Merge pull request #233 from garethahealy/main

converted to opa metadata comments via konstraint convert

policy/combine/namespace-has-networkpolicy/src.rego

@@ -1,12 +1,22 @@
-# @title RHCOP-COMBINE-00001: Namespace has a NetworkPolicy
-#
-# Kubernetes network policies specify the access permissions for groups of pods,
-# much like security groups in the cloud are used to control access to VM instances.
-# In other words, it creates firewalls between pods running on a Kubernetes cluster.
-# See: Network policies -> https://learnk8s.io/production-best-practices#governance
-#
-# @skip-constraint
-# @kinds core/Namespace networking.k8s.io/NetworkPolicy
+# METADATA
+# title: 'RHCOP-COMBINE-00001: Namespace has a NetworkPolicy'
+# description: |-
+#   Kubernetes network policies specify the access permissions for groups of pods,
+#   much like security groups in the cloud are used to control access to VM instances.
+#   In other words, it creates firewalls between pods running on a Kubernetes cluster.
+#   See: Network policies -> https://learnk8s.io/production-best-practices#governance
+# custom:
+#   matchers:
+#     kinds:
+#     - apiGroups:
+#       - ""
+#       kinds:
+#       - Namespace
+#     - apiGroups:
+#       - networking.k8s.io
+#       kinds:
+#       - NetworkPolicy
+#   skipConstraint: true
 package combine.namespace_has_networkpolicy
 
 import data.lib.konstraint.core as konstraint_core

policy/combine/namespace-has-resourcequota/src.rego

@@ -1,13 +1,20 @@
-# @title RHCOP-COMBINE-00002: Namespace has a ResourceQuota
-#
-# With ResourceQuotas, you can limit the total resource consumption of all containers inside a Namespace.
-# Defining a resource quota for a namespace limits the total amount of CPU, memory or storage resources
-# that can be consumed by all containers belonging to that namespace. You can also set quotas for other
-# Kubernetes objects such as the number of Pods in the current namespace.
-# See: Namespace limits -> https://learnk8s.io/production-best-practices#governance
-#
-# @skip-constraint
-# @kinds core/Namespace core/ResourceQuota
+# METADATA
+# title: 'RHCOP-COMBINE-00002: Namespace has a ResourceQuota'
+# description: |-
+#   With ResourceQuotas, you can limit the total resource consumption of all containers inside a Namespace.
+#   Defining a resource quota for a namespace limits the total amount of CPU, memory or storage resources
+#   that can be consumed by all containers belonging to that namespace. You can also set quotas for other
+#   Kubernetes objects such as the number of Pods in the current namespace.
+#   See: Namespace limits -> https://learnk8s.io/production-best-practices#governance
+# custom:
+#   matchers:
+#     kinds:
+#     - apiGroups:
+#       - ""
+#       kinds:
+#       - Namespace
+#       - ResourceQuota
+#   skipConstraint: true
 package combine.namespace_has_resourcequota
 
 import data.lib.konstraint.core as konstraint_core

policy/ocp/bestpractices/common-k8s-labels-notset/src.rego

@@ -1,9 +1,37 @@
-# @title RHCOP-OCP_BESTPRACT-00001: Common k8s labels are set
-#
-# Check if all workload related kinds contain labels as suggested by k8s.
-# See: https://kubernetes.io/docs/concepts/overview/working-with-objects/common-labels
-#
-# @kinds apps.openshift.io/DeploymentConfig apps/DaemonSet apps/Deployment apps/Job apps/ReplicaSet core/ReplicationController apps/StatefulSet core/Pod batch/CronJob core/Service route.openshift.io/Route
+# METADATA
+# title: 'RHCOP-OCP_BESTPRACT-00001: Common k8s labels are set'
+# description: |-
+#   Check if all workload related kinds contain labels as suggested by k8s.
+#   See: https://kubernetes.io/docs/concepts/overview/working-with-objects/common-labels
+# custom:
+#   matchers:
+#     kinds:
+#     - apiGroups:
+#       - ""
+#       kinds:
+#       - Pod
+#       - ReplicationController
+#       - Service
+#     - apiGroups:
+#       - apps
+#       kinds:
+#       - DaemonSet
+#       - Deployment
+#       - Job
+#       - ReplicaSet
+#       - StatefulSet
+#     - apiGroups:
+#       - apps.openshift.io
+#       kinds:
+#       - DeploymentConfig
+#     - apiGroups:
+#       - batch
+#       kinds:
+#       - CronJob
+#     - apiGroups:
+#       - route.openshift.io
+#       kinds:
+#       - Route
 package ocp.bestpractices.common_k8s_labels_notset
 
