From aaa895db6e94b7d0848298fbedcf6b14e30ad64a Mon Sep 17 00:00:00 2001 From: serboctor Date: Wed, 31 May 2023 16:36:57 +0300 Subject: [PATCH 1/4] Upgrade api version in sample policies --- docs/getting-started.md | 36 +++---- docs/policy.md | 7 +- ...rContainerAllowingPrivilegeEscalation.yaml | 6 +- policies/ControllerContainerBlockSysctls.yaml | 28 ++--- .../ControllerContainerRunningAsRoot.yaml | 102 +++++++++--------- policies/ControllerMinimumReplicaCount.yaml | 30 +++--- policies/ControllerReadOnlyFileSystem.yaml | 48 +-------- 7 files changed, 104 insertions(+), 153 deletions(-) diff --git a/docs/getting-started.md b/docs/getting-started.md index 899161ef..f6d80643 100644 --- a/docs/getting-started.md +++ b/docs/getting-started.md @@ -14,16 +14,10 @@ If you are not using flux, you need to have both [Helm](https://helm.sh/docs/int By default, the policy agent is configured to enforce policies using kubernetes admisson controller, and publish the violation events to Kubernetes Events. For advanced configurations, please check [here](../helm/values.yaml). -To install Weave Policy Agent, you can use Flux and HelmRelease as part of GitOps ecosystem, or you can directly install the agent using just Helm. +To install Weave Policy Agent, you can use Flux and HelmRelease as part of GitOps ecosystem, or you can directly install the agent using just Helm. ### Using HelmRelease and Flux -Create `policy-system` namespace to install the chart in - - ```bash - kubectl create ns policy-system - ``` - In your flux repo in the cluster's directory, create the following `HelmRepository` and `HelmRelease` manifests that reference the policy helm chart, push the new files to your repository. Note: You can create these manifests in another directory, just make sure the directory is getting reconciled by flux. @@ -86,6 +80,8 @@ spec: version: 2.3.0 interval: 10m0s targetNamespace: policy-system + install: + createNamespace: true values: caCertificate: "" certificate: "" 
@@ -148,9 +144,9 @@ Check the installation status using the below command, you should expect the pod ## Installing Policies -Weave Policy Agent uses policies custom resources to validate resources compliance. Policy custom resource follows this definition ([Policy CRD](../helm/crds/pac.weave.works_policies.yaml)), and it consists of policy code and policy meta data. Policy code is written in OPA Rego Language. +Weave Policy Agent uses policies custom resources to validate resources compliance. Policy custom resource follows this definition ([Policy CRD](../helm/crds/pac.weave.works_policies.yaml)), and it consists of policy code and policy meta data. Policy code is written in OPA Rego Language. -To get started, you can use the default policies found [here](../policies/), which covers some kubernetes and flux best practices. +To get started, you can use the default policies found [here](../policies/), which covers some kubernetes and flux best practices. ### Using Flux Kustomization @@ -194,7 +190,7 @@ Create `policies` directory and create the following `kustomization.yaml` file, ``` bash kubectl apply -k policies -``` +```
kustomization.yaml - Click to expand .. @@ -218,17 +214,17 @@ kubectl get policies ### View Policies in WeaveGitOps -If you have WeaveGitOps UI installed on your cluster, you can use it to explore the policies installed on the cluster, as well as, explore the details on each policy. +If you have WeaveGitOps UI installed on your cluster, you can use it to explore the policies installed on the cluster, as well as, explore the details on each policy. ## Explore Violations -With the agent and policies installed, Weave Policy Agent will prevent any resource that violate the relevant polices from being created or updated. +With the agent and policies installed, Weave Policy Agent will prevent any resource that violate the relevant polices from being created or updated. -When using flux, flux reconcilation will fail if one of your application resources is violating any of the policies. +When using flux, flux reconcilation will fail if one of your application resources is violating any of the policies. -You should be able to see an error like this: +You should be able to see an error like this:
