Collector: Configure resources collected - stolostron/search-v2-operator Wiki

Starting in ACM 2.5, you can control which resources are collected by search using allow/deny rules.

Feature spec

https://github.com/stolostron/search-collector#dev-preview-search-configurable-collection

Distribute the ConfigMap to the managed clusters using a policy

We can create a policy to distribute the ConfigMap search-collector-config to the managed clusters. In this example, the Policy carries a configuration that stops collecting Kubernetes Secrets (the sample also denies the other resource types listed under DeniedResources) from all managed clusters where the search add-on is available.

Sample Policy

Required: Update the AllowedResources and DeniedResources entries in the ConfigMap definition. Look for the comment in the sample.

apiVersion: policy.open-cluster-management.io/v1
kind: Policy
metadata:
  name: search-addon-config
spec:
  disabled: false
  policy-templates:
    - objectDefinition:
        apiVersion: policy.open-cluster-management.io/v1
        kind: ConfigurationPolicy
        metadata:
          name: search-addon-config-policy
        spec:
          namespaceSelector:
            include:
              - open-cluster-management-agent-addon
          object-templates:
            - complianceType: mustonlyhave
              objectDefinition:
                apiVersion: v1
                data:                     ## <-- Update this section
                  AllowedResources: |-
                    - apiGroups:
                        - "*"
                      resources:
                        - "*"
                  DeniedResources: |-
                    - apiGroups:
                        - "*"
                      resources:
                        - secrets
                        - groups
                        - configmaps
                        - serviceaccounts
                        - rolebindings
                        - clusterroles
                        - apirequestcounts
                        - images
                        - replicasets
                        - clusterrolebindings
                        - serviceentries
                        - podnetworkconnectivitychecks
                kind: ConfigMap
                metadata:
                  name: search-collector-config
          remediationAction: inform
          severity: low
  remediationAction: enforce
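The following is an added example, not code from the wiki or the search-collector project. It mirrors the AllowedResources/DeniedResources data from the ConfigMap above as constructed Python data and evaluates which resource types the collector would still index. It assumes that a resource is collected only when some allow rule matches it and no deny rule matches it (deny wins), and that "*" matches any API group or resource; it also goes beyond the page's sample by showing a strict allow-list variant (STRICT_ALLOWED, a hypothetical configuration).

```python
# Added example: evaluate search-collector allow/deny rules offline.
# Assumed semantics: deny rules take precedence over allow rules, and "*"
# is a wildcard for api groups and for resources.
from dataclasses import dataclass
from typing import List, Tuple


@dataclass
class Rule:
    api_groups: List[str]   # "" is the core group, "*" matches any group
    resources: List[str]    # plural resource names, "*" matches any resource


def rule_matches(rule: Rule, api_group: str, resource: str) -> bool:
    group_ok = "*" in rule.api_groups or api_group in rule.api_groups
    res_ok = "*" in rule.resources or resource in rule.resources
    return group_ok and res_ok


def is_collected(api_group: str, resource: str,
                 allowed: List[Rule], denied: List[Rule]) -> bool:
    """Assumed precedence: any matching deny rule blocks collection."""
    if any(rule_matches(r, api_group, resource) for r in denied):
        return False
    return any(rule_matches(r, api_group, resource) for r in allowed)


# Constructed mirror of the ConfigMap data shown on this page.
ALLOWED = [Rule(api_groups=["*"], resources=["*"])]
DENIED = [Rule(api_groups=["*"], resources=[
    "secrets", "groups", "configmaps", "serviceaccounts", "rolebindings",
    "clusterroles", "apirequestcounts", "images", "replicasets",
    "clusterrolebindings", "serviceentries", "podnetworkconnectivitychecks",
])]

# Hypothetical strict variant: collect only pods and deployments, deny nothing.
STRICT_ALLOWED = [Rule(api_groups=[""], resources=["pods"]),
                  Rule(api_groups=["apps"], resources=["deployments"])]


def collected_subset(candidates: List[Tuple[str, str]],
                     allowed=ALLOWED, denied=DENIED) -> List[Tuple[str, str]]:
    """Return the (apiGroup, resource) pairs the collector would still index."""
    return [(g, r) for g, r in candidates if is_collected(g, r, allowed, denied)]


if __name__ == "__main__":
    sample = [("", "secrets"), ("", "pods"), ("apps", "deployments"),
              ("apps", "replicasets"), ("route.openshift.io", "routes")]
    for g, r in sample:
        state = "collected" if is_collected(g, r, ALLOWED, DENIED) else "denied"
        print(f"{g or 'core'}/{r}: {state}")
```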

Sample PlacementRule

Optional: Update the clusterSelector if you want to change which managed clusters will get updated. Look for the comment in the sample.

apiVersion: apps.open-cluster-management.io/v1
kind: PlacementRule
metadata:
  name: search-addon-config-placement
spec:
  clusterConditions:
    - status: "True"
      type: ManagedClusterConditionAvailable
  clusterSelector:
    matchExpressions:                             ## <-- Update this section
      - key: feature.open-cluster-management.io/addon-search-collector
        operator: In
        values:
          - available

Sample PlacementBinding

No changes are needed for this sample.

apiVersion: policy.open-cluster-management.io/v1
kind: PlacementBinding
metadata:
  name: search-addon-config-placement
placementRef:
  name: search-addon-config-placement
  apiGroup: apps.open-cluster-management.io
  kind: PlacementRule
subjects:
  - name: search-addon-config
    apiGroup: policy.open-cluster-management.io
    kind: Policy

Restart the search add-on using a policy

A current limitation is that the search add-on pod must restart to recognize a new search-collector-config. We can use a temporary policy to stop (scale down to 0) the search add-on in the managed clusters. Because the sample sets evaluationInterval.compliant to never, the policy is not re-evaluated once the deployment is at 0 replicas; remove the temporary policy after the restart so that it does not keep the add-on scaled down.

Sample Policy

No changes are needed for this sample.

apiVersion: policy.open-cluster-management.io/v1
kind: Policy
metadata:
  name: restart-search-addon
spec:
  disabled: false
  policy-templates:
    - objectDefinition:
        apiVersion: policy.open-cluster-management.io/v1
        kind: ConfigurationPolicy
        metadata:
          name: restart-search-addon
        spec:
          namespaceSelector:
            include:
              - open-cluster-management-agent-addon
          object-templates:
            - complianceType: musthave
              objectDefinition:
                apiVersion: apps/v1
                kind: Deployment
                metadata:
                  name: klusterlet-addon-search
                spec:
                  replicas: 0
          remediationAction: enforce
          evaluationInterval:
            compliant: never
          severity: low
  remediationAction: enforce

Sample PlacementRule

Use the same PlacementRule created before.

Sample PlacementBinding

No changes are needed for this sample. You could also edit the PlacementBinding created before.

apiVersion: policy.open-cluster-management.io/v1
kind: PlacementBinding
metadata:
  name: restart-search-addon-placement
placementRef:
  name: search-addon-config-placement
  apiGroup: apps.open-cluster-management.io
  kind: PlacementRule
subjects:
  - name: restart-search-addon
    apiGroup: policy.open-cluster-management.io
    kind: Policy