implement custom checks, implement resource ranges as custom check

FairwindsOps · Jan 2, 2020 · 5efa416 · 5efa416
1 parent 7b0fe81
commit 5efa416
Show file tree

Hide file tree

Showing 12 changed files with 464 additions and 487 deletions.
diff --git a/checks/cpuLimitsMissing.yaml b/checks/cpuLimitsMissing.yaml
@@ -0,0 +1,29 @@
+name: CPULimitsMissing
+id: cpuLimitsMissing
+successMessage: CPU limits are set
+failureMessage: CPU limits should be set
+category: Resources
+target: Container
+containers:
+  exclude:
+  - initContainer
+schema:
+  '$schema': http://json-schema.org/draft-07/schema
+  type: object
+  required:
+  - resources
+  properties:
+    resources:
+      type: object
+      required:
+      - limits
+      properties:
+        limits:
+          type: object
+          required:
+          - cpu
+          properties:
+            cpu:
+              type: string
+              not:
+                const: ''
diff --git a/checks/cpuRequestsMissing.yaml b/checks/cpuRequestsMissing.yaml
@@ -0,0 +1,29 @@
+name: CPURequestsMissing
+id: cpuRequestsMissing
+successMessage: CPU requests are set
+failureMessage: CPU requests should be set
+category: Resources
+target: Container
+containers:
+  exclude:
+  - initContainer
+schema:
+  '$schema': http://json-schema.org/draft-07/schema
+  type: object
+  required:
+  - resources
+  properties:
+    resources:
+      type: object
+      required:
+      - requests
+      properties:
+        requests:
+          type: object
+          required:
+          - cpu
+          properties:
+            cpu:
+              type: string
+              not:
+                const: ''
diff --git a/checks/memoryLimitsMissing.yaml b/checks/memoryLimitsMissing.yaml
@@ -0,0 +1,29 @@
+name: MemoryLimitsMissing
+id: memoryLimitsMissing
+successMessage: Memory limits are set
+failureMessage: Memory limits should be set
+category: Resources
+target: Container
+containers:
+  exclude:
+  - initContainer
+schema:
+  '$schema': http://json-schema.org/draft-07/schema
+  type: object
+  required:
+  - resources
+  properties:
+    resources:
+      type: object
+      required:
+      - limits
+      properties:
+        limits:
+          type: object
+          required:
+          - memory
+          properties:
+            memory:
+              type: string
+              not:
+                const: ''
diff --git a/checks/memoryRequestsMissing.yaml b/checks/memoryRequestsMissing.yaml
@@ -0,0 +1,29 @@
+name: MemoryRequestsMissing
+id: memoryRequestsMissing
+successMessage: Memory requests are set
+failureMessage: Memory requests should be set
+category: Resources
+target: Container
+containers:
+  exclude:
+  - initContainer
+schema:
+  '$schema': http://json-schema.org/draft-07/schema
+  type: object
+  required:
+  - resources
+  properties:
+    resources:
+      type: object
+      required:
+      - requests
+      properties:
+        requests:
+          type: object
+          required:
+          - memory
+          properties:
+            memory:
+              type: string
+              not:
+                const: ''
diff --git a/examples/config-full.yaml b/examples/config-full.yaml
@@ -1,45 +1,11 @@
 resources:
   cpuRequestsMissing: warning
-  cpuRequestRanges:
-    warning:
-      below: 50m
-      above: 1000m
-    error:
-      below: 500m
-      above: 2000m
   cpuLimitsMissing: warning
-  cpuLimitRanges:
-    warning:
-      below: 50m
-      above: 1000m
-    error:
-      below: 500m
-      above: 2000m
   memoryRequestsMissing: warning
-  memoryRequestRanges:
-    warning:
-      below: 50M
-      above: 2G
-    error:
-      below: 100M
-      above: 4G
   memoryLimitsMissing: warning
-  memoryLimitRanges:
-    warning:
-      below: 50M
-      above: 2G
-    error:
-      below: 100M
-      above: 4G
 images:
   tagNotSpecified: error
   pullPolicyNotAlways: warning
-  whitelist:
-    error:
-      - gcr.io/*
-  blacklist:
-    warning:
-      - docker.io/*
 healthChecks:
   readinessProbeMissing: warning
   livenessProbeMissing: warning
@@ -53,16 +19,8 @@ security:
   runAsPrivileged: error
   notReadOnlyRootFileSystem: warning
   privilegeEscalationAllowed: error
-  capabilities:
-    error:
-      ifAnyAdded:
-        - SYS_ADMIN
-        - ALL
-      ifAnyNotDropped:
-        - ALL
-    warning:
-      ifAnyAddedBeyond:
-        - NONE
+  dangerousCapabilities: error
+  insecureCapabilities: warning
 controllers_to_scan:
   - Deployments
   - StatefulSets