Admission controller violation error - Click to expand .. @@ -240,7 +236,7 @@ You should be able to see an error like this: Entity : deployment/nginx-deployment in namespace: default Occurrences: - Replica count must be greater than or equal to '2'; found '1'. - ): error when creating "deployment.yaml": admission webhook "admission.agent.weaveworks" denied the request: + ): error when creating "deployment.yaml": admission webhook "admission.agent.weaveworks" denied the request: ================================================================== Policy : weave.policies.containers-minimum-replica-count Entity : deployment/nginx-deployment in namespace: default @@ -251,7 +247,7 @@ You should be able to see an error like this:
### Violating Deployment Example -If you don't have a violating application/resource on your cluster, you can use the following Deployment as an example to try the agent out. +If you don't have a violating application/resource on your cluster, you can use the following Deployment as an example to try the agent out. This deployment is violating `Containers Minimum Replica Count` policy by having 1 replicas instead of min. 2 replicas. @@ -297,7 +293,7 @@ Since Kubernetes events are configured as a sink for the admission mode, you can ### Check violations via WeaveGitOps UI -If you have WeaveGitOps UI installed, you can find each policy violations listed in Violations tab inside each policy. +If you have WeaveGitOps UI installed, you can find each policy violations listed in Violations tab inside each policy. @@ -305,11 +301,11 @@ If you have WeaveGitOps UI installed, you can find each policy violations listed Your next step is to start fix policy violations, for that you can follow the remediation steps listed in each policy, apply them to the violating resources, and re-apply the resource or let flux sync the updated manifest. -Remediation steps are aavailable in the policy custom resource `yaml`, under the `how_to_resolve` section. +Remediation steps are aavailable in the policy custom resource `yaml`, under the `how_to_resolve` section. ![how to solve](./imgs/how-to-solve.png) -The remediation steps also are viewable using WeaveGitOps UI in each policy page. +The remediation steps also are viewable using WeaveGitOps UI in each policy page. 
@@ -319,7 +315,7 @@ To fix the violation on the deployment example, simply update the `replicas` cou ## Exclude Namespaces -Usually, you will have certain namespaces that you need to be excluded from policy evaluation, because they are vital to how your cluster operate and you don't want them affected by policy violations, for example `kube-system` and `flux-system`. +Usually, you will have certain namespaces that you need to be excluded from policy evaluation, because they are vital to how your cluster operate and you don't want them affected by policy violations, for example `kube-system` and `flux-system`. To prevent the agent from scanning certain namespaces and stop deployments, you can add these namespaces to `excludeNamespaces` in the Policy Agent helm chart values file. diff --git a/docs/policy.md b/docs/policy.md index ea287cdc..321d3c01 100644 --- a/docs/policy.md +++ b/docs/policy.md @@ -11,13 +11,13 @@ You can find the cutom resource schema [here](../config/crd/bases/pac.weave.work ## Policy Library -Here is the Weaveworks [Policy Library](https://github.com/weaveworks/policy-library) +Weaveworks offers an extensive policy library to Weave GitOps Enterprise customers. The library contains over 100 policies that cover security, best practices, and standards like SOC2, GDPR, PCI-DSS, HIPAA, Mitre Attack and more. ## Tenant Policy It is used in [Multi Tenancy](https://docs.gitops.weave.works/docs/enterprise/multi-tenancy/) feature in [Weave GitOps Enterprise](https://docs.gitops.weave.works/docs/enterprise/intro/) -Tenant policies has a special tag `tenancy`. +Tenant policies has a special tag `tenancy`. ## Mutating Resources 