 import data.lib.konstraint.core as konstraint_core

policy/ocp/bestpractices/container-env-maxmemory-notset/src.rego

@@ -1,10 +1,33 @@
-# @title RHCOP-OCP_BESTPRACT-00002: Container env has CONTAINER_MAX_MEMORY set
-#
-# Red Hat OpenJDK image uses CONTAINER_MAX_MEMORY env via the downward API to set Java memory settings.
-# Instead of manually setting -Xmx, let the image automatically set it for you.
-# See: https://github.com/jboss-openshift/cct_module/blob/master/jboss/container/java/jvm/bash/artifacts/opt/jboss/container/java/jvm/java-default-options
-#
-# @kinds apps.openshift.io/DeploymentConfig apps/DaemonSet apps/Deployment apps/Job apps/ReplicaSet core/ReplicationController apps/StatefulSet core/Pod batch/CronJob
+# METADATA
+# title: 'RHCOP-OCP_BESTPRACT-00002: Container env has CONTAINER_MAX_MEMORY set'
+# description: |-
+#   Red Hat OpenJDK image uses CONTAINER_MAX_MEMORY env via the downward API to set Java memory settings.
+#   Instead of manually setting -Xmx, let the image automatically set it for you.
+#   See: https://github.com/jboss-openshift/cct_module/blob/master/jboss/container/java/jvm/bash/artifacts/opt/jboss/container/java/jvm/java-default-options
+# custom:
+#   matchers:
+#     kinds:
+#     - apiGroups:
+#       - ""
+#       kinds:
+#       - Pod
+#       - ReplicationController
+#     - apiGroups:
+#       - apps
+#       kinds:
+#       - DaemonSet
+#       - Deployment
+#       - Job
+#       - ReplicaSet
+#       - StatefulSet
+#     - apiGroups:
+#       - apps.openshift.io
+#       kinds:
+#       - DeploymentConfig
+#     - apiGroups:
+#       - batch
+#       kinds:
+#       - CronJob
 package ocp.bestpractices.container_env_maxmemory_notset
 
 import data.lib.konstraint.core as konstraint_core
@@ -24,4 +47,4 @@ is_env_max_memory_set(container) {
   env := container.env[_]
   env.name == "CONTAINER_MAX_MEMORY"
   env.valueFrom.resourceFieldRef.resource == "limits.memory"
-}
+}

policy/ocp/bestpractices/container-image-latest/src.rego

@@ -1,8 +1,30 @@
-# @title RHCOP-OCP_BESTPRACT-00003: Container image is not set as latest
-#
-# Images should use immutable tags. Today's latest is not tomorrows latest.
-#
-# @kinds apps.openshift.io/DeploymentConfig apps/DaemonSet apps/Deployment apps/Job apps/ReplicaSet core/ReplicationController apps/StatefulSet core/Pod batch/CronJob
+# METADATA
+# title: 'RHCOP-OCP_BESTPRACT-00003: Container image is not set as latest'
+# description: Images should use immutable tags. Today's latest is not tomorrows latest.
+# custom:
+#   matchers:
+#     kinds:
+#     - apiGroups:
+#       - ""
+#       kinds:
+#       - Pod
+#       - ReplicationController
+#     - apiGroups:
+#       - apps
+#       kinds:
+#       - DaemonSet
+#       - Deployment
+#       - Job
+#       - ReplicaSet
+#       - StatefulSet
+#     - apiGroups:
+#       - apps.openshift.io
+#       kinds:
+#       - DeploymentConfig
+#     - apiGroups:
+#       - batch
+#       kinds:
+#       - CronJob
 package ocp.bestpractices.container_image_latest
 
