
openid
showeimer committed May 1, 2024
1 parent feb6011 commit 5342409
Showing 1 changed file with 110 additions and 0 deletions.
110 changes: 110 additions & 0 deletions community/CM-Configuration-Management/policy-oauth-openid.yaml
@@ -0,0 +1,110 @@
# This policy configures the OAuth for using a supported OpenID Connect (OIDC) provider.
# This uses Azure Active Directory as an example OIDC identity provider
# For more information on configuring the OAuth server, consult the OpenShift documentation:
# https://docs.openshift.com/container-platform/4.15/authentication/identity_providers/configuring-oidc-identity-provider.html
apiVersion: policy.open-cluster-management.io/v1
kind: Policy
metadata:
name: policy-oauth-openid
annotations:
policy.open-cluster-management.io/categories: CM Configuration Management, AC Access Control
policy.open-cluster-management.io/controls: AC-3 Access Enforcement
policy.open-cluster-management.io/standards: NIST SP 800-53
spec:
disabled: false
policy-templates:
# Create a secret that stores the OIDC client secret
# clientSecret: <base64_encoded_client_secret>
- objectDefinition:
apiVersion: policy.open-cluster-management.io/v1
kind: ConfigurationPolicy
metadata:
name: openid-client-secret-azuread
spec:
object-templates:
- complianceType: mustonlyhave
objectDefinition:
apiVersion: v1
kind: Secret
metadata:
name: openid-client-secret-azuread
namespace: openshift-config
type: Opaque
data:
clientSecret: <base64_encoded_client_secret>
pruneObjectBehavior: DeleteIfCreated
remediationAction: inform
severity: high
# Configure the OAuth for using OIDC as the identity provider
- objectDefinition:
apiVersion: policy.open-cluster-management.io/v1
kind: ConfigurationPolicy
metadata:
name: policy-oauth
spec:
object-templates:
- complianceType: musthave
objectDefinition:
apiVersion: config.openshift.io/v1
kind: OAuth
metadata:
name: cluster
spec:
identityProviders:
- name: AAD
mappingMethod: claim
type: OpenID
openID:
clientID: xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx
clientSecret:
name: openid-client-secret-azuread
extraScopes:
- email
- profile
extraAuthorizeParameters:
include_granted_scopes: "true"
claims:
preferredUsername:
- email
- upn
name:
- name
email:
- email
issuer: https://login.microsoftonline.com/xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx
pruneObjectBehavior: DeleteIfCreated
remediationAction: inform
severity: high
remediationAction: inform
---
apiVersion: cluster.open-cluster-management.io/v1beta1
kind: Placement
metadata:
name: policy-oauth-openid
spec:
tolerations:
- key: cluster.open-cluster-management.io/unreachable
operator: Exists
- key: cluster.open-cluster-management.io/unavailable
operator: Exists
predicates:
- requiredClusterSelector:
labelSelector:
matchExpressions:
- key: vendor
operator: In
values:
- OpenShift
---
apiVersion: policy.open-cluster-management.io/v1
kind: PlacementBinding
metadata:
name: policy-oauth-openid
placementRef:
name: policy-oauth-openid
apiGroup: cluster.open-cluster-management.io
kind: Placement
subjects:
- name: policy-oauth-openid
apiGroup: policy.open-cluster-management.io
kind: Policy
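Review bot: The Secret template at `clientSecret: <base64_encoded_client_secret>` asks the user to paste the base64 value directly into a policy that is itself committed to Git, so once the placeholder is filled in the OIDC client secret lives in the repository. Consider sourcing it from a hub-side Secret with a hub template instead, e.g. `clientSecret: '{{hub fromSecret "<hub-namespace>" "<hub-secret-name>" "clientSecret" hub}}'`, and add a comment above the template saying that Secret must be pre-created on the hub and kept out of version control. The `issuer` at `https://login.microsoftonline.com/<tenant>` must match the `iss` claim of issued tokens exactly and should be checked against the provider's discovery document; as I understand it the Azure AD v2.0 endpoint reports its issuer with a `/v2.0` suffix, so a comment stating which endpoint version this example targets would save debugging. Using `email` and `upn` for `preferredUsername` also deserves a comment that these are mutable account attributes rather than stable identifiers, so provisioned user names can change when the account's mail or UPN changes.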