diff --git a/pkg/config/config.go b/pkg/config/config.go
@@ -23,21 +23,22 @@ import (
 	"strings"
 
 	packr "github.com/gobuffalo/packr/v2"
-	"k8s.io/apimachinery/pkg/api/resource"
 	"k8s.io/apimachinery/pkg/util/yaml"
 )
 
 // Configuration contains all of the config for the validation checks.
 type Configuration struct {
-	DisplayName        string                `json:"displayName"`
-	Resources          Resources             `json:"resources"`
-	HealthChecks       HealthChecks          `json:"healthChecks"`
-	Images             Images                `json:"images"`
-	Networking         Networking            `json:"networking"`
-	Security           Security              `json:"security"`
-	ControllersToScan  []SupportedController `json:"controllers_to_scan"`
-	Exemptions         []Exemption           `json:"exemptions"`
-	DisallowExemptions bool                  `json:"disallowExemptions"`
+	DisplayName        string                 `json:"displayName"`
+	Resources          Resources              `json:"resources"`
+	HealthChecks       HealthChecks           `json:"healthChecks"`
+	Images             Images                 `json:"images"`
+	Networking         Networking             `json:"networking"`
+	Security           Security               `json:"security"`
+	Checks             map[string]Severity    `json:"checks"`
+	ControllersToScan  []SupportedController  `json:"controllers_to_scan"`
+	CustomChecks       map[string]SchemaCheck `json:"customChecks"`
+	Exemptions         []Exemption            `json:"exemptions"`
+	DisallowExemptions bool                   `json:"disallowExemptions"`
 }
 
 // Exemption represents an exemption to normal rules
@@ -48,26 +49,10 @@ type Exemption struct {
 
 // Resources contains config for resource requests and limits.
 type Resources struct {
-	CPURequestsMissing    Severity       `json:"cpuRequestsMissing"`
-	CPURequestRanges      ResourceRanges `json:"cpuRequestRanges"`
-	CPULimitsMissing      Severity       `json:"cpuLimitsMissing"`
-	CPULimitRanges        ResourceRanges `json:"cpuLimitRanges"`
-	MemoryRequestsMissing Severity       `json:"memoryRequestsMissing"`
-	MemoryRequestRanges   ResourceRanges `json:"memoryRequestRanges"`
-	MemoryLimitsMissing   Severity       `json:"memoryLimitsMissing"`
-	MemoryLimitRanges     ResourceRanges `json:"memoryLimitRanges"`
-}
-
-// ResourceRanges contains config for requests or limits for a specific resource.
-type ResourceRanges struct {
-	Warning ResourceRange `json:"warning"`
-	Error   ResourceRange `json:"error"`
-}
-
-// ResourceRange can contain below and above conditions for validation.
-type ResourceRange struct {
-	Below *resource.Quantity `json:"below"`
-	Above *resource.Quantity `json:"above"`
+	CPURequestsMissing    Severity `json:"cpuRequestsMissing"`
+	CPULimitsMissing      Severity `json:"cpuLimitsMissing"`
+	MemoryRequestsMissing Severity `json:"memoryRequestsMissing"`
+	MemoryLimitsMissing   Severity `json:"memoryLimitsMissing"`
 }
 
 // HealthChecks contains config for readiness and liveness probes.
@@ -140,9 +125,14 @@ func Parse(rawBytes []byte) (Configuration, error) {
 	for {
 		if err := d.Decode(&conf); err != nil {
 			if err == io.EOF {
-				return conf, nil
+				break
 			}
 			return conf, fmt.Errorf("Decoding config failed: %v", err)
 		}
 	}
+	for key, check := range conf.CustomChecks {
+		check.ID = key
+		conf.CustomChecks[key] = check
+	}
+	return conf, nil
 }