Added warn-podman-images-bestpractices (#34)

redhat-cop · Jun 24, 2020 · 4210aa7 · 4210aa7
1 parent e06b1b9
commit 4210aa7
Show file tree

Hide file tree

Showing 4 changed files with 46 additions and 0 deletions.
diff --git a/README.md b/README.md
@@ -37,6 +37,9 @@ Current policies in this repo are below. The naming of the policy files follows
 - [warn-podman-history-bestpractices.rego](policy/warn-podman-history-bestpractices.rego)
     - warn rules to check a wrapped JSON output of "podman history"; i.e.: expected base layer is found.
 
+- [warn-podman-images-bestpractices.rego](policy/warn-podman-images-bestpractices.rego)
+    - warn rules to check a wrapped JSON output of "podman images"; i.e.: check image size is within bounds.
+
 ## 3rd Party Policies
 A list of git repos that contain rego polices which can be combined with this repo:
 - [deprek8ion: Rego policies to monitor Kubernetes APIs deprecations](https://github.com/swade1987/deprek8ion)

diff --git a/_test/conftest.sh b/_test/conftest.sh
@@ -198,4 +198,15 @@ load _helpers
   [ "${lines[1]}" = "# Warnings" ]
   [ "${lines[2]}" = "not ok 1 - /tmp/rego-policies/_test/warn-podman-history-bestpractices/jenkins-python-mising.json - quay.io/redhat-cop/jenkins-agent-python:has-missing-sha: did not find expected SHA" ]
   [ "${lines[3]}" = "# Successes" ]
+}
+
+@test "_test/warn-podman-images-bestpractices" {
+  copy_dir_via_jq "_test/warn-podman-images-bestpractices/*.json"
+  run conftest test /tmp/rego-policies/_test/warn-podman-images-bestpractices --output tap
+
+  print_err "$status" "$output"
+  [ "$status" -eq 0 ]
+  [ "${lines[1]}" = "# Warnings" ]
+  [ "${lines[2]}" = "not ok 1 - /tmp/rego-policies/_test/warn-podman-images-bestpractices/jenkins-base.json - quay.io/openshift/origin-jenkins-agent-base:4.4: has a size of '692.095652Mi', which is greater than '512Mi' limit." ]
+  [ "${lines[3]}" = "# Successes" ]
 }
diff --git a/_test/warn-podman-images-bestpractices/jenkins-base.json b/_test/warn-podman-images-bestpractices/jenkins-base.json
@@ -0,0 +1,15 @@
+{
+  "kind": "PodmanImages",
+  "image": "quay.io/openshift/origin-jenkins-agent-base:4.4",
+  "items": [
+    {
+      "id": "cd343f0d83042932fa992e095cd4a93a89a3520873f99b0e15fde69eb46e7e10",
+      "names": [
+        "quay.io/openshift/origin-jenkins-agent-base:4.4"
+      ],
+      "digest": "sha256:1d59d3b1902a3581b6a9b1955fbd1d44490d9f470abbd60591948942a4ef7437",
+      "created": "2020-06-13T00:10:44.644429651Z",
+      "size": 725714890
+    }
+  ]
+}
diff --git a/policy/warn-podman-images-bestpractices.rego b/policy/warn-podman-images-bestpractices.rego
@@ -0,0 +1,17 @@
+package main
+
+warn[msg] {
+  #NOTE: upperBound is an arbitrary number and it should be changed to what your company believes is the correct policy
+
+  input.kind == "PodmanImages"
+
+  kb := 1024
+  mb := kb * 1024
+  upperBound := 512
+
+  image := input.items[_]
+  sizeInMb := image.size / mb
+  sizeInMb > upperBound
+
+  msg := sprintf("%s: has a size of '%fMi', which is greater than '%dMi' limit.", [input.image, sizeInMb, upperBound])
+}