OCPBUGS-304: exclude rhacs-operator namespace from resource limit rules

[Vincent056]

Added three new variables to be able to exclude namespaces:

var_daemonset_limit_namespaces_exempt_regex for rule resource_requests_limits_in_daemonset var_deployment_limit_namespaces_exempt_regex for rule resource_requests_limits_in_deployment var_statefulset_limit_namespaces_exempt_regex for rule resource_requests_limits_in_statefulset

rhacs-operator namespace has also been excluded by default.

Link to Jira Bug: https://issues.redhat.com/browse/OCPBUGS-304, https://issues.redhat.com/browse/CMP-2400

Additional namespace should be excluded using those variables

[github-actions]

Start a new ephemeral environment with changes proposed in this pull request:

Fedora Environment

Oracle Linux 8 Environment

[github-actions]

🤖 A k8s content image for this PR is available at:
ghcr.io/complianceascode/k8scontent:12307
This image was built from commit: 5798710

Click here to see how to deploy it

If you alread have Compliance Operator deployed:
utils/build_ds_container.py -i ghcr.io/complianceascode/k8scontent:12307

Otherwise deploy the content and operator together by checking out ComplianceAsCode/compliance-operator and:
CONTENT_IMAGE=ghcr.io/complianceascode/k8scontent:12307 make deploy-local

[yuumasato]

/test 4.15-e2e-aws-ocp4-moderate
/test 4.16-e2e-aws-ocp4-moderate

[yuumasato]

Nit, not necessary to merge this PR.

The result of the jquery is quite uncanny. So I was playing with it and got to this:
https://jqplay.org/s/v33KOMdUaoM9X8j

[yuumasato]

CI issues related to the malformed condition, I think

     helpers.go:872: Result - Name: e2e-moderate-resource-requests-limits-in-daemonset - Status: PASS - Severity: medium
    helpers.go:1060: Rule e2e-moderate-resource-requests-limits-in-daemonset matched expected result
    helpers.go:872: Result - Name: e2e-moderate-resource-requests-limits-in-deployment - Status: FAIL - Severity: medium
    helpers.go:879: E2E-FAILURE: The expected result for the e2e-moderate-resource-requests-limits-in-deployment rule didn't match. Expected 'PASS', Got 'FAIL'
    helpers.go:872: Result - Name: e2e-moderate-resource-requests-limits-in-statefulset - Status: FAIL - Severity: medium
    helpers.go:879: E2E-FAILURE: The expected result for the e2e-moderate-resource-requests-limits-in-statefulset rule didn't match. Expected 'PASS', Got 'FAIL' 

[yuumasato]

@Vincent056 Why is https://issues.redhat.com/browse/CMP-2400 linked?
Do you plan to address this rule?
https://github.com/ComplianceAsCode/content/blob/master/applications/openshift/general/resource_requests_quota_per_project/rule.yml

[Vincent056]

@yuumasato thanks for the review!

@Vincent056 Why is https://issues.redhat.com/browse/CMP-2400 linked?
Do you plan to address this rule?
https://github.com/ComplianceAsCode/content/blob/master/applications/openshift/general/resource_requests_quota_per_>project/rule.yml

I have submitted a new pr for CMP 2400 here: #12344

[Vincent056]

https://jqplay.org/s/v33KOMdUaoM9X8j

this is a nice tool!

[yuumasato]

/test 4.15-e2e-aws-ocp4-moderate
/test 4.16-e2e-aws-ocp4-moderate

[BhargaviGudi]

/hold for test

[yuumasato]

/packit retest-failed

[rhmdnd]

I suppose we could bake the openshift-, kube-, and rhacs-operator strings into the variable as the default, since that's effectively what this is doing, just in a more rigid way.

[yuumasato]

That is an interesting idea, but that would / could complicate the user experience a little bit.
To keep the "default" behavior of ignoring namespaces begining with openshift- and kube- and exactly matching rhcas-operator they would have to add these same values on their tailorings. Otherwise, the rules would start to check the default list of ignored namespaces.

