From ee4d9758408ad51eebf15430f3f6907695dc8a7c Mon Sep 17 00:00:00 2001 From: Justin Kulikauskas Date: Fri, 6 Sep 2024 15:01:38 -0400 Subject: [PATCH] Add policy for ArgoCD healthcheck configuration Refs: - https://issues.redhat.com/browse/ACM-13094 Signed-off-by: Justin Kulikauskas --- stable/CM-Configuration-Management/README.md | 1 + .../argocd-policy-healthchecks.yaml | 162 ++++++++++++++++++ stable/README.md | 1 + 3 files changed, 164 insertions(+) create mode 100644 stable/CM-Configuration-Management/argocd-policy-healthchecks.yaml diff --git a/stable/CM-Configuration-Management/README.md b/stable/CM-Configuration-Management/README.md index d98d1355..384541aa 100644 --- a/stable/CM-Configuration-Management/README.md +++ b/stable/CM-Configuration-Management/README.md @@ -10,5 +10,6 @@ Policy | Description | Prerequisites [policy-pod](../CM-Configuration-Management/policy-pod.yaml) | Ensures that a pod exists as specified. | [policy-zts-cmc](../CM-Configuration-Management/policy-zts-cmc.yaml) | This example deploys a replica of \`zts-cmc-deployment\`. | See the [Zettaset README.stable(https://github.com/zettaset/zettaset-public/) to learn more about Zettaset CMC Deployment. [Scan your cluster with the OpenShift CIS security profile](../CM-Configuration-Management/policy-compliance-operator-cis-scan.yaml) | This example creates a ScanSettingBinding that the ComplianceOperator uses to scan the cluster for compliance with the OpenShift CIS benchmark. | See the [Compliance Operator repository](https://github.com/openshift/compliance-operator) to learn more about the operator. **Note**: The Compliance Operator must be installed to use this policy. See the [Compliance operator policy](../CA-Security-Assessment-and-Authorization/policy-compliance-operator-install.yaml) to install the Compliance Operator with a policy. +[Configure ArgoCD instances with Policy healthchecks](../CM-Configuration-Management/argocd-policy-healthchecks.yaml) | This policy configures healthchecks for open-cluster-management-io Policy kinds on any ArgoCD instances found on the cluster. | See the [Red Hat OpenShift GitOps documentation](https://docs.openshift.com/gitops/) for more information about this operator. | You can contribute more policies that map to the Configuration Management catalog. See [Contibuting policies](https://github.com/open-cluster-management-io/policy-collection/blob/main/docs/CONTRIBUTING.md) for more details. diff --git a/stable/CM-Configuration-Management/argocd-policy-healthchecks.yaml b/stable/CM-Configuration-Management/argocd-policy-healthchecks.yaml new file mode 100644 index 00000000..baec386e --- /dev/null +++ b/stable/CM-Configuration-Management/argocd-policy-healthchecks.yaml @@ -0,0 +1,162 @@ +apiVersion: policy.open-cluster-management.io/v1 +kind: Policy +metadata: + name: argocd-policy-healthchecks + annotations: + policy.open-cluster-management.io/standards: NIST SP 800-53 + policy.open-cluster-management.io/categories: CM Configuration Management + policy.open-cluster-management.io/controls: CM-2 Baseline Configuration + policy.open-cluster-management.io/description: >- + This policy configures healthchecks for open-cluster-management-io Policy kinds on any ArgoCD + instances found on the cluster. +spec: + remediationAction: inform + disabled: false + policy-templates: + - objectDefinition: + apiVersion: policy.open-cluster-management.io/v1 + kind: ConfigurationPolicy + metadata: + name: config-argocd-policy-healthchecks + spec: + severity: medium + # Apply the healthcheck configuration to all ArgoCD instances that are + # found - this helps it to work on different environments, and ensures + # that the configuration is not applied before the GitOps operator + # creates the initial instance. + object-templates-raw: | + {{- range (lookup "argoproj.io/v1beta1" "ArgoCD" "" "").items }} + - complianceType: musthave + objectDefinition: + apiVersion: argoproj.io/v1beta1 + kind: ArgoCD + metadata: + name: {{ .metadata.name }} + namespace: {{ .metadata.namespace }} + spec: + resourceHealthChecks: + - group: policy.open-cluster-management.io + kind: CertificatePolicy + check: | + hs = {} + if obj.status == nil or obj.status.compliant == nil then + hs.status = "Progressing" + hs.message = "Waiting for the status to be reported" + return hs + end + if obj.status.compliant == "Compliant" then + hs.status = "Healthy" + hs.message = "All certificates found comply with the policy" + return hs + else + hs.status = "Degraded" + hs.message = "At least once certificate does not comply with the policy" + return hs + end + - group: