Collector: Configure resources collected
Jorge Padilla edited this page Feb 1, 2024 · 21 revisions
Starting in ACM 2.5, you can control which resources are collected by search using allow/deny rules.
Creating search configurable collection
We can create a policy to distribute the ConfigMap `search-collector-config` to the managed clusters.
In this example, we create a Policy with the configuration to stop collecting the Kubernetes resource `secrets` from all managed clusters where the search add-on is available.
Required: Update the `AllowedResources` and `DeniedResources` in the ConfigMap definition. Look for the comment in the sample.
```yaml
apiVersion: policy.open-cluster-management.io/v1
kind: Policy
metadata:
  name: search-addon-config
spec:
  disabled: false
  policy-templates:
    - objectDefinition:
        apiVersion: policy.open-cluster-management.io/v1
        kind: ConfigurationPolicy
        metadata:
          name: search-addon-config-policy
        spec:
          namespaceSelector:
            include:
              - open-cluster-management-agent-addon
          object-templates:
            - complianceType: mustonlyhave
              objectDefinition:
                apiVersion: v1
                data:  ## <-- Update this section
                  AllowedResources: |-
                    - apiGroups:
                        - "*"
                      resources:
                        - "*"
                  DeniedResources: |-
                    - apiGroups:
                        - "*"
                      resources:
                        - secrets
                        - groups
                        - configmaps
                        - serviceaccounts
                        - rolebindings
                        - clusterroles
                        - apirequestcounts
                        - images
                        - replicasets
                        - clusterrolebindings
                        - serviceentries
                        - podnetworkconnectivitychecks
                kind: ConfigMap
                metadata:
                  name: search-collector-config
          remediationAction: inform
          severity: low
  remediationAction: enforce
```
Optional: Update the `clusterSelector` if you want to change which managed clusters get updated. Look for the comment in the sample.
```yaml
apiVersion: apps.open-cluster-management.io/v1
kind: PlacementRule
metadata:
  name: search-addon-config-placement
spec:
  clusterConditions:
    - status: "True"
      type: ManagedClusterConditionAvailable
  clusterSelector:
    matchExpressions:  ## <-- Update this section
      - key: feature.open-cluster-management.io/addon-search-collector
        operator: In
        values:
          - available
```
No changes are needed for this sample.
```yaml
apiVersion: policy.open-cluster-management.io/v1
kind: PlacementBinding
metadata:
  name: search-addon-config-placement
placementRef:
  name: search-addon-config-placement
  apiGroup: apps.open-cluster-management.io
  kind: PlacementRule
subjects:
  - name: search-addon-config
    apiGroup: policy.open-cluster-management.io
    kind: Policy
```