From 5798710019bbb471c24c3d4347616ec8a714dcbc Mon Sep 17 00:00:00 2001
From: Vincent Shen
Date: Thu, 15 Aug 2024 09:32:46 -0700
Subject: [PATCH] OCPBUGS-304: exclude rhacs-operator namespace from resource limit rules

Added three new variable to be able to exclude namespaces in:
`var_daemonset_limit_namespaces_exempt_regex` for rule `resource_requests_limits_in_daemonset`
`var_deployment_limit_namespaces_exempt_regex` for rule `resource_requests_limits_in_deployment`
`var_statefulset_limit_namespaces_exempt_regex` for rule `resource_requests_limits_in_statefulset`
`rhacs-operator` namespace has also being excluded by default.

Link to Jira Bug: https://issues.redhat.com/browse/OCPBUGS-304
---
 .../rule.yml | 4 +---
 .../rule.yml | 2 +-
 .../rule.yml | 2 +-
 ...daemonset_limit_namespaces_exempt_regex.var | 18 ++++++++++++++++++
 ...eployment_limit_namespaces_exempt_regex.var | 18 ++++++++++++++++++
 ...atefulset_limit_namespaces_exempt_regex.var | 18 ++++++++++++++++++
 6 files changed, 57 insertions(+), 5 deletions(-)
 create mode 100644 applications/openshift/general/var_daemonset_limit_namespaces_exempt_regex.var
 create mode 100644 applications/openshift/general/var_deployment_limit_namespaces_exempt_regex.var
 create mode 100644 applications/openshift/general/var_statefulset_limit_namespaces_exempt_regex.var

diff --git a/applications/openshift/general/resource_requests_limits_in_daemonset/rule.yml b/applications/openshift/general/resource_requests_limits_in_daemonset/rule.yml
index f318d048b23..e75c1db95c8 100644
--- a/applications/openshift/general/resource_requests_limits_in_daemonset/rule.yml
+++ b/applications/openshift/general/resource_requests_limits_in_daemonset/rule.yml
@@ -25,9 +25,7 @@ identifiers: {}
 
 references:
     nist: SC-6
-
-{{% set jqfilter = '[ .items[] | select(.metadata.namespace | startswith("kube-") or startswith("openshift-") | not) | select( .spec.template.spec.containers[].resources.requests.cpu == null or .spec.template.spec.containers[].resources.requests.memory == null or .spec.template.spec.containers[].resources.limits.cpu == null or .spec.template.spec.containers[].resources.limits.memory == null ) | .metadata.name ]' %}}
-
+{{% set jqfilter = '[ .items[] | select(.metadata.namespace | startswith("kube-") or startswith("openshift-") | not) | select(.metadata.namespace != "rhacs-operator" and ({{if ne .var_daemonset_limit_namespaces_exempt_regex "None"}}.metadata.namespace | test("{{.var_daemonset_limit_namespaces_exempt_regex}}") | not{{else}}true{{end}})) | select( .spec.template.spec.containers[].resources.requests.cpu == null or .spec.template.spec.containers[].resources.requests.memory == null or .spec.template.spec.containers[].resources.limits.cpu == null or .spec.template.spec.containers[].resources.limits.memory == null ) | .metadata.name ]' %}}
 ocil_clause: 'Resource requests and limits is not set'
 
 ocil: |-
diff --git a/applications/openshift/general/resource_requests_limits_in_deployment/rule.yml b/applications/openshift/general/resource_requests_limits_in_deployment/rule.yml
index 1f424404014..ea3927371d3 100644
--- a/applications/openshift/general/resource_requests_limits_in_deployment/rule.yml
+++ b/applications/openshift/general/resource_requests_limits_in_deployment/rule.yml
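Review bot: The exemption is applied with an unanchored jq `test()`, so the added `select(... .metadata.namespace | test("{{.var_daemonset_limit_namespaces_exempt_regex}}") | not ...)` skips every namespace that merely contains a match — a tailored value of `app` also silences findings in `myapp-prod` — which widens the compliance gap beyond what the variable's `"namespace1|namespace2"` example suggests. Either anchor the pattern in the filter, `test("^(?:{{.var_daemonset_limit_namespaces_exempt_regex}})$")`, or state in the variable description that partial matches count. Separately, the literal `.metadata.namespace != "rhacs-operator"` is an exemption that tailoring cannot reverse and that the rule's description does not mention; consider making it the variable's default value instead of a hard-coded name, or at least documenting it in the rule text so auditors know that namespace is never evaluated. The same two points apply to the deployment and statefulset hunks below.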
@@ -26,7 +26,7 @@ identifiers: {}
 references:
     nist: SC-6
 
-{{% set jqfilter = '[ .items[] | select(.metadata.namespace | startswith("kube-") or startswith("openshift-") | not) | select( .spec.template.spec.containers[].resources.requests.cpu == null or .spec.template.spec.containers[].resources.requests.memory == null or .spec.template.spec.containers[].resources.limits.cpu == null or .spec.template.spec.containers[].resources.limits.memory == null ) | .metadata.name ]' %}}
+{{% set jqfilter = '[ .items[] | select(.metadata.namespace | startswith("kube-") or startswith("openshift-") | not) | select(.metadata.namespace != "rhacs-operator" and ({{if ne .var_deployment_limit_namespaces_exempt_regex "None"}}.metadata.namespace | test("{{.var_deployment_limit_namespaces_exempt_regex}}") | select( .spec.template.spec.containers[].resources.requests.cpu == null or .spec.template.spec.containers[].resources.requests.memory == null or .spec.template.spec.containers[].resources.limits.cpu == null or .spec.template.spec.containers[].resources.limits.memory == null ) | .metadata.name ]' %}}
 
 ocil_clause: 'Resource requests and limits is not set'
 
diff --git a/applications/openshift/general/resource_requests_limits_in_statefulset/rule.yml b/applications/openshift/general/resource_requests_limits_in_statefulset/rule.yml
index 98f4fdd8787..2aebd4f395b 100644
--- a/applications/openshift/general/resource_requests_limits_in_statefulset/rule.yml
+++ b/applications/openshift/general/resource_requests_limits_in_statefulset/rule.yml
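Review bot: The new jqfilter is truncated: after `test("{{.var_deployment_limit_namespaces_exempt_regex}}")` the `| not{{else}}true{{end}}))` that closes the `{{if}}` and the two open parentheses is missing, so the Go template has no matching `{{end}}` and the jq expression is unbalanced; the statefulset hunk below has the identical truncation with its own variable name. Even if it rendered, the un-negated `test()` would select the exempted namespaces for checking rather than skipping them, inverting the intent of the variable. Copy the daemonset form: `test("{{.var_deployment_limit_namespaces_exempt_regex}}") | not{{else}}true{{end}})) | select( .spec.template.spec.containers[]...`.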
@@ -26,7 +26,7 @@ identifiers: {}
 references:
     nist: SC-6
 
-{{% set jqfilter = '[ .items[] | select(.metadata.namespace | startswith("kube-") or startswith("openshift-") | not) | select( .spec.template.spec.containers[].resources.requests.cpu == null or .spec.template.spec.containers[].resources.requests.memory == null or .spec.template.spec.containers[].resources.limits.cpu == null or .spec.template.spec.containers[].resources.limits.memory == null ) | .metadata.name ]' %}}
+{{% set jqfilter = '[ .items[] | select(.metadata.namespace | startswith("kube-") or startswith("openshift-") | not) | select(.metadata.namespace != "rhacs-operator" and ({{if ne .var_statefulset_limit_namespaces_exempt_regex "None"}}.metadata.namespace | test("{{.var_statefulset_limit_namespaces_exempt_regex}}") | select( .spec.template.spec.containers[].resources.requests.cpu == null or .spec.template.spec.containers[].resources.requests.memory == null or .spec.template.spec.containers[].resources.limits.cpu == null or .spec.template.spec.containers[].resources.limits.memory == null ) | .metadata.name ]' %}}
 
 ocil_clause: 'Resource requests and limits is not set'
 
diff --git a/applications/openshift/general/var_daemonset_limit_namespaces_exempt_regex.var b/applications/openshift/general/var_daemonset_limit_namespaces_exempt_regex.var
new file mode 100644
index 00000000000..1ddcfad3d12
--- /dev/null
+++ b/applications/openshift/general/var_daemonset_limit_namespaces_exempt_regex.var
@@ -0,0 +1,18 @@
+documentation_complete: true
+
+title: 'Namespaces exempt of Daemonset Resource Limit'
+
+description: |-
+    Namespaces regular expression explicitly allowed
+    through daemonset resource filters, e.g. setting value to
+    "namespace1|namespace2" will exempt namespace
+    "namespace1" and "namespace2" for daemonset resource limit checks.
+
+type: string
+
+operator: equals
+
+interactive: true
+
+options:
+    default: "None"
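Review bot: The description of the new variable leaves out two things an operator tailoring it needs to know: that the rule it feeds exempts `rhacs-operator` unconditionally regardless of this value, and that the value is spliced verbatim into a jq string literal inside a Jinja single-quoted string, so a pattern containing `"` or `'` breaks the rendered filter instead of being matched literally; the deployment and statefulset variable files on this page have the same gap. Suggest appending to the description: `The namespace "rhacs-operator" is always exempt regardless of this value. The value is used as an unanchored jq regular expression and must not contain quote characters.`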
diff --git a/applications/openshift/general/var_deployment_limit_namespaces_exempt_regex.var b/applications/openshift/general/var_deployment_limit_namespaces_exempt_regex.var
new file mode 100644
index 00000000000..110c3f9d597
--- /dev/null
+++ b/applications/openshift/general/var_deployment_limit_namespaces_exempt_regex.var
@@ -0,0 +1,18 @@
+documentation_complete: true
+
+title: 'Namespaces exempt of Deployment Resource Limit'
+
+description: |-
+    Namespaces regular expression explicitly allowed
+    through deployment resource filters, e.g. setting value to
+    "namespace1|namespace2" will exempt namespace
+    "namespace1" and "namespace2" for deployment resource limit checks.
+
+type: string
+
+operator: equals
+
+interactive: true
+
+options:
+    default: "None"
diff --git a/applications/openshift/general/var_statefulset_limit_namespaces_exempt_regex.var b/applications/openshift/general/var_statefulset_limit_namespaces_exempt_regex.var
new file mode 100644
index 00000000000..8f2919a950b
--- /dev/null
+++ b/applications/openshift/general/var_statefulset_limit_namespaces_exempt_regex.var
@@ -0,0 +1,18 @@
+documentation_complete: true
+
+title: 'Namespaces exempt of Statefulset Resource Limit'
+
+description: |-
+    Namespaces regular expression explicitly allowed
+    through statefulset resource filters, e.g. setting value to
+    "namespace1|namespace2" will exempt namespace
+    "namespace1" and "namespace2" for statefulset resource limit checks.
+
+type: string
+
+operator: equals
+
+interactive: true
+
+options:
+    default: "None"