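# Grants the "security-team" group read-only access (built-in ClusterRole
# "view") in every non-system namespace of each managed cluster this policy
# is placed on. The RoleBinding template below deliberately has no
# metadata.namespace: the ConfigurationPolicy's namespaceSelector decides in
# which namespaces the binding is created.
apiVersion: policy.open-cluster-management.io/v1
kind: Policy
metadata:
  name: policy-security-view
  namespace: acm-policies
spec:
  # enforce: the controller creates/repairs the binding itself instead of
  # only reporting drift (the template below repeats the same setting).
  remediationAction: enforce
  disabled: false
  policy-templates:
    - objectDefinition:
        apiVersion: policy.open-cluster-management.io/v1
        kind: ConfigurationPolicy
        metadata:
          name: security-view-binding
        spec:
          remediationAction: enforce
          severity: low
          # One RoleBinding per namespace matched here. Platform namespaces
          # are excluded so their RBAC is left untouched.
          # NOTE(review): the managed-cluster agent namespaces
          # (open-cluster-management-*) are not excluded and will also
          # receive the binding — confirm that is intended.
          namespaceSelector:
            include:
              - "*"
            exclude:
              - "openshift-*"
              - "kube-*"
              - "default"
          object-templates:
            # mustonlyhave (was musthave): with musthave the controller only
            # verifies that the listed subject is present, so a subject added
            # out-of-band to this RoleBinding (granting "view" to another
            # group) is tolerated and the policy stays Compliant.
            # mustonlyhave makes subjects/roleRef exact, so such drift is
            # reverted under enforce and surfaced as NonCompliant.
            - complianceType: mustonlyhave
              objectDefinition:
                apiVersion: rbac.authorization.k8s.io/v1
                kind: RoleBinding
                metadata:
                  name: security-team-view
                roleRef:
                  apiGroup: rbac.authorization.k8s.io
                  kind: ClusterRole
                  # Upstream "view" is read-only and excludes Secrets, but it
                  # does cover ConfigMaps and pods/log, which may carry
                  # sensitive data; it is also an aggregated role that CRDs
                  # can extend — verify its effective rules on the target
                  # clusters. roleRef is immutable: changing it later means
                  # the binding must be recreated.
                  name: view
                subjects:
                  - apiGroup: rbac.authorization.k8s.io
                    kind: Group
                    name: security-team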
---
# Attaches policy-security-view to every cluster selected by the
# "all-managed-clusters" Placement. The Placement is referenced by name
# only, so it must live in this same namespace (acm-policies); presumably
# that namespace also needs a ManagedClusterSetBinding for the Placement to
# resolve any clusters — confirm against the hub setup.
apiVersion: policy.open-cluster-management.io/v1
kind: PlacementBinding
metadata:
  namespace: acm-policies
  name: binding-security-view
placementRef:
  apiGroup: cluster.open-cluster-management.io
  kind: Placement
  name: all-managed-clusters
subjects:
  - apiGroup: policy.open-cluster-management.io
    kind: Policy
    name: policy-security-view
