OCPBUGS-304: exclude rhacs-operator namespace from resource limit rules #12307

Merged
merged 1 commit into from
Sep 4, 2024
Expand Up @@ -25,9 +25,7 @@ identifiers: {}

references:
nist: SC-6

{{% set jqfilter = '[ .items[] | select(.metadata.namespace | startswith("kube-") or startswith("openshift-") | not) | select( .spec.template.spec.containers[].resources.requests.cpu == null or .spec.template.spec.containers[].resources.requests.memory == null or .spec.template.spec.containers[].resources.limits.cpu == null or .spec.template.spec.containers[].resources.limits.memory == null ) | .metadata.name ]' %}}

{{% set jqfilter = '[ .items[] | select(.metadata.namespace | startswith("kube-") or startswith("openshift-") | not) | select(.metadata.namespace != "rhacs-operator" and ({{if ne .var_daemonset_limit_namespaces_exempt_regex "None"}}.metadata.namespace | test("{{.var_daemonset_limit_namespaces_exempt_regex}}") | not{{else}}true{{end}})) | select( .spec.template.spec.containers[].resources.requests.cpu == null or .spec.template.spec.containers[].resources.requests.memory == null or .spec.template.spec.containers[].resources.limits.cpu == null or .spec.template.spec.containers[].resources.limits.memory == null ) | .metadata.name ]' %}}
Collaborator
I suppose we could bake the openshift-, kube-, and rhacs-operator strings into the variable as the default, since that's effectively what this is doing, just in a more rigid way.

@yuumasato yuumasato Sep 3, 2024

That is an interesting idea, but that would / could complicate the user experience a little bit.
To keep the "default" behavior of ignoring namespaces beginning with openshift- and kube- and exactly matching rhacs-operator, they would have to add these same values in their tailorings. Otherwise, the rules would start to check the default list of ignored namespaces.

For example:

kind: TailoredProfile
...
spec:
  setValues:
  - name: var_daemonset_limit_namespaces_exempt_regex
    rationale: Set my org exceptions
    value: "my_namespace_1|my_namespace_2"

This would end up dropping the default skipped namespaces, instead of adding to the list of skipped namespaces.
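To make the namespace semantics under discussion concrete, here is an added Python model of the daemonset filter's selection logic (not code from the PR or from the ComplianceAsCode project); the workload items are constructed samples. It mirrors jq's unanchored `test()` with `re.search`, so it also shows that the built-in defaults survive any tailoring value and that a loose value such as `prod` exempts more than intended.

```python
import re

# Default exemptions hard-coded in the rule's jq filter (from the PR diff).
DEFAULT_EXEMPT_PREFIXES = ("kube-", "openshift-")
DEFAULT_EXEMPT_EXACT = {"rhacs-operator"}
NO_REGEX = "None"  # sentinel default of var_*_limit_namespaces_exempt_regex


def namespace_exempt(namespace, exempt_regex=NO_REGEX):
    """Mirror the jq namespace selection. jq's test() is unanchored, like
    re.search, so a tailoring value of "prod" also exempts "prod-extra"."""
    if namespace.startswith(DEFAULT_EXEMPT_PREFIXES) or namespace in DEFAULT_EXEMPT_EXACT:
        return True
    return exempt_regex != NO_REGEX and re.search(exempt_regex, namespace) is not None


def missing_resources(item):
    """True if any container lacks a CPU or memory request or limit."""
    for c in item["spec"]["template"]["spec"]["containers"]:
        res = c.get("resources") or {}
        req, lim = res.get("requests") or {}, res.get("limits") or {}
        if None in (req.get("cpu"), req.get("memory"), lim.get("cpu"), lim.get("memory")):
            return True
    return False


def flagged_workloads(items, exempt_regex=NO_REGEX):
    """Names the rule would report, one entry per workload."""
    return sorted(i["metadata"]["name"] for i in items
                  if not namespace_exempt(i["metadata"]["namespace"], exempt_regex)
                  and missing_resources(i))


def _workload(name, namespace, resources=None):
    # Constructed item shaped like one entry of a DaemonSet list.
    return {"metadata": {"name": name, "namespace": namespace},
            "spec": {"template": {"spec": {"containers": [
                {"name": "c", "resources": resources or {}}]}}}}


FULL = {"requests": {"cpu": "100m", "memory": "64Mi"},
        "limits": {"cpu": "200m", "memory": "128Mi"}}
SAMPLE_ITEMS = [  # constructed sample data
    _workload("dns", "openshift-dns"),
    _workload("proxy", "kube-system"),
    _workload("scanner", "rhacs-operator"),
    _workload("agent", "my_namespace_1"),
    _workload("collector", "prod-extra"),
    _workload("app", "team-a"),
    _workload("ok-app", "team-b", FULL),
]
```

Calling `flagged_workloads(SAMPLE_ITEMS, "my_namespace_1|my_namespace_2")` drops only `agent` while the kube-/openshift-/rhacs-operator items stay exempt; anchoring the value as `^prod$` keeps `collector` in the report, whereas a bare `prod` silently removes it.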

@yuumasato yuumasato Sep 3, 2024

Nit: However, we could move the default skipped namespaces to a jq variable with the aim of simplifying the jq filter.

ocil_clause: 'Resource requests and limits is not set'

ocil: |-
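Review bot: on the new jqfilter line the tailoring value is interpolated unescaped into `test("...")` inside a single-quoted Jinja string, and jq `test()` is unanchored, so a value such as `prod` also exempts `prod-extra`, and a value containing `"` or `'` breaks the filter at render time. Suggest anchoring the match, e.g. `test("^(?:{{.var_daemonset_limit_namespaces_exempt_regex}})$")`, and saying in the variable description that the value is a regular expression matched against the whole namespace name. The hard-coded `!= "rhacs-operator"` check is fine as a default, but as the thread notes it could sit in a jq variable beside the `kube-`/`openshift-` prefixes to keep the filter readable.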
Expand Up @@ -26,7 +26,7 @@ identifiers: {}
references:
nist: SC-6

{{% set jqfilter = '[ .items[] | select(.metadata.namespace | startswith("kube-") or startswith("openshift-") | not) | select( .spec.template.spec.containers[].resources.requests.cpu == null or .spec.template.spec.containers[].resources.requests.memory == null or .spec.template.spec.containers[].resources.limits.cpu == null or .spec.template.spec.containers[].resources.limits.memory == null ) | .metadata.name ]' %}}
{{% set jqfilter = '[ .items[] | select(.metadata.namespace | startswith("kube-") or startswith("openshift-") | not) | select(.metadata.namespace != "rhacs-operator" and ({{if ne .var_deployment_limit_namespaces_exempt_regex "None"}}.metadata.namespace | test("{{.var_deployment_limit_namespaces_exempt_regex}}") | select( .spec.template.spec.containers[].resources.requests.cpu == null or .spec.template.spec.containers[].resources.requests.memory == null or .spec.template.spec.containers[].resources.limits.cpu == null or .spec.template.spec.containers[].resources.limits.memory == null ) | .metadata.name ]' %}}

ocil_clause: 'Resource requests and limits is not set'
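Review bot: the new deployment jqfilter is missing the `| not{{else}}true{{end}})` tail that closes the exemption clause on the daemonset line, so the `(` opened after `and` is never closed: with the variable set, the `test(...)` result is piped straight into the resources `select(...)` instead of being negated, and with the default `None` the template emits `and (` followed by nothing, which jq rejects. Suggest making the line identical to the daemonset one with `var_deployment_limit_namespaces_exempt_regex` substituted.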

Expand Up @@ -26,7 +26,7 @@ identifiers: {}
references:
nist: SC-6

{{% set jqfilter = '[ .items[] | select(.metadata.namespace | startswith("kube-") or startswith("openshift-") | not) | select( .spec.template.spec.containers[].resources.requests.cpu == null or .spec.template.spec.containers[].resources.requests.memory == null or .spec.template.spec.containers[].resources.limits.cpu == null or .spec.template.spec.containers[].resources.limits.memory == null ) | .metadata.name ]' %}}
{{% set jqfilter = '[ .items[] | select(.metadata.namespace | startswith("kube-") or startswith("openshift-") | not) | select(.metadata.namespace != "rhacs-operator" and ({{if ne .var_statefulset_limit_namespaces_exempt_regex "None"}}.metadata.namespace | test("{{.var_statefulset_limit_namespaces_exempt_regex}}") | select( .spec.template.spec.containers[].resources.requests.cpu == null or .spec.template.spec.containers[].resources.requests.memory == null or .spec.template.spec.containers[].resources.limits.cpu == null or .spec.template.spec.containers[].resources.limits.memory == null ) | .metadata.name ]' %}}

ocil_clause: 'Resource requests and limits is not set'
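Review bot: same defect as the deployment rule: the exemption clause after `and (` is never closed and the `| not{{else}}true{{end}})` tail is missing, so the filter is malformed when the variable is `None` and inverts the intended exemption when it is set. Suggest copying the daemonset line with `var_statefulset_limit_namespaces_exempt_regex` substituted.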

@@ -0,0 +1,18 @@
documentation_complete: true

title: 'Namespaces exempt of Daemonset Resource Limit'

description: |-
Namespaces regular expression explicitly allowed
through daemonset resource filters, e.g. setting value to
"namespace1|namespace2" will exempt namespace
"namespace1" and "namespace2" for daemonset resource limit checks.

type: string

operator: equals

interactive: true

options:
default: "None"
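Review bot: the description should say what the value is matched against and how: it is applied with jq `test()` to the namespace name, unanchored, and `"None"` (the default) means no extra exemptions rather than a namespace literally named None. Suggest a sentence such as 'Matched as an unanchored regular expression against the namespace name; leave at "None" to add no exemptions.' The same applies to the deployment and statefulset variable files below, which differ only in the workload kind.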
@@ -0,0 +1,18 @@
documentation_complete: true

title: 'Namespaces exempt of Deployment Resource Limit'

description: |-
Namespaces regular expression explicitly allowed
through deployment resource filters, e.g. setting value to
"namespace1|namespace2" will exempt namespace
"namespace1" and "namespace2" for deployment resource limit checks.

type: string

operator: equals

interactive: true

options:
default: "None"
@@ -0,0 +1,18 @@
documentation_complete: true

title: 'Namespaces exempt of Statefulset Resource Limit'

description: |-
Namespaces regular expression explicitly allowed
through statefulset resource filters, e.g. setting value to
"namespace1|namespace2" will exempt namespace
"namespace1" and "namespace2" for statefulset resource limit checks.

type: string

operator: equals

interactive: true

options:
default: "None"