For example:

Kind: TailoredProfile
...
spec:
  setValue:
  - name: var_daemonset_limit_namespaces_exempt_regex
    rationale: Set my org exceptions
    value: "my_namespace_1|my_namespace_2"

This would end up dropping the default skipped namespaces, instead of adding to the list of skipped namespaces.

[yuumasato]

Nit: However we could move the default skipped namespaces to a jq variable with the aim of simplifying the jq filter.

[xiaojiey]

verification pass with ghcr.io/complianceascode/k8scontent:12307

1. Create 2 namespaces test1 and test2, and create daemonset, deployment, statefulset without resource limits.
2. Create tp and ssb.
% cat tp.yaml 
apiVersion: compliance.openshift.io/v1alpha1
kind: TailoredProfile
metadata:
  name: limits-test
  namespace: openshift-compliance
spec:
  description: Test
  setValues:
  - name: upstream-ocp4-var-daemonset-limit-namespaces-exempt-regex
    value: "test1|test2"
    rationale: test
  - name: upstream-ocp4-var-deployment-limit-namespaces-exempt-regex
    value: "test1|test2"
    rationale: test
  - name: upstream-ocp4-var-statefulset-limit-namespaces-exempt-regex
    value: "test1|test2"
    rationale: test
  extends: upstream-ocp4-high
  title: My modified nist profile with a custom value
% oc apply -f tp.yaml 
tailoredprofile.compliance.openshift.io/limits-test created
% cat ssb_high_u.yaml 
apiVersion: compliance.openshift.io/v1alpha1
kind: ScanSettingBinding
metadata:
  name: cis-compliance
  namespace: openshift-compliance
profiles:
  - name: limits-test
    kind: TailoredProfile
    apiGroup: compliance.openshift.io/v1alpha1
settingsRef:
  name: default
  kind: ScanSetting
  apiGroup: compliance.openshift.io/v1alpha1
% cat ssb_high_u2.yaml 
apiVersion: compliance.openshift.io/v1alpha1
kind: ScanSettingBinding
metadata:
  name: high-profile-compliance
  namespace: openshift-compliance
profiles:
  - name: upstream-ocp4-high
    kind: Profile
    apiGroup: compliance.openshift.io/v1alpha1
settingsRef:
  name: default
  kind: ScanSetting
  apiGroup: compliance.openshift.io/v1alpha1
% oc apply -f ssb_high_u.yaml 
scansettingbinding.compliance.openshift.io/cis-compliance created
% oc apply -f ssb_high_u2.yaml 
scansettingbinding.compliance.openshift.io/high-profile-compliance created
3. Check the result:
% oc get ccr | grep resource-requests-limit
limits-test-resource-requests-limits-in-daemonset                            PASS     medium
limits-test-resource-requests-limits-in-deployment                           PASS     medium
limits-test-resource-requests-limits-in-statefulset                          PASS     medium
upstream-ocp4-high-resource-requests-limits-in-daemonset                     FAIL     medium
upstream-ocp4-high-resource-requests-limits-in-deployment                    FAIL     medium
upstream-ocp4-high-resource-requests-limits-in-statefulset                   FAIL     medium
% oc get rule upstream-ocp4-resource-requests-limits-in-daemonset  -o=jsonpath={.instructions}
Run the following command to retrieve a list of daemonsets that does not have resource requests and limits:
$  oc get daemonset.apps  --all-namespaces -o json  | jq '[ .items[] | select(.metadata.namespace | startswith("kube-") or startswith("openshift-") | not)  | select(.metadata.namespace != "rhacs-operator" and (true)) | select( .spec.template.spec.containers[].resources.requests.cpu == null  or  .spec.template.spec.containers[].resources.requests.memory == null or .spec.template.spec.containers[].resources.limits.cpu == null  or  .spec.template.spec.containers[].resources.limits.memory == null )  | .metadata.name ]'
Make sure that there is output nothing in the result.
Is it the case that Resource requests and limits is not set?%                                                                                                                                                  %  oc get daemonset.apps  --all-namespaces -o json  | jq '[ .items[] | select(.metadata.namespace | startswith("kube-") or startswith("openshift-") | not)  | select(.metadata.namespace != "rhacs-operator" and (true)) | select( .spec.template.spec.containers[].resources.requests.cpu == null  or  .spec.template.spec.containers[].resources.requests.memory == null or .spec.template.spec.containers[].resources.limits.cpu == null  or  .spec.template.spec.containers[].resources.limits.memory == null )  | .metadata.name ]'
[
  "hello-daemonset",
  "hello-daemonset",
  "hello-daemonset",
  "hello-daemonset"
]
% oc get rule upstream-ocp4-resource-requests-limits-in-deployment  -o=jsonpath={.instructions}
Run the following command to retrieve a list of deployments that does not have resource requests and limits:
$  oc get deployment.apps  --all-namespaces -o json  | jq '[ .items[] | select(.metadata.namespace | startswith("kube-") or startswith("openshift-") | not) | select(.metadata.namespace != "rhacs-operator" and (true)) | select( .spec.template.spec.containers[].resources.requests.cpu == null  or  .spec.template.spec.containers[].resources.requests.memory == null or .spec.template.spec.containers[].resources.limits.cpu == null  or  .spec.template.spec.containers[].resources.limits.memory == null )  | .metadata.name ]'
Make sure that there is output nothing in the result.
Is it the case that Resource requests and limits is not set?%                                                                                                                                                  % oc get deployment.apps  --all-namespaces -o json  | jq '[ .items[] | select(.metadata.namespace | startswith("kube-") or startswith("openshift-") | not) | select(.metadata.namespace != "rhacs-operator" and (true)) | select( .spec.template.spec.containers[].resources.requests.cpu == null  or  .spec.template.spec.containers[].resources.requests.memory == null or .spec.template.spec.containers[].resources.limits.cpu == null  or  .spec.template.spec.containers[].resources.limits.memory == null )  | .metadata.name ]'
[
  "nginx-deployment",
  "nginx-deployment"
]

