diff --git a/community/CM-Configuration-Management/policy-integrity-shield.yaml b/community/CM-Configuration-Management/policy-integrity-shield.yaml
index 326d98115..2a1df9648 100644
--- a/community/CM-Configuration-Management/policy-integrity-shield.yaml
+++ b/community/CM-Configuration-Management/policy-integrity-shield.yaml
@@ -627,7 +627,6 @@ spec: kinds: - ConfigurationPolicy - CertificatePolicy - - IamPolicy namespaceSelector: matchExpressions: - key: policy.open-cluster-management.io/isClusterNamespace
diff --git a/policygenerator/policy-sets/community/ocp-best-practices/input-admin/policy-limitclusteradmin.yaml b/policygenerator/policy-sets/community/ocp-best-practices/input-admin/policy-limitclusteradmin.yaml
deleted file mode 100644
index 91d06b1f9..000000000
--- a/policygenerator/policy-sets/community/ocp-best-practices/input-admin/policy-limitclusteradmin.yaml
+++ /dev/null
@@ -1,21 +0,0 @@
-apiVersion: policy.open-cluster-management.io/v1
-kind: Policy
-metadata:
- name: policy-limitclusteradmin
- annotations:
- policy.open-cluster-management.io/standards: NIST SP 800-53
- policy.open-cluster-management.io/categories: AC Access Control
- policy.open-cluster-management.io/controls: AC-3 Access Enforcement
-spec:
- remediationAction: inform
- disabled: false
- policy-templates:
- - objectDefinition:
- apiVersion: policy.open-cluster-management.io/v1
- kind: IamPolicy # limit clusteradminrole and report violation
- metadata:
- name: policy-limitclusteradmin-example
- spec:
- severity: medium
- remediationAction: inform # the policy-template spec.remediationAction is overridden by the preceding parameter value for spec.remediationAction.
- maxClusterRoleBindingUsers: 5
diff --git a/policygenerator/policy-sets/community/ocp-best-practices/policyGenerator.yaml b/policygenerator/policy-sets/community/ocp-best-practices/policyGenerator.yaml
index 68626afa9..2891e753b 100644
--- a/policygenerator/policy-sets/community/ocp-best-practices/policyGenerator.yaml
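Review bot: Dropping IamPolicy from the `kinds:` list at line 627 leaves nothing in this constraint's scope that enforces a cluster-admin limit, and the same commit deletes both policy-limitclusteradmin samples without a replacement, so the AC-3 "limit cluster administrators" control is no longer covered by any shipped policy. Presumably the IamPolicy kind is being retired by the controller, but that reason is not stated anywhere in the diff; a comment above the list such as `# IamPolicy kind removed; cluster-admin limiting needs a ConfigurationPolicy replacement` would record it for the next reader. A ConfigurationPolicy over `ClusterRoleBinding` objects whose `roleRef.name` is `cluster-admin` can at least report unexpected subjects, even if the old `maxClusterRoleBindingUsers` count semantics cannot be reproduced exactly. The enclosing `spec:` block starts well before line 627 and its end is outside the hunk.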
+++ b/policygenerator/policy-sets/community/ocp-best-practices/policyGenerator.yaml
@@ -17,9 +17,6 @@ policyDefaults: standards: - NIST SP 800-53 policies: -#- name: policy-limitclusteradmin # iam policy not supported by the generator -# manifests: -# - path: input-admin/policy-limitclusteradmin.yaml - name: policy-remove-kubeadmin categories: - SC System and Communications Protection
diff --git a/stable/AC-Access-Control/README.md b/stable/AC-Access-Control/README.md
index 3acdfb7df..ffa9129e0 100644
--- a/stable/AC-Access-Control/README.md
+++ b/stable/AC-Access-Control/README.md
@@ -4,7 +4,6 @@ See [Security and Privacy Controls for Information Systems and Organizations, Re Policy | Description | Prerequisites ------- | ----------- | ------------- -[policy-limitclusteradmin](../AC-Access-Control/policy-limitclusteradmin.yaml) | Limit the number of cluster administrator for Openshift users. | [policy-role](../AC-Access-Control/policy-role.yaml) | Ensures that a role exists with permissions as specified. | [policy-rolebinding](../AC-Access-Control/policy-rolebinding.yaml) | Ensures that an entity is bound to a particular role. |
diff --git a/stable/AC-Access-Control/policy-limitclusteradmin.yaml b/stable/AC-Access-Control/policy-limitclusteradmin.yaml
deleted file mode 100644
index 6721875e7..000000000
--- a/stable/AC-Access-Control/policy-limitclusteradmin.yaml
+++ /dev/null
@@ -1,43 +0,0 @@
-apiVersion: policy.open-cluster-management.io/v1
-kind: Policy
-metadata:
- name: policy-limitclusteradmin
- annotations:
- policy.open-cluster-management.io/standards: NIST SP 800-53
- policy.open-cluster-management.io/categories: AC Access Control
- policy.open-cluster-management.io/controls: AC-3 Access Enforcement
-spec:
- remediationAction: inform
- disabled: false
- policy-templates:
- - objectDefinition:
- apiVersion: policy.open-cluster-management.io/v1
- kind: IamPolicy # limit clusteradminrole and report violation
- metadata:
- name: policy-limitclusteradmin-example
- spec:
- severity: medium
- remediationAction: inform # the policy-template spec.remediationAction is overridden by the preceding parameter value for spec.remediationAction.
- maxClusterRoleBindingUsers: 5
----
-apiVersion: policy.open-cluster-management.io/v1
-kind: PlacementBinding
-metadata:
- name: binding-policy-limitclusteradmin
-placementRef:
- name: placement-policy-limitclusteradmin
- kind: PlacementRule
- apiGroup: apps.open-cluster-management.io
-subjects:
- - name: policy-limitclusteradmin
- kind: Policy
- apiGroup: policy.open-cluster-management.io
----
-apiVersion: apps.open-cluster-management.io/v1
-kind: PlacementRule
-metadata:
- name: placement-policy-limitclusteradmin
-spec:
- clusterSelector:
- matchExpressions:
- - {key: environment, operator: In, values: ["dev"]}
diff --git a/stable/README.md b/stable/README.md
index 0887bd1fb..50dedf2d0 100644
--- a/stable/README.md
+++ b/stable/README.md
@@ -25,7 +25,6 @@ Policies in this folder are organized by [NIST Special Publication 800-53](https ### Access Control Policy | Description | Prerequisites ------- | ----------- | ------------- -[policy-limitclusteradmin](./AC-Access-Control/policy-limitclusteradmin.yaml) | Limits the number of cluster administrator Openshift users. | [policy-role](./AC-Access-Control/policy-role.yaml) | Ensures that a role exists with permissions as specified. | [policy-rolebinding](./AC-Access-Control/policy-rolebinding.yaml) | Ensures that an entity is bound to a particular role. |