OCPBUGS-304: exclude rhacs-operator namespace from resource limit rules #12307
Branch updated from f0a49fe to efb9940.
🤖 A k8s content image for this PR is available at: Click here to see how to deploy it. If you already have Compliance Operator deployed: Otherwise deploy the content and operator together by checking out ComplianceAsCode/compliance-operator and:
/test 4.15-e2e-aws-ocp4-moderate
Resolved review threads:
applications/openshift/general/resource_requests_limits_in_deployment/rule.yml
applications/openshift/general/resource_requests_limits_in_statefulset/rule.yml
Nit, not necessary to merge this PR. The result of the jquery is quite uncanny. So I was playing with it and got to this:
CI issues related to the malformed condition, I think
@Vincent056 Why is https://issues.redhat.com/browse/CMP-2400 linked?
@yuumasato thanks for the review!
I have submitted a new pr for CMP 2400 here: #12344
this is a nice tool!
/test 4.15-e2e-aws-ocp4-moderate
/hold for test
/packit retest-failed
{{% set jqfilter = '[ .items[] | select(.metadata.namespace | startswith("kube-") or startswith("openshift-") | not) | select( .spec.template.spec.containers[].resources.requests.cpu == null or .spec.template.spec.containers[].resources.requests.memory == null or .spec.template.spec.containers[].resources.limits.cpu == null or .spec.template.spec.containers[].resources.limits.memory == null ) | .metadata.name ]' %}} | ||
{{% set jqfilter = '[ .items[] | select(.metadata.namespace | startswith("kube-") or startswith("openshift-") | not) | select(.metadata.namespace != "rhacs-operator" and ({{if ne .var_daemonset_limit_namespaces_exempt_regex "None"}}.metadata.namespace | test("{{.var_daemonset_limit_namespaces_exempt_regex}}") | not{{else}}true{{end}})) | select( .spec.template.spec.containers[].resources.requests.cpu == null or .spec.template.spec.containers[].resources.requests.memory == null or .spec.template.spec.containers[].resources.limits.cpu == null or .spec.template.spec.containers[].resources.limits.memory == null ) | .metadata.name ]' %}} |
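Review bot: the `containers[]` inside the last `select(...)` fans out once per container, so a workload whose containers each lack one of the four fields is emitted once per matching container and its name is repeated in the result array; this predates the change, but since the line is being rewritten anyway, wrapping the condition as `select(any(.spec.template.spec.containers[]; .resources.requests.cpu == null or .resources.requests.memory == null or .resources.limits.cpu == null or .resources.limits.memory == null))` (or appending `| unique`) would report each name once. Separately, the `rhacs-operator` exemption uses `!=`, i.e. exact match, whereas the `kube-`/`openshift-` defaults use `startswith` and the tailoring variable is evaluated with jq `test()`, an unanchored regex search; a sentence in the rule description spelling out that the variable adds to these fixed defaults rather than replacing them would save tailoring authors a surprise.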
I suppose we could bake the `openshift-`, `kube-`, and `rhacs-operator` strings into the variable as the default, since that's effectively what this is doing, just in a more rigid way.
That is an interesting idea, but that would / could complicate the user experience a little bit.
To keep the "default" behavior of ignoring namespaces beginning with `openshift-` and `kube-` and exactly matching `rhacs-operator`, they would have to add these same values on their tailorings. Otherwise, the rules would start to check the default list of ignored namespaces.
For example:

```yaml
apiVersion: compliance.openshift.io/v1alpha1
kind: TailoredProfile
...
spec:
  setValues:
    - name: var_daemonset_limit_namespaces_exempt_regex
      rationale: Set my org exceptions
      value: "my_namespace_1|my_namespace_2"
```

This would end up dropping the default skipped namespaces, instead of adding to the list of skipped namespaces.
Nit: However we could move the default skipped namespaces to a `jq` variable with the aim of simplifying the jq filter.
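To make the behaviour discussed in this thread concrete, here is an added Python emulation of the rule's jq filter (example code written for this page, not part of the ComplianceAsCode content or of this PR). It reproduces the namespace gate the PR lands on, with the `kube-`/`openshift-` prefixes and the exact `rhacs-operator` name always exempt and the tailoring variable applied as an additional unanchored regex on top (the literal string `"None"` meaning unset, as in the PR), plus the requests/limits check, reporting each workload once. The workload objects, namespace names and the `workload` helper are constructed for the example.

```python
import re

# Default exemptions hard-coded in the rule's jq filter (from the PR):
# any namespace starting with "kube-" or "openshift-", and exactly "rhacs-operator".
DEFAULT_EXEMPT_PREFIXES = ("kube-", "openshift-")
DEFAULT_EXEMPT_EXACT = {"rhacs-operator"}

# The four fields every container must set for the rule to pass.
REQUIRED_FIELDS = (("requests", "cpu"), ("requests", "memory"),
                   ("limits", "cpu"), ("limits", "memory"))


def namespace_exempt(namespace, exempt_regex="None"):
    """Mirror the filter's namespace gate: the defaults always apply, and the
    tailoring variable (default string "None") adds a regex on top of them."""
    if namespace.startswith(DEFAULT_EXEMPT_PREFIXES) or namespace in DEFAULT_EXEMPT_EXACT:
        return True
    # jq's test() is an unanchored regex search, so re.search is the analogue.
    return exempt_regex != "None" and re.search(exempt_regex, namespace) is not None


def container_missing_resources(container):
    """True if any of the four request/limit fields is absent (== null in jq)."""
    resources = container.get("resources") or {}
    return any((resources.get(section) or {}).get(key) is None
               for section, key in REQUIRED_FIELDS)


def non_compliant_workloads(items, exempt_regex="None"):
    """Names of workloads (Deployment/StatefulSet/DaemonSet-shaped objects) that
    are not exempt and have at least one container lacking a request or limit.
    Each name is reported once, rather than once per offending container."""
    failing = []
    for item in items:
        if namespace_exempt(item["metadata"]["namespace"], exempt_regex):
            continue
        containers = item["spec"]["template"]["spec"]["containers"]
        if any(container_missing_resources(c) for c in containers):
            failing.append(item["metadata"]["name"])
    return failing


def workload(name, namespace, *containers):
    """Constructed minimal workload object; hypothetical helper for this example."""
    return {"metadata": {"name": name, "namespace": namespace},
            "spec": {"template": {"spec": {"containers": list(containers)}}}}


# Constructed sample containers and workloads (not real cluster data).
FULL = {"resources": {"requests": {"cpu": "100m", "memory": "128Mi"},
                      "limits": {"cpu": "500m", "memory": "256Mi"}}}
NO_LIMITS = {"resources": {"requests": {"cpu": "100m", "memory": "128Mi"}}}

SAMPLE_ITEMS = [
    workload("api", "my_namespace_1", NO_LIMITS),      # exempt only via the variable
    workload("web", "team-a", FULL, NO_LIMITS),        # one of two containers fails
    workload("scanner", "rhacs-operator", NO_LIMITS),  # exempt by default (exact match)
    workload("dns", "openshift-dns", NO_LIMITS),       # exempt by default (prefix)
    workload("ok", "team-b", FULL),                    # compliant
]

if __name__ == "__main__":
    print(non_compliant_workloads(SAMPLE_ITEMS))
    print(non_compliant_workloads(SAMPLE_ITEMS, "my_namespace_1|my_namespace_2"))
```

Running it reports `api` and `web` with the variable unset, and only `web` once the tailoring value `my_namespace_1|my_namespace_2` is supplied; `openshift-dns` and `rhacs-operator` stay exempt without appearing in the variable, which is the additive behaviour the comment above argues for.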
Verification pass with ghcr.io/complianceascode/k8scontent:12307
/unhold
@Vincent056 you might need to rebase for
Added three new variables to be able to exclude namespaces in:
`var_daemonset_limit_namespaces_exempt_regex` for rule `resource_requests_limits_in_daemonset`
`var_deployment_limit_namespaces_exempt_regex` for rule `resource_requests_limits_in_deployment`
`var_statefulset_limit_namespaces_exempt_regex` for rule `resource_requests_limits_in_statefulset`
The `rhacs-operator` namespace has also been excluded by default.
Link to Jira Bug: https://issues.redhat.com/browse/OCPBUGS-304
Branch updated from 2de38b5 to 5798710.
Code Climate has analyzed commit 5798710 and detected 0 issues on this pull request. The test coverage on the diff in this pull request is 100.0% (50% is the threshold). This pull request will bring the total coverage in the repository to 59.5% (0.0% change). View more on Code Climate.
Added three new variables to be able to exclude namespaces:
- `var_daemonset_limit_namespaces_exempt_regex` for rule `resource_requests_limits_in_daemonset`
- `var_deployment_limit_namespaces_exempt_regex` for rule `resource_requests_limits_in_deployment`
- `var_statefulset_limit_namespaces_exempt_regex` for rule `resource_requests_limits_in_statefulset`
The `rhacs-operator` namespace has also been excluded by default.
Link to Jira Bug: https://issues.redhat.com/browse/OCPBUGS-304, https://issues.redhat.com/browse/CMP-2400
Additional namespaces should be excluded using those variables.