 import data.lib.konstraint.core as konstraint_core

policy/ocp/bestpractices/container-image-unknownregistries/src.rego

@@ -1,8 +1,30 @@
-# @title RHCOP-OCP_BESTPRACT-00004: Container image is not from a known registry
-#
-# Only images from trusted and known registries should be used
-#
-# @kinds apps.openshift.io/DeploymentConfig apps/DaemonSet apps/Deployment apps/Job apps/ReplicaSet core/ReplicationController apps/StatefulSet core/Pod batch/CronJob
+# METADATA
+# title: 'RHCOP-OCP_BESTPRACT-00004: Container image is not from a known registry'
+# description: Only images from trusted and known registries should be used
+# custom:
+#   matchers:
+#     kinds:
+#     - apiGroups:
+#       - ""
+#       kinds:
+#       - Pod
+#       - ReplicationController
+#     - apiGroups:
+#       - apps
+#       kinds:
+#       - DaemonSet
+#       - Deployment
+#       - Job
+#       - ReplicaSet
+#       - StatefulSet
+#     - apiGroups:
+#       - apps.openshift.io
+#       kinds:
+#       - DeploymentConfig
+#     - apiGroups:
+#       - batch
+#       kinds:
+#       - CronJob
 package ocp.bestpractices.container_image_unknownregistries
 
 import future.keywords.in

policy/ocp/bestpractices/container-java-xmx-set/src.rego

@@ -1,9 +1,32 @@
-# @title RHCOP-OCP_BESTPRACT-00005: Container does not set Java Xmx option
-#
-# Red Hat OpenJDK image uses CONTAINER_MAX_MEMORY env via the downward API to set Java memory settings.
-# Instead of manually setting -Xmx, let the image automatically set it for you.
-#
-# @kinds apps.openshift.io/DeploymentConfig apps/DaemonSet apps/Deployment apps/Job apps/ReplicaSet core/ReplicationController apps/StatefulSet core/Pod batch/CronJob
+# METADATA
+# title: 'RHCOP-OCP_BESTPRACT-00005: Container does not set Java Xmx option'
+# description: |-
+#   Red Hat OpenJDK image uses CONTAINER_MAX_MEMORY env via the downward API to set Java memory settings.
+#   Instead of manually setting -Xmx, let the image automatically set it for you.
+# custom:
+#   matchers:
+#     kinds:
+#     - apiGroups:
+#       - ""
+#       kinds:
+#       - Pod
+#       - ReplicationController
+#     - apiGroups:
+#       - apps
+#       kinds:
+#       - DaemonSet
+#       - Deployment
+#       - Job
+#       - ReplicaSet
+#       - StatefulSet
+#     - apiGroups:
+#       - apps.openshift.io
+#       kinds:
+#       - DeploymentConfig
+#     - apiGroups:
+#       - batch
+#       kinds:
+#       - CronJob
 package ocp.bestpractices.container_java_xmx_set
 
 import data.lib.konstraint.core as konstraint_core

policy/ocp/bestpractices/container-labelkey-inconsistent/src.rego

@@ -1,8 +1,31 @@
-# @title RHCOP-OCP_BESTPRACT-00006: Label key is consistent
-#
-# Label keys should be qualified by 'app.kubernetes.io' or 'company.com' to allow a consistent understanding.
-#
-# @kinds apps.openshift.io/DeploymentConfig apps/DaemonSet apps/Deployment apps/Job apps/ReplicaSet core/ReplicationController apps/StatefulSet core/Pod batch/CronJob
+# METADATA
+# title: 'RHCOP-OCP_BESTPRACT-00006: Label key is consistent'
+# description: Label keys should be qualified by 'app.kubernetes.io' or 'company.com'
+#   to allow a consistent understanding.
+# custom:
+#   matchers:
+#     kinds:
+#     - apiGroups:
+#       - ""
+#       kinds:
+#       - Pod
+#       - ReplicationController
+#     - apiGroups:
+#       - apps
+#       kinds:
+#       - DaemonSet
+#       - Deployment
+#       - Job
+#       - ReplicaSet
+#       - StatefulSet
+#     - apiGroups:
+#       - apps.openshift.io
+#       kinds:
+#       - DeploymentConfig
+#     - apiGroups:
+#       - batch
+#       kinds:
+#       - CronJob
 package ocp.bestpractices.container_labelkey_inconsistent
 
