CMP-2400: exclusion of the namespace for rule ocp4-resource-requests-…

…quota-per-project Excluded RHACS from the default namespace check. We don't want to releax our rule too much for optional operator, as it might incress security risk, instead user should use tailoredprofile to set the exclusion regex. Added a new variable 'var_resource_requests_quota_per_project_exempt_regex'
ComplianceAsCode · Aug 28, 2024 · c741919 · c741919
1 parent ec2429f
commit c741919
Show file tree

Hide file tree

Showing 2 changed files with 21 additions and 3 deletions.
diff --git a/applications/openshift/general/resource_requests_quota_per_project/rule.yml b/applications/openshift/general/resource_requests_quota_per_project/rule.yml
@@ -48,13 +48,13 @@ references:
 
 {{% set resourcequotas_api_path = '/api/v1/resourcequotas' %}}
 {{% set namespaces_api_path = '/api/v1/namespaces' %}}
-{{% set resourcequotas_for_non_ctlplane_namespaces_filter = '[.items[] | select((.metadata.namespace | startswith("openshift") | not) and (.metadata.namespace | startswith("kube-") | not) and .metadata.namespace != "default") | .metadata.namespace] | unique' %}}
-{{% set non_ctlplane_namespaces_filter = '[.items[] | select((.metadata.name | startswith("openshift") | not) and (.metadata.name | startswith("kube-") | not) and .metadata.name != "default")]' %}}
+{{% set resourcequotas_for_non_ctlplane_namespaces_filter = '[.items[] | select((.metadata.namespace | startswith("openshift") | not) and (.metadata.namespace | startswith("kube-") | not) and .metadata.namespace != "default" and .metadata.namespace != "rhacs-operator" and ({{if ne .var_resource_requests_quota_per_project_exempt_regex "None"}}.metadata.namespace | test("{{.var_resource_requests_quota_per_project_exempt_regex}}") | not{{else}}true{{end}}) | .metadata.namespace] | unique' %}}
+{{% set non_ctlplane_namespaces_filter = '[.items[] | select((.metadata.name | startswith("openshift") | not) and (.metadata.name | startswith("kube-") | not) and .metadata.name != "default" and .metadata.name != "rhacs-operator" and ({{if ne .var_resource_requests_quota_per_project_exempt_regex "None"}}.metadata.name | test("{{.var_resource_requests_quota_per_project_exempt_regex}}") | not{{else}}true{{end}}))]' %}}
 
 ocil_clause: 'Resource requests and limits is not set per project'
 
 # same as above except filters the names only. Used in OCIL only, not in the 'warnings attribute'
-{{% set non_ctlplane_namespaces_filter_names = '[.items[] | select((.metadata.name | startswith("openshift") | not) and (.metadata.name | startswith("kube-") | not) and .metadata.name != "default") | .metadata.name ]' %}}
+{{% set non_ctlplane_namespaces_filter_names = '[.items[] | select((.metadata.name | startswith("openshift") | not) and (.metadata.name | startswith("kube-") | not) and .metadata.name != "default" and .metadata.name != "rhacs-operator" and ({{if ne .var_resource_requests_quota_per_project_exempt_regex "None"}}.metadata.name | test("{{.var_resource_requests_quota_per_project_exempt_regex}}") | not{{else}}true{{end}}) | .metadata.name]' %}}
 
 ocil: |-
     Verify that the every non-control plane namespace has an appropriate ResourceQuota.

diff --git a/applications/openshift/general/var_resource_requests_quota_per_project_exempt_regex.var b/applications/openshift/general/var_resource_requests_quota_per_project_exempt_regex.var
@@ -0,0 +1,18 @@
+documentation_complete: true
+
+title: 'Namespaces exempt of Resource Requests Quota per Project checks'
+
+description: |-
+    Namespaces regular expression explicitly allowed
+    through deployment resource filters, e.g. setting value to
+    "namespace1|namespace2" will exempt namespace
+    "namespace1" and "namespace2" for deployment resource limit checks.
+
+type: string
+
+operator: equals
+
+interactive: true
+
+options:
+  default: "None"