C-0050

suhasgumma · suhasgumma · commit 449f33fc2419 · 2023-01-12T11:41:31.000+05:30
diff --git a/configuration/policy-configuration-definition.yaml b/configuration/policy-configuration-definition.yaml
@@ -16,21 +16,13 @@ spec:
               type: object
               properties:
                 cpuLimitMax:
-                  items:
-                    type: integer
-                  type: array
+                  type: integer
                 cpuLimitMin:
-                  items:
-                    type: integer
-                  type: array
+                  type: integer
                 cpuRequestMax:
-                  items:
-                    type: integer
-                  type: array
+                  type: integer
                 cpuRequestMin:
-                  items:
-                    type: integer
-                  type: array
+                  type: integer
                 imageRepositoryAllowList:
                   items:
                     type: string
diff --git a/controls/C-0050/policy.yaml b/controls/C-0050/policy.yaml
@@ -0,0 +1,50 @@
+apiVersion: admissionregistration.k8s.io/v1alpha1
+kind: ValidatingAdmissionPolicy
+metadata:
+  name: "kubescape-c-0050-deny-resources-with-cpu-limit-or-request-not-set"
+spec:
+  failurePolicy: Fail
+  paramKind:
+    apiVersion: kubescape.io/v1
+    kind: ControlConfiguration
+  matchConstraints:
+    resourceRules:
+    - apiGroups:   [""]
+      apiVersions: ["v1"]
+      operations:  ["CREATE", "UPDATE"]
+      resources:   ["pods"]
+    - apiGroups:   ["apps"]
+      apiVersions: ["v1"]
+      operations:  ["CREATE", "UPDATE"]
+      resources:   ["deployments","replicasets","daemonsets","statefulsets"]
+    - apiGroups:   ["batch"]
+      apiVersions: ["v1"]
+      operations:  ["CREATE", "UPDATE"]
+      resources:   ["jobs","cronjobs"]
+  validations:
+    - expression: > 
+        object.kind != 'Pod' || object.spec.containers.all(container, (!(!(has(container.resources)) || !(has(container.resources.requests)) || !(has(container.resources.requests.cpu))) && 
+        params.settings.cpuLimitMin <= int(container.resources.requests.cpu) &&
+        params.settings.cpuLimitMax >= int(container.resources.requests.cpu)) &&
+        (!(!(has(container.resources.limits)) || !(has(container.resources.limits.cpu))) &&
+        params.settings.cpuLimitMin <= int(container.resources.limits.cpu) &&
+        params.settings.cpuLimitMax >= int(container.resources.limits.cpu)))
+      message: "Pods contains container/s with cpu limit or request not set or they are not in the specified range! (see more at https://hub.armosec.io/docs/c-0050)"
+
+    - expression: >
+        ['Deployment','ReplicaSet','DaemonSet','StatefulSet','Job'].all(kind, object.kind != kind) || object.spec.template.spec.containers.all(container, (!(!(has(container.resources)) || !(has(container.resources.requests)) || !(has(container.resources.requests.cpu))) && 
+        params.settings.cpuLimitMin <= int(container.resources.requests.cpu) &&
+        params.settings.cpuLimitMax >= int(container.resources.requests.cpu)) &&
+        (!(!(has(container.resources.limits)) || !(has(container.resources.limits.cpu))) &&
+        params.settings.cpuLimitMin <= int(container.resources.limits.cpu) &&
+        params.settings.cpuLimitMax >= int(container.resources.limits.cpu)))
+      message: "Workloads contains container/s with cpu limit or request not set or they are not in the specified range! (see more at https://hub.armosec.io/docs/c-0050)"
+
+    - expression: >
+        object.kind != 'CronJob' || object.spec.jobTemplate.spec.containers.all(container, (!(!(has(container.resources)) || !(has(container.resources.requests)) || !(has(container.resources.requests.cpu))) && 
+        params.settings.cpuLimitMin <= int(container.resources.requests.cpu) &&
+        params.settings.cpuLimitMax >= int(container.resources.requests.cpu)) &&
+        (!(!(has(container.resources.limits)) || !(has(container.resources.limits.cpu))) &&
+        params.settings.cpuLimitMin <= int(container.resources.limits.cpu) &&
+        params.settings.cpuLimitMax >= int(container.resources.limits.cpu)))
+      message: "CronJob contains container/s with cpu limit or request not set or they are not in the specified range! (see more at https://hub.armosec.io/docs/c-0050)"
diff --git a/controls/C-0050/tests.json b/controls/C-0050/tests.json
@@ -0,0 +1,51 @@
+[
+    {
+        "name": "Pod with container having cpu-request and limits not set is blocked",
+        "template": "pod.yaml",
+        "expected": "fail",
+        "field_change_list": [ 
+        ]
+    },
+    {
+        "name": "Pod with container having cpu request set and limits not set is blocked",
+        "template": "pod.yaml",
+        "expected": "fail",
+        "field_change_list": [
+            "spec.containers.[0].resources.requests.cpu=2"
+        ]
+    },
+    {
+        "name": "Pod with container having cpu request and limits set and both values in the limit is allowed",
+        "template": "pod.yaml",
+        "expected": "pass",
+        "field_change_list": [
+            "spec.containers.[0].resources.requests.cpu=3",
+            "spec.containers.[0].resources.limits.cpu=3"
+        ]
+    },
+    {
+        "name": "Pod with container having cpu request and limits set and values not in the limit is blocked",
+        "template": "pod.yaml",
+        "expected": "fail",
+        "field_change_list": [
+            "spec.containers.[0].resources.requests.cpu=1",
+            "spec.containers.[0].resources.limits.cpu=6"
+        ]
+    },
+    {
+        "name": "Deployment with container having cpu-request and limits not set is blocked",
+        "template": "deployment.yaml",
+        "expected": "fail",
+        "field_change_list": [ 
+        ]
+    },
+    {
+        "name": "Deployment with container having cpu request and limits set and both values in the limit is allowed",
+        "template": "deployment.yaml",
+        "expected": "pass",
+        "field_change_list": [
+            "spec.template.spec.containers.[0].resources.requests.cpu=3",
+            "spec.template.spec.containers.[0].resources.limits.cpu=3"
+        ]
+    }
+]
diff --git a/test-resources/default-control-configuration.yaml b/test-resources/default-control-configuration.yaml
@@ -3,14 +3,10 @@ kind: ControlConfiguration
 metadata:
   name: placeholder
 settings:
-  cpuLimitMax:
-  - 0
-  cpuLimitMin:
-  - 0
-  cpuRequestMax:
-  - 0
-  cpuRequestMin:
-  - 0
+  cpuLimitMax: 5
+  cpuLimitMin: 1
+  cpuRequestMax: 5
+  cpuRequestMin: 1
   imageRepositoryAllowList:
   - gcr.io
   insecureCapabilities:
