Add variable reference for resource_requests_limits rules

applications/openshift/general/resource_requests_limits_in_daemonset/rule.yml

@@ -12,6 +12,31 @@ description: |-
   for a container to use more resource than its request for that resource specifies.
   However, a container is not allowed to use more than its resource limit.
 
+  <p>
+  To exempt a namespace with no resource requests/limits allocated in the daemonsets, the variable
+  {{.var_daemonset_limit_namespaces_exempt_regex}} is being flagged.
+  Namespaces matching the variable <tt>ocp4-var-daemonset-limit-namespaces-exempt-regex</tt> regex
+  are excluded from this check.
+  An example allowing an SCC named <tt>additional</tt> follows:
+  </p>
+  <pre>
+  apiVersion: compliance.openshift.io/v1alpha1
+  kind: TailoredProfile
+  metadata:
+    name: moderate-exempt-reource-request-limits
+  spec:
+    description: Allows an additional scc
+    setValues:
+    - name: ocp4-var-daemonset-limit-namespaces-exempt-regex
+      rationale: set the value to namespaces to be exempted
+      value: "test1|test2"
+    extends: ocp4-moderate
+    title: Modified moderate to exempt a namespace with no resource requests/limits in daemonset
+  </pre>
+  <p>
+  Finally, reference this <tt>TailoredProfile</tt> in a <tt>ScanSettingBinding</tt>
+  </p>
+
 # todo : better if we can keep openshift document link for this reference,
 
 rationale: |-

applications/openshift/general/resource_requests_limits_in_deployment/rule.yml

@@ -12,21 +12,50 @@ description: |-
   for a container to use more resource than its request for that resource specifies.
   However, a container is not allowed to use more than its resource limit.
 
-# todo : better if we can keep openshift document link for this reference,
+  <p>
+  To exempt a namespace with no resource requests/limits allocated in the one or more deployments, the variable
+  var_deployment_limit_namespaces_exempt_regex is being flagged.
+  Namespaces matching the variable <tt>ocp4-var-deployment-limit-namespaces-exempt-regex</tt> regex
+  are excluded from this check.
+  An example allowing an SCC named <tt>additional</tt> follows:
+  </p>
+  <pre>
+  apiVersion: compliance.openshift.io/v1alpha1
+  kind: TailoredProfile
+  metadata:
+    name: moderate-exempt-reource-request-limits
+  spec:
+    description: Allows an additional scc
+    setValues:
+    - name: ocp4-var-deployment-limit-namespaces-exempt-regex
+      rationale: set the value to namespaces to be exempted
+      value: "test1|test2"
+    extends: ocp4-moderate
+    title: Modified moderate to exempt a namespace with no resource requests/limits in deployment
+  </pre>
+  <p>
+  Finally, reference this <tt>TailoredProfile</tt> in a <tt>ScanSettingBinding</tt>
+  </p>
+
+  <p>
+  To configure resource requests/limits for a deployement, follow the directions in
+  {{{ weblink(link="https://docs.openshift.com/container-platform/latest/applications/deployments/managing-deployment-processes.html#deployments-setting-resources_deployment-operations",
+              text="the documentation") }}}
+  </p>
 
 rationale: |-
   Resource requests/limits provide constraints that limit aggregate resource consumption
   per container. This helps prevent resource starvation. When deploying your
   application, it is important to tune based on memory and CPU consumption,
   allocating enough resources for the application to function properly.
 
+{{% set jqfilter = '[ .items[] | select(.metadata.namespace | startswith("kube-") or startswith("openshift-") | not) | select(.metadata.namespace != "rhacs-operator" and ({{if ne .var_deployment_limit_namespaces_exempt_regex "None"}}.metadata.namespace | test("{{.var_deployment_limit_namespaces_exempt_regex}}") | not{{else}}true{{end}})) | select( .spec.template.spec.containers[].resources.requests.cpu == null  or  .spec.template.spec.containers[].resources.requests.memory == null or .spec.template.spec.containers[].resources.limits.cpu == null  or  .spec.template.spec.containers[].resources.limits.memory == null )  | .metadata.name ]' %}}
 
