OCPBUGS-304: exclude rhacs-operator namespace from resource limit rules
Added three new variables to be able to exclude namespaces:
- var_daemonset_limit_namespaces_exempt_regex for rule resource_requests_limits_in_daemonset
- var_deployment_limit_namespaces_exempt_regex for rule resource_requests_limits_in_deployment
- var_statefulset_limit_namespaces_exempt_regex for rule resource_requests_limits_in_statefulset

The rhacs-operator namespace has also been excluded by default.
Link to Jira Bug: https://issues.redhat.com/browse/OCPBUGS-304, https://issues.redhat.com/browse/CMP-2400
Additional namespaces should be excluded using those variables.
Start a new ephemeral environment with changes proposed in this pull request:
:robot: A k8s content image for this PR is available at:
ghcr.io/complianceascode/k8scontent:12307
This image was built from commit: 5798710019bbb471c24c3d4347616ec8a714dcbc
If you already have Compliance Operator deployed:
utils/build_ds_container.py -i ghcr.io/complianceascode/k8scontent:12307
Otherwise deploy the content and operator together by checking out ComplianceAsCode/compliance-operator and:
CONTENT_IMAGE=ghcr.io/complianceascode/k8scontent:12307 make deploy-local
/test 4.15-e2e-aws-ocp4-moderate
/test 4.16-e2e-aws-ocp4-moderate
Nit, not necessary to merge this PR.
The result of the jquery is quite uncanny. So I was playing with it and got to this: https://jqplay.org/s/v33KOMdUaoM9X8j
CI issues related to the malformed condition, I think
helpers.go:872: Result - Name: e2e-moderate-resource-requests-limits-in-daemonset - Status: PASS - Severity: medium
helpers.go:1060: Rule e2e-moderate-resource-requests-limits-in-daemonset matched expected result
helpers.go:872: Result - Name: e2e-moderate-resource-requests-limits-in-deployment - Status: FAIL - Severity: medium
helpers.go:879: E2E-FAILURE: The expected result for the e2e-moderate-resource-requests-limits-in-deployment rule didn't match. Expected 'PASS', Got 'FAIL'
helpers.go:872: Result - Name: e2e-moderate-resource-requests-limits-in-statefulset - Status: FAIL - Severity: medium
helpers.go:879: E2E-FAILURE: The expected result for the e2e-moderate-resource-requests-limits-in-statefulset rule didn't match. Expected 'PASS', Got 'FAIL'
@Vincent056 Why is https://issues.redhat.com/browse/CMP-2400 linked? Do you plan to address this rule? https://github.com/ComplianceAsCode/content/blob/master/applications/openshift/general/resource_requests_quota_per_project/rule.yml
@yuumasato thanks for the review!
> @Vincent056 Why is https://issues.redhat.com/browse/CMP-2400 linked? Do you plan to address this rule? https://github.com/ComplianceAsCode/content/blob/master/applications/openshift/general/resource_requests_quota_per_project/rule.yml
I have submitted a new pr for CMP 2400 here: https://github.com/ComplianceAsCode/content/pull/12344
> https://jqplay.org/s/v33KOMdUaoM9X8j
this is a nice tool!
/test 4.15-e2e-aws-ocp4-moderate
/test 4.16-e2e-aws-ocp4-moderate
/hold for test
/packit retest-failed
Verification passed with ghcr.io/complianceascode/k8scontent:12307
1. Create 2 namespaces test1 and test2, and create daemonset, deployment, statefulset without resource limits.
2. Create tp and ssb.
```
% cat tp.yaml
apiVersion: compliance.openshift.io/v1alpha1
kind: TailoredProfile
metadata:
  name: limits-test
  namespace: openshift-compliance
spec:
  description: Test
  setValues:
  - name: upstream-ocp4-var-daemonset-limit-namespaces-exempt-regex
    value: "test1|test2"
    rationale: test
  - name: upstream-ocp4-var-deployment-limit-namespaces-exempt-regex
    value: "test1|test2"
    rationale: test
  - name: upstream-ocp4-var-statefulset-limit-namespaces-exempt-regex
    value: "test1|test2"
    rationale: test
  extends: upstream-ocp4-high
  title: My modified nist profile with a custom value
% oc apply -f tp.yaml
tailoredprofile.compliance.openshift.io/limits-test created
% cat ssb_high_u.yaml
apiVersion: compliance.openshift.io/v1alpha1
kind: ScanSettingBinding
metadata:
  name: cis-compliance
  namespace: openshift-compliance
profiles:
- name: limits-test
  kind: TailoredProfile
  apiGroup: compliance.openshift.io/v1alpha1
settingsRef:
  name: default
  kind: ScanSetting
  apiGroup: compliance.openshift.io/v1alpha1
% cat ssb_high_u2.yaml
apiVersion: compliance.openshift.io/v1alpha1
kind: ScanSettingBinding
metadata:
  name: high-profile-compliance
  namespace: openshift-compliance
profiles:
- name: upstream-ocp4-high
  kind: Profile
  apiGroup: compliance.openshift.io/v1alpha1
settingsRef:
  name: default
  kind: ScanSetting
  apiGroup: compliance.openshift.io/v1alpha1
% oc apply -f ssb_high_u.yaml
scansettingbinding.compliance.openshift.io/cis-compliance created
% oc apply -f ssb_high_u2.yaml
scansettingbinding.compliance.openshift.io/high-profile-compliance created
```
3. Check the result:
```
% oc get ccr | grep resource-requests-limit
limits-test-resource-requests-limits-in-daemonset            PASS   medium
limits-test-resource-requests-limits-in-deployment           PASS   medium
limits-test-resource-requests-limits-in-statefulset          PASS   medium
upstream-ocp4-high-resource-requests-limits-in-daemonset     FAIL   medium
upstream-ocp4-high-resource-requests-limits-in-deployment    FAIL   medium
upstream-ocp4-high-resource-requests-limits-in-statefulset   FAIL   medium
```
```
% oc get rule upstream-ocp4-resource-requests-limits-in-daemonset -o=jsonpath={.instructions}
Run the following command to retrieve a list of daemonsets that does not have resource requests and limits:
$ oc get daemonset.apps --all-namespaces -o json | jq '[ .items[] | select(.metadata.namespace | startswith("kube-") or startswith("openshift-") | not) | select(.metadata.namespace != "rhacs-operator" and (true)) | select( .spec.template.spec.containers[].resources.requests.cpu == null or .spec.template.spec.containers[].resources.requests.memory == null or .spec.template.spec.containers[].resources.limits.cpu == null or .spec.template.spec.containers[].resources.limits.memory == null ) | .metadata.name ]'
Make sure that there is output nothing in the result.
Is it the case that Resource requests and limits is not set?%
% oc get daemonset.apps --all-namespaces -o json | jq '[ .items[] | select(.metadata.namespace | startswith("kube-") or startswith("openshift-") | not) | select(.metadata.namespace != "rhacs-operator" and (true)) | select( .spec.template.spec.containers[].resources.requests.cpu == null or .spec.template.spec.containers[].resources.requests.memory == null or .spec.template.spec.containers[].resources.limits.cpu == null or .spec.template.spec.containers[].resources.limits.memory == null ) | .metadata.name ]'
[
  "hello-daemonset",
  "hello-daemonset",
  "hello-daemonset",
  "hello-daemonset"
]
% oc get rule upstream-ocp4-resource-requests-limits-in-deployment -o=jsonpath={.instructions}
Run the following command to retrieve a list of deployments that does not have resource requests and limits:
$ oc get deployment.apps --all-namespaces -o json | jq '[ .items[] | select(.metadata.namespace | startswith("kube-") or startswith("openshift-") | not) | select(.metadata.namespace != "rhacs-operator" and (true)) | select( .spec.template.spec.containers[].resources.requests.cpu == null or .spec.template.spec.containers[].resources.requests.memory == null or .spec.template.spec.containers[].resources.limits.cpu == null or .spec.template.spec.containers[].resources.limits.memory == null ) | .metadata.name ]'
Make sure that there is output nothing in the result.
Is it the case that Resource requests and limits is not set?%
% oc get deployment.apps --all-namespaces -o json | jq '[ .items[] | select(.metadata.namespace | startswith("kube-") or startswith("openshift-") | not) | select(.metadata.namespace != "rhacs-operator" and (true)) | select( .spec.template.spec.containers[].resources.requests.cpu == null or .spec.template.spec.containers[].resources.requests.memory == null or .spec.template.spec.containers[].resources.limits.cpu == null or .spec.template.spec.containers[].resources.limits.memory == null ) | .metadata.name ]'
[
  "nginx-deployment",
  "nginx-deployment"
]
% oc get rule upstream-ocp4-resource-requests-limits-in-statefulset -o=jsonpath={.instructions}
Run the following command to retrieve a list of statefulsets that does not have resource requests and limits:
$ oc get statefulset.apps --all-namespaces -o json | jq '[ .items[] | select(.metadata.namespace | startswith("kube-") or startswith("openshift-") | not) | select(.metadata.namespace != "rhacs-operator" and (true)) | select( .spec.template.spec.containers[].resources.requests.cpu == null or .spec.template.spec.containers[].resources.requests.memory == null or .spec.template.spec.containers[].resources.limits.cpu == null or .spec.template.spec.containers[].resources.limits.memory == null ) | .metadata.name ]'
Make sure that there is output nothing in the result.
Is it the case that Resource requests and limits is not set?%
% oc get statefulset.apps --all-namespaces -o json | jq '[ .items[] | select(.metadata.namespace | startswith("kube-") or startswith("openshift-") | not) | select(.metadata.namespace != "rhacs-operator" and (true)) | select( .spec.template.spec.containers[].resources.requests.cpu == null or .spec.template.spec.containers[].resources.requests.memory == null or .spec.template.spec.containers[].resources.limits.cpu == null or .spec.template.spec.containers[].resources.limits.memory == null ) | .metadata.name ]'
[
  "hello-statefulset",
  "hello-statefulset"
]
```
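The check the rule instructions in the verification above perform, re-implemented here as an added Python example (not the project's jq or rule content) so the namespace exemption logic this PR introduces can be exercised offline. The workload list is constructed sample data, the system-prefix and rhacs-operator exemptions follow the jq shown above, and treating the exempt regex as a full match of the namespace name is this example's assumption.

```python
"""Added example (not the project's content): the requests/limits check from
the rule instructions above, re-implemented in Python over a constructed
`oc get ... -o json` list, with the namespace exemption regex this PR adds."""
import json
import re

SYSTEM_PREFIXES = ("kube-", "openshift-")  # skipped by the rule before this PR
DEFAULT_EXEMPT = {"rhacs-operator"}        # excluded by default in this PR
REQUIRED = ("requests.cpu", "requests.memory", "limits.cpu", "limits.memory")

def workload(ns, name, *containers):  # builder for constructed sample objects
    return {"metadata": {"namespace": ns, "name": name},
            "spec": {"template": {"spec": {"containers": list(containers)}}}}

FULL = {"requests": {"cpu": "1", "memory": "1Gi"}, "limits": {"cpu": "2", "memory": "2Gi"}}
SAMPLE = json.dumps({"items": [  # constructed, not real cluster output
    workload("test1", "nginx-deployment", {"name": "nginx"}, {"name": "sidecar", "resources": FULL}),
    workload("test2", "hello", {"name": "app", "resources": {"requests": FULL["requests"]}}),
    workload("prod", "api", {"name": "api", "resources": FULL}),
    workload("openshift-monitoring", "prometheus", {"name": "p"}),
    workload("rhacs-operator", "rhacs-operator", {"name": "op"}),
]})

def is_exempt(namespace, exempt_regex=None):
    """Namespace the rule skips: system prefix, default exemption, or a full
    match (this example's choice) of the var_*_limit_namespaces_exempt_regex value."""
    if namespace.startswith(SYSTEM_PREFIXES) or namespace in DEFAULT_EXEMPT:
        return True
    return bool(exempt_regex) and re.fullmatch(exempt_regex, namespace) is not None

def missing_fields(container):
    """Required request/limit fields the container leaves unset."""
    res = container.get("resources") or {}
    return [f for f in REQUIRED
            if (res.get(f.split(".")[0]) or {}).get(f.split(".")[1]) is None]

def noncompliant(items_json, exempt_regex=None):
    """{namespace/name: {container: [missing fields]}} for failing workloads;
    each workload appears once (jq's select repeats it per truthy output)."""
    report = {}
    for w in json.loads(items_json)["items"]:
        ns, name = w["metadata"]["namespace"], w["metadata"]["name"]
        if is_exempt(ns, exempt_regex):
            continue
        bad = {c["name"]: missing_fields(c)
               for c in w["spec"]["template"]["spec"]["containers"] if missing_fields(c)}
        if bad:
            report[f"{ns}/{name}"] = bad
    return report
```

Without tailoring, `noncompliant(SAMPLE)` reports the test1 and test2 workloads; with the value from the TailoredProfile above, `noncompliant(SAMPLE, "test1|test2")` returns an empty report, mirroring the PASS results in step 3.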
/unhold
@Vincent056 you might need to rebase for Gate / Build, Test on Fedora Latest (Container) (push) to pass
Code Climate has analyzed commit 57987100 and detected 0 issues on this pull request.
The test coverage on the diff in this pull request is 100.0% (50% is the threshold).
This pull request will bring the total coverage in the repository to 59.5% (0.0% change).