@@ -28,7 +28,7 @@ Starting from version `v2.2.0`, the policy agent will support mutating resources To enable mutating resources policies must have field `mutate` set to `true` and the rego code should return the `violating_key` and the `recommended_value` in the violation response. The mutation webhook will use the `violating_key` and `recommended_value` to mutate the resource and return the new mutated resource. -Example +Example ``` result = { @@ -38,4 +38,3 @@ result = { "recommended_value": min_replica_count } ``` - diff --git a/policies/ControllerContainerAllowingPrivilegeEscalation.yaml b/policies/ControllerContainerAllowingPrivilegeEscalation.yaml index 8e72be6c..fdec7f7a 100644 --- a/policies/ControllerContainerAllowingPrivilegeEscalation.yaml +++ b/policies/ControllerContainerAllowingPrivilegeEscalation.yaml @@ -1,4 +1,4 @@ -apiVersion: pac.weave.works/v2beta1 +apiVersion: pac.weave.works/v2beta2 kind: Policy metadata: name: weave.policies.containers-running-with-privilege-escalation @@ -106,6 +106,6 @@ spec: } isExcludedNamespace = true { - controller_input.metadata.namespace - controller_input.metadata.namespace in exclude_namespaces + controller_input.metadata.namespace + controller_input.metadata.namespace in exclude_namespaces } else = false diff --git a/policies/ControllerContainerBlockSysctls.yaml b/policies/ControllerContainerBlockSysctls.yaml index 505ef76b..c0e7e374 100644 --- a/policies/ControllerContainerBlockSysctls.yaml +++ b/policies/ControllerContainerBlockSysctls.yaml @@ -1,4 +1,4 @@ -apiVersion: pac.weave.works/v2beta1 +apiVersion: pac.weave.works/v2beta2 kind: Policy metadata: name: weave.policies.container-block-sysctl 
@@ -54,33 +54,33 @@ spec: exclude_label_value := input.parameters.exclude_label_value violation[result] { - isExcludedNamespace == false - not exclude_label_value == controller_input.metadata.labels[exclude_label_key] + isExcludedNamespace == false + not exclude_label_value == controller_input.metadata.labels[exclude_label_key] controller_spec.securityContext.sysctls - result = { - "issue detected": true, - "msg": "Adding sysctls could lead to unauthorized escalated privileges to the underlying node", - "violating_key": "spec.template.spec.securityContext.sysctls" - } + result = { + "issue detected": true, + "msg": "Adding sysctls could lead to unauthorized escalated privileges to the underlying node", + "violating_key": "spec.template.spec.securityContext.sysctls" + } } ###### Functions isArrayContains(array, str) { - array[_] = str + array[_] = str } # Initial Setup controller_input = input.review.object controller_spec = controller_input.spec.template.spec { - isArrayContains({"StatefulSet", "DaemonSet", "Deployment", "Job", "ReplicaSet"}, controller_input.kind) + isArrayContains({"StatefulSet", "DaemonSet", "Deployment", "Job", "ReplicaSet"}, controller_input.kind) } else = controller_input.spec { - controller_input.kind == "Pod" + controller_input.kind == "Pod" } else = controller_input.spec.jobTemplate.spec.template.spec { - controller_input.kind == "CronJob" + controller_input.kind == "CronJob" } isExcludedNamespace = true { - controller_input.metadata.namespace - controller_input.metadata.namespace in exclude_namespaces + controller_input.metadata.namespace + controller_input.metadata.namespace in exclude_namespaces } else = false diff --git a/policies/ControllerContainerRunningAsRoot.yaml b/policies/ControllerContainerRunningAsRoot.yaml index 9b013028..a786eb4e 100644 --- a/policies/ControllerContainerRunningAsRoot.yaml +++ b/policies/ControllerContainerRunningAsRoot.yaml 
@@ -1,4 +1,4 @@ -apiVersion: pac.weave.works/v2beta1 +apiVersion: pac.weave.works/v2beta2 kind: Policy metadata: name: weave.policies.container-running-as-root 
@@ -55,77 +55,77 @@ spec: # Check for missing securityContext.runAsNonRoot (missing in both, pod and container) violation[result] { - isExcludedNamespace == false - not exclude_label_value == controller_input.metadata.labels[exclude_label_key] - - controller_spec.securityContext - not controller_spec.securityContext.runAsNonRoot - not controller_spec.securityContext.runAsNonRoot == false - - some i - containers := controller_spec.containers[i] - containers.securityContext - not containers.securityContext.runAsNonRoot - not containers.securityContext.runAsNonRoot == false - - result = { - "issue detected": true, - "msg": sprintf("Container missing spec.template.spec.containers[%v].securityContext.runAsNonRoot while Pod spec.template.spec.securityContext.runAsNonRoot is not defined as well.", [i]), - "violating_key": sprintf("spec.template.spec.containers[%v].securityContext", [i]), - } + isExcludedNamespace == false + not exclude_label_value == controller_input.metadata.labels[exclude_label_key] + + controller_spec.securityContext + not controller_spec.securityContext.runAsNonRoot + not controller_spec.securityContext.runAsNonRoot == false + + some i + containers := controller_spec.containers[i] + containers.securityContext + not containers.securityContext.runAsNonRoot + not containers.securityContext.runAsNonRoot == false + + result = { + "issue detected": true, + "msg": sprintf("Container missing spec.template.spec.containers[%v].securityContext.runAsNonRoot while Pod spec.template.spec.securityContext.runAsNonRoot is not defined as well.", [i]), + "violating_key": sprintf("spec.template.spec.containers[%v].securityContext", [i]), + } } # Container security context # Check if containers.securityContext.runAsNonRoot exists and = false violation[result] { - isExcludedNamespace == false - not exclude_label_value == controller_input.metadata.labels[exclude_label_key] - - some i - containers := controller_spec.containers[i] - containers.securityContext - 
containers.securityContext.runAsNonRoot == false - - result = { - "issue detected": true, - "msg": sprintf("Container spec.template.spec.containers[%v].securityContext.runAsNonRoot should be set to true ", [i]), - "violating_key": sprintf("spec.template.spec.containers[%v].securityContext.runAsNonRoot", [i]), - "recommended_value": true, - } + isExcludedNamespace == false + not exclude_label_value == controller_input.metadata.labels[exclude_label_key] + + some i + containers := controller_spec.containers[i] + containers.securityContext + containers.securityContext.runAsNonRoot == false + + result = { + "issue detected": true, + "msg": sprintf("Container spec.template.spec.containers[%v].securityContext.runAsNonRoot should be set to true ", [i]), + "violating_key": sprintf("spec.template.spec.containers[%v].securityContext.runAsNonRoot", [i]), + "recommended_value": true, + } } # Pod security context # Check if spec.securityContext.runAsNonRoot exists and = false violation[result] { - isExcludedNamespace == false - not exclude_label_value == controller_input.metadata.labels[exclude_label_key] - - controller_spec.securityContext - controller_spec.securityContext.runAsNonRoot == false - - result = { - "issue detected": true, - "msg": "Pod spec.template.spec.securityContext.runAsNonRoot should be set to true", - "violating_key": "spec.template.spec.securityContext.runAsNonRoot", - "recommended_value": true, - } + isExcludedNamespace == false + not exclude_label_value == controller_input.metadata.labels[exclude_label_key] + + controller_spec.securityContext + controller_spec.securityContext.runAsNonRoot == false + + result = { + "issue detected": true, + "msg": "Pod spec.template.spec.securityContext.runAsNonRoot should be set to true", + "violating_key": "spec.template.spec.securityContext.runAsNonRoot", + "recommended_value": true, + } } controller_input = input.review.object controller_spec = controller_input.spec.template.spec { - contains(controller_input.kind, 
{"StatefulSet", "DaemonSet", "Deployment", "Job", "ReplicaSet"}) + contains(controller_input.kind, {"StatefulSet", "DaemonSet", "Deployment", "Job", "ReplicaSet"}) } else = controller_input.spec { - controller_input.kind == "Pod" + controller_input.kind == "Pod" } else = controller_input.spec.jobTemplate.spec.template.spec { - controller_input.kind == "CronJob" + controller_input.kind == "CronJob" } contains(kind, kinds) { - kinds[_] = kind + kinds[_] = kind } isExcludedNamespace = true { - controller_input.metadata.namespace - controller_input.metadata.namespace in exclude_namespaces + controller_input.metadata.namespace + controller_input.metadata.namespace in exclude_namespaces } else = false diff --git a/policies/ControllerMinimumReplicaCount.yaml b/policies/ControllerMinimumReplicaCount.yaml index e20977db..f1f172d0 100644 --- a/policies/ControllerMinimumReplicaCount.yaml +++ b/policies/ControllerMinimumReplicaCount.yaml @@ -27,7 +27,7 @@ spec: - id: weave.standards.soc2-type-i controls: - weave.controls.soc2-type-i.2.1.1 - tags: [soc2-type1, tenancy] + tags: [soc2-type1] parameters: - name: replica_count type: integer 