 import data.lib.konstraint.core as konstraint_core

policy/ocp/bestpractices/container-liveness-readinessprobe-equal/src.rego

@@ -1,11 +1,34 @@
-# @title RHCOP-OCP_BESTPRACT-00007: Container liveness and readiness probes are equal
-#
-# When Liveness and Readiness probes are pointing to the same endpoint, the effects of the probes are combined.
-# When the app signals that it's not ready or live, the kubelet detaches the container from the Service and delete it at the same time.
-# You might notice dropping connections because the container does not have enough time to drain the current connections or process the incoming ones.
-# See: Health checks -> https://learnk8s.io/production-best-practices#application-development
-#
-# @kinds apps.openshift.io/DeploymentConfig apps/DaemonSet apps/Deployment apps/Job apps/ReplicaSet core/ReplicationController apps/StatefulSet core/Pod batch/CronJob
+# METADATA
+# title: 'RHCOP-OCP_BESTPRACT-00007: Container liveness and readiness probes are equal'
+# description: |-
+#   When Liveness and Readiness probes are pointing to the same endpoint, the effects of the probes are combined.
+#   When the app signals that it's not ready or live, the kubelet detaches the container from the Service and delete it at the same time.
+#   You might notice dropping connections because the container does not have enough time to drain the current connections or process the incoming ones.
+#   See: Health checks -> https://learnk8s.io/production-best-practices#application-development
+# custom:
+#   matchers:
+#     kinds:
+#     - apiGroups:
+#       - ""
+#       kinds:
+#       - Pod
+#       - ReplicationController
+#     - apiGroups:
+#       - apps
+#       kinds:
+#       - DaemonSet
+#       - Deployment
+#       - Job
+#       - ReplicaSet
+#       - StatefulSet
+#     - apiGroups:
+#       - apps.openshift.io
+#       kinds:
+#       - DeploymentConfig
+#     - apiGroups:
+#       - batch
+#       kinds:
+#       - CronJob
 package ocp.bestpractices.container_liveness_readinessprobe_equal
 
 import data.lib.konstraint.core as konstraint_core

policy/ocp/bestpractices/container-livenessprobe-notset/src.rego

@@ -1,10 +1,33 @@
-# @title RHCOP-OCP_BESTPRACT-00008: Container liveness prob is not set
-#
-# A Liveness checks determines if the container in which it is scheduled is still running.
-# If the liveness probe fails due to a condition such as a deadlock, the kubelet kills the container.
-# See: https://docs.openshift.com/container-platform/4.6/applications/application-health.html
-#
-# @kinds apps.openshift.io/DeploymentConfig apps/DaemonSet apps/Deployment apps/Job apps/ReplicaSet core/ReplicationController apps/StatefulSet core/Pod batch/CronJob
+# METADATA
+# title: 'RHCOP-OCP_BESTPRACT-00008: Container liveness prob is not set'
+# description: |-
+#   A Liveness checks determines if the container in which it is scheduled is still running.
+#   If the liveness probe fails due to a condition such as a deadlock, the kubelet kills the container.
+#   See: https://docs.openshift.com/container-platform/4.6/applications/application-health.html
+# custom:
+#   matchers:
+#     kinds:
+#     - apiGroups:
+#       - ""
+#       kinds:
+#       - Pod
+#       - ReplicationController
+#     - apiGroups:
+#       - apps
+#       kinds:
+#       - DaemonSet
+#       - Deployment
+#       - Job
+#       - ReplicaSet
+#       - StatefulSet
+#     - apiGroups:
+#       - apps.openshift.io
+#       kinds:
+#       - DeploymentConfig
+#     - apiGroups:
+#       - batch
+#       kinds:
+#       - CronJob
 package ocp.bestpractices.container_livenessprobe_notset
 
 import data.lib.konstraint.core as konstraint_core