Apply labels in patch for openshift-logging
This change is related to the following bug:
- https://issues.redhat.com/browse/OSD-25576

Signed-off-by: Petr Kotas <[email protected]>
petrkotas committed Nov 15, 2024
1 parent 5c803b3 commit d55fb6f
Showing 27 changed files with 1,485 additions and 458 deletions.
156 changes: 127 additions & 29 deletions deploy/acm-policies/50-GENERATED-osd-logging-unsupported.Policy.yaml
Expand Up @@ -21,67 +21,165 @@ spec:
compliant: 2h
noncompliant: 45s
object-templates:
- complianceType: mustonlyhave
metadataComplianceType: musthave
objectDefinition:
apiVersion: v1
applyMode: AlwaysApply
kind: Namespace
name: openshift-logging
patch: |-
{
"annotations": {
"openshift.io/node-selector": ""
},
"labels": {
"openshift.io/cluster-logging": "true"
}
}
patchType: merge
- complianceType: mustonlyhave
metadataComplianceType: musthave
objectDefinition:
apiVersion: v1
kind: Namespace
metadata:
annotations:
openshift.io/node-selector: ""
labels:
openshift.io/cluster-logging: "true"
name: openshift-logging
- complianceType: mustonlyhave
metadataComplianceType: musthave
objectDefinition:
apiVersion: rbac.authorization.k8s.io/v1
applyMode: AlwaysApply
kind: Role
name: dedicated-admins-openshift-logging
namespace: openshift-logging
patch: '{"rules":[{"apiGroups":[""],"resources":["events","namespaces","persistentvolumeclaims","persistentvolumes","pods","pods/log"],"verbs":["list","get","watch"]},{"apiGroups":[""],"resources":["secrets"],"verbs":["*"]},{"apiGroups":["logging.openshift.io"],"resources":["clusterloggings"],"verbs":["create","delete","deletecollection","get","list","patch","update","watch"]},{"apiGroups":["operators.coreos.com"],"resources":["subscriptions","clusterserviceversions"],"verbs":["*"]},{"apiGroups":["operators.coreos.com"],"resources":["installplans"],"verbs":["update"]},{"apiGroups":[""],"resources":["persistentvolumeclaims"],"verbs":["*"]},{"apiGroups":["apps","extensions"],"resources":["daemonsets"],"verbs":["get","list","patch","update","watch"]}]}'
patchType: merge
metadata:
name: dedicated-admins-openshift-logging
namespace: openshift-logging
rules:
- apiGroups:
- ""
resources:
- events
- namespaces
- persistentvolumeclaims
- persistentvolumes
- pods
- pods/log
verbs:
- list
- get
- watch
- apiGroups:
- ""
resources:
- secrets
verbs:
- '*'
- apiGroups:
- logging.openshift.io
resources:
- clusterloggings
verbs:
- create
- delete
- deletecollection
- get
- list
- patch
- update
- watch
- apiGroups:
- operators.coreos.com
resources:
- subscriptions
- clusterserviceversions
verbs:
- '*'
- apiGroups:
- operators.coreos.com
resources:
- installplans
verbs:
- update
- apiGroups:
- ""
resources:
- persistentvolumeclaims
verbs:
- '*'
- apiGroups:
- apps
- extensions
resources:
- daemonsets
verbs:
- get
- list
- patch
- update
- watch
- complianceType: mustonlyhave
metadataComplianceType: musthave
objectDefinition:
apiVersion: rbac.authorization.k8s.io/v1
applyMode: AlwaysApply
kind: RoleBinding
name: admin-dedicated-admins
namespace: openshift-logging
patch: '{"roleRef":{"apiGroup":"rbac.authorization.k8s.io","kind":"ClusterRole","name":"admin"},"subjects":[{"apiGroup":"rbac.authorization.k8s.io","kind":"Group","name":"dedicated-admins"}]}'
patchType: merge
metadata:
name: admin-dedicated-admins
namespace: openshift-logging
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: ClusterRole
name: admin
subjects:
- apiGroup: rbac.authorization.k8s.io
kind: Group
name: dedicated-admins
- complianceType: mustonlyhave
metadataComplianceType: musthave
objectDefinition:
apiVersion: rbac.authorization.k8s.io/v1
applyMode: AlwaysApply
kind: RoleBinding
name: admin-system:serviceaccounts:dedicated-admin
namespace: openshift-logging
patch: '{"roleRef":{"apiGroup":"rbac.authorization.k8s.io","kind":"ClusterRole","name":"admin"},"subjects":[{"apiGroup":"rbac.authorization.k8s.io","kind":"Group"}]}'
patchType: merge
metadata:
name: admin-system:serviceaccounts:dedicated-admin
namespace: openshift-logging
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: ClusterRole
name: admin
subjects:
- apiGroup: rbac.authorization.k8s.io
kind: Group
name: system:serviceaccounts:dedicated-admin
- complianceType: mustonlyhave
metadataComplianceType: musthave
objectDefinition:
apiVersion: rbac.authorization.k8s.io/v1
applyMode: AlwaysApply
kind: RoleBinding
name: openshift-logging-dedicated-admins
namespace: openshift-logging
patch: '{"roleRef":{"apiGroup":"rbac.authorization.k8s.io","kind":"ClusterRole","name":"dedicated-admins-project"},"subjects":[{"apiGroup":"rbac.authorization.k8s.io","kind":"Group","name":"dedicated-admins"}]}'
patchType: merge
metadata:
name: openshift-logging-dedicated-admins
namespace: openshift-logging
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: ClusterRole
name: dedicated-admins-project
subjects:
- apiGroup: rbac.authorization.k8s.io
kind: Group
name: dedicated-admins
- complianceType: mustonlyhave
metadataComplianceType: musthave
objectDefinition:
apiVersion: rbac.authorization.k8s.io/v1
applyMode: AlwaysApply
kind: RoleBinding
name: openshift-logging:serviceaccounts:dedicated-admin
namespace: openshift-logging
patch: '{"roleRef":{"apiGroup":"rbac.authorization.k8s.io","kind":"ClusterRole","name":"dedicated-admins-project"},"subjects":[{"apiGroup":"rbac.authorization.k8s.io","kind":"Group","name":"system:serviceaccounts:dedicated-admin"}]}'
patchType: merge
metadata:
name: openshift-logging:serviceaccounts:dedicated-admin
namespace: openshift-logging
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: ClusterRole
name: dedicated-admins-project
subjects:
- apiGroup: rbac.authorization.k8s.io
kind: Group
name: system:serviceaccounts:dedicated-admin
pruneObjectBehavior: DeleteIfCreated
remediationAction: enforce
severity: low
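--- a/deploy/osd-logging/00-namespace.patch.yaml
+++ b/deploy/osd-logging/00-namespace.patch.yaml
@@ -0,0 +1,17 @@
+apiVersion: v1
+kind: Namespace
+name: openshift-logging
+applyMode: AlwaysApply
+patchType: merge
+patch: |-
+{
+"annotations": {
+"openshift.io/node-selector": ""
+},
+"labels": {
+"managed.openshift.io/service-lb-quota-exempt": "true"
+"managed.openshift.io/storage-pv-quota-exempt": "true"
+"openshift.io/cluster-logging": "true"
+"openshift.io/cluster-monitoring": 'true'
+}
+}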
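Review bot: The `patch` body in the new 00-namespace.patch.yaml is not valid JSON: the first three entries under `"labels"` have no trailing comma and the last value is written as `'true'` with single quotes, so a `patchType: merge` patch would likely be rejected on every `AlwaysApply` pass and none of the labels would land. Add a comma after each of the first three label lines and write the last one as `"openshift.io/cluster-monitoring": "true"`. Separately, `"annotations"` and `"labels"` sit at the top level of the patch rather than under a `"metadata"` key, which is where a Namespace keeps them; if the patch is applied to the object root as written it would not set the namespace's labels, and the same shape appears in deploy/osd-logging/unsupported/00-namespace.patch.yaml. Parsing every `patch:` value as JSON at generation time would catch the first problem before it reaches a cluster.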
8 changes: 1 addition & 7 deletions deploy/osd-logging/00-namespace.yaml
Expand Up @@ -2,10 +2,4 @@ apiVersion: v1
kind: Namespace
metadata:
name: openshift-logging
annotations:
openshift.io/node-selector: ""
labels:
managed.openshift.io/service-lb-quota-exempt: "true"
managed.openshift.io/storage-pv-quota-exempt: "true"
openshift.io/cluster-logging: "true"
openshift.io/cluster-monitoring: 'true'

7 changes: 0 additions & 7 deletions deploy/osd-logging/01-operatorgroup.patch.yaml

This file was deleted.

File renamed without changes.
7 changes: 0 additions & 7 deletions deploy/osd-logging/02-curator.configmap.patch.yaml

This file was deleted.

2 changes: 2 additions & 0 deletions deploy/osd-logging/config.yaml
Expand Up @@ -3,6 +3,8 @@ selectorSyncSet:
# if this config no longer applies, don't delete the resources
resourceApplyMode: "Upsert"

applyBehavior: "CreateOnly"

matchExpressions:
# Enable in-cluster logging alerts for those clusters that already have logging installed
# https://issues.redhat.com/browse/OSD-7564
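Review bot: `applyBehavior: "CreateOnly"` is added without a comment, and the existing comment above `resourceApplyMode` only covers removal, so a reader cannot tell that resources delivered by this SelectorSyncSet are now created once and, as I understand Hive's CreateOnly, not updated afterwards. That matters for the Role and RoleBinding objects whose `.patch.yaml` files this commit deletes under supported/ and unsupported/: if they are delivered through a CreateOnly config, later in-cluster edits to those RBAC objects would no longer be reverted. I would add above the new line something like `# CreateOnly: create resources once and never overwrite them; namespace labels are kept current by 00-namespace.patch.yaml (applyMode: AlwaysApply)`, and confirm that leaving RBAC drift uncorrected is intended. The same addition in deploy/osd-logging/unsupported/config.yaml needs the same comment; the `selectorSyncSet` mapping starts and continues outside both hunks.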
7 changes: 0 additions & 7 deletions deploy/osd-logging/supported/03-storage-quota.patch.yaml

This file was deleted.

7 changes: 0 additions & 7 deletions deploy/osd-logging/supported/05-role.patch.yaml

This file was deleted.

File renamed without changes.
7 changes: 0 additions & 7 deletions deploy/osd-logging/supported/06-rolebinding.patch.yaml

This file was deleted.

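--- a/deploy/osd-logging/unsupported/00-namespace.patch.yaml
+++ b/deploy/osd-logging/unsupported/00-namespace.patch.yaml
@@ -0,0 +1,14 @@
+apiVersion: v1
+kind: Namespace
+name: openshift-logging
+applyMode: AlwaysApply
+patchType: merge
+patch: |-
+{
+"annotations": {
+"openshift.io/node-selector": ""
+},
+"labels": {
+"openshift.io/cluster-logging": "true"
+}
+}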
5 changes: 1 addition & 4 deletions deploy/osd-logging/unsupported/00-namespace.yaml
Expand Up @@ -2,7 +2,4 @@ apiVersion: v1
kind: Namespace
metadata:
name: openshift-logging
annotations:
openshift.io/node-selector: ""
labels:
openshift.io/cluster-logging: "true"

7 changes: 0 additions & 7 deletions deploy/osd-logging/unsupported/05-role.patch.yaml

This file was deleted.

File renamed without changes.
7 changes: 0 additions & 7 deletions deploy/osd-logging/unsupported/0601-rolebinding.patch.yaml

This file was deleted.

7 changes: 0 additions & 7 deletions deploy/osd-logging/unsupported/0602-rolebinding.patch.yaml

This file was deleted.

7 changes: 0 additions & 7 deletions deploy/osd-logging/unsupported/0603-rolebinding.patch.yaml

This file was deleted.

7 changes: 0 additions & 7 deletions deploy/osd-logging/unsupported/0604-rolebinding.patch.yaml

This file was deleted.

3 changes: 3 additions & 0 deletions deploy/osd-logging/unsupported/config.yaml
Expand Up @@ -2,6 +2,9 @@ deploymentMode: "SelectorSyncSet"
selectorSyncSet:
# if we ever remove this, do not remove the resources
resourceApplyMode: "Upsert"

applyBehavior: "CreateOnly"

matchExpressions:
# Disable in-cluster logging alerts for those clusters that do not already have logging installed
# We removed the version check because that would conflict with this check here for clusters that