ControllerMinimumReplicaCount.yaml
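# Policy: require a minimum replica count on replicated workload controllers.
# The embedded Rego reads the object under review from input.review.object and
# the threshold from input.parameters.replica_count.
apiVersion: pac.weave.works/v2beta3
kind: Policy
metadata:
  name: weave.policies.containers-minimum-replica-count
spec:
  id: weave.policies.containers-minimum-replica-count
  name: Containers Minimum Replica Count
  enforce: true
  description: "Use this Policy to check the replica count of your workloads. The value set in the Policy is greater than or equal to the amount desired, so if the replica count is lower than what is specified, the Policy will be in violation. \n"
  how_to_solve: |
    The replica count should be a value equal or greater than what is set in the Policy.
    ```
    spec:
      replicas: <replica_count>
    ```
    https://kubernetes.io/docs/concepts/workloads/controllers/deployment/#scaling-a-deployment
  category: weave.categories.reliability
  severity: medium
  # Keep this list in sync with the kind checks in the Rego below: a kind listed
  # here but not handled there leaves `replicas` undefined for that kind.
  targets:
    kinds:
      - Deployment
      - StatefulSet
      - ReplicaSet
      - ReplicationController
      - HorizontalPodAutoscaler
  standards:
    - id: weave.standards.soc2-type-i
      controls:
        - weave.controls.soc2-type-i.2.1.1
  tags: [soc2-type1]
  parameters:
    # Minimum acceptable replica count; objects below it are reported.
    - name: replica_count
      type: integer
      required: true
      value: 2
  code: |
    package weave.advisor.pods.replica_count

    import future.keywords.in

    min_replica_count := input.parameters.replica_count

    controller_input := input.review.object

    # Reports the object when its effective replica count is below the minimum.
    violation[result] {
      not replicas >= min_replica_count
      result = {
        "issue detected": true,
        "msg": sprintf("Replica count must be greater than or equal to '%v'; found '%v'.", [min_replica_count, replicas]),
        "violating_key": violating_key,
        "recommended_value": min_replica_count,
      }
    }

    # Effective replica count for the reviewed kind.
    # An omitted field is read as 1, the value Kubernetes defaults it to. Without
    # the default, an object that omits the field leaves `replicas` undefined; the
    # `not` above then succeeds, but the sprintf referencing `replicas` is
    # undefined, so no violation is produced and the object passes unchecked.
    # This matters mainly where the object is evaluated before API-server
    # defaulting (for example raw manifests); confirm against how the policy is run.
    replicas := object.get(controller_input.spec, "replicas", 1) {
      controller_input.kind in {"Deployment", "StatefulSet", "ReplicaSet", "ReplicationController"}
    } else := object.get(controller_input.spec, "minReplicas", 1) {
      controller_input.kind == "HorizontalPodAutoscaler"
    }

    # Field path reported to the user; it mirrors the field read by `replicas`.
    violating_key := "spec.replicas" {
      controller_input.kind in {"Deployment", "StatefulSet", "ReplicaSet", "ReplicationController"}
    } else := "spec.minReplicas" {
      controller_input.kind == "HorizontalPodAutoscaler"
    }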