Collector: Configure resources collected - stolostron/search-v2-operator GitHub Wiki

Starting in ACM 2.5, you can control which resources are collected by search using allow/deny rules.

Feature documentation

Creating search configurable collection

Distribute the ConfigMap to the managed clusters using a policy

We can create a policy to distribute the search-collector-config ConfigMap to the managed clusters. In this example, we create a Policy whose configuration stops collecting Kubernetes secrets, along with the other resources listed under DeniedResources, from all managed clusters where the search add-on is available.

Sample Policy

Required: Update the AllowedResources and DeniedResources values in the ConfigMap definition. Look for the comment in the sample.

apiVersion: policy.open-cluster-management.io/v1
kind: Policy
metadata:
  name: search-addon-config
spec:
  disabled: false
  policy-templates:
    - objectDefinition:
        apiVersion: policy.open-cluster-management.io/v1
        kind: ConfigurationPolicy
        metadata:
          name: search-addon-config-policy
        spec:
          namespaceSelector:
            include:
              - open-cluster-management-agent-addon
          object-templates:
            - complianceType: mustonlyhave
              objectDefinition:
                apiVersion: v1
                data:                     ## <-- Update this section
                  AllowedResources: |-
                    - apiGroups:
                        - "*"
                      resources:
                        - "*"
                  DeniedResources: |-
                    - apiGroups:
                        - "*"
                      resources:
                        - secrets
                        - groups
                        - configmaps
                        - serviceaccounts
                        - rolebindings
                        - clusterroles
                        - apirequestcounts
                        - images
                        - replicasets
                        - clusterrolebindings
                        - serviceentries
                        - podnetworkconnectivitychecks
                kind: ConfigMap
                metadata:
                  name: search-collector-config
          remediationAction: inform
          severity: low
  remediationAction: enforce                      ## Policy-level value; overrides the "inform" set in the policy template above

Sample PlacementRule

Optional: Update the clusterSelector if you want to change which managed clusters are updated. Look for the comment in the sample.

apiVersion: apps.open-cluster-management.io/v1
kind: PlacementRule
metadata:
  name: search-addon-config-placement
spec:
  clusterConditions:
    - status: "True"
      type: ManagedClusterConditionAvailable
  clusterSelector:
    matchExpressions:                             ## <-- Update this section
      - key: feature.open-cluster-management.io/addon-search-collector
        operator: In
        values:
          - available

Sample PlacementBinding

No changes are needed for this sample.

apiVersion: policy.open-cluster-management.io/v1
kind: PlacementBinding
metadata:
  name: search-addon-config-placement
placementRef:
  name: search-addon-config-placement
  apiGroup: apps.open-cluster-management.io
  kind: PlacementRule
subjects:
  - name: search-addon-config
    apiGroup: policy.open-cluster-management.io
    kind: Policy
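
A pre-distribution check for the AllowedResources and DeniedResources values in the sample Policy, as an added example that is not part of this wiki or the operator's code. It assumes that a deny match takes precedence over an allow match and that "*" is the only wildcard; the function names and the small parser for this list layout are hypothetical, and the rule text is constructed from the sample.

```python
# Added example; rule text is constructed to mirror the sample ConfigMap values.
ALLOWED = '- apiGroups:\n    - "*"\n  resources:\n    - "*"\n'
DENIED = '- apiGroups:\n    - "*"\n  resources:\n    - secrets\n    - rolebindings\n'
# Constructed variant: the deny rule is scoped to one API group only.
DENIED_SCOPED = '- apiGroups:\n    - apps\n  resources:\n    - secrets\n'

def parse_rules(text):
    """Parse the '- apiGroups: / resources:' list layout into a list of dicts."""
    rules, key = [], None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        if line.startswith("- ") and line.endswith(":"):  # "- apiGroups:" opens a rule
            rules.append({"apiGroups": [], "resources": []})
            key = line[2:-1].strip()
        elif line.endswith(":"):                          # "resources:" within the rule
            key = line[:-1].strip()
        elif line.startswith("- ") and rules and key in rules[-1]:
            rules[-1][key].append(line[2:].strip().strip("\"'"))
        else:
            raise ValueError(f"unrecognized rule line: {raw!r}")
    return rules

def matches(rules, group, resource):
    """True if any rule covers (group, resource); "*" is the only wildcard handled."""
    return any(("*" in r["apiGroups"] or group in r["apiGroups"])
               and ("*" in r["resources"] or resource in r["resources"])
               for r in rules)

def is_collected(allowed, denied, group, resource):
    # Assumption: a deny match wins; an empty allow list means "collect everything".
    if matches(denied, group, resource):
        return False
    return not allowed or matches(allowed, group, resource)

def still_collected(allowed_text, denied_text, sensitive):
    """Return the sensitive (group, resource) pairs the rules would still collect."""
    allowed, denied = parse_rules(allowed_text), parse_rules(denied_text)
    return [(g, r) for g, r in sensitive if is_collected(allowed, denied, g, r)]

# "" is the core API group by Kubernetes convention (assumed to apply here too).
SENSITIVE = [("", "secrets"), ("rbac.authorization.k8s.io", "rolebindings")]

if __name__ == "__main__":
    for name, denied in (("sample", DENIED), ("scoped", DENIED_SCOPED)):
        print(name, "still collects:", still_collected(ALLOWED, denied, SENSITIVE))
```

The scoped variant shows the failure mode to watch for: a deny rule limited to one API group leaves the same resource name in other groups collectable.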