From c7419196514a683da2419d25d8d4f8ef8268af7b Mon Sep 17 00:00:00 2001
From: Vincent Shen
Date: Tue, 27 Aug 2024 07:13:03 -0700
Subject: [PATCH] CMP-2400: exclusion of the namespace for rule ocp4-resource-requests-quota-per-project

Excluded RHACS from the default namespace check. We don't want to releax our rule too much for optional operator, as it might incress security risk, instead user should use tailoredprofile to set the exclusion regex. Added a new variable 'var_resource_requests_quota_per_project_exempt_regex'
---
 .../rule.yml | 6 +++---
 ...requests_quota_per_project_exempt_regex.var | 18 ++++++++++++++++++
 2 files changed, 21 insertions(+), 3 deletions(-)
 create mode 100644 applications/openshift/general/var_resource_requests_quota_per_project_exempt_regex.var

diff --git a/applications/openshift/general/resource_requests_quota_per_project/rule.yml b/applications/openshift/general/resource_requests_quota_per_project/rule.yml
index 8ccf02691d78..6d741f6de823 100644
--- a/applications/openshift/general/resource_requests_quota_per_project/rule.yml
+++ b/applications/openshift/general/resource_requests_quota_per_project/rule.yml
@@ -48,13 +48,13 @@ references:
 {{% set resourcequotas_api_path = '/api/v1/resourcequotas' %}}
 {{% set namespaces_api_path = '/api/v1/namespaces' %}}
-{{% set resourcequotas_for_non_ctlplane_namespaces_filter = '[.items[] | select((.metadata.namespace | startswith("openshift") | not) and (.metadata.namespace | startswith("kube-") | not) and .metadata.namespace != "default") | .metadata.namespace] | unique' %}}
-{{% set non_ctlplane_namespaces_filter = '[.items[] | select((.metadata.name | startswith("openshift") | not) and (.metadata.name | startswith("kube-") | not) and .metadata.name != "default")]' %}}
+{{% set resourcequotas_for_non_ctlplane_namespaces_filter = '[.items[] | select((.metadata.namespace | startswith("openshift") | not) and (.metadata.namespace | startswith("kube-") | not) and .metadata.namespace != "default" and .metadata.namespace != "rhacs-operator" and ({{if ne .var_resource_requests_quota_per_project_exempt_regex "None"}}.metadata.namespace | test("{{.var_resource_requests_quota_per_project_exempt_regex}}") | not{{else}}true{{end}}) | .metadata.namespace] | unique' %}}
+{{% set non_ctlplane_namespaces_filter = '[.items[] | select((.metadata.name | startswith("openshift") | not) and (.metadata.name | startswith("kube-") | not) and .metadata.name != "default" and .metadata.name != "rhacs-operator" and ({{if ne .var_resource_requests_quota_per_project_exempt_regex "None"}}.metadata.name | test("{{.var_resource_requests_quota_per_project_exempt_regex}}") | not{{else}}true{{end}}))]' %}}
 ocil_clause: 'Resource requests and limits is not set per project'
 # same as above except filters the names only.
Used in OCIL only, not in the 'warnings attribute'
-{{% set non_ctlplane_namespaces_filter_names = '[.items[] | select((.metadata.name | startswith("openshift") | not) and (.metadata.name | startswith("kube-") | not) and .metadata.name != "default") | .metadata.name ]' %}}
+{{% set non_ctlplane_namespaces_filter_names = '[.items[] | select((.metadata.name | startswith("openshift") | not) and (.metadata.name | startswith("kube-") | not) and .metadata.name != "default" and .metadata.name != "rhacs-operator" and ({{if ne .var_resource_requests_quota_per_project_exempt_regex "None"}}.metadata.name | test("{{.var_resource_requests_quota_per_project_exempt_regex}}") | not{{else}}true{{end}}) | .metadata.name]' %}}
 ocil: |-
     Verify that the every non-control plane namespace has an appropriate ResourceQuota.
diff --git a/applications/openshift/general/var_resource_requests_quota_per_project_exempt_regex.var b/applications/openshift/general/var_resource_requests_quota_per_project_exempt_regex.var
new file mode 100644
index 000000000000..07cfb6a69674
--- /dev/null
+++ b/applications/openshift/general/var_resource_requests_quota_per_project_exempt_regex.var
@@ -0,0 +1,18 @@
+documentation_complete: true
+
+title: 'Namespaces exempt of Resource Requests Quota per Project checks'
+
+description: |-
+    Namespaces regular expression explicitly allowed
+    through deployment resource filters, e.g. setting value to
+    "namespace1|namespace2" will exempt namespace
+    "namespace1" and "namespace2" for deployment resource limit checks.
+
+type: string
+
+operator: equals
+
+interactive: true
+
+options:
+    default: "None"
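Review bot: The exemption regex is spliced unanchored into jq `test(...)` in all three rewritten `{{% set … %}}` lines of this hunk, so a value of the documented `namespace1|namespace2` form also exempts any namespace that merely contains that text (e.g. `namespace10`), and an empty string — which is not the `"None"` sentinel — makes `test("")` match every namespace, exempting all of them and letting the check pass vacuously. Anchoring the pattern, `.metadata.namespace | test("^({{.var_resource_requests_quota_per_project_exempt_regex}})$") | not`, bounds the exemption to whole names, and treating empty like the sentinel, e.g. `{{if and (ne .var_resource_requests_quota_per_project_exempt_regex "None") (ne .var_resource_requests_quota_per_project_exempt_regex "")}}` (assuming the `{{if ne …}}` form is Go text/template, where `and` is available), closes the empty-value case. The value is also inserted verbatim inside a single-quoted Jinja string and a double-quoted jq string literal, so a tailored value containing `'`, `"` or `\` breaks the filter instead of being rejected, which deserves at least a comment next to the first `set` line stating the accepted character set. Since the same exemption clause now appears three times, defining it once as a Jinja variable and reusing it would keep the three filters from drifting apart.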
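Review bot: The description in the new .var file documents a different check than the one that consumes it: it speaks of "deployment resource filters" and "deployment resource limit checks", while the variable is read by ocp4-resource-requests-quota-per-project to exempt namespaces from the per-project ResourceQuota requirement, and it never says that the default `"None"` means no exemption. Suggested wording: `Regular expression of namespace names exempted from the per-project ResourceQuota check, e.g. "namespace1|namespace2"; the default "None" exempts no additional namespace.` The title's "exempt of" reads better as "exempt from". Because the rule feeds this value into a regex `test`, the description should also state whether matching is anchored, so that a user knows whether `namespace1` also exempts `namespace10`.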