policy.open-cluster-management.io + kind: ConfigurationPolicy + check: | + hs = {} + if obj.status == nil or obj.status.compliant == nil then + hs.status = "Progressing" + hs.message = "Waiting for the status to be reported" + return hs + end + if obj.status.lastEvaluatedGeneration ~= obj.metadata.generation then + hs.status = "Progressing" + hs.message = "Waiting for the status to be updated" + return hs + end + if obj.status.compliant == "Compliant" then + hs.status = "Healthy" + else + hs.status = "Degraded" + end + if obj.status.compliancyDetails ~= nil then + messages = {} + for i, compliancy in ipairs(obj.status.compliancyDetails) do + if compliancy.conditions ~= nil then + for i, condition in ipairs(compliancy.conditions) do + if condition.message ~= nil and condition.type ~= nil then + table.insert(messages, condition.type .. " - " .. condition.message) + end + end + end + end + hs.message = table.concat(messages, "; ") + return hs + end + hs.status = "Progressing" + hs.message = "Waiting for compliance" + return hs + - group: policy.open-cluster-management.io + kind: OperatorPolicy + check: | + hs = {} + if obj.status == nil or obj.status.conditions == nil then + hs.status = "Progressing" + hs.message = "Waiting for the status to be reported" + return hs + end + if obj.status.observedGeneration ~= nil and obj.status.observedGeneration ~= obj.metadata.generation then + hs.status = "Progressing" + hs.message = "Waiting for the status to be updated" + return hs + end + for i, condition in ipairs(obj.status.conditions) do + if condition.type == "Compliant" then + hs.message = condition.message + if condition.status == "True" then + hs.status = "Healthy" + return hs + else + hs.status = "Degraded" + return hs + end + end + end + hs.status = "Progressing" + hs.message = "Waiting for the compliance condition" + return hs + - group: policy.open-cluster-management.io + kind: Policy + check: | + hs = {} + if obj.status == nil or obj.status.compliant == nil then + hs.status = "Progressing" + hs.message = "Waiting for the status to be reported" + return hs + end + if obj.status.compliant == "Compliant" then + hs.status = "Healthy" + else + hs.status = "Degraded" + end + noncompliants = {} + if obj.status.status ~= nil then + -- "root" policy + for i, entry in ipairs(obj.status.status) do + if entry.compliant ~= "Compliant" then + noncompliants[i] = entry.clustername + end + end + if table.getn(noncompliants) == 0 then + hs.message = "All clusters are compliant" + else + hs.message = "NonCompliant clusters: " .. table.concat(noncompliants, ", ") + end + elseif obj.status.details ~= nil then + -- "replicated" policy + for i, entry in ipairs(obj.status.details) do + if entry.compliant ~= "Compliant" then + noncompliants[i] = entry.templateMeta.name + end + end + if table.getn(noncompliants) == 0 then + hs.message = "All templates are compliant" + else + hs.message = "NonCompliant templates: " .. table.concat(noncompliants, ", ") + end + end + return hs + {{- end }} diff --git a/stable/README.md b/stable/README.md index 65bbdb77..2d7dfac5 100644 --- a/stable/README.md +++ b/stable/README.md @@ -54,6 +54,7 @@ Policy | Description | Prerequisites [policy-pod](./CM-Configuration-Management/policy-pod.yaml) | Ensures that a pod exists as specified. | [policy-zts-cmc](./CM-Configuration-Management/policy-zts-cmc.yaml) | This example deploys a replica of \`zts-cmc-deployment\`. | See the [Zettaset README.stable](https://github.com/zettaset/zettaset-public/) to learn more about Zettaset CMC Deployment. [Scan your cluster with the OpenShift CIS security profile](./CM-Configuration-Management/policy-compliance-operator-cis-scan.yaml) | This example creates a ScanSettingBinding that the ComplianceOperator uses to scan the cluster for compliance with the OpenShift CIS benchmark. | See the [Compliance Operator repository](https://github.com/openshift/compliance-operator) to learn more about the operator. **Note**: The Compliance Operator must be installed to use this policy. See the [Compliance operator policy](./CA-Security-Assessment-and-Authorization/policy-compliance-operator-install.yaml) to install the Compliance Operator with a policy. +[Configure ArgoCD instances with Policy healthchecks](./CM-Configuration-Management/argocd-policy-healthchecks.yaml) | This policy configures healthchecks for open-cluster-management-io Policy kinds on any ArgoCD instances found on the cluster. | See the [Red Hat OpenShift GitOps documentation](https://docs.openshift.com/gitops/) for more information about this operator. | ### Contingency Planning