From d55fb6f23e5d6e0fa42c36f5ab60f1122a39fc56 Mon Sep 17 00:00:00 2001 From: Petr Date: Fri, 8 Nov 2024 11:48:59 +0100 Subject: [PATCH] Apply labels in patch for openshift-logging This change is related to bug: - https://issues.redhat.com/browse/OSD-25576 
Signed-off-by: Petr Kotas --- ...ERATED-osd-logging-unsupported.Policy.yaml | 156 ++++- deploy/osd-logging/00-namespace.patch.yaml | 17 + deploy/osd-logging/00-namespace.yaml | 8 +- .../osd-logging/01-operatorgroup.patch.yaml | 7 - ...orgroup.yaml.bak => 01-operatorgroup.yaml} | 0 .../02-curator.configmap.patch.yaml | 7 - ...map.yaml.bak => 02-curator.configmap.yaml} | 0 deploy/osd-logging/config.yaml | 2 + .../supported/03-storage-quota.patch.yaml | 7 - ...e-quota.yaml.bak => 03-storage-quota.yaml} | 0 .../osd-logging/supported/05-role.patch.yaml | 7 - .../{05-role.yaml.bak => 05-role.yaml} | 0 .../supported/06-rolebinding.patch.yaml | 7 - ...lebinding.yaml.bak => 06-rolebinding.yaml} | 0 .../unsupported/00-namespace.patch.yaml | 14 + .../osd-logging/unsupported/00-namespace.yaml | 5 +- .../unsupported/05-role.patch.yaml | 7 - .../{05-role.yaml.bak => 05-role.yaml} | 0 ...lebinding.yaml.bak => 06-rolebinding.yaml} | 0 .../unsupported/0601-rolebinding.patch.yaml | 7 - .../unsupported/0602-rolebinding.patch.yaml | 7 - .../unsupported/0603-rolebinding.patch.yaml | 7 - .../unsupported/0604-rolebinding.patch.yaml | 7 - deploy/osd-logging/unsupported/config.yaml | 3 + ...naged-cluster-config-integration.yaml.tmpl | 556 ++++++++++++++---- ...anaged-cluster-config-production.yaml.tmpl | 556 ++++++++++++++---- ...osd-managed-cluster-config-stage.yaml.tmpl | 556 ++++++++++++++---- 27 files changed, 1485 insertions(+), 458 deletions(-) create mode 100644 deploy/osd-logging/00-namespace.patch.yaml delete mode 100644 deploy/osd-logging/01-operatorgroup.patch.yaml rename deploy/osd-logging/{01-operatorgroup.yaml.bak => 01-operatorgroup.yaml} (100%) delete mode 100644 deploy/osd-logging/02-curator.configmap.patch.yaml rename deploy/osd-logging/{02-curator.configmap.yaml.bak => 02-curator.configmap.yaml} (100%) delete mode 100644 deploy/osd-logging/supported/03-storage-quota.patch.yaml rename deploy/osd-logging/supported/{03-storage-quota.yaml.bak => 03-storage-quota.yaml} (100%) 
delete mode 100644 deploy/osd-logging/supported/05-role.patch.yaml rename deploy/osd-logging/supported/{05-role.yaml.bak => 05-role.yaml} (100%) delete mode 100644 deploy/osd-logging/supported/06-rolebinding.patch.yaml rename deploy/osd-logging/supported/{06-rolebinding.yaml.bak => 06-rolebinding.yaml} (100%) create mode 100644 deploy/osd-logging/unsupported/00-namespace.patch.yaml delete mode 100644 deploy/osd-logging/unsupported/05-role.patch.yaml rename deploy/osd-logging/unsupported/{05-role.yaml.bak => 05-role.yaml} (100%) rename deploy/osd-logging/unsupported/{06-rolebinding.yaml.bak => 06-rolebinding.yaml} (100%) delete mode 100644 deploy/osd-logging/unsupported/0601-rolebinding.patch.yaml delete mode 100644 deploy/osd-logging/unsupported/0602-rolebinding.patch.yaml delete mode 100644 deploy/osd-logging/unsupported/0603-rolebinding.patch.yaml delete mode 100644 deploy/osd-logging/unsupported/0604-rolebinding.patch.yaml diff --git a/deploy/acm-policies/50-GENERATED-osd-logging-unsupported.Policy.yaml b/deploy/acm-policies/50-GENERATED-osd-logging-unsupported.Policy.yaml index 0b0b1c003e..36e460e933 100644 --- a/deploy/acm-policies/50-GENERATED-osd-logging-unsupported.Policy.yaml +++ b/deploy/acm-policies/50-GENERATED-osd-logging-unsupported.Policy.yaml 
@@ -21,67 +21,165 @@ spec: compliant: 2h noncompliant: 45s object-templates: + - complianceType: mustonlyhave + metadataComplianceType: musthave + objectDefinition: + apiVersion: v1 + applyMode: AlwaysApply + kind: Namespace + name: openshift-logging + patch: |- + { + "annotations": { + "openshift.io/node-selector": "" + }, + "labels": { + "openshift.io/cluster-logging": "true" + } + } + patchType: merge - complianceType: mustonlyhave metadataComplianceType: musthave objectDefinition: apiVersion: v1 kind: Namespace metadata: - annotations: - openshift.io/node-selector: "" - labels: - openshift.io/cluster-logging: "true" name: openshift-logging - complianceType: mustonlyhave metadataComplianceType: musthave objectDefinition: apiVersion: rbac.authorization.k8s.io/v1 - applyMode: AlwaysApply kind: Role - name: dedicated-admins-openshift-logging - namespace: openshift-logging - patch: '{"rules":[{"apiGroups":[""],"resources":["events","namespaces","persistentvolumeclaims","persistentvolumes","pods","pods/log"],"verbs":["list","get","watch"]},{"apiGroups":[""],"resources":["secrets"],"verbs":["*"]},{"apiGroups":["logging.openshift.io"],"resources":["clusterloggings"],"verbs":["create","delete","deletecollection","get","list","patch","update","watch"]},{"apiGroups":["operators.coreos.com"],"resources":["subscriptions","clusterserviceversions"],"verbs":["*"]},{"apiGroups":["operators.coreos.com"],"resources":["installplans"],"verbs":["update"]},{"apiGroups":[""],"resources":["persistentvolumeclaims"],"verbs":["*"]},{"apiGroups":["apps","extensions"],"resources":["daemonsets"],"verbs":["get","list","patch","update","watch"]}]}' - patchType: merge + metadata: + name: dedicated-admins-openshift-logging + namespace: openshift-logging + rules: + - apiGroups: + - "" + resources: + - events + - namespaces + - persistentvolumeclaims + - persistentvolumes + - pods + - pods/log + verbs: + - list + - get + - watch + - apiGroups: + - "" + resources: + - secrets + verbs: + - '*' + - 
apiGroups: + - logging.openshift.io + resources: + - clusterloggings + verbs: + - create + - delete + - deletecollection + - get + - list + - patch + - update + - watch + - apiGroups: + - operators.coreos.com + resources: + - subscriptions + - clusterserviceversions + verbs: + - '*' + - apiGroups: + - operators.coreos.com + resources: + - installplans + verbs: + - update + - apiGroups: + - "" + resources: + - persistentvolumeclaims + verbs: + - '*' + - apiGroups: + - apps + - extensions + resources: + - daemonsets + verbs: + - get + - list + - patch + - update + - watch - complianceType: mustonlyhave metadataComplianceType: musthave objectDefinition: apiVersion: rbac.authorization.k8s.io/v1 - applyMode: AlwaysApply kind: RoleBinding - name: admin-dedicated-admins - namespace: openshift-logging - patch: '{"roleRef":{"apiGroup":"rbac.authorization.k8s.io","kind":"ClusterRole","name":"admin"},"subjects":[{"apiGroup":"rbac.authorization.k8s.io","kind":"Group","name":"dedicated-admins"}]}' - patchType: merge + metadata: + name: admin-dedicated-admins + namespace: openshift-logging + roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: admin + subjects: + - apiGroup: rbac.authorization.k8s.io + kind: Group + name: dedicated-admins - complianceType: mustonlyhave metadataComplianceType: musthave objectDefinition: apiVersion: rbac.authorization.k8s.io/v1 - applyMode: AlwaysApply kind: RoleBinding - name: admin-system:serviceaccounts:dedicated-admin - namespace: openshift-logging - patch: '{"roleRef":{"apiGroup":"rbac.authorization.k8s.io","kind":"ClusterRole","name":"admin"},"subjects":[{"apiGroup":"rbac.authorization.k8s.io","kind":"Group"}]}' - patchType: merge + metadata: + name: admin-system:serviceaccounts:dedicated-admin + namespace: openshift-logging + roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: admin + subjects: + - apiGroup: rbac.authorization.k8s.io + kind: Group + name: system:serviceaccounts:dedicated-admin - 
complianceType: mustonlyhave metadataComplianceType: musthave objectDefinition: apiVersion: rbac.authorization.k8s.io/v1 - applyMode: AlwaysApply kind: RoleBinding - name: openshift-logging-dedicated-admins - namespace: openshift-logging - patch: '{"roleRef":{"apiGroup":"rbac.authorization.k8s.io","kind":"ClusterRole","name":"dedicated-admins-project"},"subjects":[{"apiGroup":"rbac.authorization.k8s.io","kind":"Group","name":"dedicated-admins"}]}' - patchType: merge + metadata: + name: openshift-logging-dedicated-admins + namespace: openshift-logging + roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: dedicated-admins-project + subjects: + - apiGroup: rbac.authorization.k8s.io + kind: Group + name: dedicated-admins - complianceType: mustonlyhave metadataComplianceType: musthave objectDefinition: apiVersion: rbac.authorization.k8s.io/v1 - applyMode: AlwaysApply kind: RoleBinding - name: openshift-logging:serviceaccounts:dedicated-admin - namespace: openshift-logging - patch: '{"roleRef":{"apiGroup":"rbac.authorization.k8s.io","kind":"ClusterRole","name":"dedicated-admins-project"},"subjects":[{"apiGroup":"rbac.authorization.k8s.io","kind":"Group","name":"system:serviceaccounts:dedicated-admin"}]}' - patchType: merge + metadata: + name: openshift-logging:serviceaccounts:dedicated-admin + namespace: openshift-logging + roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: dedicated-admins-project + subjects: + - apiGroup: rbac.authorization.k8s.io + kind: Group + name: system:serviceaccounts:dedicated-admin pruneObjectBehavior: DeleteIfCreated remediationAction: enforce severity: low diff --git a/deploy/osd-logging/00-namespace.patch.yaml b/deploy/osd-logging/00-namespace.patch.yaml new file mode 100644 index 0000000000..a4b65ffc14 --- /dev/null +++ b/deploy/osd-logging/00-namespace.patch.yaml 
@@ -0,0 +1,17 @@
+apiVersion: v1
+kind: Namespace
+name: openshift-logging
+applyMode: AlwaysApply
+patchType: merge
+patch: |-
+ {
+ "annotations": {
+ "openshift.io/node-selector": ""
+ },
+ "labels": {
+ "managed.openshift.io/service-lb-quota-exempt": "true"
+ "managed.openshift.io/storage-pv-quota-exempt": "true"
+ "openshift.io/cluster-logging": "true"
+ "openshift.io/cluster-monitoring": 'true'
+ }
+ }
diff --git a/deploy/osd-logging/00-namespace.yaml b/deploy/osd-logging/00-namespace.yaml
index 98498e9e52..d7fad2fc99 100644
--- a/deploy/osd-logging/00-namespace.yaml
+++ b/deploy/osd-logging/00-namespace.yaml
@@ -2,10 +2,4 @@ apiVersion: v1
kind: Namespace
metadata:
name: openshift-logging
- annotations:
- openshift.io/node-selector: ""
- labels:
- managed.openshift.io/service-lb-quota-exempt: "true"
- managed.openshift.io/storage-pv-quota-exempt: "true"
- openshift.io/cluster-logging: "true"
- openshift.io/cluster-monitoring: 'true'
+
diff --git a/deploy/osd-logging/01-operatorgroup.patch.yaml b/deploy/osd-logging/01-operatorgroup.patch.yaml
deleted file mode 100644
index 4bcfab8b16..0000000000
--- a/deploy/osd-logging/01-operatorgroup.patch.yaml
+++ /dev/null
@@ -1,7 +0,0 @@
-apiVersion: operators.coreos.com/v1
-applyMode: AlwaysApply
-kind: OperatorGroup
-name: openshift-logging
-namespace: openshift-logging
-patchType: merge
-patch: '{"annotations":{"olm.providedAPIs": "ClusterLogging.v1.logging.openshift.io"},"spec":{"targetNamespaces":["openshift-logging"]}}'
\ No newline at end of file
diff --git a/deploy/osd-logging/01-operatorgroup.yaml.bak b/deploy/osd-logging/01-operatorgroup.yaml
similarity index 100%
rename from deploy/osd-logging/01-operatorgroup.yaml.bak
rename to deploy/osd-logging/01-operatorgroup.yaml
diff --git a/deploy/osd-logging/02-curator.configmap.patch.yaml b/deploy/osd-logging/02-curator.configmap.patch.yaml
deleted file mode 100644
index a1ad522ea5..0000000000
--- a/deploy/osd-logging/02-curator.configmap.patch.yaml
+++ /dev/null
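Review bot: The JSON inside `patch: |-` in the new `deploy/osd-logging/00-namespace.patch.yaml` is not valid JSON: the four `labels` entries are not separated by commas and the last value is single-quoted (`'true'`), so a merge patch built from it cannot be parsed; the generated `patches:` entry in `hack/00-osd-managed-cluster-config-integration.yaml.tmpl` (L18) carries the same text. Unless Hive rewrites the body before sending it, a merge patch against a Namespace also has to nest `annotations` and `labels` under `metadata` — as top-level keys the API server treats them as unknown fields and drops them, so the namespace would end up with none of the labels the old `00-namespace.yaml` set; `deploy/osd-logging/unsupported/00-namespace.patch.yaml` (L11) has the same top-level shape. The generated ACM policy (L4–L6) also picks the unsupported patch up as an `objectDefinition` with `name`, `applyMode`, `patch` and `patchType` at top level and no `metadata.name`, which is not a Namespace manifest the ConfigurationPolicy controller can enforce, so the generator's handling of `*.patch.yaml` files is worth checking. Corrected patch body:
```yaml
# … unchanged: apiVersion, kind, name, applyMode, patchType …
patch: |-
  {
    "metadata": {
      "annotations": {
        "openshift.io/node-selector": ""
      },
      "labels": {
        "managed.openshift.io/service-lb-quota-exempt": "true",
        "managed.openshift.io/storage-pv-quota-exempt": "true",
        "openshift.io/cluster-logging": "true",
        "openshift.io/cluster-monitoring": "true"
      }
    }
  }
```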
@@ -1,7 +0,0 @@ -apiVersion: v1 -kind: ConfigMap -name: curator -namespace: openshift-logging -namespace: openshift-logging -patchType: merge -patch: '{"data":{"actions.yaml":"# ---\n# Remember, leave a key empty if there is no value. None will be a string,\n# not a Python \"NoneType\"\n#\n# Also remember that all examples have \"disable_action\" set to True. If you\n# want to use this action as a template, be sure to set this to False after\n# copying it.\n# actions:\n# 1:\n# action: delete_indices\n# description: >-\n# Delete .operations indices older than 30 days.\n# Ignore the error if the filter does not\n# result in an actionable list of indices (ignore_empty_list).\n# See https://www.elastic.co/guide/en/elasticsearch/client/curator/5.2/ex_delete_indices.html\n# options:\n# # Swallow curator.exception.NoIndices exception\n# ignore_empty_list: True\n# # In seconds, default is 300\n# timeout_override: ${CURATOR_TIMEOUT}\n# # Don not swallow any other exceptions\n# continue_if_exception: False\n# # Optionally disable action, useful for debugging\n# disable_action: False\n# # All filters are bound by logical AND\n# filters:\n# - filtertype: pattern\n# kind: regex\n# value: \"^\\.operations\\..*$\"\n# exclude: False\n# - filtertype: age\n# # Parse timestamp from index name\n# source: name\n# direction: older\n# timestring: \"%Y.%m.%d\"\n# unit: days\n# unit_count: 30\n# exclude: False\n","config.yaml":"# Logging example curator config file\n\n# uncomment and use this to override the defaults from env vars\n#.defaults:\n# delete:\n# days: 30\n.defaults:\n delete:\n days: 7\n\n# to keep ops logs for a different duration:\n.operations:\n delete:\n days: 0\n\n# example for a normal project\n#myapp:\n# delete:\n# weeks: 1\n","curator5.yaml":"---\nclient:\n hosts:\n - ${ES_HOST}\n port: ${ES_PORT}\n use_ssl: True\n certificate: ${ES_CA}\n client_cert: ${ES_CLIENT_CERT}\n client_key: ${ES_CLIENT_KEY}\n ssl_no_validate: False\n timeout: ${CURATOR_TIMEOUT}\n master_only: 
False\nlogging:\n loglevel: ${CURATOR_LOG_LEVEL}\n logformat: default\n blacklist: ["elasticsearch", "urllib3"]\n \n"}}' diff --git a/deploy/osd-logging/02-curator.configmap.yaml.bak b/deploy/osd-logging/02-curator.configmap.yaml similarity index 100% rename from deploy/osd-logging/02-curator.configmap.yaml.bak rename to deploy/osd-logging/02-curator.configmap.yaml diff --git a/deploy/osd-logging/config.yaml b/deploy/osd-logging/config.yaml index 1aeb524695..93fd28611e 100644 --- a/deploy/osd-logging/config.yaml +++ b/deploy/osd-logging/config.yaml @@ -3,6 +3,8 @@ selectorSyncSet: # if this config no longer applies, don't delete the resources resourceApplyMode: "Upsert" + applyBehavior: "CreateOnly" + matchExpressions: # Enable in-cluster logging alerts for those clusters that already have logging installed # https://issues.redhat.com/browse/OSD-7564 diff --git a/deploy/osd-logging/supported/03-storage-quota.patch.yaml b/deploy/osd-logging/supported/03-storage-quota.patch.yaml deleted file mode 100644 index 4718675223..0000000000 --- a/deploy/osd-logging/supported/03-storage-quota.patch.yaml +++ /dev/null @@ -1,7 +0,0 @@ -apiVersion: v1 -kind: ResourceQuota -name: logging-storage-quota -namespace: openshift-logging -applyMode: AlwaysApply -patchType: merge -patch: '{"spec":{"hard":{"requests.storage":"1500Gi"}}}' \ No newline at end of file diff --git a/deploy/osd-logging/supported/03-storage-quota.yaml.bak b/deploy/osd-logging/supported/03-storage-quota.yaml similarity index 100% rename from deploy/osd-logging/supported/03-storage-quota.yaml.bak rename to deploy/osd-logging/supported/03-storage-quota.yaml diff --git a/deploy/osd-logging/supported/05-role.patch.yaml b/deploy/osd-logging/supported/05-role.patch.yaml deleted file mode 100644 index 9b33db4e16..0000000000 --- a/deploy/osd-logging/supported/05-role.patch.yaml +++ /dev/null 
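Review bot: `applyBehavior: "CreateOnly"` under `resourceApplyMode: "Upsert"` tells Hive to create the SelectorSyncSet's resources once and never update them afterwards, as far as I read Hive's applyBehavior semantics, so the OperatorGroup and curator ConfigMap that this commit turns from `AlwaysApply` patches (deleted in L7–L9) into plain resources stop receiving future edits on clusters where they already exist — only the remaining `patches:` entry keeps converging. The same key added in `deploy/osd-logging/unsupported/config.yaml` (L14) presumably freezes the Role and RoleBinding resources of that directory too, which would mean a later tightening of the `dedicated-admins-openshift-logging` rules does not reach existing clusters. If that is the intent, a comment next to the key would spare the next reader the surprise, e.g. `# CreateOnly: existing objects are never updated; put anything that must keep converging under patches`.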
@@ -1,7 +0,0 @@
-apiVersion: rbac.authorization.k8s.io/v1
-kind: Role
-name: dedicated-admins-openshift-logging
-namespace: openshift-logging
-applyMode: AlwaysApply
-patchType: merge
-patch: '{"rules":[{"apiGroups":[""],"resources":["events","namespaces","persistentvolumeclaims","persistentvolumes","pods","pods/log"],"verbs":["list","get","watch"]},{"apiGroups":[""],"resources":["secrets"],"verbs":["*"]},{"apiGroups":["logging.openshift.io"],"resources":["clusterloggings"],"verbs":["create","delete","deletecollection","get","list","patch","update","watch"]},{"apiGroups":["operators.coreos.com"],"resources":["subscriptions","clusterserviceversions"],"verbs":["*"]},{"apiGroups":["operators.coreos.com"],"resources":["installplans"],"verbs":["update"]},{"apiGroups":[""],"resources":["persistentvolumeclaims"],"verbs":["*"]},{"apiGroups":["apps","extensions"],"resources":["daemonsets"],"verbs":["get","list","patch","update","watch"]}]}'
\ No newline at end of file
diff --git a/deploy/osd-logging/supported/05-role.yaml.bak b/deploy/osd-logging/supported/05-role.yaml
similarity index 100%
rename from deploy/osd-logging/supported/05-role.yaml.bak
rename to deploy/osd-logging/supported/05-role.yaml
diff --git a/deploy/osd-logging/supported/06-rolebinding.patch.yaml b/deploy/osd-logging/supported/06-rolebinding.patch.yaml
deleted file mode 100644
index 4ed45e448f..0000000000
--- a/deploy/osd-logging/supported/06-rolebinding.patch.yaml
+++ /dev/null
@@ -1,7 +0,0 @@
-apiVersion: rbac.authorization.k8s.io/v1
-kind: RoleBinding
-name: dedicated-admins-openshift-logging
-namespace: openshift-logging
-applyMode: AlwaysApply
-patchType: merge
-patch: '{"subjects":[{"apiGroup":"rbac.authorization.k8s.io","kind":"Group","name":"dedicated-admins"},{"apiGroup":"rbac.authorization.k8s.io","kind":"Group","name":"system:serviceaccounts:dedicated-admin"}],"roleRef":{"apiGroup":"rbac.authorization.k8s.io","kind":"Role","name":"dedicated-admins-openshift-logging"}}'
\ No newline at end of file
diff --git a/deploy/osd-logging/supported/06-rolebinding.yaml.bak b/deploy/osd-logging/supported/06-rolebinding.yaml
similarity index 100%
rename from deploy/osd-logging/supported/06-rolebinding.yaml.bak
rename to deploy/osd-logging/supported/06-rolebinding.yaml
diff --git a/deploy/osd-logging/unsupported/00-namespace.patch.yaml b/deploy/osd-logging/unsupported/00-namespace.patch.yaml
new file mode 100644
index 0000000000..119c6d0b8f
--- /dev/null
+++ b/deploy/osd-logging/unsupported/00-namespace.patch.yaml
@@ -0,0 +1,14 @@
+apiVersion: v1
+kind: Namespace
+name: openshift-logging
+applyMode: AlwaysApply
+patchType: merge
+patch: |-
+ {
+ "annotations": {
+ "openshift.io/node-selector": ""
+ },
+ "labels": {
+ "openshift.io/cluster-logging": "true"
+ }
+ }
diff --git a/deploy/osd-logging/unsupported/00-namespace.yaml b/deploy/osd-logging/unsupported/00-namespace.yaml
index 4ccc2c061f..9658faa7c6 100644
--- a/deploy/osd-logging/unsupported/00-namespace.yaml
+++ b/deploy/osd-logging/unsupported/00-namespace.yaml
@@ -2,7 +2,4 @@ apiVersion: v1
kind: Namespace
metadata:
name: openshift-logging
- annotations:
- openshift.io/node-selector: ""
- labels:
- openshift.io/cluster-logging: "true"
+
\ No newline at end of file
diff --git a/deploy/osd-logging/unsupported/05-role.patch.yaml b/deploy/osd-logging/unsupported/05-role.patch.yaml
deleted file mode 100644
index 9b33db4e16..0000000000
--- a/deploy/osd-logging/unsupported/05-role.patch.yaml
+++ /dev/null
@@ -1,7 +0,0 @@
-apiVersion: rbac.authorization.k8s.io/v1
-kind: Role
-name: dedicated-admins-openshift-logging
-namespace: openshift-logging
-applyMode: AlwaysApply
-patchType: merge
-patch: '{"rules":[{"apiGroups":[""],"resources":["events","namespaces","persistentvolumeclaims","persistentvolumes","pods","pods/log"],"verbs":["list","get","watch"]},{"apiGroups":[""],"resources":["secrets"],"verbs":["*"]},{"apiGroups":["logging.openshift.io"],"resources":["clusterloggings"],"verbs":["create","delete","deletecollection","get","list","patch","update","watch"]},{"apiGroups":["operators.coreos.com"],"resources":["subscriptions","clusterserviceversions"],"verbs":["*"]},{"apiGroups":["operators.coreos.com"],"resources":["installplans"],"verbs":["update"]},{"apiGroups":[""],"resources":["persistentvolumeclaims"],"verbs":["*"]},{"apiGroups":["apps","extensions"],"resources":["daemonsets"],"verbs":["get","list","patch","update","watch"]}]}'
\ No newline at end of file
diff --git a/deploy/osd-logging/unsupported/05-role.yaml.bak b/deploy/osd-logging/unsupported/05-role.yaml
similarity index 100%
rename from deploy/osd-logging/unsupported/05-role.yaml.bak
rename to deploy/osd-logging/unsupported/05-role.yaml
diff --git a/deploy/osd-logging/unsupported/06-rolebinding.yaml.bak b/deploy/osd-logging/unsupported/06-rolebinding.yaml
similarity index 100%
rename from deploy/osd-logging/unsupported/06-rolebinding.yaml.bak
rename to deploy/osd-logging/unsupported/06-rolebinding.yaml
diff --git a/deploy/osd-logging/unsupported/0601-rolebinding.patch.yaml b/deploy/osd-logging/unsupported/0601-rolebinding.patch.yaml
deleted file mode 100644
index eb673d03ae..0000000000
--- a/deploy/osd-logging/unsupported/0601-rolebinding.patch.yaml
+++ /dev/null
@@ -1,7 +0,0 @@
-apiVersion: rbac.authorization.k8s.io/v1
-kind: RoleBinding
-name: admin-dedicated-admins
-namespace: openshift-logging
-applyMode: AlwaysApply
-patchType: merge
-patch: '{"roleRef":{"apiGroup":"rbac.authorization.k8s.io","kind":"ClusterRole","name":"admin"},"subjects":[{"apiGroup":"rbac.authorization.k8s.io","kind":"Group","name":"dedicated-admins"}]}'
\ No newline at end of file
diff --git a/deploy/osd-logging/unsupported/0602-rolebinding.patch.yaml b/deploy/osd-logging/unsupported/0602-rolebinding.patch.yaml
deleted file mode 100644
index 0623e1633a..0000000000
--- a/deploy/osd-logging/unsupported/0602-rolebinding.patch.yaml
+++ /dev/null
@@ -1,7 +0,0 @@
-apiVersion: rbac.authorization.k8s.io/v1
-kind: RoleBinding
-name: admin-system:serviceaccounts:dedicated-admin
-namespace: openshift-logging
-applyMode: AlwaysApply
-patchType: merge
-patch: '{"roleRef":{"apiGroup":"rbac.authorization.k8s.io","kind":"ClusterRole","name":"admin"},"subjects":[{"apiGroup":"rbac.authorization.k8s.io","kind":"Group"}]}'
\ No newline at end of file
diff --git a/deploy/osd-logging/unsupported/0603-rolebinding.patch.yaml b/deploy/osd-logging/unsupported/0603-rolebinding.patch.yaml
deleted file mode 100644
index 2ee7d31da3..0000000000
--- a/deploy/osd-logging/unsupported/0603-rolebinding.patch.yaml
+++ /dev/null
@@ -1,7 +0,0 @@
-apiVersion: rbac.authorization.k8s.io/v1
-kind: RoleBinding
-name: openshift-logging-dedicated-admins
-namespace: openshift-logging
-applyMode: AlwaysApply
-patchType: merge
-patch: '{"roleRef":{"apiGroup":"rbac.authorization.k8s.io","kind":"ClusterRole","name":"dedicated-admins-project"},"subjects":[{"apiGroup":"rbac.authorization.k8s.io","kind":"Group","name":"dedicated-admins"}]}'
\ No newline at end of file
diff --git a/deploy/osd-logging/unsupported/0604-rolebinding.patch.yaml b/deploy/osd-logging/unsupported/0604-rolebinding.patch.yaml
deleted file mode 100644
index 077404567b..0000000000
--- a/deploy/osd-logging/unsupported/0604-rolebinding.patch.yaml
+++ /dev/null
@@ -1,7 +0,0 @@
-apiVersion: rbac.authorization.k8s.io/v1
-kind: RoleBinding
-name: openshift-logging:serviceaccounts:dedicated-admin
-namespace: openshift-logging
-applyMode: AlwaysApply
-patchType: merge
-patch: '{"roleRef":{"apiGroup":"rbac.authorization.k8s.io","kind":"ClusterRole","name":"dedicated-admins-project"},"subjects":[{"apiGroup":"rbac.authorization.k8s.io","kind":"Group","name":"system:serviceaccounts:dedicated-admin"}]}'
\ No newline at end of file
diff --git a/deploy/osd-logging/unsupported/config.yaml b/deploy/osd-logging/unsupported/config.yaml
index c3a5d16fc1..600abbde33 100644
--- a/deploy/osd-logging/unsupported/config.yaml
+++ b/deploy/osd-logging/unsupported/config.yaml
@@ -2,6 +2,9 @@ deploymentMode: "SelectorSyncSet"
selectorSyncSet:
# if we ever remove this, do not remove the resources
resourceApplyMode: "Upsert"
+
+ applyBehavior: "CreateOnly"
+
matchExpressions:
# Disable in-cluster logging alerts for those clusters that do not already have logging installed
# We removed the version check because that would conflict with this check here for clusters that
diff --git a/hack/00-osd-managed-cluster-config-integration.yaml.tmpl b/hack/00-osd-managed-cluster-config-integration.yaml.tmpl
index 8cf3e650ec..a7ea6963d8 100644
--- a/hack/00-osd-managed-cluster-config-integration.yaml.tmpl
+++ b/hack/00-osd-managed-cluster-config-integration.yaml.tmpl
@@ -6262,67 +6262,159 @@ objects: compliant: 2h noncompliant: 45s object-templates: + - complianceType: mustonlyhave + metadataComplianceType: musthave + objectDefinition: + apiVersion: v1 + applyMode: AlwaysApply + kind: Namespace + name: openshift-logging + patch: "{\n \"annotations\": {\n \"openshift.io/node-selector\"\ + : \"\"\n },\n \"labels\": {\n \"openshift.io/cluster-logging\"\ + : \"true\"\n }\n}" + patchType: merge - complianceType: mustonlyhave metadataComplianceType: musthave objectDefinition: apiVersion: v1 kind: Namespace metadata: - annotations: - openshift.io/node-selector: '' - labels: - openshift.io/cluster-logging: 'true' name: openshift-logging - complianceType: mustonlyhave metadataComplianceType: musthave objectDefinition: apiVersion: rbac.authorization.k8s.io/v1 - applyMode: AlwaysApply kind: Role - name: dedicated-admins-openshift-logging - namespace: openshift-logging - patch: '{"rules":[{"apiGroups":[""],"resources":["events","namespaces","persistentvolumeclaims","persistentvolumes","pods","pods/log"],"verbs":["list","get","watch"]},{"apiGroups":[""],"resources":["secrets"],"verbs":["*"]},{"apiGroups":["logging.openshift.io"],"resources":["clusterloggings"],"verbs":["create","delete","deletecollection","get","list","patch","update","watch"]},{"apiGroups":["operators.coreos.com"],"resources":["subscriptions","clusterserviceversions"],"verbs":["*"]},{"apiGroups":["operators.coreos.com"],"resources":["installplans"],"verbs":["update"]},{"apiGroups":[""],"resources":["persistentvolumeclaims"],"verbs":["*"]},{"apiGroups":["apps","extensions"],"resources":["daemonsets"],"verbs":["get","list","patch","update","watch"]}]}' - patchType: merge + metadata: + name: dedicated-admins-openshift-logging + namespace: openshift-logging + rules: + - apiGroups: + - '' + resources: + - events + - namespaces + - persistentvolumeclaims + - persistentvolumes + - pods + - pods/log + verbs: + - list + - get + - watch + - apiGroups: + - '' + resources: + - secrets 
+ verbs: + - '*' + - apiGroups: + - logging.openshift.io + resources: + - clusterloggings + verbs: + - create + - delete + - deletecollection + - get + - list + - patch + - update + - watch + - apiGroups: + - operators.coreos.com + resources: + - subscriptions + - clusterserviceversions + verbs: + - '*' + - apiGroups: + - operators.coreos.com + resources: + - installplans + verbs: + - update + - apiGroups: + - '' + resources: + - persistentvolumeclaims + verbs: + - '*' + - apiGroups: + - apps + - extensions + resources: + - daemonsets + verbs: + - get + - list + - patch + - update + - watch - complianceType: mustonlyhave metadataComplianceType: musthave objectDefinition: apiVersion: rbac.authorization.k8s.io/v1 - applyMode: AlwaysApply kind: RoleBinding - name: admin-dedicated-admins - namespace: openshift-logging - patch: '{"roleRef":{"apiGroup":"rbac.authorization.k8s.io","kind":"ClusterRole","name":"admin"},"subjects":[{"apiGroup":"rbac.authorization.k8s.io","kind":"Group","name":"dedicated-admins"}]}' - patchType: merge + metadata: + name: admin-dedicated-admins + namespace: openshift-logging + roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: admin + subjects: + - apiGroup: rbac.authorization.k8s.io + kind: Group + name: dedicated-admins - complianceType: mustonlyhave metadataComplianceType: musthave objectDefinition: apiVersion: rbac.authorization.k8s.io/v1 - applyMode: AlwaysApply kind: RoleBinding - name: admin-system:serviceaccounts:dedicated-admin - namespace: openshift-logging - patch: '{"roleRef":{"apiGroup":"rbac.authorization.k8s.io","kind":"ClusterRole","name":"admin"},"subjects":[{"apiGroup":"rbac.authorization.k8s.io","kind":"Group"}]}' - patchType: merge + metadata: + name: admin-system:serviceaccounts:dedicated-admin + namespace: openshift-logging + roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: admin + subjects: + - apiGroup: rbac.authorization.k8s.io + kind: Group + name: 
system:serviceaccounts:dedicated-admin - complianceType: mustonlyhave metadataComplianceType: musthave objectDefinition: apiVersion: rbac.authorization.k8s.io/v1 - applyMode: AlwaysApply kind: RoleBinding - name: openshift-logging-dedicated-admins - namespace: openshift-logging - patch: '{"roleRef":{"apiGroup":"rbac.authorization.k8s.io","kind":"ClusterRole","name":"dedicated-admins-project"},"subjects":[{"apiGroup":"rbac.authorization.k8s.io","kind":"Group","name":"dedicated-admins"}]}' - patchType: merge + metadata: + name: openshift-logging-dedicated-admins + namespace: openshift-logging + roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: dedicated-admins-project + subjects: + - apiGroup: rbac.authorization.k8s.io + kind: Group + name: dedicated-admins - complianceType: mustonlyhave metadataComplianceType: musthave objectDefinition: apiVersion: rbac.authorization.k8s.io/v1 - applyMode: AlwaysApply kind: RoleBinding - name: openshift-logging:serviceaccounts:dedicated-admin - namespace: openshift-logging - patch: '{"roleRef":{"apiGroup":"rbac.authorization.k8s.io","kind":"ClusterRole","name":"dedicated-admins-project"},"subjects":[{"apiGroup":"rbac.authorization.k8s.io","kind":"Group","name":"system:serviceaccounts:dedicated-admin"}]}' - patchType: merge + metadata: + name: openshift-logging:serviceaccounts:dedicated-admin + namespace: openshift-logging + roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: dedicated-admins-project + subjects: + - apiGroup: rbac.authorization.k8s.io + kind: Group + name: system:serviceaccounts:dedicated-admin pruneObjectBehavior: DeleteIfCreated remediationAction: enforce severity: low 
@@ -31423,56 +31515,127 @@ objects: values: - 'true' resourceApplyMode: Upsert + applyBehavior: CreateOnly + patches: + - apiVersion: v1 + kind: Namespace + name: openshift-logging + applyMode: AlwaysApply + patchType: merge + patch: "{\n \"annotations\": {\n \"openshift.io/node-selector\": \"\"\n\ + \ },\n \"labels\": {\n \"managed.openshift.io/service-lb-quota-exempt\"\ + : \"true\"\n \"managed.openshift.io/storage-pv-quota-exempt\": \"true\"\ + \n \"openshift.io/cluster-logging\": \"true\"\n \"openshift.io/cluster-monitoring\"\ + : 'true'\n }\n}" resources: - apiVersion: v1 kind: Namespace metadata: name: openshift-logging - annotations: - openshift.io/node-selector: '' - labels: - managed.openshift.io/service-lb-quota-exempt: 'true' - managed.openshift.io/storage-pv-quota-exempt: 'true' - openshift.io/cluster-logging: 'true' - openshift.io/cluster-monitoring: 'true' - patches: - apiVersion: operators.coreos.com/v1 - applyMode: AlwaysApply kind: OperatorGroup - name: openshift-logging - namespace: openshift-logging - patchType: merge - patch: '{"annotations":{"olm.providedAPIs": "ClusterLogging.v1.logging.openshift.io"},"spec":{"targetNamespaces":["openshift-logging"]}}' + metadata: + annotations: + olm.providedAPIs: ClusterLogging.v1.logging.openshift.io + name: openshift-logging + namespace: openshift-logging + spec: + targetNamespaces: + - openshift-logging - apiVersion: v1 + data: + actions.yaml: '# --- + + # Remember, leave a key empty if there is no value. None will be a string, + + # not a Python "NoneType" + + # + + # Also remember that all examples have "disable_action" set to True. If + you + + # want to use this action as a template, be sure to set this to False after + + # copying it. + + # actions: + + # 1: + + # action: delete_indices + + # description: >- + + # Delete .operations indices older than 30 days. + + # Ignore the error if the filter does not + + # result in an actionable list of indices (ignore_empty_list). 
+ + # See https://www.elastic.co/guide/en/elasticsearch/client/curator/5.2/ex_delete_indices.html + + # options: + + # # Swallow curator.exception.NoIndices exception + + # ignore_empty_list: True + + # # In seconds, default is 300 + + # timeout_override: ${CURATOR_TIMEOUT} + + # # Don''t swallow any other exceptions + + # continue_if_exception: False + + # # Optionally disable action, useful for debugging + + # disable_action: False + + # # All filters are bound by logical AND + + # filters: + + # - filtertype: pattern + + # kind: regex + + # value: "^\.operations\..*$" + + # exclude: False + + # - filtertype: age + + # # Parse timestamp from index name + + # source: name + + # direction: older + + # timestring: "%Y.%m.%d" + + # unit: days + + # unit_count: 30 + + # exclude: False + + ' + config.yaml: "# Logging example curator config file\n\n# uncomment and use\ + \ this to override the defaults from env vars\n#.defaults:\n# delete:\n\ + # days: 30\n.defaults:\n delete:\n days: 7\n\n# to keep ops logs\ + \ for a different duration:\n.operations:\n delete:\n days: 0\n\n# example\ + \ for a normal project\n#myapp:\n# delete:\n# weeks: 1\n" + curator5.yaml: "---\nclient:\n hosts:\n - ${ES_HOST}\n port: ${ES_PORT}\n\ + \ use_ssl: True\n certificate: ${ES_CA}\n client_cert: ${ES_CLIENT_CERT}\n\ + \ client_key: ${ES_CLIENT_KEY}\n ssl_no_validate: False\n timeout: ${CURATOR_TIMEOUT}\n\ + \ master_only: False\nlogging:\n loglevel: ${CURATOR_LOG_LEVEL}\n logformat:\ + \ default\n blacklist: ['elasticsearch', 'urllib3']\n \n" kind: ConfigMap - name: curator - namespace: openshift-logging - patchType: merge - patch: '{"data":{"actions.yaml":"# ---\n# Remember, leave a key empty if there - is no value. None will be a string,\n# not a Python \"NoneType\"\n#\n# Also - remember that all examples have \"disable_action\" set to True. 
If you\n# - want to use this action as a template, be sure to set this to False after\n# - copying it.\n# actions:\n# 1:\n# action: delete_indices\n# description: - >-\n# Delete .operations indices older than 30 days.\n# Ignore - the error if the filter does not\n# result in an actionable list of - indices (ignore_empty_list).\n# See https://www.elastic.co/guide/en/elasticsearch/client/curator/5.2/ex_delete_indices.html\n# options:\n# # - Swallow curator.exception.NoIndices exception\n# ignore_empty_list: - True\n# # In seconds, default is 300\n# timeout_override: ${CURATOR_TIMEOUT}\n# # - Don not swallow any other exceptions\n# continue_if_exception: False\n# # - Optionally disable action, useful for debugging\n# disable_action: False\n# # - All filters are bound by logical AND\n# filters:\n# - filtertype: - pattern\n# kind: regex\n# value: \"^\\.operations\\..*$\"\n# exclude: - False\n# - filtertype: age\n# # Parse timestamp from index name\n# source: - name\n# direction: older\n# timestring: \"%Y.%m.%d\"\n# unit: - days\n# unit_count: 30\n# exclude: False\n","config.yaml":"# Logging - example curator config file\n\n# uncomment and use this to override the defaults - from env vars\n#.defaults:\n# delete:\n# days: 30\n.defaults:\n delete:\n days: - 7\n\n# to keep ops logs for a different duration:\n.operations:\n delete:\n days: - 0\n\n# example for a normal project\n#myapp:\n# delete:\n# weeks: 1\n","curator5.yaml":"---\nclient:\n hosts:\n - - ${ES_HOST}\n port: ${ES_PORT}\n use_ssl: True\n certificate: ${ES_CA}\n client_cert: - ${ES_CLIENT_CERT}\n client_key: ${ES_CLIENT_KEY}\n ssl_no_validate: False\n timeout: - ${CURATOR_TIMEOUT}\n master_only: False\nlogging:\n loglevel: ${CURATOR_LOG_LEVEL}\n logformat: - default\n blacklist: ["elasticsearch", "urllib3"]\n \n"}}' + metadata: + name: curator + namespace: openshift-logging - apiVersion: hive.openshift.io/v1 kind: SelectorSyncSet metadata: 
@@ -31491,28 +31654,99 @@ objects: values: - 'true' resourceApplyMode: Sync - patches: + resources: - apiVersion: v1 kind: ResourceQuota - name: logging-storage-quota - namespace: openshift-logging - applyMode: AlwaysApply - patchType: merge - patch: '{"spec":{"hard":{"requests.storage":"1500Gi"}}}' + metadata: + name: logging-storage-quota + namespace: openshift-logging + spec: + hard: + requests.storage: 1500Gi - apiVersion: rbac.authorization.k8s.io/v1 kind: Role - name: dedicated-admins-openshift-logging - namespace: openshift-logging - applyMode: AlwaysApply - patchType: merge - patch: '{"rules":[{"apiGroups":[""],"resources":["events","namespaces","persistentvolumeclaims","persistentvolumes","pods","pods/log"],"verbs":["list","get","watch"]},{"apiGroups":[""],"resources":["secrets"],"verbs":["*"]},{"apiGroups":["logging.openshift.io"],"resources":["clusterloggings"],"verbs":["create","delete","deletecollection","get","list","patch","update","watch"]},{"apiGroups":["operators.coreos.com"],"resources":["subscriptions","clusterserviceversions"],"verbs":["*"]},{"apiGroups":["operators.coreos.com"],"resources":["installplans"],"verbs":["update"]},{"apiGroups":[""],"resources":["persistentvolumeclaims"],"verbs":["*"]},{"apiGroups":["apps","extensions"],"resources":["daemonsets"],"verbs":["get","list","patch","update","watch"]}]}' + metadata: + name: dedicated-admins-openshift-logging + namespace: openshift-logging + rules: + - apiGroups: + - '' + resources: + - events + - namespaces + - persistentvolumeclaims + - persistentvolumes + - pods + - pods/log + verbs: + - list + - get + - watch + - apiGroups: + - '' + resources: + - secrets + verbs: + - '*' + - apiGroups: + - logging.openshift.io + resources: + - clusterloggings + verbs: + - create + - delete + - deletecollection + - get + - list + - patch + - update + - watch + - apiGroups: + - operators.coreos.com + resources: + - subscriptions + - clusterserviceversions + verbs: + - '*' + - apiGroups: + - 
operators.coreos.com + resources: + - installplans + verbs: + - update + - apiGroups: + - '' + resources: + - persistentvolumeclaims + verbs: + - '*' + - apiGroups: + - apps + - extensions + resources: + - daemonsets + verbs: + - get + - list + - patch + - update + - watch - apiVersion: rbac.authorization.k8s.io/v1 kind: RoleBinding - name: dedicated-admins-openshift-logging - namespace: openshift-logging - applyMode: AlwaysApply - patchType: merge - patch: '{"subjects":[{"apiGroup":"rbac.authorization.k8s.io","kind":"Group","name":"dedicated-admins"},{"apiGroup":"rbac.authorization.k8s.io","kind":"Group","name":"system:serviceaccounts:dedicated-admin"}],"roleRef":{"apiGroup":"rbac.authorization.k8s.io","kind":"Role","name":"dedicated-admins-openshift-logging"}}' + metadata: + name: dedicated-admins-openshift-logging + namespace: openshift-logging + subjects: + - apiGroup: rbac.authorization.k8s.io + kind: Group + name: dedicated-admins + - apiGroup: rbac.authorization.k8s.io + kind: Group + name: system:serviceaccounts:dedicated-admin + roleRef: + apiGroup: rbac.authorization.k8s.io + kind: Role + name: dedicated-admins-openshift-logging - apiVersion: hive.openshift.io/v1 kind: SelectorSyncSet metadata: 
@@ -31531,51 +31765,141 @@ objects: values: - 'true' resourceApplyMode: Upsert + applyBehavior: CreateOnly + patches: + - apiVersion: v1 + kind: Namespace + name: openshift-logging + applyMode: AlwaysApply + patchType: merge + patch: "{\n \"annotations\": {\n \"openshift.io/node-selector\": \"\"\n\ + \ },\n \"labels\": {\n \"openshift.io/cluster-logging\": \"true\"\n \ + \ }\n}" resources: - apiVersion: v1 kind: Namespace metadata: name: openshift-logging - annotations: - openshift.io/node-selector: '' - labels: - openshift.io/cluster-logging: 'true' - patches: - apiVersion: rbac.authorization.k8s.io/v1 kind: Role - name: dedicated-admins-openshift-logging - namespace: openshift-logging - applyMode: AlwaysApply - patchType: merge - patch: '{"rules":[{"apiGroups":[""],"resources":["events","namespaces","persistentvolumeclaims","persistentvolumes","pods","pods/log"],"verbs":["list","get","watch"]},{"apiGroups":[""],"resources":["secrets"],"verbs":["*"]},{"apiGroups":["logging.openshift.io"],"resources":["clusterloggings"],"verbs":["create","delete","deletecollection","get","list","patch","update","watch"]},{"apiGroups":["operators.coreos.com"],"resources":["subscriptions","clusterserviceversions"],"verbs":["*"]},{"apiGroups":["operators.coreos.com"],"resources":["installplans"],"verbs":["update"]},{"apiGroups":[""],"resources":["persistentvolumeclaims"],"verbs":["*"]},{"apiGroups":["apps","extensions"],"resources":["daemonsets"],"verbs":["get","list","patch","update","watch"]}]}' + metadata: + name: dedicated-admins-openshift-logging + namespace: openshift-logging + rules: + - apiGroups: + - '' + resources: + - events + - namespaces + - persistentvolumeclaims + - persistentvolumes + - pods + - pods/log + verbs: + - list + - get + - watch + - apiGroups: + - '' + resources: + - secrets + verbs: + - '*' + - apiGroups: + - logging.openshift.io + resources: + - clusterloggings + verbs: + - create + - delete + - deletecollection + - get + - list + - patch + - update + - 
watch + - apiGroups: + - operators.coreos.com + resources: + - subscriptions + - clusterserviceversions + verbs: + - '*' + - apiGroups: + - operators.coreos.com + resources: + - installplans + verbs: + - update + - apiGroups: + - '' + resources: + - persistentvolumeclaims + verbs: + - '*' + - apiGroups: + - apps + - extensions + resources: + - daemonsets + verbs: + - get + - list + - patch + - update + - watch - apiVersion: rbac.authorization.k8s.io/v1 kind: RoleBinding - name: admin-dedicated-admins - namespace: openshift-logging - applyMode: AlwaysApply - patchType: merge - patch: '{"roleRef":{"apiGroup":"rbac.authorization.k8s.io","kind":"ClusterRole","name":"admin"},"subjects":[{"apiGroup":"rbac.authorization.k8s.io","kind":"Group","name":"dedicated-admins"}]}' + metadata: + name: admin-dedicated-admins + namespace: openshift-logging + roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: admin + subjects: + - apiGroup: rbac.authorization.k8s.io + kind: Group + name: dedicated-admins - apiVersion: rbac.authorization.k8s.io/v1 kind: RoleBinding - name: admin-system:serviceaccounts:dedicated-admin - namespace: openshift-logging - applyMode: AlwaysApply - patchType: merge - patch: '{"roleRef":{"apiGroup":"rbac.authorization.k8s.io","kind":"ClusterRole","name":"admin"},"subjects":[{"apiGroup":"rbac.authorization.k8s.io","kind":"Group"}]}' + metadata: + name: admin-system:serviceaccounts:dedicated-admin + namespace: openshift-logging + roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: admin + subjects: + - apiGroup: rbac.authorization.k8s.io + kind: Group + name: system:serviceaccounts:dedicated-admin - apiVersion: rbac.authorization.k8s.io/v1 kind: RoleBinding - name: openshift-logging-dedicated-admins - namespace: openshift-logging - applyMode: AlwaysApply - patchType: merge - patch: 
'{"roleRef":{"apiGroup":"rbac.authorization.k8s.io","kind":"ClusterRole","name":"dedicated-admins-project"},"subjects":[{"apiGroup":"rbac.authorization.k8s.io","kind":"Group","name":"dedicated-admins"}]}' + metadata: + name: openshift-logging-dedicated-admins + namespace: openshift-logging + roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: dedicated-admins-project + subjects: + - apiGroup: rbac.authorization.k8s.io + kind: Group + name: dedicated-admins - apiVersion: rbac.authorization.k8s.io/v1 kind: RoleBinding - name: openshift-logging:serviceaccounts:dedicated-admin - namespace: openshift-logging - applyMode: AlwaysApply - patchType: merge - patch: '{"roleRef":{"apiGroup":"rbac.authorization.k8s.io","kind":"ClusterRole","name":"dedicated-admins-project"},"subjects":[{"apiGroup":"rbac.authorization.k8s.io","kind":"Group","name":"system:serviceaccounts:dedicated-admin"}]}' + metadata: + name: openshift-logging:serviceaccounts:dedicated-admin + namespace: openshift-logging + roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: dedicated-admins-project + subjects: + - apiGroup: rbac.authorization.k8s.io + kind: Group + name: system:serviceaccounts:dedicated-admin - apiVersion: hive.openshift.io/v1 kind: SelectorSyncSet metadata: diff --git a/hack/00-osd-managed-cluster-config-production.yaml.tmpl b/hack/00-osd-managed-cluster-config-production.yaml.tmpl index 8cf3e650ec..a7ea6963d8 100644 --- a/hack/00-osd-managed-cluster-config-production.yaml.tmpl +++ b/hack/00-osd-managed-cluster-config-production.yaml.tmpl 
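Review bot: The new Namespace `patch` puts `annotations` and `labels` at the top level of the JSON document rather than under `metadata`, and a Namespace has no top-level `labels` or `annotations` field, so a merge patch of this shape would, as far as I can tell, leave the namespace's labels untouched; the same shape appears in the production template's matching hunk and in both Policy object-template hunks. Unless Hive wraps the patch in `metadata` itself (nothing on this page shows that), the value should be `patch: '{"metadata":{"annotations":{"openshift.io/node-selector":""},"labels":{"openshift.io/cluster-logging":"true"}}}'`. Separately, `applyBehavior: CreateOnly` now also governs the `dedicated-admins-openshift-logging` Role and the four RoleBindings that were previously `AlwaysApply` patches, so Hive will no longer reconcile drift in those RBAC objects (including the `secrets` / `'*'` rule) once they exist. If that is intended because the ACM Policy in this commit enforces the same objects, a comment next to `applyBehavior: CreateOnly` in the source config that generates this block would save the next reader from having to work that out.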
@@ -6262,67 +6262,159 @@ objects: compliant: 2h noncompliant: 45s object-templates: + - complianceType: mustonlyhave + metadataComplianceType: musthave + objectDefinition: + apiVersion: v1 + applyMode: AlwaysApply + kind: Namespace + name: openshift-logging + patch: "{\n \"annotations\": {\n \"openshift.io/node-selector\"\ + : \"\"\n },\n \"labels\": {\n \"openshift.io/cluster-logging\"\ + : \"true\"\n }\n}" + patchType: merge - complianceType: mustonlyhave metadataComplianceType: musthave objectDefinition: apiVersion: v1 kind: Namespace metadata: - annotations: - openshift.io/node-selector: '' - labels: - openshift.io/cluster-logging: 'true' name: openshift-logging - complianceType: mustonlyhave metadataComplianceType: musthave objectDefinition: apiVersion: rbac.authorization.k8s.io/v1 - applyMode: AlwaysApply kind: Role - name: dedicated-admins-openshift-logging - namespace: openshift-logging - patch: '{"rules":[{"apiGroups":[""],"resources":["events","namespaces","persistentvolumeclaims","persistentvolumes","pods","pods/log"],"verbs":["list","get","watch"]},{"apiGroups":[""],"resources":["secrets"],"verbs":["*"]},{"apiGroups":["logging.openshift.io"],"resources":["clusterloggings"],"verbs":["create","delete","deletecollection","get","list","patch","update","watch"]},{"apiGroups":["operators.coreos.com"],"resources":["subscriptions","clusterserviceversions"],"verbs":["*"]},{"apiGroups":["operators.coreos.com"],"resources":["installplans"],"verbs":["update"]},{"apiGroups":[""],"resources":["persistentvolumeclaims"],"verbs":["*"]},{"apiGroups":["apps","extensions"],"resources":["daemonsets"],"verbs":["get","list","patch","update","watch"]}]}' - patchType: merge + metadata: + name: dedicated-admins-openshift-logging + namespace: openshift-logging + rules: + - apiGroups: + - '' + resources: + - events + - namespaces + - persistentvolumeclaims + - persistentvolumes + - pods + - pods/log + verbs: + - list + - get + - watch + - apiGroups: + - '' + resources: + - secrets 
+ verbs: + - '*' + - apiGroups: + - logging.openshift.io + resources: + - clusterloggings + verbs: + - create + - delete + - deletecollection + - get + - list + - patch + - update + - watch + - apiGroups: + - operators.coreos.com + resources: + - subscriptions + - clusterserviceversions + verbs: + - '*' + - apiGroups: + - operators.coreos.com + resources: + - installplans + verbs: + - update + - apiGroups: + - '' + resources: + - persistentvolumeclaims + verbs: + - '*' + - apiGroups: + - apps + - extensions + resources: + - daemonsets + verbs: + - get + - list + - patch + - update + - watch - complianceType: mustonlyhave metadataComplianceType: musthave objectDefinition: apiVersion: rbac.authorization.k8s.io/v1 - applyMode: AlwaysApply kind: RoleBinding - name: admin-dedicated-admins - namespace: openshift-logging - patch: '{"roleRef":{"apiGroup":"rbac.authorization.k8s.io","kind":"ClusterRole","name":"admin"},"subjects":[{"apiGroup":"rbac.authorization.k8s.io","kind":"Group","name":"dedicated-admins"}]}' - patchType: merge + metadata: + name: admin-dedicated-admins + namespace: openshift-logging + roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: admin + subjects: + - apiGroup: rbac.authorization.k8s.io + kind: Group + name: dedicated-admins - complianceType: mustonlyhave metadataComplianceType: musthave objectDefinition: apiVersion: rbac.authorization.k8s.io/v1 - applyMode: AlwaysApply kind: RoleBinding - name: admin-system:serviceaccounts:dedicated-admin - namespace: openshift-logging - patch: '{"roleRef":{"apiGroup":"rbac.authorization.k8s.io","kind":"ClusterRole","name":"admin"},"subjects":[{"apiGroup":"rbac.authorization.k8s.io","kind":"Group"}]}' - patchType: merge + metadata: + name: admin-system:serviceaccounts:dedicated-admin + namespace: openshift-logging + roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: admin + subjects: + - apiGroup: rbac.authorization.k8s.io + kind: Group + name: 
system:serviceaccounts:dedicated-admin - complianceType: mustonlyhave metadataComplianceType: musthave objectDefinition: apiVersion: rbac.authorization.k8s.io/v1 - applyMode: AlwaysApply kind: RoleBinding - name: openshift-logging-dedicated-admins - namespace: openshift-logging - patch: '{"roleRef":{"apiGroup":"rbac.authorization.k8s.io","kind":"ClusterRole","name":"dedicated-admins-project"},"subjects":[{"apiGroup":"rbac.authorization.k8s.io","kind":"Group","name":"dedicated-admins"}]}' - patchType: merge + metadata: + name: openshift-logging-dedicated-admins + namespace: openshift-logging + roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: dedicated-admins-project + subjects: + - apiGroup: rbac.authorization.k8s.io + kind: Group + name: dedicated-admins - complianceType: mustonlyhave metadataComplianceType: musthave objectDefinition: apiVersion: rbac.authorization.k8s.io/v1 - applyMode: AlwaysApply kind: RoleBinding - name: openshift-logging:serviceaccounts:dedicated-admin - namespace: openshift-logging - patch: '{"roleRef":{"apiGroup":"rbac.authorization.k8s.io","kind":"ClusterRole","name":"dedicated-admins-project"},"subjects":[{"apiGroup":"rbac.authorization.k8s.io","kind":"Group","name":"system:serviceaccounts:dedicated-admin"}]}' - patchType: merge + metadata: + name: openshift-logging:serviceaccounts:dedicated-admin + namespace: openshift-logging + roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: dedicated-admins-project + subjects: + - apiGroup: rbac.authorization.k8s.io + kind: Group + name: system:serviceaccounts:dedicated-admin pruneObjectBehavior: DeleteIfCreated remediationAction: enforce severity: low 
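Review bot: The first added object-template's `objectDefinition` is not a Kubernetes object: it carries Hive SyncSet patch fields (`applyMode`, `name`, `patch`, `patchType`) and has no `metadata`, so with `remediationAction: enforce` and `complianceType: mustonlyhave` the config-policy controller has nothing it can create or compare against and the Policy will most likely report NonCompliant on every cluster it targets. In the same hunk the real Namespace template loses `openshift.io/node-selector: ''` and `openshift.io/cluster-logging: 'true'`, so neither the annotation nor the label is enforced on the policy path any more. The stage template's hunk at the same offset has the identical problem. The generator should skip or translate Hive `patches` entries instead of emitting them as object-templates, and the Namespace template should keep its metadata as before:

```yaml
      object-templates:
        - complianceType: mustonlyhave
          metadataComplianceType: musthave
          objectDefinition:
            apiVersion: v1
            kind: Namespace
            metadata:
              annotations:
                openshift.io/node-selector: ''
              labels:
                openshift.io/cluster-logging: 'true'
              name: openshift-logging
        # … unchanged: Role and RoleBinding object-templates …
```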
@@ -31423,56 +31515,127 @@ objects: values: - 'true' resourceApplyMode: Upsert + applyBehavior: CreateOnly + patches: + - apiVersion: v1 + kind: Namespace + name: openshift-logging + applyMode: AlwaysApply + patchType: merge + patch: "{\n \"annotations\": {\n \"openshift.io/node-selector\": \"\"\n\ + \ },\n \"labels\": {\n \"managed.openshift.io/service-lb-quota-exempt\"\ + : \"true\"\n \"managed.openshift.io/storage-pv-quota-exempt\": \"true\"\ + \n \"openshift.io/cluster-logging\": \"true\"\n \"openshift.io/cluster-monitoring\"\ + : 'true'\n }\n}" resources: - apiVersion: v1 kind: Namespace metadata: name: openshift-logging - annotations: - openshift.io/node-selector: '' - labels: - managed.openshift.io/service-lb-quota-exempt: 'true' - managed.openshift.io/storage-pv-quota-exempt: 'true' - openshift.io/cluster-logging: 'true' - openshift.io/cluster-monitoring: 'true' - patches: - apiVersion: operators.coreos.com/v1 - applyMode: AlwaysApply kind: OperatorGroup - name: openshift-logging - namespace: openshift-logging - patchType: merge - patch: '{"annotations":{"olm.providedAPIs": "ClusterLogging.v1.logging.openshift.io"},"spec":{"targetNamespaces":["openshift-logging"]}}' + metadata: + annotations: + olm.providedAPIs: ClusterLogging.v1.logging.openshift.io + name: openshift-logging + namespace: openshift-logging + spec: + targetNamespaces: + - openshift-logging - apiVersion: v1 + data: + actions.yaml: '# --- + + # Remember, leave a key empty if there is no value. None will be a string, + + # not a Python "NoneType" + + # + + # Also remember that all examples have "disable_action" set to True. If + you + + # want to use this action as a template, be sure to set this to False after + + # copying it. + + # actions: + + # 1: + + # action: delete_indices + + # description: >- + + # Delete .operations indices older than 30 days. + + # Ignore the error if the filter does not + + # result in an actionable list of indices (ignore_empty_list). 
+ + # See https://www.elastic.co/guide/en/elasticsearch/client/curator/5.2/ex_delete_indices.html + + # options: + + # # Swallow curator.exception.NoIndices exception + + # ignore_empty_list: True + + # # In seconds, default is 300 + + # timeout_override: ${CURATOR_TIMEOUT} + + # # Don''t swallow any other exceptions + + # continue_if_exception: False + + # # Optionally disable action, useful for debugging + + # disable_action: False + + # # All filters are bound by logical AND + + # filters: + + # - filtertype: pattern + + # kind: regex + + # value: "^\.operations\..*$" + + # exclude: False + + # - filtertype: age + + # # Parse timestamp from index name + + # source: name + + # direction: older + + # timestring: "%Y.%m.%d" + + # unit: days + + # unit_count: 30 + + # exclude: False + + ' + config.yaml: "# Logging example curator config file\n\n# uncomment and use\ + \ this to override the defaults from env vars\n#.defaults:\n# delete:\n\ + # days: 30\n.defaults:\n delete:\n days: 7\n\n# to keep ops logs\ + \ for a different duration:\n.operations:\n delete:\n days: 0\n\n# example\ + \ for a normal project\n#myapp:\n# delete:\n# weeks: 1\n" + curator5.yaml: "---\nclient:\n hosts:\n - ${ES_HOST}\n port: ${ES_PORT}\n\ + \ use_ssl: True\n certificate: ${ES_CA}\n client_cert: ${ES_CLIENT_CERT}\n\ + \ client_key: ${ES_CLIENT_KEY}\n ssl_no_validate: False\n timeout: ${CURATOR_TIMEOUT}\n\ + \ master_only: False\nlogging:\n loglevel: ${CURATOR_LOG_LEVEL}\n logformat:\ + \ default\n blacklist: ['elasticsearch', 'urllib3']\n \n" kind: ConfigMap - name: curator - namespace: openshift-logging - patchType: merge - patch: '{"data":{"actions.yaml":"# ---\n# Remember, leave a key empty if there - is no value. None will be a string,\n# not a Python \"NoneType\"\n#\n# Also - remember that all examples have \"disable_action\" set to True. 
If you\n# - want to use this action as a template, be sure to set this to False after\n# - copying it.\n# actions:\n# 1:\n# action: delete_indices\n# description: - >-\n# Delete .operations indices older than 30 days.\n# Ignore - the error if the filter does not\n# result in an actionable list of - indices (ignore_empty_list).\n# See https://www.elastic.co/guide/en/elasticsearch/client/curator/5.2/ex_delete_indices.html\n# options:\n# # - Swallow curator.exception.NoIndices exception\n# ignore_empty_list: - True\n# # In seconds, default is 300\n# timeout_override: ${CURATOR_TIMEOUT}\n# # - Don not swallow any other exceptions\n# continue_if_exception: False\n# # - Optionally disable action, useful for debugging\n# disable_action: False\n# # - All filters are bound by logical AND\n# filters:\n# - filtertype: - pattern\n# kind: regex\n# value: \"^\\.operations\\..*$\"\n# exclude: - False\n# - filtertype: age\n# # Parse timestamp from index name\n# source: - name\n# direction: older\n# timestring: \"%Y.%m.%d\"\n# unit: - days\n# unit_count: 30\n# exclude: False\n","config.yaml":"# Logging - example curator config file\n\n# uncomment and use this to override the defaults - from env vars\n#.defaults:\n# delete:\n# days: 30\n.defaults:\n delete:\n days: - 7\n\n# to keep ops logs for a different duration:\n.operations:\n delete:\n days: - 0\n\n# example for a normal project\n#myapp:\n# delete:\n# weeks: 1\n","curator5.yaml":"---\nclient:\n hosts:\n - - ${ES_HOST}\n port: ${ES_PORT}\n use_ssl: True\n certificate: ${ES_CA}\n client_cert: - ${ES_CLIENT_CERT}\n client_key: ${ES_CLIENT_KEY}\n ssl_no_validate: False\n timeout: - ${CURATOR_TIMEOUT}\n master_only: False\nlogging:\n loglevel: ${CURATOR_LOG_LEVEL}\n logformat: - default\n blacklist: ["elasticsearch", "urllib3"]\n \n"}}' + metadata: + name: curator + namespace: openshift-logging - apiVersion: hive.openshift.io/v1 kind: SelectorSyncSet metadata: 
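Review bot: The `patch` string for the `openshift-logging` Namespace is not valid JSON: the four entries under `labels` have no commas between them and the last value is single-quoted (`'true'`), so the merge patch will be rejected and none of `managed.openshift.io/service-lb-quota-exempt`, `managed.openshift.io/storage-pv-quota-exempt`, `openshift.io/cluster-logging` or `openshift.io/cluster-monitoring` will be applied. Because the Namespace resource in this hunk no longer carries those labels and the SelectorSyncSet is now `applyBehavior: CreateOnly`, they are lost on new clusters rather than merely re-applied, which, if `openshift.io/cluster-monitoring` is what opts the namespace into monitoring here, also leaves it unmonitored. The keys additionally sit at the top level instead of under `metadata`; the corrected value is `patch: '{"metadata":{"annotations":{"openshift.io/node-selector":""},"labels":{"managed.openshift.io/service-lb-quota-exempt":"true","managed.openshift.io/storage-pv-quota-exempt":"true","openshift.io/cluster-logging":"true","openshift.io/cluster-monitoring":"true"}}}'`. The stage template's hunk at the same offset carries the same broken string, and since these `.yaml.tmpl` files are generated the fix belongs in the source patch file the generator reads, followed by regeneration.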
@@ -31491,28 +31654,99 @@ objects: values: - 'true' resourceApplyMode: Sync - patches: + resources: - apiVersion: v1 kind: ResourceQuota - name: logging-storage-quota - namespace: openshift-logging - applyMode: AlwaysApply - patchType: merge - patch: '{"spec":{"hard":{"requests.storage":"1500Gi"}}}' + metadata: + name: logging-storage-quota + namespace: openshift-logging + spec: + hard: + requests.storage: 1500Gi - apiVersion: rbac.authorization.k8s.io/v1 kind: Role - name: dedicated-admins-openshift-logging - namespace: openshift-logging - applyMode: AlwaysApply - patchType: merge - patch: '{"rules":[{"apiGroups":[""],"resources":["events","namespaces","persistentvolumeclaims","persistentvolumes","pods","pods/log"],"verbs":["list","get","watch"]},{"apiGroups":[""],"resources":["secrets"],"verbs":["*"]},{"apiGroups":["logging.openshift.io"],"resources":["clusterloggings"],"verbs":["create","delete","deletecollection","get","list","patch","update","watch"]},{"apiGroups":["operators.coreos.com"],"resources":["subscriptions","clusterserviceversions"],"verbs":["*"]},{"apiGroups":["operators.coreos.com"],"resources":["installplans"],"verbs":["update"]},{"apiGroups":[""],"resources":["persistentvolumeclaims"],"verbs":["*"]},{"apiGroups":["apps","extensions"],"resources":["daemonsets"],"verbs":["get","list","patch","update","watch"]}]}' + metadata: + name: dedicated-admins-openshift-logging + namespace: openshift-logging + rules: + - apiGroups: + - '' + resources: + - events + - namespaces + - persistentvolumeclaims + - persistentvolumes + - pods + - pods/log + verbs: + - list + - get + - watch + - apiGroups: + - '' + resources: + - secrets + verbs: + - '*' + - apiGroups: + - logging.openshift.io + resources: + - clusterloggings + verbs: + - create + - delete + - deletecollection + - get + - list + - patch + - update + - watch + - apiGroups: + - operators.coreos.com + resources: + - subscriptions + - clusterserviceversions + verbs: + - '*' + - apiGroups: + - 
operators.coreos.com + resources: + - installplans + verbs: + - update + - apiGroups: + - '' + resources: + - persistentvolumeclaims + verbs: + - '*' + - apiGroups: + - apps + - extensions + resources: + - daemonsets + verbs: + - get + - list + - patch + - update + - watch - apiVersion: rbac.authorization.k8s.io/v1 kind: RoleBinding - name: dedicated-admins-openshift-logging - namespace: openshift-logging - applyMode: AlwaysApply - patchType: merge - patch: '{"subjects":[{"apiGroup":"rbac.authorization.k8s.io","kind":"Group","name":"dedicated-admins"},{"apiGroup":"rbac.authorization.k8s.io","kind":"Group","name":"system:serviceaccounts:dedicated-admin"}],"roleRef":{"apiGroup":"rbac.authorization.k8s.io","kind":"Role","name":"dedicated-admins-openshift-logging"}}' + metadata: + name: dedicated-admins-openshift-logging + namespace: openshift-logging + subjects: + - apiGroup: rbac.authorization.k8s.io + kind: Group + name: dedicated-admins + - apiGroup: rbac.authorization.k8s.io + kind: Group + name: system:serviceaccounts:dedicated-admin + roleRef: + apiGroup: rbac.authorization.k8s.io + kind: Role + name: dedicated-admins-openshift-logging - apiVersion: hive.openshift.io/v1 kind: SelectorSyncSet metadata: 
@@ -31531,51 +31765,141 @@ objects: values: - 'true' resourceApplyMode: Upsert + applyBehavior: CreateOnly + patches: + - apiVersion: v1 + kind: Namespace + name: openshift-logging + applyMode: AlwaysApply + patchType: merge + patch: "{\n \"annotations\": {\n \"openshift.io/node-selector\": \"\"\n\ + \ },\n \"labels\": {\n \"openshift.io/cluster-logging\": \"true\"\n \ + \ }\n}" resources: - apiVersion: v1 kind: Namespace metadata: name: openshift-logging - annotations: - openshift.io/node-selector: '' - labels: - openshift.io/cluster-logging: 'true' - patches: - apiVersion: rbac.authorization.k8s.io/v1 kind: Role - name: dedicated-admins-openshift-logging - namespace: openshift-logging - applyMode: AlwaysApply - patchType: merge - patch: '{"rules":[{"apiGroups":[""],"resources":["events","namespaces","persistentvolumeclaims","persistentvolumes","pods","pods/log"],"verbs":["list","get","watch"]},{"apiGroups":[""],"resources":["secrets"],"verbs":["*"]},{"apiGroups":["logging.openshift.io"],"resources":["clusterloggings"],"verbs":["create","delete","deletecollection","get","list","patch","update","watch"]},{"apiGroups":["operators.coreos.com"],"resources":["subscriptions","clusterserviceversions"],"verbs":["*"]},{"apiGroups":["operators.coreos.com"],"resources":["installplans"],"verbs":["update"]},{"apiGroups":[""],"resources":["persistentvolumeclaims"],"verbs":["*"]},{"apiGroups":["apps","extensions"],"resources":["daemonsets"],"verbs":["get","list","patch","update","watch"]}]}' + metadata: + name: dedicated-admins-openshift-logging + namespace: openshift-logging + rules: + - apiGroups: + - '' + resources: + - events + - namespaces + - persistentvolumeclaims + - persistentvolumes + - pods + - pods/log + verbs: + - list + - get + - watch + - apiGroups: + - '' + resources: + - secrets + verbs: + - '*' + - apiGroups: + - logging.openshift.io + resources: + - clusterloggings + verbs: + - create + - delete + - deletecollection + - get + - list + - patch + - update + - 
watch + - apiGroups: + - operators.coreos.com + resources: + - subscriptions + - clusterserviceversions + verbs: + - '*' + - apiGroups: + - operators.coreos.com + resources: + - installplans + verbs: + - update + - apiGroups: + - '' + resources: + - persistentvolumeclaims + verbs: + - '*' + - apiGroups: + - apps + - extensions + resources: + - daemonsets + verbs: + - get + - list + - patch + - update + - watch - apiVersion: rbac.authorization.k8s.io/v1 kind: RoleBinding - name: admin-dedicated-admins - namespace: openshift-logging - applyMode: AlwaysApply - patchType: merge - patch: '{"roleRef":{"apiGroup":"rbac.authorization.k8s.io","kind":"ClusterRole","name":"admin"},"subjects":[{"apiGroup":"rbac.authorization.k8s.io","kind":"Group","name":"dedicated-admins"}]}' + metadata: + name: admin-dedicated-admins + namespace: openshift-logging + roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: admin + subjects: + - apiGroup: rbac.authorization.k8s.io + kind: Group + name: dedicated-admins - apiVersion: rbac.authorization.k8s.io/v1 kind: RoleBinding - name: admin-system:serviceaccounts:dedicated-admin - namespace: openshift-logging - applyMode: AlwaysApply - patchType: merge - patch: '{"roleRef":{"apiGroup":"rbac.authorization.k8s.io","kind":"ClusterRole","name":"admin"},"subjects":[{"apiGroup":"rbac.authorization.k8s.io","kind":"Group"}]}' + metadata: + name: admin-system:serviceaccounts:dedicated-admin + namespace: openshift-logging + roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: admin + subjects: + - apiGroup: rbac.authorization.k8s.io + kind: Group + name: system:serviceaccounts:dedicated-admin - apiVersion: rbac.authorization.k8s.io/v1 kind: RoleBinding - name: openshift-logging-dedicated-admins - namespace: openshift-logging - applyMode: AlwaysApply - patchType: merge - patch: 
'{"roleRef":{"apiGroup":"rbac.authorization.k8s.io","kind":"ClusterRole","name":"dedicated-admins-project"},"subjects":[{"apiGroup":"rbac.authorization.k8s.io","kind":"Group","name":"dedicated-admins"}]}' + metadata: + name: openshift-logging-dedicated-admins + namespace: openshift-logging + roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: dedicated-admins-project + subjects: + - apiGroup: rbac.authorization.k8s.io + kind: Group + name: dedicated-admins - apiVersion: rbac.authorization.k8s.io/v1 kind: RoleBinding - name: openshift-logging:serviceaccounts:dedicated-admin - namespace: openshift-logging - applyMode: AlwaysApply - patchType: merge - patch: '{"roleRef":{"apiGroup":"rbac.authorization.k8s.io","kind":"ClusterRole","name":"dedicated-admins-project"},"subjects":[{"apiGroup":"rbac.authorization.k8s.io","kind":"Group","name":"system:serviceaccounts:dedicated-admin"}]}' + metadata: + name: openshift-logging:serviceaccounts:dedicated-admin + namespace: openshift-logging + roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: dedicated-admins-project + subjects: + - apiGroup: rbac.authorization.k8s.io + kind: Group + name: system:serviceaccounts:dedicated-admin - apiVersion: hive.openshift.io/v1 kind: SelectorSyncSet metadata: diff --git a/hack/00-osd-managed-cluster-config-stage.yaml.tmpl b/hack/00-osd-managed-cluster-config-stage.yaml.tmpl index 8cf3e650ec..a7ea6963d8 100644 --- a/hack/00-osd-managed-cluster-config-stage.yaml.tmpl +++ b/hack/00-osd-managed-cluster-config-stage.yaml.tmpl 
@@ -6262,67 +6262,159 @@ objects: compliant: 2h noncompliant: 45s object-templates: + - complianceType: mustonlyhave + metadataComplianceType: musthave + objectDefinition: + apiVersion: v1 + applyMode: AlwaysApply + kind: Namespace + name: openshift-logging + patch: "{\n \"annotations\": {\n \"openshift.io/node-selector\"\ + : \"\"\n },\n \"labels\": {\n \"openshift.io/cluster-logging\"\ + : \"true\"\n }\n}" + patchType: merge - complianceType: mustonlyhave metadataComplianceType: musthave objectDefinition: apiVersion: v1 kind: Namespace metadata: - annotations: - openshift.io/node-selector: '' - labels: - openshift.io/cluster-logging: 'true' name: openshift-logging - complianceType: mustonlyhave metadataComplianceType: musthave objectDefinition: apiVersion: rbac.authorization.k8s.io/v1 - applyMode: AlwaysApply kind: Role - name: dedicated-admins-openshift-logging - namespace: openshift-logging - patch: '{"rules":[{"apiGroups":[""],"resources":["events","namespaces","persistentvolumeclaims","persistentvolumes","pods","pods/log"],"verbs":["list","get","watch"]},{"apiGroups":[""],"resources":["secrets"],"verbs":["*"]},{"apiGroups":["logging.openshift.io"],"resources":["clusterloggings"],"verbs":["create","delete","deletecollection","get","list","patch","update","watch"]},{"apiGroups":["operators.coreos.com"],"resources":["subscriptions","clusterserviceversions"],"verbs":["*"]},{"apiGroups":["operators.coreos.com"],"resources":["installplans"],"verbs":["update"]},{"apiGroups":[""],"resources":["persistentvolumeclaims"],"verbs":["*"]},{"apiGroups":["apps","extensions"],"resources":["daemonsets"],"verbs":["get","list","patch","update","watch"]}]}' - patchType: merge + metadata: + name: dedicated-admins-openshift-logging + namespace: openshift-logging + rules: + - apiGroups: + - '' + resources: + - events + - namespaces + - persistentvolumeclaims + - persistentvolumes + - pods + - pods/log + verbs: + - list + - get + - watch + - apiGroups: + - '' + resources: + - secrets 
+ verbs: + - '*' + - apiGroups: + - logging.openshift.io + resources: + - clusterloggings + verbs: + - create + - delete + - deletecollection + - get + - list + - patch + - update + - watch + - apiGroups: + - operators.coreos.com + resources: + - subscriptions + - clusterserviceversions + verbs: + - '*' + - apiGroups: + - operators.coreos.com + resources: + - installplans + verbs: + - update + - apiGroups: + - '' + resources: + - persistentvolumeclaims + verbs: + - '*' + - apiGroups: + - apps + - extensions + resources: + - daemonsets + verbs: + - get + - list + - patch + - update + - watch - complianceType: mustonlyhave metadataComplianceType: musthave objectDefinition: apiVersion: rbac.authorization.k8s.io/v1 - applyMode: AlwaysApply kind: RoleBinding - name: admin-dedicated-admins - namespace: openshift-logging - patch: '{"roleRef":{"apiGroup":"rbac.authorization.k8s.io","kind":"ClusterRole","name":"admin"},"subjects":[{"apiGroup":"rbac.authorization.k8s.io","kind":"Group","name":"dedicated-admins"}]}' - patchType: merge + metadata: + name: admin-dedicated-admins + namespace: openshift-logging + roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: admin + subjects: + - apiGroup: rbac.authorization.k8s.io + kind: Group + name: dedicated-admins - complianceType: mustonlyhave metadataComplianceType: musthave objectDefinition: apiVersion: rbac.authorization.k8s.io/v1 - applyMode: AlwaysApply kind: RoleBinding - name: admin-system:serviceaccounts:dedicated-admin - namespace: openshift-logging - patch: '{"roleRef":{"apiGroup":"rbac.authorization.k8s.io","kind":"ClusterRole","name":"admin"},"subjects":[{"apiGroup":"rbac.authorization.k8s.io","kind":"Group"}]}' - patchType: merge + metadata: + name: admin-system:serviceaccounts:dedicated-admin + namespace: openshift-logging + roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: admin + subjects: + - apiGroup: rbac.authorization.k8s.io + kind: Group + name: 
system:serviceaccounts:dedicated-admin - complianceType: mustonlyhave metadataComplianceType: musthave objectDefinition: apiVersion: rbac.authorization.k8s.io/v1 - applyMode: AlwaysApply kind: RoleBinding - name: openshift-logging-dedicated-admins - namespace: openshift-logging - patch: '{"roleRef":{"apiGroup":"rbac.authorization.k8s.io","kind":"ClusterRole","name":"dedicated-admins-project"},"subjects":[{"apiGroup":"rbac.authorization.k8s.io","kind":"Group","name":"dedicated-admins"}]}' - patchType: merge + metadata: + name: openshift-logging-dedicated-admins + namespace: openshift-logging + roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: dedicated-admins-project + subjects: + - apiGroup: rbac.authorization.k8s.io + kind: Group + name: dedicated-admins - complianceType: mustonlyhave metadataComplianceType: musthave objectDefinition: apiVersion: rbac.authorization.k8s.io/v1 - applyMode: AlwaysApply kind: RoleBinding - name: openshift-logging:serviceaccounts:dedicated-admin - namespace: openshift-logging - patch: '{"roleRef":{"apiGroup":"rbac.authorization.k8s.io","kind":"ClusterRole","name":"dedicated-admins-project"},"subjects":[{"apiGroup":"rbac.authorization.k8s.io","kind":"Group","name":"system:serviceaccounts:dedicated-admin"}]}' - patchType: merge + metadata: + name: openshift-logging:serviceaccounts:dedicated-admin + namespace: openshift-logging + roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: dedicated-admins-project + subjects: + - apiGroup: rbac.authorization.k8s.io + kind: Group + name: system:serviceaccounts:dedicated-admin pruneObjectBehavior: DeleteIfCreated remediationAction: enforce severity: low 
@@ -31423,56 +31515,127 @@ objects: values: - 'true' resourceApplyMode: Upsert + applyBehavior: CreateOnly + patches: + - apiVersion: v1 + kind: Namespace + name: openshift-logging + applyMode: AlwaysApply + patchType: merge + patch: "{\n \"annotations\": {\n \"openshift.io/node-selector\": \"\"\n\ + \ },\n \"labels\": {\n \"managed.openshift.io/service-lb-quota-exempt\"\ + : \"true\"\n \"managed.openshift.io/storage-pv-quota-exempt\": \"true\"\ + \n \"openshift.io/cluster-logging\": \"true\"\n \"openshift.io/cluster-monitoring\"\ + : 'true'\n }\n}" resources: - apiVersion: v1 kind: Namespace metadata: name: openshift-logging - annotations: - openshift.io/node-selector: '' - labels: - managed.openshift.io/service-lb-quota-exempt: 'true' - managed.openshift.io/storage-pv-quota-exempt: 'true' - openshift.io/cluster-logging: 'true' - openshift.io/cluster-monitoring: 'true' - patches: - apiVersion: operators.coreos.com/v1 - applyMode: AlwaysApply kind: OperatorGroup - name: openshift-logging - namespace: openshift-logging - patchType: merge - patch: '{"annotations":{"olm.providedAPIs": "ClusterLogging.v1.logging.openshift.io"},"spec":{"targetNamespaces":["openshift-logging"]}}' + metadata: + annotations: + olm.providedAPIs: ClusterLogging.v1.logging.openshift.io + name: openshift-logging + namespace: openshift-logging + spec: + targetNamespaces: + - openshift-logging - apiVersion: v1 + data: + actions.yaml: '# --- + + # Remember, leave a key empty if there is no value. None will be a string, + + # not a Python "NoneType" + + # + + # Also remember that all examples have "disable_action" set to True. If + you + + # want to use this action as a template, be sure to set this to False after + + # copying it. + + # actions: + + # 1: + + # action: delete_indices + + # description: >- + + # Delete .operations indices older than 30 days. + + # Ignore the error if the filter does not + + # result in an actionable list of indices (ignore_empty_list). 
+ + # See https://www.elastic.co/guide/en/elasticsearch/client/curator/5.2/ex_delete_indices.html + + # options: + + # # Swallow curator.exception.NoIndices exception + + # ignore_empty_list: True + + # # In seconds, default is 300 + + # timeout_override: ${CURATOR_TIMEOUT} + + # # Don''t swallow any other exceptions + + # continue_if_exception: False + + # # Optionally disable action, useful for debugging + + # disable_action: False + + # # All filters are bound by logical AND + + # filters: + + # - filtertype: pattern + + # kind: regex + + # value: "^\.operations\..*$" + + # exclude: False + + # - filtertype: age + + # # Parse timestamp from index name + + # source: name + + # direction: older + + # timestring: "%Y.%m.%d" + + # unit: days + + # unit_count: 30 + + # exclude: False + + ' + config.yaml: "# Logging example curator config file\n\n# uncomment and use\ + \ this to override the defaults from env vars\n#.defaults:\n# delete:\n\ + # days: 30\n.defaults:\n delete:\n days: 7\n\n# to keep ops logs\ + \ for a different duration:\n.operations:\n delete:\n days: 0\n\n# example\ + \ for a normal project\n#myapp:\n# delete:\n# weeks: 1\n" + curator5.yaml: "---\nclient:\n hosts:\n - ${ES_HOST}\n port: ${ES_PORT}\n\ + \ use_ssl: True\n certificate: ${ES_CA}\n client_cert: ${ES_CLIENT_CERT}\n\ + \ client_key: ${ES_CLIENT_KEY}\n ssl_no_validate: False\n timeout: ${CURATOR_TIMEOUT}\n\ + \ master_only: False\nlogging:\n loglevel: ${CURATOR_LOG_LEVEL}\n logformat:\ + \ default\n blacklist: ['elasticsearch', 'urllib3']\n \n" kind: ConfigMap - name: curator - namespace: openshift-logging - patchType: merge - patch: '{"data":{"actions.yaml":"# ---\n# Remember, leave a key empty if there - is no value. None will be a string,\n# not a Python \"NoneType\"\n#\n# Also - remember that all examples have \"disable_action\" set to True. 
If you\n# - want to use this action as a template, be sure to set this to False after\n# - copying it.\n# actions:\n# 1:\n# action: delete_indices\n# description: - >-\n# Delete .operations indices older than 30 days.\n# Ignore - the error if the filter does not\n# result in an actionable list of - indices (ignore_empty_list).\n# See https://www.elastic.co/guide/en/elasticsearch/client/curator/5.2/ex_delete_indices.html\n# options:\n# # - Swallow curator.exception.NoIndices exception\n# ignore_empty_list: - True\n# # In seconds, default is 300\n# timeout_override: ${CURATOR_TIMEOUT}\n# # - Don not swallow any other exceptions\n# continue_if_exception: False\n# # - Optionally disable action, useful for debugging\n# disable_action: False\n# # - All filters are bound by logical AND\n# filters:\n# - filtertype: - pattern\n# kind: regex\n# value: \"^\\.operations\\..*$\"\n# exclude: - False\n# - filtertype: age\n# # Parse timestamp from index name\n# source: - name\n# direction: older\n# timestring: \"%Y.%m.%d\"\n# unit: - days\n# unit_count: 30\n# exclude: False\n","config.yaml":"# Logging - example curator config file\n\n# uncomment and use this to override the defaults - from env vars\n#.defaults:\n# delete:\n# days: 30\n.defaults:\n delete:\n days: - 7\n\n# to keep ops logs for a different duration:\n.operations:\n delete:\n days: - 0\n\n# example for a normal project\n#myapp:\n# delete:\n# weeks: 1\n","curator5.yaml":"---\nclient:\n hosts:\n - - ${ES_HOST}\n port: ${ES_PORT}\n use_ssl: True\n certificate: ${ES_CA}\n client_cert: - ${ES_CLIENT_CERT}\n client_key: ${ES_CLIENT_KEY}\n ssl_no_validate: False\n timeout: - ${CURATOR_TIMEOUT}\n master_only: False\nlogging:\n loglevel: ${CURATOR_LOG_LEVEL}\n logformat: - default\n blacklist: ["elasticsearch", "urllib3"]\n \n"}}' + metadata: + name: curator + namespace: openshift-logging - apiVersion: hive.openshift.io/v1 kind: SelectorSyncSet metadata: 
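Review bot: The merge patch for the `openshift-logging` Namespace at the top of the hunk does not look like valid JSON: the four entries under `"labels"` have no commas between them and the last value is `'true'` in single quotes, whereas the single-label patch for the unsupported variant further down in this file is well-formed, so unless the collapsed rendering of this diff dropped the commas, the API server will reject the patch and none of the quota-exempt and cluster-monitoring labels will be applied. In the source `00-namespace.patch.yaml` add a trailing `,` to the first three label entries and change `'true'` to `"true"` so the rendered block is `"openshift.io/cluster-logging": "true",` followed by `"openshift.io/cluster-monitoring": "true"`. Separately, the new `applyBehavior: CreateOnly` now also governs the OperatorGroup and the curator ConfigMap that this hunk moves from always-applied `patches` into `resources`, so an in-cluster edit to `spec.targetNamespaces` or to `curator5.yaml` (for example flipping `ssl_no_validate`) will no longer be reverted and future changes to those objects will not roll out to existing clusters; if only the Namespace is meant to be create-only, keep those two as patches or move them to a separate Upsert syncset. The commit message only mentions the labels, so this scope change should be called out there.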
@@ -31491,28 +31654,99 @@ objects: values: - 'true' resourceApplyMode: Sync - patches: + resources: - apiVersion: v1 kind: ResourceQuota - name: logging-storage-quota - namespace: openshift-logging - applyMode: AlwaysApply - patchType: merge - patch: '{"spec":{"hard":{"requests.storage":"1500Gi"}}}' + metadata: + name: logging-storage-quota + namespace: openshift-logging + spec: + hard: + requests.storage: 1500Gi - apiVersion: rbac.authorization.k8s.io/v1 kind: Role - name: dedicated-admins-openshift-logging - namespace: openshift-logging - applyMode: AlwaysApply - patchType: merge - patch: '{"rules":[{"apiGroups":[""],"resources":["events","namespaces","persistentvolumeclaims","persistentvolumes","pods","pods/log"],"verbs":["list","get","watch"]},{"apiGroups":[""],"resources":["secrets"],"verbs":["*"]},{"apiGroups":["logging.openshift.io"],"resources":["clusterloggings"],"verbs":["create","delete","deletecollection","get","list","patch","update","watch"]},{"apiGroups":["operators.coreos.com"],"resources":["subscriptions","clusterserviceversions"],"verbs":["*"]},{"apiGroups":["operators.coreos.com"],"resources":["installplans"],"verbs":["update"]},{"apiGroups":[""],"resources":["persistentvolumeclaims"],"verbs":["*"]},{"apiGroups":["apps","extensions"],"resources":["daemonsets"],"verbs":["get","list","patch","update","watch"]}]}' + metadata: + name: dedicated-admins-openshift-logging + namespace: openshift-logging + rules: + - apiGroups: + - '' + resources: + - events + - namespaces + - persistentvolumeclaims + - persistentvolumes + - pods + - pods/log + verbs: + - list + - get + - watch + - apiGroups: + - '' + resources: + - secrets + verbs: + - '*' + - apiGroups: + - logging.openshift.io + resources: + - clusterloggings + verbs: + - create + - delete + - deletecollection + - get + - list + - patch + - update + - watch + - apiGroups: + - operators.coreos.com + resources: + - subscriptions + - clusterserviceversions + verbs: + - '*' + - apiGroups: + - 
operators.coreos.com + resources: + - installplans + verbs: + - update + - apiGroups: + - '' + resources: + - persistentvolumeclaims + verbs: + - '*' + - apiGroups: + - apps + - extensions + resources: + - daemonsets + verbs: + - get + - list + - patch + - update + - watch - apiVersion: rbac.authorization.k8s.io/v1 kind: RoleBinding - name: dedicated-admins-openshift-logging - namespace: openshift-logging - applyMode: AlwaysApply - patchType: merge - patch: '{"subjects":[{"apiGroup":"rbac.authorization.k8s.io","kind":"Group","name":"dedicated-admins"},{"apiGroup":"rbac.authorization.k8s.io","kind":"Group","name":"system:serviceaccounts:dedicated-admin"}],"roleRef":{"apiGroup":"rbac.authorization.k8s.io","kind":"Role","name":"dedicated-admins-openshift-logging"}}' + metadata: + name: dedicated-admins-openshift-logging + namespace: openshift-logging + subjects: + - apiGroup: rbac.authorization.k8s.io + kind: Group + name: dedicated-admins + - apiGroup: rbac.authorization.k8s.io + kind: Group + name: system:serviceaccounts:dedicated-admin + roleRef: + apiGroup: rbac.authorization.k8s.io + kind: Role + name: dedicated-admins-openshift-logging - apiVersion: hive.openshift.io/v1 kind: SelectorSyncSet metadata: 
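Review bot: The `secrets` rule in the `dedicated-admins-openshift-logging` Role still grants `verbs: ['*']`, as does the `subscriptions`/`clusterserviceversions` rule, while the `clusterloggings` rule in the same Role enumerates its verbs; a wildcard silently includes any verb added later, and both `dedicated-admins` and `system:serviceaccounts:dedicated-admin` (every service account in the `dedicated-admin` namespace) receive it through the RoleBinding at the end of the hunk. Now that the rules are rendered as block YAML instead of an opaque JSON string, enumerate what dedicated admins actually need, e.g. `verbs: [get, list, watch, create, update, patch, delete]`, or add a comment in the source `05-role.yaml` recording why full secret access in this namespace is required. This is pre-existing policy the change only reformats, so it may be deliberate. Moving the ResourceQuota, Role and RoleBinding from `patches` to `resources` under `resourceApplyMode: Sync` also means Hive now creates and fully reconciles them and deletes them if they are dropped from the syncset, which is good drift control but worth a sentence in the commit message.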
@@ -31531,51 +31765,141 @@ objects: values: - 'true' resourceApplyMode: Upsert + applyBehavior: CreateOnly + patches: + - apiVersion: v1 + kind: Namespace + name: openshift-logging + applyMode: AlwaysApply + patchType: merge + patch: "{\n \"annotations\": {\n \"openshift.io/node-selector\": \"\"\n\ + \ },\n \"labels\": {\n \"openshift.io/cluster-logging\": \"true\"\n \ + \ }\n}" resources: - apiVersion: v1 kind: Namespace metadata: name: openshift-logging - annotations: - openshift.io/node-selector: '' - labels: - openshift.io/cluster-logging: 'true' - patches: - apiVersion: rbac.authorization.k8s.io/v1 kind: Role - name: dedicated-admins-openshift-logging - namespace: openshift-logging - applyMode: AlwaysApply - patchType: merge - patch: '{"rules":[{"apiGroups":[""],"resources":["events","namespaces","persistentvolumeclaims","persistentvolumes","pods","pods/log"],"verbs":["list","get","watch"]},{"apiGroups":[""],"resources":["secrets"],"verbs":["*"]},{"apiGroups":["logging.openshift.io"],"resources":["clusterloggings"],"verbs":["create","delete","deletecollection","get","list","patch","update","watch"]},{"apiGroups":["operators.coreos.com"],"resources":["subscriptions","clusterserviceversions"],"verbs":["*"]},{"apiGroups":["operators.coreos.com"],"resources":["installplans"],"verbs":["update"]},{"apiGroups":[""],"resources":["persistentvolumeclaims"],"verbs":["*"]},{"apiGroups":["apps","extensions"],"resources":["daemonsets"],"verbs":["get","list","patch","update","watch"]}]}' + metadata: + name: dedicated-admins-openshift-logging + namespace: openshift-logging + rules: + - apiGroups: + - '' + resources: + - events + - namespaces + - persistentvolumeclaims + - persistentvolumes + - pods + - pods/log + verbs: + - list + - get + - watch + - apiGroups: + - '' + resources: + - secrets + verbs: + - '*' + - apiGroups: + - logging.openshift.io + resources: + - clusterloggings + verbs: + - create + - delete + - deletecollection + - get + - list + - patch + - update + - 
watch + - apiGroups: + - operators.coreos.com + resources: + - subscriptions + - clusterserviceversions + verbs: + - '*' + - apiGroups: + - operators.coreos.com + resources: + - installplans + verbs: + - update + - apiGroups: + - '' + resources: + - persistentvolumeclaims + verbs: + - '*' + - apiGroups: + - apps + - extensions + resources: + - daemonsets + verbs: + - get + - list + - patch + - update + - watch - apiVersion: rbac.authorization.k8s.io/v1 kind: RoleBinding - name: admin-dedicated-admins - namespace: openshift-logging - applyMode: AlwaysApply - patchType: merge - patch: '{"roleRef":{"apiGroup":"rbac.authorization.k8s.io","kind":"ClusterRole","name":"admin"},"subjects":[{"apiGroup":"rbac.authorization.k8s.io","kind":"Group","name":"dedicated-admins"}]}' + metadata: + name: admin-dedicated-admins + namespace: openshift-logging + roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: admin + subjects: + - apiGroup: rbac.authorization.k8s.io + kind: Group + name: dedicated-admins - apiVersion: rbac.authorization.k8s.io/v1 kind: RoleBinding - name: admin-system:serviceaccounts:dedicated-admin - namespace: openshift-logging - applyMode: AlwaysApply - patchType: merge - patch: '{"roleRef":{"apiGroup":"rbac.authorization.k8s.io","kind":"ClusterRole","name":"admin"},"subjects":[{"apiGroup":"rbac.authorization.k8s.io","kind":"Group"}]}' + metadata: + name: admin-system:serviceaccounts:dedicated-admin + namespace: openshift-logging + roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: admin + subjects: + - apiGroup: rbac.authorization.k8s.io + kind: Group + name: system:serviceaccounts:dedicated-admin - apiVersion: rbac.authorization.k8s.io/v1 kind: RoleBinding - name: openshift-logging-dedicated-admins - namespace: openshift-logging - applyMode: AlwaysApply - patchType: merge - patch: 
'{"roleRef":{"apiGroup":"rbac.authorization.k8s.io","kind":"ClusterRole","name":"dedicated-admins-project"},"subjects":[{"apiGroup":"rbac.authorization.k8s.io","kind":"Group","name":"dedicated-admins"}]}' + metadata: + name: openshift-logging-dedicated-admins + namespace: openshift-logging + roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: dedicated-admins-project + subjects: + - apiGroup: rbac.authorization.k8s.io + kind: Group + name: dedicated-admins - apiVersion: rbac.authorization.k8s.io/v1 kind: RoleBinding - name: openshift-logging:serviceaccounts:dedicated-admin - namespace: openshift-logging - applyMode: AlwaysApply - patchType: merge - patch: '{"roleRef":{"apiGroup":"rbac.authorization.k8s.io","kind":"ClusterRole","name":"dedicated-admins-project"},"subjects":[{"apiGroup":"rbac.authorization.k8s.io","kind":"Group","name":"system:serviceaccounts:dedicated-admin"}]}' + metadata: + name: openshift-logging:serviceaccounts:dedicated-admin + namespace: openshift-logging + roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: dedicated-admins-project + subjects: + - apiGroup: rbac.authorization.k8s.io + kind: Group + name: system:serviceaccounts:dedicated-admin - apiVersion: hive.openshift.io/v1 kind: SelectorSyncSet metadata:
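Review bot: The `admin-system:serviceaccounts:dedicated-admin` RoleBinding near the end of the hunk now carries `name: system:serviceaccounts:dedicated-admin` on its subject, whereas the removed patch had a `Group` subject with no name, which RBAC validation rejects as a required field, so this change turns a binding that could not have been applied into an effective grant of the `admin` ClusterRole in `openshift-logging` to every service account in the `dedicated-admin` namespace. That is presumably the intent (the sibling `openshift-logging:serviceaccounts:dedicated-admin` binding already targets that group), but it is a privilege change not mentioned in the commit message and should be stated there, e.g. `Also fixes the nameless subject in admin-system:serviceaccounts:dedicated-admin, which now binds admin to system:serviceaccounts:dedicated-admin`. The hunk appears to close with the same three trailing context lines as the previous two; if it continues past the visible text, this applies to the visible part.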