% oc get rule upstream-ocp4-resource-requests-limits-in-statefulset  -o=jsonpath={.instructions}
Run the following command to retrieve a list of statefulsets that does not have resource requests and limits:
$  oc get statefulset.apps --all-namespaces -o json  | jq '[ .items[] | select(.metadata.namespace | startswith("kube-") or startswith("openshift-") | not) | select(.metadata.namespace != "rhacs-operator" and (true)) | select( .spec.template.spec.containers[].resources.requests.cpu == null  or  .spec.template.spec.containers[].resources.requests.memory == null or .spec.template.spec.containers[].resources.limits.cpu == null  or  .spec.template.spec.containers[].resources.limits.memory == null )  | .metadata.name ]'
Make sure that there is output nothing in the result.
Is it the case that Resource requests and limits is not set?%                                                                                                                                                  
% oc get statefulset.apps --all-namespaces -o json  | jq '[ .items[] | select(.metadata.namespace | startswith("kube-") or startswith("openshift-") | not) | select(.metadata.namespace != "rhacs-operator" and (true)) | select( .spec.template.spec.containers[].resources.requests.cpu == null  or  .spec.template.spec.containers[].resources.requests.memory == null or .spec.template.spec.containers[].resources.limits.cpu == null  or  .spec.template.spec.containers[].resources.limits.memory == null )  | .metadata.name ]'
[
  "hello-statefulset",
  "hello-statefulset"
]

[xiaojiey]

/unhold

[yuumasato]

@Vincent056 you might need to rebase for Gate / Build, Test on Fedora Latest (Container) (push) to pass

[codeclimate]

Code Climate has analyzed commit 5798710 and detected 0 issues on this pull request.

The test coverage on the diff in this pull request is 100.0% (50% is the threshold).

This pull request will bring the total coverage in the repository to 59.5% (0.0% change).

View more on Code Climate.