diff --git a/policy/combine/namespace-has-networkpolicy/src.rego b/policy/combine/namespace-has-networkpolicy/src.rego
index f173fb81..7266b7ca 100644
--- a/policy/combine/namespace-has-networkpolicy/src.rego
+++ b/policy/combine/namespace-has-networkpolicy/src.rego
@@ -1,12 +1,22 @@
-# @title RHCOP-COMBINE-00001: Namespace has a NetworkPolicy
-#
-# Kubernetes network policies specify the access permissions for groups of pods,
-# much like security groups in the cloud are used to control access to VM instances.
-# In other words, it creates firewalls between pods running on a Kubernetes cluster.
-# See: Network policies -> https://learnk8s.io/production-best-practices#governance
-#
-# @skip-constraint
-# @kinds core/Namespace networking.k8s.io/NetworkPolicy
+# METADATA
+# title: 'RHCOP-COMBINE-00001: Namespace has a NetworkPolicy'
+# description: |-
+# Kubernetes network policies specify the access permissions for groups of pods,
+# much like security groups in the cloud are used to control access to VM instances.
+# In other words, it creates firewalls between pods running on a Kubernetes cluster.
+# See: Network policies -> https://learnk8s.io/production-best-practices#governance
+# custom:
+# matchers:
+# kinds:
+# - apiGroups:
+# - ""
+# kinds:
+# - Namespace
+# - apiGroups:
+# - networking.k8s.io
+# kinds:
+# - NetworkPolicy
+# skipConstraint: true
 package combine.namespace_has_networkpolicy import data.lib.konstraint.core as konstraint_core
diff --git a/policy/combine/namespace-has-resourcequota/src.rego b/policy/combine/namespace-has-resourcequota/src.rego
index 4fb61c02..733705bd 100644
--- a/policy/combine/namespace-has-resourcequota/src.rego
+++ b/policy/combine/namespace-has-resourcequota/src.rego
@@ -1,13 +1,20 @@
-# @title RHCOP-COMBINE-00002: Namespace has a ResourceQuota
-#
-# With ResourceQuotas, you can limit the total resource consumption of all containers inside a Namespace.
-# Defining a resource quota for a namespace limits the total amount of CPU, memory or storage resources
-# that can be consumed by all containers belonging to that namespace. You can also set quotas for other
-# Kubernetes objects such as the number of Pods in the current namespace.
-# See: Namespace limits -> https://learnk8s.io/production-best-practices#governance
-#
-# @skip-constraint
-# @kinds core/Namespace core/ResourceQuota
+# METADATA
+# title: 'RHCOP-COMBINE-00002: Namespace has a ResourceQuota'
+# description: |-
+# With ResourceQuotas, you can limit the total resource consumption of all containers inside a Namespace.
+# Defining a resource quota for a namespace limits the total amount of CPU, memory or storage resources
+# that can be consumed by all containers belonging to that namespace. You can also set quotas for other
+# Kubernetes objects such as the number of Pods in the current namespace.
+# See: Namespace limits -> https://learnk8s.io/production-best-practices#governance
+# custom:
+# matchers:
+# kinds:
+# - apiGroups:
+# - ""
+# kinds:
+# - Namespace
+# - ResourceQuota
+# skipConstraint: true
 package combine.namespace_has_resourcequota import data.lib.konstraint.core as konstraint_core
diff --git a/policy/ocp/bestpractices/common-k8s-labels-notset/src.rego b/policy/ocp/bestpractices/common-k8s-labels-notset/src.rego
index d8f60762..bdc43c2e 100644
--- a/policy/ocp/bestpractices/common-k8s-labels-notset/src.rego
+++ b/policy/ocp/bestpractices/common-k8s-labels-notset/src.rego
@@ -1,9 +1,37 @@
-# @title RHCOP-OCP_BESTPRACT-00001: Common k8s labels are set
-#
-# Check if all workload related kinds contain labels as suggested by k8s.
-# See: https://kubernetes.io/docs/concepts/overview/working-with-objects/common-labels
-#
-# @kinds apps.openshift.io/DeploymentConfig apps/DaemonSet apps/Deployment apps/Job apps/ReplicaSet core/ReplicationController apps/StatefulSet core/Pod batch/CronJob core/Service route.openshift.io/Route
+# METADATA
+# title: 'RHCOP-OCP_BESTPRACT-00001: Common k8s labels are set'
+# description: |-
+# Check if all workload related kinds contain labels as suggested by k8s.
+# See: https://kubernetes.io/docs/concepts/overview/working-with-objects/common-labels
+# custom:
+# matchers:
+# kinds:
+# - apiGroups:
+# - ""
+# kinds:
+# - Pod
+# - ReplicationController
+# - Service
+# - apiGroups:
+# - apps
+# kinds:
+# - DaemonSet
+# - Deployment
+# - Job
+# - ReplicaSet
+# - StatefulSet
+# - apiGroups:
+# - apps.openshift.io
+# kinds:
+# - DeploymentConfig
+# - apiGroups:
+# - batch
+# kinds:
+# - CronJob
+# - apiGroups:
+# - route.openshift.io
+# kinds:
+# - Route
 package ocp.bestpractices.common_k8s_labels_notset import data.lib.konstraint.core as konstraint_core
diff --git a/policy/ocp/bestpractices/container-env-maxmemory-notset/src.rego b/policy/ocp/bestpractices/container-env-maxmemory-notset/src.rego
index 2e6a0a15..a4021747 100644
--- a/policy/ocp/bestpractices/container-env-maxmemory-notset/src.rego
+++ b/policy/ocp/bestpractices/container-env-maxmemory-notset/src.rego
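Review bot: `Job` is placed under the `apps` apiGroup in the new `custom.matchers.kinds` block (the `- apps` entry next to DaemonSet/Deployment/ReplicaSet/StatefulSet), but Job objects are served by the `batch` group, the same group this block already uses for `CronJob`; a constraint whose matcher is generated from this metadata would therefore never select a Job, and the policy would silently not apply to them. The old `@kinds apps/Job` annotation had the same mismatch, and the migration carries it over rather than correcting it. Move `Job` out of the `- apps` list and add it under `- batch`: `+#       - CronJob` followed by `+#       - Job`. The same mapping is repeated in the hunks for container-env-maxmemory-notset through container-volumemount-missing (every workload policy that lists `- Job` under `- apps`), so the fix belongs in each of them. Whether the mismatch is reachable in practice depends on how the konstraint tooling turns `matchers.kinds` into constraint templates, which is not visible here, so verify against the generated output.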
@@ -1,10 +1,33 @@
-# @title RHCOP-OCP_BESTPRACT-00002: Container env has CONTAINER_MAX_MEMORY set
-#
-# Red Hat OpenJDK image uses CONTAINER_MAX_MEMORY env via the downward API to set Java memory settings.
-# Instead of manually setting -Xmx, let the image automatically set it for you.
-# See: https://github.com/jboss-openshift/cct_module/blob/master/jboss/container/java/jvm/bash/artifacts/opt/jboss/container/java/jvm/java-default-options
-#
-# @kinds apps.openshift.io/DeploymentConfig apps/DaemonSet apps/Deployment apps/Job apps/ReplicaSet core/ReplicationController apps/StatefulSet core/Pod batch/CronJob
+# METADATA
+# title: 'RHCOP-OCP_BESTPRACT-00002: Container env has CONTAINER_MAX_MEMORY set'
+# description: |-
+# Red Hat OpenJDK image uses CONTAINER_MAX_MEMORY env via the downward API to set Java memory settings.
+# Instead of manually setting -Xmx, let the image automatically set it for you.
+# See: https://github.com/jboss-openshift/cct_module/blob/master/jboss/container/java/jvm/bash/artifacts/opt/jboss/container/java/jvm/java-default-options
+# custom:
+# matchers:
+# kinds:
+# - apiGroups:
+# - ""
+# kinds:
+# - Pod
+# - ReplicationController
+# - apiGroups:
+# - apps
+# kinds:
+# - DaemonSet
+# - Deployment
+# - Job
+# - ReplicaSet
+# - StatefulSet
+# - apiGroups:
+# - apps.openshift.io
+# kinds:
+# - DeploymentConfig
+# - apiGroups:
+# - batch
+# kinds:
+# - CronJob
 package ocp.bestpractices.container_env_maxmemory_notset import data.lib.konstraint.core as konstraint_core
@@ -24,4 +47,4 @@ is_env_max_memory_set(container) { env := container.env[_] env.name == "CONTAINER_MAX_MEMORY" env.valueFrom.resourceFieldRef.resource == "limits.memory"
-}
\ No newline at end of file
+}
diff --git a/policy/ocp/bestpractices/container-image-latest/src.rego b/policy/ocp/bestpractices/container-image-latest/src.rego
index 00967cfc..efa76a4a 100644
--- a/policy/ocp/bestpractices/container-image-latest/src.rego
+++ b/policy/ocp/bestpractices/container-image-latest/src.rego
@@ -1,8 +1,30 @@
-# @title RHCOP-OCP_BESTPRACT-00003: Container image is not set as latest
-#
-# Images should use immutable tags. Today's latest is not tomorrows latest.
-#
-# @kinds apps.openshift.io/DeploymentConfig apps/DaemonSet apps/Deployment apps/Job apps/ReplicaSet core/ReplicationController apps/StatefulSet core/Pod batch/CronJob
+# METADATA
+# title: 'RHCOP-OCP_BESTPRACT-00003: Container image is not set as latest'
+# description: Images should use immutable tags. Today's latest is not tomorrows latest.
+# custom:
+# matchers:
+# kinds:
+# - apiGroups:
+# - ""
+# kinds:
+# - Pod
+# - ReplicationController
+# - apiGroups:
+# - apps
+# kinds:
+# - DaemonSet
+# - Deployment
+# - Job
+# - ReplicaSet
+# - StatefulSet
+# - apiGroups:
+# - apps.openshift.io
+# kinds:
+# - DeploymentConfig
+# - apiGroups:
+# - batch
+# kinds:
+# - CronJob
 package ocp.bestpractices.container_image_latest import data.lib.konstraint.core as konstraint_core
diff --git a/policy/ocp/bestpractices/container-image-unknownregistries/src.rego b/policy/ocp/bestpractices/container-image-unknownregistries/src.rego
index ad7da02c..a78815f5 100644
--- a/policy/ocp/bestpractices/container-image-unknownregistries/src.rego
+++ b/policy/ocp/bestpractices/container-image-unknownregistries/src.rego
@@ -1,8 +1,30 @@
-# @title RHCOP-OCP_BESTPRACT-00004: Container image is not from a known registry
-#
-# Only images from trusted and known registries should be used
-#
-# @kinds apps.openshift.io/DeploymentConfig apps/DaemonSet apps/Deployment apps/Job apps/ReplicaSet core/ReplicationController apps/StatefulSet core/Pod batch/CronJob
+# METADATA
+# title: 'RHCOP-OCP_BESTPRACT-00004: Container image is not from a known registry'
+# description: Only images from trusted and known registries should be used
+# custom:
+# matchers:
+# kinds:
+# - apiGroups:
+# - ""
+# kinds:
+# - Pod
+# - ReplicationController
+# - apiGroups:
+# - apps
+# kinds:
+# - DaemonSet
+# - Deployment
+# - Job
+# - ReplicaSet
+# - StatefulSet
+# - apiGroups:
+# - apps.openshift.io
+# kinds:
+# - DeploymentConfig
+# - apiGroups:
+# - batch
+# kinds:
+# - CronJob
 package ocp.bestpractices.container_image_unknownregistries import future.keywords.in
diff --git a/policy/ocp/bestpractices/container-java-xmx-set/src.rego b/policy/ocp/bestpractices/container-java-xmx-set/src.rego
index 81182a00..c18c990f 100644
--- a/policy/ocp/bestpractices/container-java-xmx-set/src.rego
+++ b/policy/ocp/bestpractices/container-java-xmx-set/src.rego
@@ -1,9 +1,32 @@
-# @title RHCOP-OCP_BESTPRACT-00005: Container does not set Java Xmx option
-#
-# Red Hat OpenJDK image uses CONTAINER_MAX_MEMORY env via the downward API to set Java memory settings.
-# Instead of manually setting -Xmx, let the image automatically set it for you.
-#
-# @kinds apps.openshift.io/DeploymentConfig apps/DaemonSet apps/Deployment apps/Job apps/ReplicaSet core/ReplicationController apps/StatefulSet core/Pod batch/CronJob
+# METADATA
+# title: 'RHCOP-OCP_BESTPRACT-00005: Container does not set Java Xmx option'
+# description: |-
+# Red Hat OpenJDK image uses CONTAINER_MAX_MEMORY env via the downward API to set Java memory settings.
+# Instead of manually setting -Xmx, let the image automatically set it for you.
+# custom:
+# matchers:
+# kinds:
+# - apiGroups:
+# - ""
+# kinds:
+# - Pod
+# - ReplicationController
+# - apiGroups:
+# - apps
+# kinds:
+# - DaemonSet
+# - Deployment
+# - Job
+# - ReplicaSet
+# - StatefulSet
+# - apiGroups:
+# - apps.openshift.io
+# kinds:
+# - DeploymentConfig
+# - apiGroups:
+# - batch
+# kinds:
+# - CronJob
 package ocp.bestpractices.container_java_xmx_set import data.lib.konstraint.core as konstraint_core
diff --git a/policy/ocp/bestpractices/container-labelkey-inconsistent/src.rego b/policy/ocp/bestpractices/container-labelkey-inconsistent/src.rego
index 00e3ffa0..ff0973a0 100644
--- a/policy/ocp/bestpractices/container-labelkey-inconsistent/src.rego
+++ b/policy/ocp/bestpractices/container-labelkey-inconsistent/src.rego
@@ -1,8 +1,31 @@
-# @title RHCOP-OCP_BESTPRACT-00006: Label key is consistent
-#
-# Label keys should be qualified by 'app.kubernetes.io' or 'company.com' to allow a consistent understanding.
-#
-# @kinds apps.openshift.io/DeploymentConfig apps/DaemonSet apps/Deployment apps/Job apps/ReplicaSet core/ReplicationController apps/StatefulSet core/Pod batch/CronJob
+# METADATA
+# title: 'RHCOP-OCP_BESTPRACT-00006: Label key is consistent'
+# description: Label keys should be qualified by 'app.kubernetes.io' or 'company.com'
+# to allow a consistent understanding.
+# custom:
+# matchers:
+# kinds:
+# - apiGroups:
+# - ""
+# kinds:
+# - Pod
+# - ReplicationController
+# - apiGroups:
+# - apps
+# kinds:
+# - DaemonSet
+# - Deployment
+# - Job
+# - ReplicaSet
+# - StatefulSet
+# - apiGroups:
+# - apps.openshift.io
+# kinds:
+# - DeploymentConfig
+# - apiGroups:
+# - batch
+# kinds:
+# - CronJob
 package ocp.bestpractices.container_labelkey_inconsistent import data.lib.konstraint.core as konstraint_core
diff --git a/policy/ocp/bestpractices/container-liveness-readinessprobe-equal/src.rego b/policy/ocp/bestpractices/container-liveness-readinessprobe-equal/src.rego
index ad6ae767..8feca5fa 100644
--- a/policy/ocp/bestpractices/container-liveness-readinessprobe-equal/src.rego
+++ b/policy/ocp/bestpractices/container-liveness-readinessprobe-equal/src.rego
@@ -1,11 +1,34 @@
-# @title RHCOP-OCP_BESTPRACT-00007: Container liveness and readiness probes are equal
-#
-# When Liveness and Readiness probes are pointing to the same endpoint, the effects of the probes are combined.
-# When the app signals that it's not ready or live, the kubelet detaches the container from the Service and delete it at the same time.
-# You might notice dropping connections because the container does not have enough time to drain the current connections or process the incoming ones.
-# See: Health checks -> https://learnk8s.io/production-best-practices#application-development
-#
-# @kinds apps.openshift.io/DeploymentConfig apps/DaemonSet apps/Deployment apps/Job apps/ReplicaSet core/ReplicationController apps/StatefulSet core/Pod batch/CronJob
+# METADATA
+# title: 'RHCOP-OCP_BESTPRACT-00007: Container liveness and readiness probes are equal'
+# description: |-
+# When Liveness and Readiness probes are pointing to the same endpoint, the effects of the probes are combined.
+# When the app signals that it's not ready or live, the kubelet detaches the container from the Service and delete it at the same time.
+# You might notice dropping connections because the container does not have enough time to drain the current connections or process the incoming ones.
+# See: Health checks -> https://learnk8s.io/production-best-practices#application-development
+# custom:
+# matchers:
+# kinds:
+# - apiGroups:
+# - ""
+# kinds:
+# - Pod
+# - ReplicationController
+# - apiGroups:
+# - apps
+# kinds:
+# - DaemonSet
+# - Deployment
+# - Job
+# - ReplicaSet
+# - StatefulSet
+# - apiGroups:
+# - apps.openshift.io
+# kinds:
+# - DeploymentConfig
+# - apiGroups:
+# - batch
+# kinds:
+# - CronJob
 package ocp.bestpractices.container_liveness_readinessprobe_equal import data.lib.konstraint.core as konstraint_core
diff --git a/policy/ocp/bestpractices/container-livenessprobe-notset/src.rego b/policy/ocp/bestpractices/container-livenessprobe-notset/src.rego
index 7d745c33..d9486d5b 100644
--- a/policy/ocp/bestpractices/container-livenessprobe-notset/src.rego
+++ b/policy/ocp/bestpractices/container-livenessprobe-notset/src.rego
@@ -1,10 +1,33 @@
-# @title RHCOP-OCP_BESTPRACT-00008: Container liveness prob is not set
-#
-# A Liveness checks determines if the container in which it is scheduled is still running.
-# If the liveness probe fails due to a condition such as a deadlock, the kubelet kills the container.
-# See: https://docs.openshift.com/container-platform/4.6/applications/application-health.html
-#
-# @kinds apps.openshift.io/DeploymentConfig apps/DaemonSet apps/Deployment apps/Job apps/ReplicaSet core/ReplicationController apps/StatefulSet core/Pod batch/CronJob
+# METADATA
+# title: 'RHCOP-OCP_BESTPRACT-00008: Container liveness prob is not set'
+# description: |-
+# A Liveness checks determines if the container in which it is scheduled is still running.
+# If the liveness probe fails due to a condition such as a deadlock, the kubelet kills the container.
+# See: https://docs.openshift.com/container-platform/4.6/applications/application-health.html
+# custom:
+# matchers:
+# kinds:
+# - apiGroups:
+# - ""
+# kinds:
+# - Pod
+# - ReplicationController
+# - apiGroups:
+# - apps
+# kinds:
+# - DaemonSet
+# - Deployment
+# - Job
+# - ReplicaSet
+# - StatefulSet
+# - apiGroups:
+# - apps.openshift.io
+# kinds:
+# - DeploymentConfig
+# - apiGroups:
+# - batch
+# kinds:
+# - CronJob
 package ocp.bestpractices.container_livenessprobe_notset import data.lib.konstraint.core as konstraint_core
diff --git a/policy/ocp/bestpractices/container-readinessprobe-notset/src.rego b/policy/ocp/bestpractices/container-readinessprobe-notset/src.rego
index 55ac939d..82bbe468 100644
--- a/policy/ocp/bestpractices/container-readinessprobe-notset/src.rego
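Review bot: The new `title:` line carries the truncated word from the old annotation, `'RHCOP-OCP_BESTPRACT-00008: Container liveness prob is not set'`, and since this METADATA block is presumably what the konstraint tooling now reads for generated docs and constraint names, this is the natural moment to correct it to `'RHCOP-OCP_BESTPRACT-00008: Container liveness probe is not set'`. The description on the next line has the same kind of slip (`A Liveness checks determines` should read `A Liveness check determines`). The readinessprobe-notset hunk that follows repeats `prob` in its title, the memoryunit-incorrect hunk has `Begininers`, and the deploymentconfig-triggers-containername hunk has `miss match`; all are worth fixing in the same pass since the text is moving into a structured field. The package's rules continue outside the hunk.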
+++ b/policy/ocp/bestpractices/container-readinessprobe-notset/src.rego
@@ -1,10 +1,33 @@
-# @title RHCOP-OCP_BESTPRACT-00009: Container readiness prob is not set
-#
-# A Readiness check determines if the container in which it is scheduled is ready to service requests.
-# If the readiness probe fails a container, the endpoints controller ensures the container has its IP address removed from the endpoints of all services.
-# See: https://docs.openshift.com/container-platform/4.6/applications/application-health.html
-#
-# @kinds apps.openshift.io/DeploymentConfig apps/DaemonSet apps/Deployment apps/Job apps/ReplicaSet core/ReplicationController apps/StatefulSet core/Pod batch/CronJob
+# METADATA
+# title: 'RHCOP-OCP_BESTPRACT-00009: Container readiness prob is not set'
+# description: |-
+# A Readiness check determines if the container in which it is scheduled is ready to service requests.
+# If the readiness probe fails a container, the endpoints controller ensures the container has its IP address removed from the endpoints of all services.
+# See: https://docs.openshift.com/container-platform/4.6/applications/application-health.html
+# custom:
+# matchers:
+# kinds:
+# - apiGroups:
+# - ""
+# kinds:
+# - Pod
+# - ReplicationController
+# - apiGroups:
+# - apps
+# kinds:
+# - DaemonSet
+# - Deployment
+# - Job
+# - ReplicaSet
+# - StatefulSet
+# - apiGroups:
+# - apps.openshift.io
+# kinds:
+# - DeploymentConfig
+# - apiGroups:
+# - batch
+# kinds:
+# - CronJob
 package ocp.bestpractices.container_readinessprobe_notset import data.lib.konstraint.core as konstraint_core
diff --git a/policy/ocp/bestpractices/container-resources-limits-cpu-set/src.rego b/policy/ocp/bestpractices/container-resources-limits-cpu-set/src.rego
index fa95e50f..49986327 100644
--- a/policy/ocp/bestpractices/container-resources-limits-cpu-set/src.rego
+++ b/policy/ocp/bestpractices/container-resources-limits-cpu-set/src.rego
@@ -1,10 +1,33 @@
-# @title RHCOP-OCP_BESTPRACT-00010: Container resource limits CPU not set
-#
-# If you're not sure about what's the best settings for your app, it's better not to set the CPU limits.
-# See: Resources utilisation -> https://learnk8s.io/production-best-practices#application-development
-# See: reddit.com/r/kubernetes/comments/all1vg/on_kubernetes_cpu_limits
-#
-# @kinds apps.openshift.io/DeploymentConfig apps/DaemonSet apps/Deployment apps/Job apps/ReplicaSet core/ReplicationController apps/StatefulSet core/Pod batch/CronJob
+# METADATA
+# title: 'RHCOP-OCP_BESTPRACT-00010: Container resource limits CPU not set'
+# description: |-
+# If you're not sure about what's the best settings for your app, it's better not to set the CPU limits.
+# See: Resources utilisation -> https://learnk8s.io/production-best-practices#application-development
+# See: reddit.com/r/kubernetes/comments/all1vg/on_kubernetes_cpu_limits
+# custom:
+# matchers:
+# kinds:
+# - apiGroups:
+# - ""
+# kinds:
+# - Pod
+# - ReplicationController
+# - apiGroups:
+# - apps
+# kinds:
+# - DaemonSet
+# - Deployment
+# - Job
+# - ReplicaSet
+# - StatefulSet
+# - apiGroups:
+# - apps.openshift.io
+# kinds:
+# - DeploymentConfig
+# - apiGroups:
+# - batch
+# kinds:
+# - CronJob
 package ocp.bestpractices.container_resources_limits_cpu_set import data.lib.konstraint.core as konstraint_core
diff --git a/policy/ocp/bestpractices/container-resources-limits-memory-greater-than/src.rego b/policy/ocp/bestpractices/container-resources-limits-memory-greater-than/src.rego
index 25651581..d69b6823 100644
--- a/policy/ocp/bestpractices/container-resources-limits-memory-greater-than/src.rego
+++ b/policy/ocp/bestpractices/container-resources-limits-memory-greater-than/src.rego
@@ -1,10 +1,33 @@
-# @title RHCOP-OCP_BESTPRACT-00011: Container resource limits memory not greater than
-#
-# Setting a too high memory limit can cause under utilisation on a node.
-# It is better to run multiple pods which use smaller limits.
-# See: Resources utilisation -> https://learnk8s.io/production-best-practices#application-development
-#
-# @kinds apps.openshift.io/DeploymentConfig apps/DaemonSet apps/Deployment apps/Job apps/ReplicaSet core/ReplicationController apps/StatefulSet core/Pod batch/CronJob
+# METADATA
+# title: 'RHCOP-OCP_BESTPRACT-00011: Container resource limits memory not greater than'
+# description: |-
+# Setting a too high memory limit can cause under utilisation on a node.
+# It is better to run multiple pods which use smaller limits.
+# See: Resources utilisation -> https://learnk8s.io/production-best-practices#application-development
+# custom:
+# matchers:
+# kinds:
+# - apiGroups:
+# - ""
+# kinds:
+# - Pod
+# - ReplicationController
+# - apiGroups:
+# - apps
+# kinds:
+# - DaemonSet
+# - Deployment
+# - Job
+# - ReplicaSet
+# - StatefulSet
+# - apiGroups:
+# - apps.openshift.io
+# kinds:
+# - DeploymentConfig
+# - apiGroups:
+# - batch
+# kinds:
+# - CronJob
 package ocp.bestpractices.container_resources_limits_memory_greater_than import data.lib.konstraint.core as konstraint_core
diff --git a/policy/ocp/bestpractices/container-resources-limits-memory-notset/src.rego b/policy/ocp/bestpractices/container-resources-limits-memory-notset/src.rego
index 82b7ab70..d14861fe 100644
--- a/policy/ocp/bestpractices/container-resources-limits-memory-notset/src.rego
+++ b/policy/ocp/bestpractices/container-resources-limits-memory-notset/src.rego
@@ -1,10 +1,33 @@
-# @title RHCOP-OCP_BESTPRACT-00012: Container resource limits memory not set
-#
-# A container without a memory limit has memory utilisation of zero — according to the scheduler.
-# An unlimited number of Pods if schedulable on any nodes leading to resource overcommitment and potential node (and kubelet) crashes.
-# See: Resources utilisation -> https://learnk8s.io/production-best-practices#application-development
-#
-# @kinds apps.openshift.io/DeploymentConfig apps/DaemonSet apps/Deployment apps/Job apps/ReplicaSet core/ReplicationController apps/StatefulSet core/Pod batch/CronJob
+# METADATA
+# title: 'RHCOP-OCP_BESTPRACT-00012: Container resource limits memory not set'
+# description: |-
+# A container without a memory limit has memory utilisation of zero — according to the scheduler.
+# An unlimited number of Pods if schedulable on any nodes leading to resource overcommitment and potential node (and kubelet) crashes.
+# See: Resources utilisation -> https://learnk8s.io/production-best-practices#application-development
+# custom:
+# matchers:
+# kinds:
+# - apiGroups:
+# - ""
+# kinds:
+# - Pod
+# - ReplicationController
+# - apiGroups:
+# - apps
+# kinds:
+# - DaemonSet
+# - Deployment
+# - Job
+# - ReplicaSet
+# - StatefulSet
+# - apiGroups:
+# - apps.openshift.io
+# kinds:
+# - DeploymentConfig
+# - apiGroups:
+# - batch
+# kinds:
+# - CronJob
 package ocp.bestpractices.container_resources_limits_memory_notset import data.lib.konstraint.core as konstraint_core
diff --git a/policy/ocp/bestpractices/container-resources-memoryunit-incorrect/src.rego b/policy/ocp/bestpractices/container-resources-memoryunit-incorrect/src.rego
index 3157b571..6f703888 100644
--- a/policy/ocp/bestpractices/container-resources-memoryunit-incorrect/src.rego
+++ b/policy/ocp/bestpractices/container-resources-memoryunit-incorrect/src.rego
@@ -1,11 +1,35 @@
-# @title RHCOP-OCP_BESTPRACT-00013: Container resources limit memory has incorrect unit
-#
-# Begininers can easily confuse the allowed memory unit, this policy enforces what is valid.
-# k8s also allows for millibyte as a unit for memory, which causes unintended consequences for the scheduler.
-# See: https://github.com/kubernetes/kubernetes/issues/28741
-# See: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/#resource-units-in-kubernetes
-#
-# @kinds apps.openshift.io/DeploymentConfig apps/DaemonSet apps/Deployment apps/Job apps/ReplicaSet core/ReplicationController apps/StatefulSet core/Pod batch/CronJob
+# METADATA
+# title: 'RHCOP-OCP_BESTPRACT-00013: Container resources limit memory has incorrect
+# unit'
+# description: |-
+# Begininers can easily confuse the allowed memory unit, this policy enforces what is valid.
+# k8s also allows for millibyte as a unit for memory, which causes unintended consequences for the scheduler.
+# See: https://github.com/kubernetes/kubernetes/issues/28741
+# See: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/#resource-units-in-kubernetes
+# custom:
+# matchers:
+# kinds:
+# - apiGroups:
+# - ""
+# kinds:
+# - Pod
+# - ReplicationController
+# - apiGroups:
+# - apps
+# kinds:
+# - DaemonSet
+# - Deployment
+# - Job
+# - ReplicaSet
+# - StatefulSet
+# - apiGroups:
+# - apps.openshift.io
+# kinds:
+# - DeploymentConfig
+# - apiGroups:
+# - batch
+# kinds:
+# - CronJob
 package ocp.bestpractices.container_resources_memoryunit_incorrect import future.keywords.in
diff --git a/policy/ocp/bestpractices/container-resources-requests-cpuunit-incorrect/src.rego b/policy/ocp/bestpractices/container-resources-requests-cpuunit-incorrect/src.rego
index 46b33093..5429f3ac 100644
--- a/policy/ocp/bestpractices/container-resources-requests-cpuunit-incorrect/src.rego
+++ b/policy/ocp/bestpractices/container-resources-requests-cpuunit-incorrect/src.rego
@@ -1,9 +1,33 @@
-# @title RHCOP-OCP_BESTPRACT-00014: Container resources requests cpu has incorrect unit
-#
-# Beginners can easily confuse the allowed cpu unit, this policy enforces what is valid.
-# See: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/#resource-units-in-kubernetes
-#
-# @kinds apps.openshift.io/DeploymentConfig apps/DaemonSet apps/Deployment apps/Job apps/ReplicaSet core/ReplicationController apps/StatefulSet core/Pod batch/CronJob
+# METADATA
+# title: 'RHCOP-OCP_BESTPRACT-00014: Container resources requests cpu has incorrect
+# unit'
+# description: |-
+# Beginners can easily confuse the allowed cpu unit, this policy enforces what is valid.
+# See: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/#resource-units-in-kubernetes
+# custom:
+# matchers:
+# kinds:
+# - apiGroups:
+# - ""
+# kinds:
+# - Pod
+# - ReplicationController
+# - apiGroups:
+# - apps
+# kinds:
+# - DaemonSet
+# - Deployment
+# - Job
+# - ReplicaSet
+# - StatefulSet
+# - apiGroups:
+# - apps.openshift.io
+# kinds:
+# - DeploymentConfig
+# - apiGroups:
+# - batch
+# kinds:
+# - CronJob
 package ocp.bestpractices.container_resources_requests_cpuunit_incorrect import future.keywords.in
diff --git a/policy/ocp/bestpractices/container-resources-requests-memory-greater-than/src.rego b/policy/ocp/bestpractices/container-resources-requests-memory-greater-than/src.rego
index cc4d35dd..01f56a99 100644
--- a/policy/ocp/bestpractices/container-resources-requests-memory-greater-than/src.rego
+++ b/policy/ocp/bestpractices/container-resources-requests-memory-greater-than/src.rego
@@ -1,10 +1,34 @@
-# @title RHCOP-OCP_BESTPRACT-00015: Container resource requests memory not greater than
-#
-# Setting a too high memory request can cause under utilisation on a node.
-# It is better to run multiple pods which use smaller requests.
-# See: Resources utilisation -> https://learnk8s.io/production-best-practices#application-development
-#
-# @kinds apps.openshift.io/DeploymentConfig apps/DaemonSet apps/Deployment apps/Job apps/ReplicaSet core/ReplicationController apps/StatefulSet core/Pod batch/CronJob
+# METADATA
+# title: 'RHCOP-OCP_BESTPRACT-00015: Container resource requests memory not greater
+# than'
+# description: |-
+# Setting a too high memory request can cause under utilisation on a node.
+# It is better to run multiple pods which use smaller requests.
+# See: Resources utilisation -> https://learnk8s.io/production-best-practices#application-development
+# custom:
+# matchers:
+# kinds:
+# - apiGroups:
+# - ""
+# kinds:
+# - Pod
+# - ReplicationController
+# - apiGroups:
+# - apps
+# kinds:
+# - DaemonSet
+# - Deployment
+# - Job
+# - ReplicaSet
+# - StatefulSet
+# - apiGroups:
+# - apps.openshift.io
+# kinds:
+# - DeploymentConfig
+# - apiGroups:
+# - batch
+# kinds:
+# - CronJob
 package ocp.bestpractices.container_resources_requests_memory_greater_than import data.lib.konstraint.core as konstraint_core
diff --git a/policy/ocp/bestpractices/container-secret-mounted-envs/src.rego b/policy/ocp/bestpractices/container-secret-mounted-envs/src.rego
index df8cad29..af5b2f6e 100644
--- a/policy/ocp/bestpractices/container-secret-mounted-envs/src.rego
+++ b/policy/ocp/bestpractices/container-secret-mounted-envs/src.rego
@@ -1,11 +1,34 @@
-# @title RHCOP-OCP_BESTPRACT-00016: Container secret not mounted as envs
-#
-# The content of Secret resources should be mounted into containers as volumes rather than passed in as environment variables.
-# This is to prevent that the secret values appear in the command that was used to start the container, which may be inspected
-# by individuals that shouldn't have access to the secret values.
-# See: Configuration and secrets -> https://learnk8s.io/production-best-practices#application-development
-#
-# @kinds apps.openshift.io/DeploymentConfig apps/DaemonSet apps/Deployment apps/Job apps/ReplicaSet core/ReplicationController apps/StatefulSet core/Pod batch/CronJob
+# METADATA
+# title: 'RHCOP-OCP_BESTPRACT-00016: Container secret not mounted as envs'
+# description: |-
+# The content of Secret resources should be mounted into containers as volumes rather than passed in as environment variables.
+# This is to prevent that the secret values appear in the command that was used to start the container, which may be inspected
+# by individuals that shouldn't have access to the secret values.
+# See: Configuration and secrets -> https://learnk8s.io/production-best-practices#application-development
+# custom:
+# matchers:
+# kinds:
+# - apiGroups:
+# - ""
+# kinds:
+# - Pod
+# - ReplicationController
+# - apiGroups:
+# - apps
+# kinds:
+# - DaemonSet
+# - Deployment
+# - Job
+# - ReplicaSet
+# - StatefulSet
+# - apiGroups:
+# - apps.openshift.io
+# kinds:
+# - DeploymentConfig
+# - apiGroups:
+# - batch
+# kinds:
+# - CronJob
 package ocp.bestpractices.container_secret_mounted_envs import data.lib.konstraint.core as konstraint_core
diff --git a/policy/ocp/bestpractices/container-volumemount-inconsistent-path/src.rego b/policy/ocp/bestpractices/container-volumemount-inconsistent-path/src.rego
index 28e851d7..63be3ddd 100644
--- a/policy/ocp/bestpractices/container-volumemount-inconsistent-path/src.rego
+++ b/policy/ocp/bestpractices/container-volumemount-inconsistent-path/src.rego
@@ -1,8 +1,31 @@
-# @title RHCOP-OCP_BESTPRACT-00017: Container volume mount path is consistent
-#
-# Mount paths should be mounted at '/var/run/company.com' to allow a consistent understanding.
-#
-# @kinds apps.openshift.io/DeploymentConfig apps/DaemonSet apps/Deployment apps/Job apps/ReplicaSet core/ReplicationController apps/StatefulSet core/Pod batch/CronJob
+# METADATA
+# title: 'RHCOP-OCP_BESTPRACT-00017: Container volume mount path is consistent'
+# description: Mount paths should be mounted at '/var/run/company.com' to allow a consistent
+# understanding.
+# custom:
+# matchers:
+# kinds:
+# - apiGroups:
+# - ""
+# kinds:
+# - Pod
+# - ReplicationController
+# - apiGroups:
+# - apps
+# kinds:
+# - DaemonSet
+# - Deployment
+# - Job
+# - ReplicaSet
+# - StatefulSet
+# - apiGroups:
+# - apps.openshift.io
+# kinds:
+# - DeploymentConfig
+# - apiGroups:
+# - batch
+# kinds:
+# - CronJob
 package ocp.bestpractices.container_volumemount_inconsistent_path import data.lib.konstraint.core as konstraint_core
diff --git a/policy/ocp/bestpractices/container-volumemount-missing/src.rego b/policy/ocp/bestpractices/container-volumemount-missing/src.rego
index 3828ec95..cac4f3c2 100644
--- a/policy/ocp/bestpractices/container-volumemount-missing/src.rego
+++ b/policy/ocp/bestpractices/container-volumemount-missing/src.rego
@@ -1,8 +1,31 @@ -# @title RHCOP-OCP_BESTPRACT-00018: Container volume mount not set -# -# A volume does not have a corresponding volume mount. There is probably a mistake in your definition. -# -# @kinds apps.openshift.io/DeploymentConfig apps/DaemonSet apps/Deployment apps/Job apps/ReplicaSet core/ReplicationController apps/StatefulSet core/Pod batch/CronJob +# METADATA +# title: 'RHCOP-OCP_BESTPRACT-00018: Container volume mount not set' +# description: A volume does not have a corresponding volume mount. There is probably +# a mistake in your definition. +# custom: +# matchers: +# kinds: +# - apiGroups: +# - "" +# kinds: +# - Pod +# - ReplicationController +# - apiGroups: +# - apps +# kinds: +# - DaemonSet +# - Deployment +# - Job +# - ReplicaSet +# - StatefulSet +# - apiGroups: +# - apps.openshift.io +# kinds: +# - DeploymentConfig +# - apiGroups: +# - batch +# kinds: +# - CronJob package ocp.bestpractices.container_volumemount_missing import data.lib.konstraint.core as konstraint_core diff --git a/policy/ocp/bestpractices/deploymentconfig-triggers-containername/src.rego b/policy/ocp/bestpractices/deploymentconfig-triggers-containername/src.rego index f0764b27..9455e8d8 100644 --- a/policy/ocp/bestpractices/deploymentconfig-triggers-containername/src.rego +++ b/policy/ocp/bestpractices/deploymentconfig-triggers-containername/src.rego 
@@ -1,9 +1,15 @@ -# @title RHCOP-OCP_BESTPRACT-00027: DeploymentConfig triggers container name miss match -# -# If you are using a DeploymentConfig with 'spec.triggers' set, but the container name does not match the trigger will never fire. -# There is probably a mistake in your definition. -# -# @kinds apps.openshift.io/DeploymentConfig +# METADATA +# title: 'RHCOP-OCP_BESTPRACT-00027: DeploymentConfig triggers container name miss match' +# description: |- +# If you are using a DeploymentConfig with 'spec.triggers' set, but the container name does not match the trigger will never fire. +# There is probably a mistake in your definition. +# custom: +# matchers: +# kinds: +# - apiGroups: +# - apps.openshift.io +# kinds: +# - DeploymentConfig package ocp.bestpractices.deploymentconfig_triggers_containername import data.lib.konstraint.core as konstraint_core diff --git a/policy/ocp/bestpractices/deploymentconfig-triggers-notset/src.rego b/policy/ocp/bestpractices/deploymentconfig-triggers-notset/src.rego index d6d315e9..4fcf4bdd 100644 --- a/policy/ocp/bestpractices/deploymentconfig-triggers-notset/src.rego +++ b/policy/ocp/bestpractices/deploymentconfig-triggers-notset/src.rego @@ -1,9 +1,15 @@ -# @title RHCOP-OCP_BESTPRACT-00019: DeploymentConfig triggers not set -# -# If you are using a DeploymentConfig without 'spec.triggers' set, you could probably just use the k8s Deployment. -# -# @skip-constraint -# @kinds apps.openshift.io/DeploymentConfig +# METADATA +# title: 'RHCOP-OCP_BESTPRACT-00019: DeploymentConfig triggers not set' +# description: If you are using a DeploymentConfig without 'spec.triggers' set, you +# could probably just use the k8s Deployment. +# custom: +# matchers: +# kinds: +# - apiGroups: +# - apps.openshift.io +# kinds: +# - DeploymentConfig +# skipConstraint: true package ocp.bestpractices.deploymentconfig_triggers_notset import data.lib.konstraint.core as konstraint_core 
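Review bot: The title carried into the METADATA block keeps the pre-existing typo `miss match`; since the title is presumably what readers of the generated documentation see, this conversion is the natural place to correct it to `title: 'RHCOP-OCP_BESTPRACT-00027: DeploymentConfig triggers container name mismatch'`. The description in the same block would also read more clearly with a comma before `the trigger will never fire`. The second hunk on this line (deploymentconfig-triggers-notset) looks consistent with the rest of the change and needs nothing further.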
diff --git a/policy/ocp/bestpractices/pod-antiaffinity-notset/src.rego b/policy/ocp/bestpractices/pod-antiaffinity-notset/src.rego index 8080f8d8..d1eb0f07 100644 --- a/policy/ocp/bestpractices/pod-antiaffinity-notset/src.rego +++ b/policy/ocp/bestpractices/pod-antiaffinity-notset/src.rego @@ -1,11 +1,28 @@ -# @title RHCOP-OCP_BESTPRACT-00026: Pod anti-affinity not set +# METADATA +# title: 'RHCOP-OCP_BESTPRACT-00026: Pod anti-affinity not set' +# description: |- +# Even if you run several copies of your Pods, there are no guarantees that losing a node won't take down your service. +# Anti-Affinity # -# Even if you run several copies of your Pods, there are no guarantees that losing a node won't take down your service. -# Anti-Affinity -# -# See: https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/#inter-pod-affinity-and-anti-affinity -# -# @kinds apps.openshift.io/DeploymentConfig apps/Deployment apps/ReplicaSet core/ReplicationController apps/StatefulSet core/Pod +# See: https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/#inter-pod-affinity-and-anti-affinity +# custom: +# matchers: +# kinds: +# - apiGroups: +# - "" +# kinds: +# - Pod +# - ReplicationController +# - apiGroups: +# - apps +# kinds: +# - Deployment +# - ReplicaSet +# - StatefulSet +# - apiGroups: +# - apps.openshift.io +# kinds: +# - DeploymentConfig package ocp.bestpractices.pod_antiaffinity_notset import data.lib.konstraint.core as konstraint_core diff --git a/policy/ocp/bestpractices/pod-hostnetwork/src.rego b/policy/ocp/bestpractices/pod-hostnetwork/src.rego index 43e9e814..fcd75726 100644 --- a/policy/ocp/bestpractices/pod-hostnetwork/src.rego +++ b/policy/ocp/bestpractices/pod-hostnetwork/src.rego 
@@ -1,8 +1,31 @@ -# @title RHCOP-OCP_BESTPRACT-00020: Pod hostnetwork not set -# -# Pods which require 'spec.hostNetwork' should be limited due to security concerns. -# -# @kinds apps.openshift.io/DeploymentConfig apps/DaemonSet apps/Deployment apps/Job apps/ReplicaSet core/ReplicationController apps/StatefulSet core/Pod batch/CronJob +# METADATA +# title: 'RHCOP-OCP_BESTPRACT-00020: Pod hostnetwork not set' +# description: Pods which require 'spec.hostNetwork' should be limited due to security +# concerns. +# custom: +# matchers: +# kinds: +# - apiGroups: +# - "" +# kinds: +# - Pod +# - ReplicationController +# - apiGroups: +# - apps +# kinds: +# - DaemonSet +# - Deployment +# - Job +# - ReplicaSet +# - StatefulSet +# - apiGroups: +# - apps.openshift.io +# kinds: +# - DeploymentConfig +# - apiGroups: +# - batch +# kinds: +# - CronJob package ocp.bestpractices.pod_hostnetwork import data.lib.konstraint.core as konstraint_core diff --git a/policy/ocp/bestpractices/pod-replicas-below-one/src.rego b/policy/ocp/bestpractices/pod-replicas-below-one/src.rego index d172b3c8..e19d0457 100644 --- a/policy/ocp/bestpractices/pod-replicas-below-one/src.rego +++ b/policy/ocp/bestpractices/pod-replicas-below-one/src.rego @@ -1,9 +1,19 @@ -# @title RHCOP-OCP_BESTPRACT-00021: Pod replica below 1 -# -# Never run a single Pod individually. -# See: Fault tolerance -> https://learnk8s.io/production-best-practices#application-development -# -# @kinds apps.openshift.io/DeploymentConfig apps/Deployment +# METADATA +# title: 'RHCOP-OCP_BESTPRACT-00021: Pod replica below 1' +# description: |- +# Never run a single Pod individually. +# See: Fault tolerance -> https://learnk8s.io/production-best-practices#application-development +# custom: +# matchers: +# kinds: +# - apiGroups: +# - apps +# kinds: +# - Deployment +# - apiGroups: +# - apps.openshift.io +# kinds: +# - DeploymentConfig package ocp.bestpractices.pod_replicas_below_one import data.lib.konstraint.core as konstraint_core 
diff --git a/policy/ocp/bestpractices/pod-replicas-not-odd/src.rego b/policy/ocp/bestpractices/pod-replicas-not-odd/src.rego index 17b0dec7..60a68048 100644 --- a/policy/ocp/bestpractices/pod-replicas-not-odd/src.rego +++ b/policy/ocp/bestpractices/pod-replicas-not-odd/src.rego @@ -1,9 +1,19 @@ -# @title RHCOP-OCP_BESTPRACT-00022: Pod replica is not odd -# -# Pods should be run with a replica which is odd, i.e.: 3, 5, 7, etc, for HA guarantees. -# See: Fault tolerance -> https://learnk8s.io/production-best-practices#application-development -# -# @kinds apps.openshift.io/DeploymentConfig apps/Deployment +# METADATA +# title: 'RHCOP-OCP_BESTPRACT-00022: Pod replica is not odd' +# description: |- +# Pods should be run with a replica which is odd, i.e.: 3, 5, 7, etc, for HA guarantees. +# See: Fault tolerance -> https://learnk8s.io/production-best-practices#application-development +# custom: +# matchers: +# kinds: +# - apiGroups: +# - apps +# kinds: +# - Deployment +# - apiGroups: +# - apps.openshift.io +# kinds: +# - DeploymentConfig package ocp.bestpractices.pod_replicas_not_odd import data.lib.konstraint.core as konstraint_core diff --git a/policy/ocp/bestpractices/rolebinding-roleref-apigroup-notset/src.rego b/policy/ocp/bestpractices/rolebinding-roleref-apigroup-notset/src.rego index 39047d5d..f1c6ebe7 100644 --- a/policy/ocp/bestpractices/rolebinding-roleref-apigroup-notset/src.rego +++ b/policy/ocp/bestpractices/rolebinding-roleref-apigroup-notset/src.rego 
@@ -1,9 +1,14 @@ -# @title RHCOP-OCP_BESTPRACT-00023: RoleBinding has apiGroup set -# -# Migrating from 3.11 to 4.x requires the 'roleRef.apiGroup' to be set. -# -# @skip-constraint -# @kinds rbac.authorization.k8s.io/RoleBinding +# METADATA +# title: 'RHCOP-OCP_BESTPRACT-00023: RoleBinding has apiGroup set' +# description: Migrating from 3.11 to 4.x requires the 'roleRef.apiGroup' to be set. +# custom: +# matchers: +# kinds: +# - apiGroups: +# - rbac.authorization.k8s.io +# kinds: +# - RoleBinding +# skipConstraint: true package ocp.bestpractices.rolebinding_roleref_apigroup_notset import data.lib.konstraint.core as konstraint_core diff --git a/policy/ocp/bestpractices/rolebinding-roleref-kind-notset/src.rego b/policy/ocp/bestpractices/rolebinding-roleref-kind-notset/src.rego index 38cd3bf7..0a0bd022 100644 --- a/policy/ocp/bestpractices/rolebinding-roleref-kind-notset/src.rego +++ b/policy/ocp/bestpractices/rolebinding-roleref-kind-notset/src.rego @@ -1,9 +1,14 @@ -# @title RHCOP-OCP_BESTPRACT-00024: RoleBinding has kind set -# -# Migrating from 3.11 to 4.x requires the 'roleRef.kind' to be set. -# -# @skip-constraint -# @kinds rbac.authorization.k8s.io/RoleBinding +# METADATA +# title: 'RHCOP-OCP_BESTPRACT-00024: RoleBinding has kind set' +# description: Migrating from 3.11 to 4.x requires the 'roleRef.kind' to be set. +# custom: +# matchers: +# kinds: +# - apiGroups: +# - rbac.authorization.k8s.io +# kinds: +# - RoleBinding +# skipConstraint: true package ocp.bestpractices.rolebinding_roleref_kind_notset import data.lib.konstraint.core as konstraint_core diff --git a/policy/ocp/bestpractices/route-tls-termination-notset/src.rego b/policy/ocp/bestpractices/route-tls-termination-notset/src.rego index 647cddfc..ed970f39 100644 --- a/policy/ocp/bestpractices/route-tls-termination-notset/src.rego +++ b/policy/ocp/bestpractices/route-tls-termination-notset/src.rego 
@@ -1,8 +1,13 @@ -# @title RHCOP-OCP_BESTPRACT-00025: Route has TLS Termination Defined -# -# Routes should specify a TLS termination type to allow only secure ingress. -# -# @kinds route.openshift.io/Route +# METADATA +# title: 'RHCOP-OCP_BESTPRACT-00025: Route has TLS Termination Defined' +# description: Routes should specify a TLS termination type to allow only secure ingress. +# custom: +# matchers: +# kinds: +# - apiGroups: +# - route.openshift.io +# kinds: +# - Route package ocp.bestpractices.route_tls_termination_notset import data.lib.konstraint.core as konstraint_core diff --git a/policy/ocp/deprecated/3_11/buildconfig-v1/src.rego b/policy/ocp/deprecated/3_11/buildconfig-v1/src.rego index f15061f5..af58871e 100644 --- a/policy/ocp/deprecated/3_11/buildconfig-v1/src.rego +++ b/policy/ocp/deprecated/3_11/buildconfig-v1/src.rego @@ -1,9 +1,14 @@ -# @title RHCOP-OCP_DEPRECATED-3_11-00001: BuildConfig no longer served by v1 -# -# OCP4.x expects build.openshift.io/v1. -# -# @skip-constraint -# @kinds v1/BuildConfig +# METADATA +# title: 'RHCOP-OCP_DEPRECATED-3_11-00001: BuildConfig no longer served by v1' +# description: OCP4.x expects build.openshift.io/v1. +# custom: +# matchers: +# kinds: +# - apiGroups: +# - v1 +# kinds: +# - BuildConfig +# skipConstraint: true package ocp.deprecated.ocp3_11.buildconfig_v1 import data.lib.konstraint.core as konstraint_core diff --git a/policy/ocp/deprecated/3_11/deploymentconfig-v1/src.rego b/policy/ocp/deprecated/3_11/deploymentconfig-v1/src.rego index 95b6015e..c1c40890 100644 --- a/policy/ocp/deprecated/3_11/deploymentconfig-v1/src.rego +++ b/policy/ocp/deprecated/3_11/deploymentconfig-v1/src.rego 
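Review bot: In the buildconfig-v1 hunk (the second hunk on this line) `apiGroups: - v1` places an API version where the matcher expects an API group; the legacy `v1` objects this policy targets live in the core group, which the Pod matchers elsewhere in this change spell as `- ""`. Because the block also sets `skipConstraint: true` no Constraint is generated from it, so there is no runtime effect today, but the matcher is misleading and would silently never match anything if the skip were ever removed. The same `- v1` entry appears in the deploymentconfig-v1, imagestream-v1, projectrequest-v1, rolebinding-v1, route-v1, securitycontextconstraints-v1 and template-v1 hunks. If the intent is to record the deprecated apiVersion rather than a group, a comment such as `# 'v1' is the deprecated apiVersion being flagged, not a K8s API group; no Constraint is generated` would make that explicit.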
@@ -1,9 +1,14 @@ -# @title RHCOP-OCP_DEPRECATED-3_11-00002: DeploymentConfig no longer served by v1 -# -# OCP4.x expects apps.openshift.io/v1. -# -# @skip-constraint -# @kinds v1/DeploymentConfig +# METADATA +# title: 'RHCOP-OCP_DEPRECATED-3_11-00002: DeploymentConfig no longer served by v1' +# description: OCP4.x expects apps.openshift.io/v1. +# custom: +# matchers: +# kinds: +# - apiGroups: +# - v1 +# kinds: +# - DeploymentConfig +# skipConstraint: true package ocp.deprecated.ocp3_11.deploymentconfig_v1 import data.lib.konstraint.core as konstraint_core diff --git a/policy/ocp/deprecated/3_11/imagestream-v1/src.rego b/policy/ocp/deprecated/3_11/imagestream-v1/src.rego index 8e930608..da09c366 100644 --- a/policy/ocp/deprecated/3_11/imagestream-v1/src.rego +++ b/policy/ocp/deprecated/3_11/imagestream-v1/src.rego @@ -1,9 +1,14 @@ -# @title RHCOP-OCP_DEPRECATED-3_11-00003: ImageStream no longer served by v1 -# -# OCP4.x expects image.openshift.io/v1. -# -# @skip-constraint -# @kinds v1/ImageStream +# METADATA +# title: 'RHCOP-OCP_DEPRECATED-3_11-00003: ImageStream no longer served by v1' +# description: OCP4.x expects image.openshift.io/v1. +# custom: +# matchers: +# kinds: +# - apiGroups: +# - v1 +# kinds: +# - ImageStream +# skipConstraint: true package ocp.deprecated.ocp3_11.imagestream_v1 import data.lib.konstraint.core as konstraint_core diff --git a/policy/ocp/deprecated/3_11/projectrequest-v1/src.rego b/policy/ocp/deprecated/3_11/projectrequest-v1/src.rego index 0faf847a..ab752eb4 100644 --- a/policy/ocp/deprecated/3_11/projectrequest-v1/src.rego +++ b/policy/ocp/deprecated/3_11/projectrequest-v1/src.rego 
@@ -1,9 +1,14 @@ -# @title RHCOP-OCP_DEPRECATED-3_11-00004: ProjectRequest no longer served by v1 -# -# OCP4.x expects project.openshift.io/v1. -# -# @skip-constraint -# @kinds v1/ProjectRequest +# METADATA +# title: 'RHCOP-OCP_DEPRECATED-3_11-00004: ProjectRequest no longer served by v1' +# description: OCP4.x expects project.openshift.io/v1. +# custom: +# matchers: +# kinds: +# - apiGroups: +# - v1 +# kinds: +# - ProjectRequest +# skipConstraint: true package ocp.deprecated.ocp3_11.projectrequest_v1 import data.lib.konstraint.core as konstraint_core diff --git a/policy/ocp/deprecated/3_11/rolebinding-v1/src.rego b/policy/ocp/deprecated/3_11/rolebinding-v1/src.rego index 833e5457..5337ab22 100644 --- a/policy/ocp/deprecated/3_11/rolebinding-v1/src.rego +++ b/policy/ocp/deprecated/3_11/rolebinding-v1/src.rego @@ -1,9 +1,14 @@ -# @title RHCOP-OCP_DEPRECATED-3_11-00005: RoleBinding no longer served by v1 -# -# OCP4.x expects rbac.authorization.k8s.io/v1 -# -# @skip-constraint -# @kinds v1/RoleBinding +# METADATA +# title: 'RHCOP-OCP_DEPRECATED-3_11-00005: RoleBinding no longer served by v1' +# description: OCP4.x expects rbac.authorization.k8s.io/v1 +# custom: +# matchers: +# kinds: +# - apiGroups: +# - v1 +# kinds: +# - RoleBinding +# skipConstraint: true package ocp.deprecated.ocp3_11.rolebinding_v1 import data.lib.konstraint.core as konstraint_core diff --git a/policy/ocp/deprecated/3_11/route-v1/src.rego b/policy/ocp/deprecated/3_11/route-v1/src.rego index efc4f09e..b295789d 100644 --- a/policy/ocp/deprecated/3_11/route-v1/src.rego +++ b/policy/ocp/deprecated/3_11/route-v1/src.rego 
@@ -1,9 +1,14 @@ -# @title RHCOP-OCP_DEPRECATED-3_11-00006: Route no longer served by v1 -# -# OCP4.x expects route.openshift.io/v1. -# -# @skip-constraint -# @kinds v1/Route +# METADATA +# title: 'RHCOP-OCP_DEPRECATED-3_11-00006: Route no longer served by v1' +# description: OCP4.x expects route.openshift.io/v1. +# custom: +# matchers: +# kinds: +# - apiGroups: +# - v1 +# kinds: +# - Route +# skipConstraint: true package ocp.deprecated.ocp3_11.route_v1 import data.lib.konstraint.core as konstraint_core diff --git a/policy/ocp/deprecated/3_11/securitycontextconstraints-v1/src.rego b/policy/ocp/deprecated/3_11/securitycontextconstraints-v1/src.rego index 6a5827b3..cebabdde 100644 --- a/policy/ocp/deprecated/3_11/securitycontextconstraints-v1/src.rego +++ b/policy/ocp/deprecated/3_11/securitycontextconstraints-v1/src.rego @@ -1,9 +1,15 @@ -# @title RHCOP-OCP_DEPRECATED-3_11-00007: SecurityContextConstraints no longer served by v1 -# -# OCP4.x expects security.openshift.io/v1. -# -# @skip-constraint -# @kinds v1/SecurityContextConstraints +# METADATA +# title: 'RHCOP-OCP_DEPRECATED-3_11-00007: SecurityContextConstraints no longer served +# by v1' +# description: OCP4.x expects security.openshift.io/v1. +# custom: +# matchers: +# kinds: +# - apiGroups: +# - v1 +# kinds: +# - SecurityContextConstraints +# skipConstraint: true package ocp.deprecated.ocp3_11.securitycontextconstraints_v1 import data.lib.konstraint.core as konstraint_core diff --git a/policy/ocp/deprecated/3_11/template-v1/src.rego b/policy/ocp/deprecated/3_11/template-v1/src.rego index 7058c0d9..ae1581de 100644 --- a/policy/ocp/deprecated/3_11/template-v1/src.rego +++ b/policy/ocp/deprecated/3_11/template-v1/src.rego 
@@ -1,9 +1,14 @@ -# @title RHCOP-OCP_DEPRECATED-3_11-00008: Template no longer served by v1 -# -# OCP4.x expects template.openshift.io/v1. -# -# @skip-constraint -# @kinds v1/Template +# METADATA +# title: 'RHCOP-OCP_DEPRECATED-3_11-00008: Template no longer served by v1' +# description: OCP4.x expects template.openshift.io/v1. +# custom: +# matchers: +# kinds: +# - apiGroups: +# - v1 +# kinds: +# - Template +# skipConstraint: true package ocp.deprecated.ocp3_11.template_v1 import data.lib.konstraint.core as konstraint_core diff --git a/policy/ocp/deprecated/4_1/buildconfig-custom-strategy/src.rego b/policy/ocp/deprecated/4_1/buildconfig-custom-strategy/src.rego index 6295198a..8dad3526 100644 --- a/policy/ocp/deprecated/4_1/buildconfig-custom-strategy/src.rego +++ b/policy/ocp/deprecated/4_1/buildconfig-custom-strategy/src.rego @@ -1,10 +1,16 @@ -# @title RHCOP-OCP_DEPRECATED-4_1-00001: BuildConfig exposeDockerSocket deprecated -# -# 'spec.strategy.customStrategy.exposeDockerSocket' is no longer supported by BuildConfig. -# See: https://docs.openshift.com/container-platform/4.1/release_notes/ocp-4-1-release-notes.html#ocp-41-deprecated-features -# -# @skip-constraint -# @kinds build.openshift.io/BuildConfig +# METADATA +# title: 'RHCOP-OCP_DEPRECATED-4_1-00001: BuildConfig exposeDockerSocket deprecated' +# description: |- +# 'spec.strategy.customStrategy.exposeDockerSocket' is no longer supported by BuildConfig. +# See: https://docs.openshift.com/container-platform/4.1/release_notes/ocp-4-1-release-notes.html#ocp-41-deprecated-features +# custom: +# matchers: +# kinds: +# - apiGroups: +# - build.openshift.io +# kinds: +# - BuildConfig +# skipConstraint: true package ocp.deprecated.ocp4_1.buildconfig_custom_strategy import data.lib.konstraint.core as konstraint_core diff --git a/policy/ocp/deprecated/4_2/authorization-openshift/src.rego b/policy/ocp/deprecated/4_2/authorization-openshift/src.rego index 56694324..7e4692cb 100644 
--- a/policy/ocp/deprecated/4_2/authorization-openshift/src.rego +++ b/policy/ocp/deprecated/4_2/authorization-openshift/src.rego @@ -1,10 +1,19 @@ -# @title RHCOP-OCP_DEPRECATED-4_2-00001: authorization openshift io is deprecated -# -# From OCP4.2 onwards, you should migrate from 'authorization.openshift.io' to rbac.authorization.k8s.io/v1. -# See: https://docs.openshift.com/container-platform/4.2/release_notes/ocp-4-2-release-notes.html#ocp-4-2-deprecated-features -# -# @skip-constraint -# @kinds authorization.openshift.io/ClusterRole authorization.openshift.io/ClusterRoleBinding authorization.openshift.io/Role authorization.openshift.io/RoleBinding +# METADATA +# title: 'RHCOP-OCP_DEPRECATED-4_2-00001: authorization openshift io is deprecated' +# description: |- +# From OCP4.2 onwards, you should migrate from 'authorization.openshift.io' to rbac.authorization.k8s.io/v1. +# See: https://docs.openshift.com/container-platform/4.2/release_notes/ocp-4-2-release-notes.html#ocp-4-2-deprecated-features +# custom: +# matchers: +# kinds: +# - apiGroups: +# - authorization.openshift.io +# kinds: +# - ClusterRole +# - ClusterRoleBinding +# - Role +# - RoleBinding +# skipConstraint: true package ocp.deprecated.ocp4_2.authorization_openshift import data.lib.konstraint.core as konstraint_core diff --git a/policy/ocp/deprecated/4_2/automationbroker-v1alpha1/src.rego b/policy/ocp/deprecated/4_2/automationbroker-v1alpha1/src.rego index e3afa41f..af0279f5 100644 --- a/policy/ocp/deprecated/4_2/automationbroker-v1alpha1/src.rego +++ b/policy/ocp/deprecated/4_2/automationbroker-v1alpha1/src.rego 
@@ -1,11 +1,19 @@ -# @title RHCOP-OCP_DEPRECATED-4_2-00002: automationbroker io v1alpha1 is deprecated -# -# 'automationbroker.io/v1alpha1' is deprecated in OCP 4.2 and removed in 4.4. -# See: https://docs.openshift.com/container-platform/4.2/release_notes/ocp-4-2-release-notes.html#ocp-4-2-deprecated-features -# See: https://docs.openshift.com/container-platform/4.4/release_notes/ocp-4-4-release-notes.html#ocp-4-4-deprecated-removed-features -# -# @skip-constraint -# @kinds automationbroker.io/Bundle automationbroker.io/BundleBinding automationbroker.io/BundleInstance +# METADATA +# title: 'RHCOP-OCP_DEPRECATED-4_2-00002: automationbroker io v1alpha1 is deprecated' +# description: |- +# 'automationbroker.io/v1alpha1' is deprecated in OCP 4.2 and removed in 4.4. +# See: https://docs.openshift.com/container-platform/4.2/release_notes/ocp-4-2-release-notes.html#ocp-4-2-deprecated-features +# See: https://docs.openshift.com/container-platform/4.4/release_notes/ocp-4-4-release-notes.html#ocp-4-4-deprecated-removed-features +# custom: +# matchers: +# kinds: +# - apiGroups: +# - automationbroker.io +# kinds: +# - Bundle +# - BundleBinding +# - BundleInstance +# skipConstraint: true package ocp.deprecated.ocp4_2.automationbroker_v1alpha1 import data.lib.konstraint.core as konstraint_core diff --git a/policy/ocp/deprecated/4_2/catalogsourceconfigs-v1/src.rego b/policy/ocp/deprecated/4_2/catalogsourceconfigs-v1/src.rego index c8d41591..ff1e2b0c 100644 --- a/policy/ocp/deprecated/4_2/catalogsourceconfigs-v1/src.rego +++ b/policy/ocp/deprecated/4_2/catalogsourceconfigs-v1/src.rego 
@@ -1,11 +1,18 @@ -# @title RHCOP-OCP_DEPRECATED-4_2-00003: operators coreos com v1 CatalogSourceConfigs is deprecated -# -# 'operators.coreos.com/v1:CatalogSourceConfigs' is deprecated in OCP 4.2 and removed in 4.5. -# See: https://docs.openshift.com/container-platform/4.2/release_notes/ocp-4-2-release-notes.html#ocp-4-2-deprecated-features -# See: https://docs.openshift.com/container-platform/4.5/release_notes/ocp-4-5-release-notes.html#ocp-4-5-deprecated-removed-features -# -# @skip-constraint -# @kinds operators.coreos.com/CatalogSourceConfigs +# METADATA +# title: 'RHCOP-OCP_DEPRECATED-4_2-00003: operators coreos com v1 CatalogSourceConfigs +# is deprecated' +# description: |- +# 'operators.coreos.com/v1:CatalogSourceConfigs' is deprecated in OCP 4.2 and removed in 4.5. +# See: https://docs.openshift.com/container-platform/4.2/release_notes/ocp-4-2-release-notes.html#ocp-4-2-deprecated-features +# See: https://docs.openshift.com/container-platform/4.5/release_notes/ocp-4-5-release-notes.html#ocp-4-5-deprecated-removed-features +# custom: +# matchers: +# kinds: +# - apiGroups: +# - operators.coreos.com +# kinds: +# - CatalogSourceConfigs +# skipConstraint: true package ocp.deprecated.ocp4_2.catalogsourceconfigs_v1 import data.lib.konstraint.core as konstraint_core diff --git a/policy/ocp/deprecated/4_2/catalogsourceconfigs-v2/src.rego b/policy/ocp/deprecated/4_2/catalogsourceconfigs-v2/src.rego index 328935f8..efbeebcb 100644 --- a/policy/ocp/deprecated/4_2/catalogsourceconfigs-v2/src.rego +++ b/policy/ocp/deprecated/4_2/catalogsourceconfigs-v2/src.rego 
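Review bot: This hunk and the catalogsourceconfigs-v2 hunk that follows declare the identical matcher (`operators.coreos.com` / `CatalogSourceConfigs`), so the kind matcher alone cannot distinguish the v1 policy from the v2 one; the version distinction must be made on `apiVersion` in the rule bodies, which lie outside both hunks. With `skipConstraint: true` nothing is generated from these matchers, so this is harmless now, but a reader comparing the two METADATA blocks cannot tell why they are separate policies. A one-line comment in each, e.g. `# matcher is not version-aware; the v1/v2 check is done on apiVersion in the rule body`, would document that.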
@@ -1,11 +1,18 @@ -# @title RHCOP-OCP_DEPRECATED-4_2-00004: operators coreos com v2 CatalogSourceConfigs is deprecated -# -# 'operators.coreos.com/v2:CatalogSourceConfigs' is deprecated in OCP 4.2 and removed in 4.5. -# See: https://docs.openshift.com/container-platform/4.2/release_notes/ocp-4-2-release-notes.html#ocp-4-2-deprecated-features -# See: https://docs.openshift.com/container-platform/4.5/release_notes/ocp-4-5-release-notes.html#ocp-4-5-deprecated-removed-features -# -# @skip-constraint -# @kinds operators.coreos.com/CatalogSourceConfigs +# METADATA +# title: 'RHCOP-OCP_DEPRECATED-4_2-00004: operators coreos com v2 CatalogSourceConfigs +# is deprecated' +# description: |- +# 'operators.coreos.com/v2:CatalogSourceConfigs' is deprecated in OCP 4.2 and removed in 4.5. +# See: https://docs.openshift.com/container-platform/4.2/release_notes/ocp-4-2-release-notes.html#ocp-4-2-deprecated-features +# See: https://docs.openshift.com/container-platform/4.5/release_notes/ocp-4-5-release-notes.html#ocp-4-5-deprecated-removed-features +# custom: +# matchers: +# kinds: +# - apiGroups: +# - operators.coreos.com +# kinds: +# - CatalogSourceConfigs +# skipConstraint: true package ocp.deprecated.ocp4_2.catalogsourceconfigs_v2 import data.lib.konstraint.core as konstraint_core diff --git a/policy/ocp/deprecated/4_2/operatorsources-v1/src.rego b/policy/ocp/deprecated/4_2/operatorsources-v1/src.rego index 423a1f25..1fac4ccd 100644 --- a/policy/ocp/deprecated/4_2/operatorsources-v1/src.rego +++ b/policy/ocp/deprecated/4_2/operatorsources-v1/src.rego 
@@ -1,10 +1,17 @@ -# @title RHCOP-OCP_DEPRECATED-4_2-00005: operators coreos com v1 OperatorSource is deprecated -# -# 'operators.coreos.com/v1:OperatorSource' is deprecated in OCP 4.2 and will be removed in a future version. -# See: https://docs.openshift.com/container-platform/4.2/release_notes/ocp-4-2-release-notes.html#ocp-4-2-deprecated-features -# -# @skip-constraint -# @kinds operators.coreos.com/OperatorSource +# METADATA +# title: 'RHCOP-OCP_DEPRECATED-4_2-00005: operators coreos com v1 OperatorSource is +# deprecated' +# description: |- +# 'operators.coreos.com/v1:OperatorSource' is deprecated in OCP 4.2 and will be removed in a future version. +# See: https://docs.openshift.com/container-platform/4.2/release_notes/ocp-4-2-release-notes.html#ocp-4-2-deprecated-features +# custom: +# matchers: +# kinds: +# - apiGroups: +# - operators.coreos.com +# kinds: +# - OperatorSource +# skipConstraint: true package ocp.deprecated.ocp4_2.operatorsources_v1 import data.lib.konstraint.core as konstraint_core diff --git a/policy/ocp/deprecated/4_2/osb-v1/src.rego b/policy/ocp/deprecated/4_2/osb-v1/src.rego index e777cdb2..7bade8d7 100644 --- a/policy/ocp/deprecated/4_2/osb-v1/src.rego +++ b/policy/ocp/deprecated/4_2/osb-v1/src.rego 
@@ -1,11 +1,18 @@ -# @title RHCOP-OCP_DEPRECATED-4_2-00006: osb openshift io v1 is deprecated -# -# 'osb.openshift.io/v1' is deprecated in OCP 4.2 and removed in 4.5. -# See: https://docs.openshift.com/container-platform/4.2/release_notes/ocp-4-2-release-notes.html#ocp-4-2-deprecated-features -# See: https://docs.openshift.com/container-platform/4.5/release_notes/ocp-4-5-release-notes.html#ocp-4-5-deprecated-removed-features -# -# @skip-constraint -# @kinds osb.openshift.io/TemplateServiceBroker osb.openshift.io/AutomationBroker +# METADATA +# title: 'RHCOP-OCP_DEPRECATED-4_2-00006: osb openshift io v1 is deprecated' +# description: |- +# 'osb.openshift.io/v1' is deprecated in OCP 4.2 and removed in 4.5. +# See: https://docs.openshift.com/container-platform/4.2/release_notes/ocp-4-2-release-notes.html#ocp-4-2-deprecated-features +# See: https://docs.openshift.com/container-platform/4.5/release_notes/ocp-4-5-release-notes.html#ocp-4-5-deprecated-removed-features +# custom: +# matchers: +# kinds: +# - apiGroups: +# - osb.openshift.io +# kinds: +# - AutomationBroker +# - TemplateServiceBroker +# skipConstraint: true package ocp.deprecated.ocp4_2.osb_v1 import data.lib.konstraint.core as konstraint_core diff --git a/policy/ocp/deprecated/4_2/servicecatalog-v1beta1/src.rego b/policy/ocp/deprecated/4_2/servicecatalog-v1beta1/src.rego index 9b42b239..4c189474 100644 --- a/policy/ocp/deprecated/4_2/servicecatalog-v1beta1/src.rego +++ b/policy/ocp/deprecated/4_2/servicecatalog-v1beta1/src.rego 
@@ -1,11 +1,21 @@ -# @title RHCOP-OCP_DEPRECATED-4_2-00007: servicecatalog k8s io v1beta1 is deprecated -# -# 'servicecatalog.k8s.io/v1beta1' is deprecated in OCP 4.2 and removed in 4.5. -# See: https://docs.openshift.com/container-platform/4.2/release_notes/ocp-4-2-release-notes.html#ocp-4-2-deprecated-features -# See: https://docs.openshift.com/container-platform/4.5/release_notes/ocp-4-5-release-notes.html#ocp-4-5-deprecated-removed-features -# -# @skip-constraint -# @kinds servicecatalog.k8s.io/ClusterServiceBroker servicecatalog.k8s.io/ClusterServiceClass servicecatalog.k8s.io/ClusterServicePlan servicecatalog.k8s.io/ServiceInstance servicecatalog.k8s.io/ServiceBinding +# METADATA +# title: 'RHCOP-OCP_DEPRECATED-4_2-00007: servicecatalog k8s io v1beta1 is deprecated' +# description: |- +# 'servicecatalog.k8s.io/v1beta1' is deprecated in OCP 4.2 and removed in 4.5. +# See: https://docs.openshift.com/container-platform/4.2/release_notes/ocp-4-2-release-notes.html#ocp-4-2-deprecated-features +# See: https://docs.openshift.com/container-platform/4.5/release_notes/ocp-4-5-release-notes.html#ocp-4-5-deprecated-removed-features +# custom: +# matchers: +# kinds: +# - apiGroups: +# - servicecatalog.k8s.io +# kinds: +# - ClusterServiceBroker +# - ClusterServiceClass +# - ClusterServicePlan +# - ServiceBinding +# - ServiceInstance +# skipConstraint: true package ocp.deprecated.ocp4_2.servicecatalog_v1beta1 import data.lib.konstraint.core as konstraint_core diff --git a/policy/ocp/deprecated/4_3/buildconfig-jenkinspipeline-strategy/src.rego b/policy/ocp/deprecated/4_3/buildconfig-jenkinspipeline-strategy/src.rego index 3ae8b1e5..c3668817 100644 --- a/policy/ocp/deprecated/4_3/buildconfig-jenkinspipeline-strategy/src.rego +++ b/policy/ocp/deprecated/4_3/buildconfig-jenkinspipeline-strategy/src.rego 
@@ -1,10 +1,16 @@ -# @title RHCOP-OCP_DEPRECATED-4_3-00001: BuildConfig jenkinsPipelineStrategy is deprecated -# -# 'spec.strategy.jenkinsPipelineStrategy' is no longer supported by BuildConfig. -# See: https://docs.openshift.com/container-platform/4.3/release_notes/ocp-4-3-release-notes.html#ocp-4-3-deprecated-features -# -# @skip-constraint -# @kinds build.openshift.io/BuildConfig +# METADATA +# title: 'RHCOP-OCP_DEPRECATED-4_3-00001: BuildConfig jenkinsPipelineStrategy is deprecated' +# description: |- +# 'spec.strategy.jenkinsPipelineStrategy' is no longer supported by BuildConfig. +# See: https://docs.openshift.com/container-platform/4.3/release_notes/ocp-4-3-release-notes.html#ocp-4-3-deprecated-features +# custom: +# matchers: +# kinds: +# - apiGroups: +# - build.openshift.io +# kinds: +# - BuildConfig +# skipConstraint: true package ocp.deprecated.ocp4_3.buildconfig_jenkinspipeline_strategy import data.lib.konstraint.core as konstraint_core diff --git a/policy/ocp/requiresinventory/deployment-has-matching-poddisruptionbudget/src.rego b/policy/ocp/requiresinventory/deployment-has-matching-poddisruptionbudget/src.rego index 232a01fd..fa8663cd 100644 --- a/policy/ocp/requiresinventory/deployment-has-matching-poddisruptionbudget/src.rego +++ b/policy/ocp/requiresinventory/deployment-has-matching-poddisruptionbudget/src.rego 
@@ -1,10 +1,16 @@ -# @title RHCOP-OCP_REQ_INV-00001: Deployment has a matching PodDisruptionBudget -# -# All Deployments should have matching PodDisruptionBudget, via 'spec.template.metadata.labels', to provide HA guarantees. -# See: Fault tolerance -> https://learnk8s.io/production-best-practices#application-development -# See: https://kubernetes.io/docs/tasks/run-application/configure-pdb/ -# -# @kinds apps/Deployment +# METADATA +# title: 'RHCOP-OCP_REQ_INV-00001: Deployment has a matching PodDisruptionBudget' +# description: |- +# All Deployments should have matching PodDisruptionBudget, via 'spec.template.metadata.labels', to provide HA guarantees. +# See: Fault tolerance -> https://learnk8s.io/production-best-practices#application-development +# See: https://kubernetes.io/docs/tasks/run-application/configure-pdb/ +# custom: +# matchers: +# kinds: +# - apiGroups: +# - apps +# kinds: +# - Deployment package ocp.requiresinventory.deployment_has_matching_poddisruptionbudget import data.lib.konstraint.core as konstraint_core diff --git a/policy/ocp/requiresinventory/deployment-has-matching-pvc/src.rego b/policy/ocp/requiresinventory/deployment-has-matching-pvc/src.rego index e4357d49..667ca95a 100644 --- a/policy/ocp/requiresinventory/deployment-has-matching-pvc/src.rego +++ b/policy/ocp/requiresinventory/deployment-has-matching-pvc/src.rego 
@@ -1,9 +1,15 @@
-# @title RHCOP-OCP_REQ_INV-00002: Deployment has matching PersistentVolumeClaim
-#
-# If Deployment has 'spec.template.spec.volumes.persistentVolumeClaim' set, there should be matching PersistentVolumeClaim.
-# If not, this would suggest a mistake.
-#
-# @kinds apps/Deployment
+# METADATA
+# title: 'RHCOP-OCP_REQ_INV-00002: Deployment has matching PersistentVolumeClaim'
+# description: |-
+# If Deployment has 'spec.template.spec.volumes.persistentVolumeClaim' set, there should be matching PersistentVolumeClaim.
+# If not, this would suggest a mistake.
+# custom:
+# matchers:
+# kinds:
+# - apiGroups:
+# - apps
+# kinds:
+# - Deployment
 package ocp.requiresinventory.deployment_has_matching_pvc
 import data.lib.konstraint.core as konstraint_core
diff --git a/policy/ocp/requiresinventory/deployment-has-matching-service/src.rego b/policy/ocp/requiresinventory/deployment-has-matching-service/src.rego
index beea6c6e..8a0657b9 100644
--- a/policy/ocp/requiresinventory/deployment-has-matching-service/src.rego
+++ b/policy/ocp/requiresinventory/deployment-has-matching-service/src.rego
@@ -1,9 +1,15 @@
-# @title RHCOP-OCP_REQ_INV-00003: Deployment has a matching Service
-#
-# All Deployments should have matching Service, via 'spec.template.metadata.labels'.
-# Deployments without a Service are not accessible and should be questioned as to why.
-#
-# @kinds apps/Deployment
+# METADATA
+# title: 'RHCOP-OCP_REQ_INV-00003: Deployment has a matching Service'
+# description: |-
+# All Deployments should have matching Service, via 'spec.template.metadata.labels'.
+# Deployments without a Service are not accessible and should be questioned as to why.
+# custom:
+# matchers:
+# kinds:
+# - apiGroups:
+# - apps
+# kinds:
+# - Deployment
 package ocp.requiresinventory.deployment_has_matching_service
 import data.lib.konstraint.core as konstraint_core
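Review bot: The description line carried into the deployment-has-matching-service METADATA block, `Deployments without a Service are not accessible and should be questioned as to why.`, overstates the case: pods remain reachable by pod IP, and consumer-only workloads (queue workers, operators, reconcile loops) legitimately have no Service, so readers will treat every such finding as a defect. I would soften it to `Deployments without a Service have no stable in-cluster address; confirm the workload is not meant to receive traffic.` so the finding reads as a prompt for review rather than an error. The rule body is outside this hunk.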
diff --git a/policy/ocp/requiresinventory/deployment-has-matching-serviceaccount/src.rego b/policy/ocp/requiresinventory/deployment-has-matching-serviceaccount/src.rego
index bad4cf9c..318473c9 100644
--- a/policy/ocp/requiresinventory/deployment-has-matching-serviceaccount/src.rego
+++ b/policy/ocp/requiresinventory/deployment-has-matching-serviceaccount/src.rego
@@ -1,9 +1,15 @@
-# @title RHCOP-OCP_REQ_INV-00004: Deployment has matching ServiceAccount
-#
-# If Deployment has 'spec.serviceAccountName' set, there should be matching ServiceAccount.
-# If not, this would suggest a mistake.
-#
-# @kinds apps/Deployment
+# METADATA
+# title: 'RHCOP-OCP_REQ_INV-00004: Deployment has matching ServiceAccount'
+# description: |-
+# If Deployment has 'spec.serviceAccountName' set, there should be matching ServiceAccount.
+# If not, this would suggest a mistake.
+# custom:
+# matchers:
+# kinds:
+# - apiGroups:
+# - apps
+# kinds:
+# - Deployment
 package ocp.requiresinventory.deployment_has_matching_serviceaccount
 import data.lib.konstraint.core as konstraint_core
diff --git a/policy/ocp/requiresinventory/service-has-matching-servicemonitor/src.rego b/policy/ocp/requiresinventory/service-has-matching-servicemonitor/src.rego
index 4bf545c2..bd162ba6 100644
--- a/policy/ocp/requiresinventory/service-has-matching-servicemonitor/src.rego
+++ b/policy/ocp/requiresinventory/service-has-matching-servicemonitor/src.rego
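Review bot: The description copied into the new METADATA block names a field a Deployment does not have: there is no `spec.serviceAccountName` on a Deployment, the service account lives on the pod template at `spec.template.spec.serviceAccountName`, which is also the path style the sibling PVC and label descriptions in this commit use. I would change the line to `If Deployment has 'spec.template.spec.serviceAccountName' set, there should be a matching ServiceAccount.` From a least-privilege angle the description should also note that a Deployment which omits the field runs as the namespace's `default` ServiceAccount, so if the rule body (outside this hunk) only fires when the field is set, that case yields no finding and needs a separate check.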
@@ -1,9 +1,15 @@
-# @title RHCOP-OCP_REQ_INV-00005: Service has matching ServiceMonitor
-#
-# All Service should have a matching ServiceMonitor, via 'spec.selector'.
-# Service without a ServiceMonitor are not being monitored and should be questioned as to why.
-#
-# @kinds core/Service
+# METADATA
+# title: 'RHCOP-OCP_REQ_INV-00005: Service has matching ServiceMonitor'
+# description: |-
+# All Service should have a matching ServiceMonitor, via 'spec.selector'.
+# Service without a ServiceMonitor are not being monitored and should be questioned as to why.
+# custom:
+# matchers:
+# kinds:
+# - apiGroups:
+# - ""
+# kinds:
+# - Service
 package ocp.requiresinventory.service_has_matching_servicenonitor
 import data.lib.konstraint.core as konstraint_core
diff --git a/policy/podman/history/contains-layer/src.rego b/policy/podman/history/contains-layer/src.rego
index becfaac9..41e08d6b 100644
--- a/policy/podman/history/contains-layer/src.rego
+++ b/policy/podman/history/contains-layer/src.rego
@@ -1,11 +1,18 @@
-# @title RHCOP-PODMAN-00001: Image contains expected SHA in history
+# METADATA
+# title: 'RHCOP-PODMAN-00001: Image contains expected SHA in history'
+# description: |-
+# Most images are built from a subset of authorised base images in a company,
+# this policy allows enforcement of that policy by checking for an expected SHA.
 #
-# Most images are built from a subset of authorised base images in a company,
-# this policy allows enforcement of that policy by checking for an expected SHA.
-#
-# @skip-constraint
-# @kinds redhat-cop.github.com/PodmanHistory
-# parameter expected_layer_ids array string
+# parameter expected_layer_ids array string
+# custom:
+# matchers:
+# kinds:
+# - apiGroups:
+# - redhat-cop.github.com
+# kinds:
+# - PodmanHistory
+# skipConstraint: true
 package podman.history.contains_layer
 import data.lib.konstraint.core as konstraint_core
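Review bot: The context line kept directly under the new block, `package ocp.requiresinventory.service_has_matching_servicenonitor`, misspells ServiceMonitor (`servicenonitor`), and the description reads `All Service should have` / `Service without a ServiceMonitor are`; since this commit rewrites the header anyway it is the natural place to correct both to `service_has_matching_servicemonitor` and `All Services should have` / `Services without a ServiceMonitor are`. The package name is presumably shared with the policy's test file, so the rename has to land in both files in the same change. The rule body is outside this hunk.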
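Review bot: The re-marked line `+# parameter expected_layer_ids array string` now sits inside the `# METADATA` block, which OPA parses as a YAML document after stripping the `#` prefix; this collapsed view hides its indentation, so either it is indented under `description: |-` and has become prose that no longer declares a parameter, or it sits at the top level and `opa check` will reject the block as invalid YAML. The bare `#` context line retained between the description and it has the same ambiguity. Because the policy only makes sense when `expected_layer_ids` is supplied, I would declare it in konstraint's structured `custom.parameters` form (if the konstraint version in use supports it) and drop the free-text line, or at minimum indent it under the description so the block stays parseable. The rule body that presumably reads the parameter is outside this hunk.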
diff --git a/policy/podman/images/image-size-not-greater-than/src.rego b/policy/podman/images/image-size-not-greater-than/src.rego
index a01743a7..28e1f153 100644
--- a/policy/podman/images/image-size-not-greater-than/src.rego
+++ b/policy/podman/images/image-size-not-greater-than/src.rego
@@ -1,10 +1,17 @@
-# @title RHCOP-PODMAN-00002: Image size is not greater than an expected value
+# METADATA
+# title: 'RHCOP-PODMAN-00002: Image size is not greater than an expected value'
+# description: |-
+# Typically, the "smaller the better" rule applies to images so lets enforce that.
 #
-# Typically, the "smaller the better" rule applies to images so lets enforce that.
-#
-# @skip-constraint
-# @kinds redhat-cop.github.com/PodmanImages
-# parameter image_size_upperbound integer
+# parameter image_size_upperbound integer
+# custom:
+# matchers:
+# kinds:
+# - apiGroups:
+# - redhat-cop.github.com
+# kinds:
+# - PodmanImages
+# skipConstraint: true
 package podman.images.image_size_not_greater_than
 import data.lib.konstraint.core as konstraint_core
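Review bot: `+# parameter image_size_upperbound integer` has been moved inside the `# METADATA` block but left as free text; OPA parses that block as YAML after stripping the `#` prefix, and whether the line is indented under `description: |-` (turning it into prose) or sits at the top level (making the block unparseable for `opa check`) is not visible in this collapsed view. Either way it no longer declares the parameter in a form tooling can read. Prefer konstraint's structured `custom.parameters` form, if the version in use supports it, and remove the free-text line; the rule body that presumably reads `image_size_upperbound` is outside this hunk.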