationAction: inform
+#   severity: low
+#   object-templates:
+#     - complianceType: musthave
+#       objectDefinition:
+#         kind: ConfigMap
+#         apiVersion: v1
+#         metadata:
+#           name: standalone-hubtemplates-example
+#           namespace: default
+#         data:
+#           cloud: '{{hub .ManagedClusterLabels.cloud hub}}'
+#           hubFoo: '{{hub fromConfigMap "mycluster" "hub-cm" "foo" hub}}'
+# ```
+
+apiVersion: policy.open-cluster-management.io/v1
+kind: Policy
+metadata:
+  name: standalone-hubtemplate-config
+spec:
+  disabled: false
+  policy-templates:
+    - objectDefinition:
+        apiVersion: policy.open-cluster-management.io/v1
+        kind: ConfigurationPolicy
+        metadata:
+          name: standalone-hubtemplate-addon
+        spec:
+          remediationAction: inform
+          object-templates:
+            - complianceType: musthave
+              objectDefinition:
+                apiVersion: addon.open-cluster-management.io/v1alpha1
+                kind: ManagedClusterAddOn
+                metadata:
+                  name: governance-standalone-hub-templating
+                  namespace: mycluster 
+                spec:
+                  installNamespace: open-cluster-management-agent-addon
+    - objectDefinition:
+        apiVersion: policy.open-cluster-management.io/v1
+        kind: ConfigurationPolicy
+        metadata:
+          name: standalone-hubtemplate-mycluster-rbac
+        spec:
+          remediationAction: inform
+          object-templates:
+            - complianceType: musthave
+              objectDefinition:
+                apiVersion: rbac.authorization.k8s.io/v1
+                kind: Role
+                metadata:
+                  name: cm-reader
+                  namespace: mycluster 
+                rules:
+                - apiGroups:
+                  - ""
+                  resources:
+                  - configmaps
+                  verbs:
+                  - get
+                  - list
+                  - watch
+            - complianceType: musthave
+              objectDefinition:
+                apiVersion: rbac.authorization.k8s.io/v1
+                kind: RoleBinding
+                metadata:
+                  name: cm-reader-binding
+                  namespace: mycluster 
+                roleRef:
+                  apiGroup: rbac.authorization.k8s.io
+                  kind: Role
+                  name: cm-reader
+                subjects:
+                - apiGroup: rbac.authorization.k8s.io
+                  kind: Group
+                  name: system:open-cluster-management:cluster:mycluster:addon:governance-standalone-hub-templating
diff --git a/community/README.md b/community/README.md
@@ -37,14 +37,15 @@ Policies in this folder are organized by [NIST Special Publication 800-53](https
 
 ### Access Control
 
-Policy  | Description                                                                                                                                                                                                            | Prerequisites
-------- |------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------| -------------
-[Disallowed roles policy](./AC-Access-Control/policy-roles-no-wildcards.yaml) | Use the disallowed roles policy to make sure no pods are being granted full access in violation of least privilege.                                                                                                    | Check [Using RBAC Authorization](https://kubernetes.io/docs/reference/access-authn-authz/rbac/) to learn more about Kubernetes RBAC authorization.
-[Disallowed anonymous authentication](./AC-Access-Control/policy-gatekeeper-disallow-anonymous.yaml) | Use the disallowed anonymous authentication policy to make sure that the system:anonymous user and system:unauthenticated group are not associated with any ClusterRole / Role in the environment                      | See the [Gatekeeper documentation](https://github.com/open-policy-agent/gatekeeper). **Note**: Gatekeeper controllers must be installed to use the gatekeeper policy.
+Policy  | Description | Prerequisites
+------- |------------ | -------------
+[Disallowed roles policy](./AC-Access-Control/policy-roles-no-wildcards.yaml) | Use the disallowed roles policy to make sure no pods are being granted full access in violation of least privilege. | Check [Using RBAC Authorization](https://kubernetes.io/docs/reference/access-authn-authz/rbac/) to learn more about Kubernetes RBAC authorization.
+[Disallowed anonymous authentication](./AC-Access-Control/policy-gatekeeper-disallow-anonymous.yaml) | Use the disallowed anonymous authentication policy to make sure that the system:anonymous user and system:unauthenticated group are not associated with any ClusterRole / Role in the environment | See the [Gatekeeper documentation](https://github.com/open-policy-agent/gatekeeper). **Note**: Gatekeeper controllers must be installed to use the gatekeeper policy.
 [Limit user bindings to ClusterRole](./AC-Access-Control/policy-gatekeeper-limitclusteradmin.yaml) | This Gatekeeper Policy is intended to match the behavior of the deprecated ACM IAMPolicy Controller.  It will allow an administrator to monitor and alert if `ClusterRoleBindings` with the specified `ClusterRole` exceed the maximum number of users.  In the case where a Group is specified in the `ClusterRoleBinding` the number of users in the group are counted.  ServiceAccounts are ignored. | See the [Gatekeeper documentation](https://github.com/open-policy-agent/gatekeeper). **Note**: The Policy makes use of sync data from the cluster to have knowledge of the existing `ClusterRoleBindings` and `Groups`.
-[Configure RBAC for Application workloads ](./AC-Access-Control/policy-configure-appworkloads-rbac-sample.yaml) | Use this policy to configure a role based access control model for application workloads running on managed-clusters. This is a sample policy.                                                                         | This sample policy must be modified for your environment. Check [Using RBAC Authorization](https://kubernetes.io/docs/reference/access-authn-authz/rbac/) to learn more about Kubernetes RBAC authorization.
-[Configure RBAC for Administering  policies ](./AC-Access-Control/policy-rbac-adminiterpolicies-sample.yaml) | Use this policy to configure a role based access control model on the hub for administering policies in a multi team environment.                                                                                      | Check [Using RBAC Authorization](https://kubernetes.io/docs/reference/access-authn-authz/rbac/) to learn more about Kubernetes RBAC authorization.
+[Configure RBAC for Application workloads ](./AC-Access-Control/policy-configure-appworkloads-rbac-sample.yaml) | Use this policy to configure a role based access control model for application workloads running on managed-clusters. This is a sample policy. | This sample policy must be modified for your environment. Check [Using RBAC Authorization](https://kubernetes.io/docs/reference/access-authn-authz/rbac/) to learn more about Kubernetes RBAC authorization.
+[Configure RBAC for Administering  policies ](./AC-Access-Control/policy-rbac-adminiterpolicies-sample.yaml) | Use this policy to configure a role based access control model on the hub for administering policies in a multi team environment. | Check [Using RBAC Authorization](https://kubernetes.io/docs/reference/access-authn-authz/rbac/) to learn more about Kubernetes RBAC authorization.
 [Configure RBAC using groups in openshift for hub and managed clusters using admin and view-only roles ](./AC-Access-Control/policy-configure-clusterlevel-rbac.yaml) | Use this policy to configure a role based access control model on the hub to have a view-only access to desired managed clusters along with admin access to hub cluster based on groups to which the users belongs to. |  This sample policy must be modified for your environment, Check [Using RBAC Authorization](https://kubernetes.io/docs/reference/access-authn-authz/rbac/)  to learn more about Kubernetes RBAC authorization.
+[Configure RBAC for standalone hub templates](./AC-Access-Control/policy-standalone-hubtemplate-config.yaml) | Use this policy to enable the standalone-hub-templating feature on a managed cluster, and configure additional access for hub templates resolved directly on that managed cluster. | Community version v0.15.0 (packaged in RHACM 2.13) or above.
 
 ### Awareness and Training