 identifiers: {}
 
 references:
   nist: SC-6
 
-{{% set jqfilter = '[ .items[] | select(.metadata.namespace | startswith("kube-") or startswith("openshift-") | not) | select(.metadata.namespace != "rhacs-operator" and ({{if ne .var_deployment_limit_namespaces_exempt_regex "None"}}.metadata.namespace | test("{{.var_deployment_limit_namespaces_exempt_regex}}") | not{{else}}true{{end}})) | select( .spec.template.spec.containers[].resources.requests.cpu == null  or  .spec.template.spec.containers[].resources.requests.memory == null or .spec.template.spec.containers[].resources.limits.cpu == null  or  .spec.template.spec.containers[].resources.limits.memory == null )  | .metadata.name ]' %}}
 
 ocil_clause: 'Resource requests and limits is not set'
 

applications/openshift/general/resource_requests_limits_in_statefulset/rule.yml

@@ -12,6 +12,31 @@ description: |-
   for a container to use more resource than its request for that resource specifies.
   However, a container is not allowed to use more than its resource limit.
 
+  <p>
+  To exempt a namespace with no resource requests/limits allocated in the one or more statefulsets, the variable
+  var_statefulset_limit_namespaces_exempt_regex is being flagged.
+  Namespaces matching the variable <tt>ocp4-var-statefulset-limit-namespaces-exempt-regex</tt> regex
+  are excluded from this check.
+  An example allowing an SCC named <tt>additional</tt> follows:
+  </p>
+  <pre>
+  apiVersion: compliance.openshift.io/v1alpha1
+  kind: TailoredProfile
+  metadata:
+    name: moderate-exempt-reource-request-limits
+  spec:
+    description: Allows an additional scc
+    setValues:
+    - name: ocp4-var-statefulset-limit-namespaces-exempt-regex
+      rationale: set the value to namespaces to be exempted
+      value: "test1|test2"
+    extends: ocp4-moderate
+    title: Modified moderate to exempt a namespace with no resource requests/limits in statefulset
+  </pre>
+  <p>
+  Finally, reference this <tt>TailoredProfile</tt> in a <tt>ScanSettingBinding</tt>
+  </p>
+
 # todo : better if we can keep openshift document link for this reference,
 
 rationale: |-
@@ -20,14 +45,13 @@ rationale: |-
   application, it is important to tune based on memory and CPU consumption,
   allocating enough resources for the application to function properly.
 
+{{% set jqfilter = '[ .items[] | select(.metadata.namespace | startswith("kube-") or startswith("openshift-") | not) | select(.metadata.namespace != "rhacs-operator" and ({{if ne .var_statefulset_limit_namespaces_exempt_regex "None"}}.metadata.namespace | test("{{.var_statefulset_limit_namespaces_exempt_regex}}") | not{{else}}true{{end}})) | select( .spec.template.spec.containers[].resources.requests.cpu == null  or  .spec.template.spec.containers[].resources.requests.memory == null or .spec.template.spec.containers[].resources.limits.cpu == null  or  .spec.template.spec.containers[].resources.limits.memory == null )  | .metadata.name ]' %}}
 
 identifiers: {}
 
 references:
   nist: SC-6
 
-{{% set jqfilter = '[ .items[] | select(.metadata.namespace | startswith("kube-") or startswith("openshift-") | not) | select(.metadata.namespace != "rhacs-operator" and ({{if ne .var_statefulset_limit_namespaces_exempt_regex "None"}}.metadata.namespace | test("{{.var_statefulset_limit_namespaces_exempt_regex}}") | not{{else}}true{{end}})) | select( .spec.template.spec.containers[].resources.requests.cpu == null  or  .spec.template.spec.containers[].resources.requests.memory == null or .spec.template.spec.containers[].resources.limits.cpu == null  or  .spec.template.spec.containers[].resources.limits.memory == null )  | .metadata.name ]' %}}
-
 ocil_clause: 'Resource requests and limits is not set'
 
 ocil: |-