

CMP-2400: exclusion of the namespace for rule ocp4-resource-requests-…
…quota-per-project

Excluded RHACS from the default namespace check. We don't want to relax our rule too much for an optional operator, as it might increase security risk; instead, users should use a TailoredProfile to set the exclusion regex.

Added a new variable 'var_resource_requests_quota_per_project_exempt_regex'
Vincent056 committed Sep 4, 2024
1 parent ec2429f commit dd1d55f
Showing 3 changed files with 46 additions and 7 deletions.
@@ -1,17 +1,25 @@
<def-group>
{{% set resourcequota_api_path = '/api/v1/resourcequotas' %}}
{{% set namespaces_api_path = '/api/v1/namespaces' %}}
{{% set resourcequota_for_non_ctlplane_namespaces_filter = '[.items[] | select((.metadata.namespace | startswith("openshift") | not) and (.metadata.namespace | startswith("kube-") | not) and .metadata.namespace != "default") | .metadata.namespace] | unique' %}}
{{% set non_ctlplane_namespaces_filter = '[.items[] | select((.metadata.name | startswith("openshift") | not) and (.metadata.name | startswith("kube-") | not) and .metadata.name != "default")]' %}}
{{% set resourcequota_for_non_ctlplane_namespaces_filter = '[.items[] | select((.metadata.namespace | startswith("openshift") | not) and (.metadata.namespace | startswith("kube-") | not) and .metadata.namespace != "default" and .metadata.namespace != "rhacs-operator" and ({{if ne .var_resource_requests_quota_per_project_exempt_regex "None"}}.metadata.namespace | test("{{.var_resource_requests_quota_per_project_exempt_regex}}") | not{{else}}true{{end}})) | .metadata.namespace] | unique' %}}
{{% set non_ctlplane_namespaces_filter = '[.items[] | select((.metadata.name | startswith("openshift") | not) and (.metadata.name | startswith("kube-") | not) and .metadata.name != "default" and .metadata.name != "rhacs-operator" and ({{if ne .var_resource_requests_quota_per_project_exempt_regex "None"}}.metadata.name | test("{{.var_resource_requests_quota_per_project_exempt_regex}}") | not{{else}}true{{end}}))]' %}}
<definition class="compliance" id="resource_requests_quota_per_project" version="1">
{{{ oval_metadata("Ensure that application Namespaces have Network Policies defined") }}}
<criteria>
<criterion comment="Make sure that the file '{{{ openshift_filtered_path(resourcequota_api_path, resourcequota_for_non_ctlplane_namespaces_filter) }}} exists."
test_ref="test_file_for_resource_requests_quota_per_project"/>
<criterion comment="Make sure that the file '{{{ openshift_filtered_path(namespaces_api_path, non_ctlplane_namespaces_filter) }}}' exists."
test_ref="test_file_for_resource_requests_quotas_filtered_namespaces"/>
<criterion comment="Make sure that all target elements exists "
test_ref="test_elements_count_for_resource_requests_quota_per_project"/>
<criteria operator="OR">
<criterion comment="Make sure that all target elements exist"
test_ref="test_elements_count_for_resource_requests_quota_per_project"/>
<criteria operator="AND">
<criterion comment="Make sure there are no resource quotas in non-ctlplane namespaces"
test_ref="test_resource_requests_quota_per_project"/>
<criterion comment="Make sure there are no namespaces in non-ctlplane namespaces"
test_ref="test_resource_requests_quotas_filtered_namespaces"/>
</criteria>
</criteria>
</criteria>
</definition>

Expand Down Expand Up @@ -51,6 +59,19 @@
<unix:filepath var_ref="resource_requests_quotas_filtered_namespaces_file_location"/>
</unix:file_object>

<!-- Check if the number of elements at the two paths are both zero -->
<ind:yamlfilecontent_test id="test_resource_requests_quota_per_project" version="1" check="all"
comment="Make sure there are no resource quotas in non-ctlplane namespaces"
check_existence="none_exist" state_operator="AND">
<ind:object object_ref="object_resource_requests_quota_per_project"/>
</ind:yamlfilecontent_test>

<ind:yamlfilecontent_test id="test_resource_requests_quotas_filtered_namespaces" version="1" check="all"
comment="Make sure there are no namespaces in non-ctlplane namespaces"
check_existence="none_exist" state_operator="AND">
<ind:object object_ref="object_resource_requests_quotas_filtered_namespaces"/>
</ind:yamlfilecontent_test>

<!-- Object gathering -->
<ind:yamlfilecontent_object id="object_resource_requests_quota_per_project" version="1">
<ind:filepath var_ref="resource_requests_quota_per_project_file_location"/>
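Review bot: The exemption pattern spliced in at `test("{{.var_resource_requests_quota_per_project_exempt_regex}}")` in both new `{{% set %}}` filter lines is unanchored, so jq `test()` matches any substring of the namespace name: a value of `namespace1` also exempts `namespace10` and `my-namespace1`, which is wider than the variable's own example suggests. If whole-name matching is intended, anchor the interpolated value in both filters here and in the three filters of the rule.yml hunk, `test("^(?:{{.var_resource_requests_quota_per_project_exempt_regex}})$")`; if substring matching is intended, the variable's description should say so explicitly. The value is also inserted verbatim into a jq string literal, so a tailored value containing an unescaped `"` or `\` presumably yields an invalid filter rather than an exemption; a comment next to the set lines such as `{{# the exempt regex is interpolated into a jq string literal: it must be a valid jq regex with no unescaped double quotes #}}` would spare the next maintainer that surprise. The `rhacs-operator` exclusion is hardcoded regardless of whether RHACS is installed, which matches the commit message, but a one-line comment stating why it is not simply the variable's default would help. The enclosing `<def-group>` element continues past both hunks.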
Expand Up @@ -48,13 +48,13 @@ references:

{{% set resourcequotas_api_path = '/api/v1/resourcequotas' %}}
{{% set namespaces_api_path = '/api/v1/namespaces' %}}
{{% set resourcequotas_for_non_ctlplane_namespaces_filter = '[.items[] | select((.metadata.namespace | startswith("openshift") | not) and (.metadata.namespace | startswith("kube-") | not) and .metadata.namespace != "default") | .metadata.namespace] | unique' %}}
{{% set non_ctlplane_namespaces_filter = '[.items[] | select((.metadata.name | startswith("openshift") | not) and (.metadata.name | startswith("kube-") | not) and .metadata.name != "default")]' %}}
{{% set resourcequotas_for_non_ctlplane_namespaces_filter = '[.items[] | select((.metadata.namespace | startswith("openshift") | not) and (.metadata.namespace | startswith("kube-") | not) and .metadata.namespace != "default" and .metadata.namespace != "rhacs-operator" and ({{if ne .var_resource_requests_quota_per_project_exempt_regex "None"}}.metadata.namespace | test("{{.var_resource_requests_quota_per_project_exempt_regex}}") | not{{else}}true{{end}})) | .metadata.namespace] | unique' %}}
{{% set non_ctlplane_namespaces_filter = '[.items[] | select((.metadata.name | startswith("openshift") | not) and (.metadata.name | startswith("kube-") | not) and .metadata.name != "default" and .metadata.name != "rhacs-operator" and ({{if ne .var_resource_requests_quota_per_project_exempt_regex "None"}}.metadata.name | test("{{.var_resource_requests_quota_per_project_exempt_regex}}") | not{{else}}true{{end}}))]' %}}

ocil_clause: 'Resource requests and limits is not set per project'

# same as above except filters the names only. Used in OCIL only, not in the 'warnings attribute'
{{% set non_ctlplane_namespaces_filter_names = '[.items[] | select((.metadata.name | startswith("openshift") | not) and (.metadata.name | startswith("kube-") | not) and .metadata.name != "default") | .metadata.name ]' %}}
{{% set non_ctlplane_namespaces_filter_names = '[.items[] | select((.metadata.name | startswith("openshift") | not) and (.metadata.name | startswith("kube-") | not) and .metadata.name != "default" and .metadata.name != "rhacs-operator" and ({{if ne .var_resource_requests_quota_per_project_exempt_regex "None"}}.metadata.name | test("{{.var_resource_requests_quota_per_project_exempt_regex}}") | not{{else}}true{{end}})) | .metadata.name]' %}}

ocil: |-
Verify that the every non-control plane namespace has an appropriate ResourceQuota.
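Review bot: The same exemption clause, `!= "rhacs-operator" and ({{if ne .var_resource_requests_quota_per_project_exempt_regex "None"}}... | test("...") | not{{else}}true{{end}})`, is now written out by hand in three filters here and twice more in the OVAL, differing only in the field (`.metadata.namespace` vs `.metadata.name`), so any future change to the regex handling has to be repeated five times. A small Jinja macro taking the field name, or one `{{% set %}}` per field variant that the three filters reuse, would keep the copies from drifting. The visible OCIL text starting at `Verify that the every non-control plane namespace` does not mention that `rhacs-operator` and namespaces matching the exemption regex are skipped; the rest of the `ocil` and the rule `description` are outside this hunk, so I cannot tell whether they were updated to reflect the new variable.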
@@ -0,0 +1,18 @@
documentation_complete: true

title: 'Namespaces exempt of Resource Requests Quota per Project checks'

description: |-
Namespaces regular expression explicitly allowed
through deployment resource filters, e.g. setting value to
"namespace1|namespace2" will exempt namespace
"namespace1" and "namespace2" for deployment resource limit checks.

type: string

operator: equals

interactive: true

options:
default: "None"
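Review bot: The `description` text speaks of "deployment resource filters" and "deployment resource limit checks", which reads as carried over from another variable; this variable is consumed by the ResourceQuota-per-project namespace filters, and the description should say so. It should also state how the value is used: it is passed to jq `test()` against the namespace name, the default `"None"` means no namespace is exempted, and the example `"namespace1|namespace2"` will also match names that merely contain those strings unless the pattern is anchored. Suggested wording: `Regular expression of namespace names exempt from the resource requests quota per project check, e.g. "^(namespace1|namespace2)$". The default "None" exempts no namespace.` Because the value is a free-form string interpolated into a jq expression, the description should additionally note that it must be a valid regular expression without unescaped double quotes.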
