diff --git a/community/CM-Configuration-Management/acm-app-pv-backup/resources/policies/oadp-hdr-app-backup.yaml b/community/CM-Configuration-Management/acm-app-pv-backup/resources/policies/oadp-hdr-app-backup.yaml index 76701b5f..35b3d5e0 100644 --- a/community/CM-Configuration-Management/acm-app-pv-backup/resources/policies/oadp-hdr-app-backup.yaml +++ b/community/CM-Configuration-Management/acm-app-pv-backup/resources/policies/oadp-hdr-app-backup.yaml @@ -78,15 +78,21 @@ spec: {{hub end hub}} remediationAction: inform severity: high + customMessage: + compliant: | + The schedule {{hub with $configMap := (lookup "v1" "ConfigMap" "" "hdr-app-configmap") hub}} {{hub $configMap.data.backupPrefix hub}}-{{hub $configMap.data.backupVolumeSnapshotLocation hub}}- phase is not FailedValidation.{{hub end hub}} + noncompliant: | + The schedule {{hub with $configMap := (lookup "v1" "ConfigMap" "" "hdr-app-configmap") hub}} {{hub $configMap.data.backupPrefix hub}}-{{hub $configMap.data.backupVolumeSnapshotLocation hub}}- phase is FailedValidation. {{hub end hub}} + - objectDefinition: apiVersion: policy.open-cluster-management.io/v1 kind: ConfigurationPolicy metadata: - name: check-backup-completed + name: check-backup-error spec: object-templates-raw: | {{hub with $configMap := (lookup "v1" "ConfigMap" "" "hdr-app-configmap") hub}} - - complianceType: musthave + - complianceType: mustnothave objectDefinition: apiVersion: velero.io/v1 kind: Backup 
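Review bot: The schedule name rendered in the new `customMessage` strings stops at `<backupPrefix>-<backupVolumeSnapshotLocation>-` with a dangling hyphen, while the `lookup` in the `startTimestamp` lines names the Schedule with `.ManagedClusterName` appended. The same fragment is repeated in the messages added by the hunks at -97, -120, -143, -166 and -189. Because `with` rebinds `.`, the cluster name has to follow the `end`, as the lookup line already does: `{{hub $configMap.data.backupVolumeSnapshotLocation hub}}{{hub end hub}}-{{hub .ManagedClusterName hub}} phase is FailedValidation.` Closing the `with` at that point would likely also keep the rest of the sentence when the ConfigMap lookup returns nothing, where the current form would cut the message to its first words. The policy that these first two messages belong to starts above the hunk.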
@@ -97,15 +103,21 @@ spec: cluster-id: '{{ fromClusterClaim "id.openshift.io" }}' cluster-name: '{{ fromClusterClaim "name" }}' status: - phase: Completed + phase: Error startTimestamp: '{{ (lookup "velero.io/v1" "Schedule" "{{hub $configMap.data.backupNS hub}}" "{{hub $configMap.data.backupPrefix hub}}-{{hub $configMap.data.backupVolumeSnapshotLocation hub}}{{hub end hub}}-{{hub (printf "%s" .ManagedClusterName) hub}}").status.lastBackup }}' remediationAction: inform severity: high + customMessage: + compliant: | + There is no Backup with a startTimestamp matching the schedule {{hub with $configMap := (lookup "v1" "ConfigMap" "" "hdr-app-configmap") hub}} {{hub $configMap.data.backupPrefix hub}}-{{hub $configMap.data.backupVolumeSnapshotLocation hub}}- Schedule.status.lastBackup and having an Error phase.{{hub end hub}} + noncompliant: | + The Backup with a startTimestamp matching the {{hub with $configMap := (lookup "v1" "ConfigMap" "" "hdr-app-configmap") hub}} {{hub $configMap.data.backupPrefix hub}}-{{hub $configMap.data.backupVolumeSnapshotLocation hub}}- Schedule.status.lastBackup was found and has an Error phase. {{hub end hub}} + - objectDefinition: apiVersion: policy.open-cluster-management.io/v1 kind: ConfigurationPolicy metadata: - name: check-backup-error + name: check-backup-failed-validation spec: object-templates-raw: | {{hub with $configMap := (lookup "v1" "ConfigMap" "" "hdr-app-configmap") hub}} 
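Review bot: `phase: Error` in check-backup-error may never match a real Backup. As far as I know, Velero reports a backup that fails outright as `Failed` and has no `Error` phase, so this should be confirmed against the Velero version that OADP installs. If that holds, a latest backup in `Failed` passes every `mustnothave` check in this file; use `phase: Failed` here or add a sibling policy that checks it. The policy's header (`name`, `complianceType: mustnothave`) is in the previous hunk.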
@@ -120,15 +132,21 @@ spec: cluster-id: '{{ fromClusterClaim "id.openshift.io" }}' cluster-name: '{{ fromClusterClaim "name" }}' status: - phase: Error + phase: FailedValidation startTimestamp: '{{ (lookup "velero.io/v1" "Schedule" "{{hub $configMap.data.backupNS hub}}" "{{hub $configMap.data.backupPrefix hub}}-{{hub $configMap.data.backupVolumeSnapshotLocation hub}}{{hub end hub}}-{{hub (printf "%s" .ManagedClusterName) hub}}").status.lastBackup }}' remediationAction: inform severity: high + customMessage: + compliant: | + There is no Backup with a startTimestamp matching the schedule {{hub with $configMap := (lookup "v1" "ConfigMap" "" "hdr-app-configmap") hub}} {{hub $configMap.data.backupPrefix hub}}-{{hub $configMap.data.backupVolumeSnapshotLocation hub}}- Schedule.status.lastBackup and having a FailedValidation phase.{{hub end hub}} + noncompliant: | + The Backup with a startTimestamp matching the {{hub with $configMap := (lookup "v1" "ConfigMap" "" "hdr-app-configmap") hub}} {{hub $configMap.data.backupPrefix hub}}-{{hub $configMap.data.backupVolumeSnapshotLocation hub}}- Schedule.status.lastBackup was found and has a FailedValidation phase. {{hub end hub}} + - objectDefinition: apiVersion: policy.open-cluster-management.io/v1 kind: ConfigurationPolicy metadata: - name: check-backup-failed-validation + name: check-backup-partially-failed spec: object-templates-raw: | {{hub with $configMap := (lookup "v1" "ConfigMap" "" "hdr-app-configmap") hub}} 
@@ -143,15 +161,21 @@ spec: cluster-id: '{{ fromClusterClaim "id.openshift.io" }}' cluster-name: '{{ fromClusterClaim "name" }}' status: - phase: FailedValidation + phase: PartiallyFailed startTimestamp: '{{ (lookup "velero.io/v1" "Schedule" "{{hub $configMap.data.backupNS hub}}" "{{hub $configMap.data.backupPrefix hub}}-{{hub $configMap.data.backupVolumeSnapshotLocation hub}}{{hub end hub}}-{{hub (printf "%s" .ManagedClusterName) hub}}").status.lastBackup }}' remediationAction: inform severity: high + customMessage: + compliant: | + There is no Backup with a startTimestamp matching the schedule {{hub with $configMap := (lookup "v1" "ConfigMap" "" "hdr-app-configmap") hub}} {{hub $configMap.data.backupPrefix hub}}-{{hub $configMap.data.backupVolumeSnapshotLocation hub}}- Schedule.status.lastBackup and having a PartiallyFailed phase.{{hub end hub}} + noncompliant: | + The Backup with a startTimestamp matching the {{hub with $configMap := (lookup "v1" "ConfigMap" "" "hdr-app-configmap") hub}} {{hub $configMap.data.backupPrefix hub}}-{{hub $configMap.data.backupVolumeSnapshotLocation hub}}- Schedule.status.lastBackup was found and has a PartiallyFailed phase. {{hub end hub}} + - objectDefinition: apiVersion: policy.open-cluster-management.io/v1 kind: ConfigurationPolicy metadata: - name: check-backup-partially-failed + name: check-backup-no-status spec: object-templates-raw: | {{hub with $configMap := (lookup "v1" "ConfigMap" "" "hdr-app-configmap") hub}} 
@@ -166,19 +190,25 @@ spec: cluster-id: '{{ fromClusterClaim "id.openshift.io" }}' cluster-name: '{{ fromClusterClaim "name" }}' status: - phase: PartiallyFailed + phase: '' startTimestamp: '{{ (lookup "velero.io/v1" "Schedule" "{{hub $configMap.data.backupNS hub}}" "{{hub $configMap.data.backupPrefix hub}}-{{hub $configMap.data.backupVolumeSnapshotLocation hub}}{{hub end hub}}-{{hub (printf "%s" .ManagedClusterName) hub}}").status.lastBackup }}' remediationAction: inform - severity: high + severity: low + customMessage: + compliant: | + There is no Backup with a startTimestamp matching the schedule {{hub with $configMap := (lookup "v1" "ConfigMap" "" "hdr-app-configmap") hub}} {{hub $configMap.data.backupPrefix hub}}-{{hub $configMap.data.backupVolumeSnapshotLocation hub}}- Schedule.status.lastBackup and having an empty phase.{{hub end hub}} + noncompliant: | + The Backup with a startTimestamp matching the {{hub with $configMap := (lookup "v1" "ConfigMap" "" "hdr-app-configmap") hub}} {{hub $configMap.data.backupPrefix hub}}-{{hub $configMap.data.backupVolumeSnapshotLocation hub}}- Schedule.status.lastBackup was found and has an empty state. {{hub end hub}} + - objectDefinition: apiVersion: policy.open-cluster-management.io/v1 kind: ConfigurationPolicy metadata: - name: check-backup-no-status + name: check-backup-completed spec: object-templates-raw: | {{hub with $configMap := (lookup "v1" "ConfigMap" "" "hdr-app-configmap") hub}} - - complianceType: mustnothave + - complianceType: musthave objectDefinition: apiVersion: velero.io/v1 kind: Backup 
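Review bot: The two messages for check-backup-no-status name the matched field differently, `having an empty phase` in `compliant` and `has an empty state` in `noncompliant`; use `phase` in both, since that is the key under `status`. A short comment next to `severity: low` giving the reason an unset phase rates lower than the other failure checks (for example `# phase not populated yet on a freshly created Backup`, if that is the reason) would help, because the neighbouring policies are all `high`. The policy's header is in the previous hunk.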
@@ -189,7 +219,12 @@ spec: cluster-id: '{{ fromClusterClaim "id.openshift.io" }}' cluster-name: '{{ fromClusterClaim "name" }}' status: - phase: '' - startTimestamp: '{{ (lookup "velero.io/v1" "Schedule" "{{hub $configMap.data.backupNS hub}}" "{{hub $configMap.data.backupPrefix hub}}-{{hub $configMap.data.backupVolumeSnapshotLocation hub}}{{hub end hub}}-{{hub (printf "%s" .ManagedClusterName) hub}}").status.lastBackup }}' + phase: Completed + {{hub end hub}} remediationAction: inform - severity: low + severity: high + customMessage: + compliant: | + There is at least one completed Backup generated by the {{hub with $configMap := (lookup "v1" "ConfigMap" "" "hdr-app-configmap") hub}} {{hub $configMap.data.backupPrefix hub}}-{{hub $configMap.data.backupVolumeSnapshotLocation hub}}- Schedule.{{hub end hub}} + noncompliant: | + There is no completed Backup generated by the {{hub with $configMap := (lookup "v1" "ConfigMap" "" "hdr-app-configmap") hub}} {{hub $configMap.data.backupPrefix hub}}-{{hub $configMap.data.backupVolumeSnapshotLocation hub}}- Schedule.{{hub end hub}}
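Review bot: With `startTimestamp` dropped from check-backup-completed, any `Completed` Backup carrying the two cluster labels satisfies the `musthave`, however old it is. The policy therefore stays compliant while the latest run is stuck or ends in a phase that none of the `mustnothave` policies names. If that is intended, state it on the policy, e.g. `# Matches any Completed Backup for this cluster, not the latest run; recency is only covered by the mustnothave checks.`; otherwise keep a recency condition on this check. The policy's header is in the previous hunk and its label selector starts above this one.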