diff --git a/applications/openshift/general/resource_requests_limits_in_daemonset/rule.yml b/applications/openshift/general/resource_requests_limits_in_daemonset/rule.yml
index e75c1db95c8..6f596ebd9bf 100644
--- a/applications/openshift/general/resource_requests_limits_in_daemonset/rule.yml
+++ b/applications/openshift/general/resource_requests_limits_in_daemonset/rule.yml
@@ -12,6 +12,31 @@ description: |-
 for a container to use more resource than its request for that resource specifies. However, a container is not allowed to use more than its resource limit.
+
+ To exempt a namespace with no resource requests/limits allocated in the daemonsets, the variable + {{.var_daemonset_limit_namespaces_exempt_regex}} is being flagged. + Namespaces matching the variable ocp4-var-daemonset-limit-namespaces-exempt-regex regex + are excluded from this check. + An example allowing an SCC named additional follows: +
++ apiVersion: compliance.openshift.io/v1alpha1 + kind: TailoredProfile + metadata: + name: moderate-exempt-reource-request-limits + spec: + description: Allows an additional scc + setValues: + - name: ocp4-var-daemonset-limit-namespaces-exempt-regex + rationale: set the value to namespaces to be exempted + value: "test1|test2" + extends: ocp4-moderate + title: Modified moderate to exempt a namespace with no resource requests/limits in daemonset ++
+ Finally, reference this TailoredProfile in a ScanSettingBinding +
+ # todo : better if we can keep openshift document link for this reference,
 rationale: |-
diff --git a/applications/openshift/general/resource_requests_limits_in_deployment/rule.yml b/applications/openshift/general/resource_requests_limits_in_deployment/rule.yml
index f1757d8e464..5218add1397 100644
--- a/applications/openshift/general/resource_requests_limits_in_deployment/rule.yml
+++ b/applications/openshift/general/resource_requests_limits_in_deployment/rule.yml
@@ -12,7 +12,36 @@ description: |-
 for a container to use more resource than its request for that resource specifies. However, a container is not allowed to use more than its resource limit.
-# todo : better if we can keep openshift document link for this reference,
++ To exempt a namespace with no resource requests/limits allocated in the one or more deployments, the variable + var_deployment_limit_namespaces_exempt_regex is being flagged. + Namespaces matching the variable ocp4-var-deployment-limit-namespaces-exempt-regex regex + are excluded from this check. + An example allowing an SCC named additional follows: +
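Review bot: The description text added here is copied from an SCC rule and does not match this rule: `An example allowing an SCC named additional follows:` and `description: Allows an additional scc` should describe the namespace exemption the TailoredProfile actually configures, e.g. `An example exempting the namespaces test1 and test2 follows:` and `description: Exempts namespaces from the daemonset resource requests/limits check`; the deployment and statefulset hunks carry the same leftover text. This hunk also names the variable as `{{.var_daemonset_limit_namespaces_exempt_regex}}` in Go-template syntax while the other two rules write the plain name; unless the description is meant to be rendered at scan time, the plain `var_daemonset_limit_namespaces_exempt_regex` avoids the template being expanded or left verbatim, and `is being flagged` should read `is provided`. The example profile name `moderate-exempt-reource-request-limits` misspells `resource`. It would also help to state that the jq filters shown for the deployment and statefulset rules always exclude `kube-*` and `openshift-*` namespaces and `rhacs-operator` regardless of the variable, which presumably holds for the daemonset filter too.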
++ apiVersion: compliance.openshift.io/v1alpha1 + kind: TailoredProfile + metadata: + name: moderate-exempt-reource-request-limits + spec: + description: Allows an additional scc + setValues: + - name: ocp4-var-deployment-limit-namespaces-exempt-regex + rationale: set the value to namespaces to be exempted + value: "test1|test2" + extends: ocp4-moderate + title: Modified moderate to exempt a namespace with no resource requests/limits in deployment ++
+ Finally, reference this TailoredProfile in a ScanSettingBinding +
+ ++ To configure resource requests/limits for a deployement, follow the directions in + {{{ weblink(link="https://docs.openshift.com/container-platform/latest/applications/deployments/managing-deployment-processes.html#deployments-setting-resources_deployment-operations", + text="the documentation") }}} +
 rationale: |-
 Resource requests/limits provide constraints that limit aggregate resource consumption
@@ -20,13 +49,13 @@ rationale: |-
 application, it is important to tune based on memory and CPU consumption, allocating enough resources for the application to function properly.
+{{% set jqfilter = '[ .items[] | select(.metadata.namespace | startswith("kube-") or startswith("openshift-") | not) | select(.metadata.namespace != "rhacs-operator" and ({{if ne .var_deployment_limit_namespaces_exempt_regex "None"}}.metadata.namespace | test("{{.var_deployment_limit_namespaces_exempt_regex}}") | not{{else}}true{{end}})) | select( .spec.template.spec.containers[].resources.requests.cpu == null or .spec.template.spec.containers[].resources.requests.memory == null or .spec.template.spec.containers[].resources.limits.cpu == null or .spec.template.spec.containers[].resources.limits.memory == null ) | .metadata.name ]' %}}
 identifiers: {} references: nist: SC-6
-{{% set jqfilter = '[ .items[] | select(.metadata.namespace | startswith("kube-") or startswith("openshift-") | not) | select(.metadata.namespace != "rhacs-operator" and ({{if ne .var_deployment_limit_namespaces_exempt_regex "None"}}.metadata.namespace | test("{{.var_deployment_limit_namespaces_exempt_regex}}") | not{{else}}true{{end}})) | select( .spec.template.spec.containers[].resources.requests.cpu == null or .spec.template.spec.containers[].resources.requests.memory == null or .spec.template.spec.containers[].resources.limits.cpu == null or .spec.template.spec.containers[].resources.limits.memory == null ) | .metadata.name ]' %}}
 ocil_clause: 'Resource requests and limits is not set'
diff --git a/applications/openshift/general/resource_requests_limits_in_statefulset/rule.yml b/applications/openshift/general/resource_requests_limits_in_statefulset/rule.yml
index 046f20fde86..0859f551888 100644
--- a/applications/openshift/general/resource_requests_limits_in_statefulset/rule.yml
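Review bot: The `{{{ weblink(...) }}}` reference that replaces the `# todo` line lands only in the deployment rule; the daemonset and statefulset hunks keep `# todo : better if we can keep openshift document link for this reference,` as context, so either matching links for those workload kinds belong in the same change or the remaining todos should say what is still missing. `deployement` in `To configure resource requests/limits for a deployement` is a typo. `allocated in the one or more deployments` reads awkwardly; `allocated in one or more deployments` is enough, and the same phrase appears in the statefulset hunk.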
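Review bot: The relocated jqfilter inspects only `.spec.template.spec.containers[]`, so a deployment whose init containers lack requests/limits is not listed, and the statefulset filter in the last hunk has the same shape. Because `[]` inside `select` is a generator, a template with several non-compliant containers can also emit `.metadata.name` once per container, leaving duplicates in the result. Both can be addressed by collecting the containers first: `select([.spec.template.spec.containers[], (.spec.template.spec.initContainers // [])[]] | any(.resources.requests.cpu == null or .resources.requests.memory == null or .resources.limits.cpu == null or .resources.limits.memory == null))`. Since this hunk only moves the `{{% set jqfilter %}}` line above `identifiers:`, a one-line Jinja comment stating why it has to sit there would help the next reader.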
+++ b/applications/openshift/general/resource_requests_limits_in_statefulset/rule.yml
@@ -12,6 +12,31 @@ description: |-
 for a container to use more resource than its request for that resource specifies. However, a container is not allowed to use more than its resource limit.
++ To exempt a namespace with no resource requests/limits allocated in the one or more statefulsets, the variable + var_statefulset_limit_namespaces_exempt_regex is being flagged. + Namespaces matching the variable ocp4-var-statefulset-limit-namespaces-exempt-regex regex + are excluded from this check. + An example allowing an SCC named additional follows: +
++ apiVersion: compliance.openshift.io/v1alpha1 + kind: TailoredProfile + metadata: + name: moderate-exempt-reource-request-limits + spec: + description: Allows an additional scc + setValues: + - name: ocp4-var-statefulset-limit-namespaces-exempt-regex + rationale: set the value to namespaces to be exempted + value: "test1|test2" + extends: ocp4-moderate + title: Modified moderate to exempt a namespace with no resource requests/limits in statefulset ++
+ Finally, reference this TailoredProfile in a ScanSettingBinding +
+ # todo : better if we can keep openshift document link for this reference,
 rationale: |-
@@ -20,14 +45,13 @@ rationale: |-
 application, it is important to tune based on memory and CPU consumption, allocating enough resources for the application to function properly.
+{{% set jqfilter = '[ .items[] | select(.metadata.namespace | startswith("kube-") or startswith("openshift-") | not) | select(.metadata.namespace != "rhacs-operator" and ({{if ne .var_statefulset_limit_namespaces_exempt_regex "None"}}.metadata.namespace | test("{{.var_statefulset_limit_namespaces_exempt_regex}}") | not{{else}}true{{end}})) | select( .spec.template.spec.containers[].resources.requests.cpu == null or .spec.template.spec.containers[].resources.requests.memory == null or .spec.template.spec.containers[].resources.limits.cpu == null or .spec.template.spec.containers[].resources.limits.memory == null ) | .metadata.name ]' %}}
 identifiers: {} references: nist: SC-6
-{{% set jqfilter = '[ .items[] | select(.metadata.namespace | startswith("kube-") or startswith("openshift-") | not) | select(.metadata.namespace != "rhacs-operator" and ({{if ne .var_statefulset_limit_namespaces_exempt_regex "None"}}.metadata.namespace | test("{{.var_statefulset_limit_namespaces_exempt_regex}}") | not{{else}}true{{end}})) | select( .spec.template.spec.containers[].resources.requests.cpu == null or .spec.template.spec.containers[].resources.requests.memory == null or .spec.template.spec.containers[].resources.limits.cpu == null or .spec.template.spec.containers[].resources.limits.memory == null ) | .metadata.name ]' %}}
- ocil_clause: 'Resource requests and limits is not set' ocil: |-