C-0004 change type of memoryRequestMin and others to integer

Author: suhasgumma

configuration/policy-configuration-definition.yaml

@@ -48,21 +48,13 @@ spec:
                     type: integer
                   type: array
                 memoryLimitMax:
-                  items:
-                    type: integer
-                  type: array
+                  type: integer
                 memoryLimitMin:
-                  items:
-                    type: integer
-                  type: array
+                  type: integer
                 memoryRequestMax:
-                  items:
-                    type: integer
-                  type: array
+                  type: integer
                 memoryRequestMin:
-                  items:
-                    type: integer
-                  type: array
+                  type: integer
                 publicRegistries:
                   items:
                     type: string

controls/C-0004/policy.yaml

@@ -24,27 +24,27 @@ spec:
   validations:
     - expression: > 
         object.kind != 'Pod' || object.spec.containers.all(container, (!(!(has(container.resources)) || !(has(container.resources.requests)) || !(has(container.resources.requests.memory))) && 
-        params.settings.memoryRequestMin.all(mRm, mRm <= int(container.resources.requests.memory)) &&
-        params.settings.memoryRequestMax.all(mRm, mRm >= int(container.resources.requests.memory))) &&
+        params.settings.memoryRequestMin <= int(container.resources.requests.memory) &&
+        params.settings.memoryRequestMax >= int(container.resources.requests.memory)) &&
         (!(!(has(container.resources.limits)) || !(has(container.resources.limits.memory))) &&
-        params.settings.memoryLimitMin.all(mRm, mRm <= int(container.resources.limits.memory)) &&
-        params.settings.memoryLimitMax.all(mRm, mRm >= int(container.resources.limits.memory))))
+        params.settings.memoryLimitMin <= int(container.resources.limits.memory) &&
+        params.settings.memoryLimitMax >= int(container.resources.limits.memory)))
       message: "Pods contains container/s with memory limit or request not set or they are not in the specified range! (see more at https://hub.armosec.io/docs/c-0004)"
 
     - expression: >
         ['Deployment','ReplicaSet','DaemonSet','StatefulSet','Job'].all(kind, object.kind != kind) || object.spec.template.spec.containers.all(container, (!(!(has(container.resources)) || !(has(container.resources.requests)) || !(has(container.resources.requests.memory))) && 
-        params.settings.memoryRequestMin.all(mRm, mRm <= int(container.resources.requests.memory)) &&
-        params.settings.memoryRequestMax.all(mRm, mRm >= int(container.resources.requests.memory))) &&
+        params.settings.memoryRequestMin <= int(container.resources.requests.memory) &&
+        params.settings.memoryRequestMax >= int(container.resources.requests.memory)) &&
         (!(!(has(container.resources.limits)) || !(has(container.resources.limits.memory))) &&
-        params.settings.memoryLimitMin.all(mRm, mRm <= int(container.resources.limits.memory)) &&
-        params.settings.memoryLimitMax.all(mRm, mRm >= int(container.resources.limits.memory))))
+        params.settings.memoryLimitMin <= int(container.resources.limits.memory) &&
+        params.settings.memoryLimitMax >= int(container.resources.limits.memory)))
       message: "Workloads contains container/s with memory limit or request not set or they are not in the specified range! (see more at https://hub.armosec.io/docs/c-0004)"
 
     - expression: >
         object.kind != 'CronJob' || object.spec.jobTemplate.spec.containers.all(container, (!(!(has(container.resources)) || !(has(container.resources.requests)) || !(has(container.resources.requests.memory))) && 
-        params.settings.memoryRequestMin.all(mRm, mRm <= int(container.resources.requests.memory)) &&
-        params.settings.memoryRequestMax.all(mRm, mRm >= int(container.resources.requests.memory))) &&
+        params.settings.memoryRequestMin <= int(container.resources.requests.memory) &&
+        params.settings.memoryRequestMax >= int(container.resources.requests.memory)) &&
         (!(!(has(container.resources.limits)) || !(has(container.resources.limits.memory))) &&
-        params.settings.memoryLimitMin.all(mRm, mRm <= int(container.resources.limits.memory)) &&
-        params.settings.memoryLimitMax.all(mRm, mRm >= int(container.resources.limits.memory))))
+        params.settings.memoryLimitMin <= int(container.resources.limits.memory) &&
+        params.settings.memoryLimitMax >= int(container.resources.limits.memory)))
       message: "CronJob contains container/s with memory limit or request not set or they are not in the specified range! (see more at https://hub.armosec.io/docs/c-0004)"

test-resources/default-control-configuration.yaml

@@ -45,14 +45,10 @@ settings:
   - 5
   maxHighVulnerabilities:
   - 10
-  memoryLimitMax:
-  - 256
-  memoryLimitMin:
-  - 32
-  memoryRequestMax:
-  - 256
-  memoryRequestMin:
-  - 32
+  memoryLimitMax: 256
+  memoryLimitMin: 32
+  memoryRequestMax: 256
+  memoryRequestMin: 32
   publicRegistries:
   - docker.io
   - gcr.io