@@ -58,30 +58,30 @@ spec: controller_input := input.review.object violation[result] { - isExcludedNamespace == false + isExcludedNamespace == false not exclude_label_value == controller_input.metadata.labels[exclude_label_key] - not replicas >= min_replica_count - result = { - "issue detected": true, - "msg": sprintf("Replica count must be greater than or equal to '%v'; found '%v'.", [min_replica_count, replicas]), - "violating_key": violating_key, - "recommended_value": min_replica_count, - } + not replicas >= min_replica_count + result = { + "issue detected": true, + "msg": sprintf("Replica count must be greater than or equal to '%v'; found '%v'.", [min_replica_count, replicas]), + "violating_key": violating_key, + "recommended_value": min_replica_count, + } } replicas := controller_input.spec.replicas { - controller_input.kind in {"Deployment", "StatefulSet", "ReplicaSet", "ReplicationController"} + controller_input.kind in {"Deployment", "StatefulSet", "ReplicaSet", "ReplicationController"} } else := controller_input.spec.minReplicas { - controller_input.kind == "HorizontalPodAutoscaler" + controller_input.kind == "HorizontalPodAutoscaler" } violating_key := "spec.replicas" { - controller_input.kind in {"Deployment", "StatefulSet", "ReplicaSet", "ReplicationController"} + controller_input.kind in {"Deployment", "StatefulSet", "ReplicaSet", "ReplicationController"} } else := "spec.minReplicas" { - controller_input.kind == "HorizontalPodAutoscaler" + controller_input.kind == "HorizontalPodAutoscaler" } isExcludedNamespace = true { - controller_input.metadata.namespace - controller_input.metadata.namespace in exclude_namespaces + controller_input.metadata.namespace + controller_input.metadata.namespace in exclude_namespaces } else = false diff --git a/policies/ControllerReadOnlyFileSystem.yaml b/policies/ControllerReadOnlyFileSystem.yaml index e5b31798..e3d01cf4 100644 --- a/policies/ControllerReadOnlyFileSystem.yaml 
+++ b/policies/ControllerReadOnlyFileSystem.yaml @@ -1,4 +1,4 @@ -apiVersion: pac.weave.works/v2beta1 +apiVersion: pac.weave.works/v2beta2 kind: Policy metadata: name: weave.policies.containers-read-only-root-filesystem 
@@ -36,48 +36,4 @@ spec: type: string required: false value: - code: |- - package weave.advisor.podSecurity.enforce_ro_fs - - import future.keywords.in - - read_only = input.parameters.read_only - exclude_namespaces := input.parameters.exclude_namespaces - exclude_label_key := input.parameters.exclude_label_key - exclude_label_value := input.parameters.exclude_label_value - - violation[result] { - isExcludedNamespace == false - not exclude_label_value == controller_input.metadata.labels[exclude_label_key] - some i - containers := controller_spec.containers[i] - root_fs := containers.securityContext.readOnlyRootFilesystem - not root_fs == read_only - result = { - "issue detected": true, - "msg": sprintf("readOnlyRootFilesystem should equal '%v'; detected '%v'", [read_only, root_fs]), - "recommended_value": read_only, - "violating_key": sprintf("spec.template.spec.containers[%v].securityContext.readOnlyRootFilesystem", [i]) - } - } - - # Controller input - controller_input = input.review.object - - # controller_container acts as an iterator to get containers from the template - controller_spec = controller_input.spec.template.spec { - contains_kind(controller_input.kind, {"StatefulSet" , "DaemonSet", "Deployment", "Job"}) - } else = controller_input.spec { - controller_input.kind == "Pod" - } else = controller_input.spec.jobTemplate.spec.template.spec { - controller_input.kind == "CronJob" - } - - contains_kind(kind, kinds) { - kinds[_] = kind - } - - isExcludedNamespace = true { - controller_input.metadata.namespace - controller_input.metadata.namespace in exclude_namespaces - } else = false + code: "package weave.advisor.podSecurity.enforce_ro_fs\n\nimport future.keywords.in\n\nread_only = input.parameters.read_only\nexclude_namespaces := input.parameters.exclude_namespaces\nexclude_label_key := input.parameters.exclude_label_key\nexclude_label_value := input.parameters.exclude_label_value\n\nviolation[result] {\n isExcludedNamespace == false\n not 
exclude_label_value == controller_input.metadata.labels[exclude_label_key]\n some i\n containers := controller_spec.containers[i]\n root_fs := containers.securityContext.readOnlyRootFilesystem\n not root_fs == read_only\n result = {\n \"issue detected\": true,\n \"msg\": sprintf(\"readOnlyRootFilesystem should equal '%v'; detected '%v'\", [read_only, root_fs]),\n \"recommended_value\": read_only,\n \"violating_key\": sprintf(\"spec.template.spec.containers[%v].securityContext.readOnlyRootFilesystem\", [i]) \n }\n}\n\n# Controller input\ncontroller_input = input.review.object\n\n# controller_container acts as an iterator to get containers from the template\ncontroller_spec = controller_input.spec.template.spec {\n contains_kind(controller_input.kind, {\"StatefulSet\" , \"DaemonSet\", \"Deployment\", \"Job\"})\n} else = controller_input.spec {\n controller_input.kind == \"Pod\"\n} else = controller_input.spec.jobTemplate.spec.template.spec {\n controller_input.kind == \"CronJob\"\n}\n\ncontains_kind(kind, kinds) {\n kinds[_] = kind\n}\n\nisExcludedNamespace = true {\n\tcontroller_input.metadata.namespace\n\tcontroller_input.metadata.namespace in exclude_namespaces\n} else = false\n" From 2ce352f14941f4e482ba9529d5651155696bedef Mon Sep 17 00:00:00 2001 From: serboctor Date: Wed, 31 May 2023 17:08:30 +0300 Subject: [PATCH 2/4] Change code format in ControllerReadOnlyFileSystem policy --- policies/ControllerReadOnlyFileSystem.yaml | 46 +++++++++++++++++++++- 1 file changed, 45 insertions(+), 1 deletion(-) diff --git a/policies/ControllerReadOnlyFileSystem.yaml b/policies/ControllerReadOnlyFileSystem.yaml index e3d01cf4..7e60097b 100644 --- a/policies/ControllerReadOnlyFileSystem.yaml +++ b/policies/ControllerReadOnlyFileSystem.yaml 
@@ -36,4 +36,48 @@ spec: type: string required: false value: - code: "package weave.advisor.podSecurity.enforce_ro_fs\n\nimport future.keywords.in\n\nread_only = input.parameters.read_only\nexclude_namespaces := input.parameters.exclude_namespaces\nexclude_label_key := input.parameters.exclude_label_key\nexclude_label_value := input.parameters.exclude_label_value\n\nviolation[result] {\n isExcludedNamespace == false\n not exclude_label_value == controller_input.metadata.labels[exclude_label_key]\n some i\n containers := controller_spec.containers[i]\n root_fs := containers.securityContext.readOnlyRootFilesystem\n not root_fs == read_only\n result = {\n \"issue detected\": true,\n \"msg\": sprintf(\"readOnlyRootFilesystem should equal '%v'; detected '%v'\", [read_only, root_fs]),\n \"recommended_value\": read_only,\n \"violating_key\": sprintf(\"spec.template.spec.containers[%v].securityContext.readOnlyRootFilesystem\", [i]) \n }\n}\n\n# Controller input\ncontroller_input = input.review.object\n\n# controller_container acts as an iterator to get containers from the template\ncontroller_spec = controller_input.spec.template.spec {\n contains_kind(controller_input.kind, {\"StatefulSet\" , \"DaemonSet\", \"Deployment\", \"Job\"})\n} else = controller_input.spec {\n controller_input.kind == \"Pod\"\n} else = controller_input.spec.jobTemplate.spec.template.spec {\n controller_input.kind == \"CronJob\"\n}\n\ncontains_kind(kind, kinds) {\n kinds[_] = kind\n}\n\nisExcludedNamespace = true {\n\tcontroller_input.metadata.namespace\n\tcontroller_input.metadata.namespace in exclude_namespaces\n} else = false\n" + code: | + package weave.advisor.podSecurity.enforce_ro_fs + + import future.keywords.in + + read_only = input.parameters.read_only + exclude_namespaces := input.parameters.exclude_namespaces + exclude_label_key := input.parameters.exclude_label_key + exclude_label_value := input.parameters.exclude_label_value + + violation[result] { + isExcludedNamespace == false + not 
exclude_label_value == controller_input.metadata.labels[exclude_label_key] + some i + containers := controller_spec.containers[i] + root_fs := containers.securityContext.readOnlyRootFilesystem + not root_fs == read_only + result = { + "issue detected": true, + "msg": sprintf("readOnlyRootFilesystem should equal '%v'; detected '%v'", [read_only, root_fs]), + "recommended_value": read_only, + "violating_key": sprintf("spec.template.spec.containers[%v].securityContext.readOnlyRootFilesystem", [i]) + } + } + + # Controller input + controller_input = input.review.object + + # controller_container acts as an iterator to get containers from the template + controller_spec = controller_input.spec.template.spec { + contains_kind(controller_input.kind, {"StatefulSet" , "DaemonSet", "Deployment", "Job"}) + } else = controller_input.spec { + controller_input.kind == "Pod" + } else = controller_input.spec.jobTemplate.spec.template.spec { + controller_input.kind == "CronJob" + } + + contains_kind(kind, kinds) { + kinds[_] = kind + } + + isExcludedNamespace = true { + controller_input.metadata.namespace + controller_input.metadata.namespace in exclude_namespaces + } else = false From bd97837400f04232769f70592f8c2b3383276936 Mon Sep 17 00:00:00 2001 From: serboctor Date: Wed, 31 May 2023 17:35:39 +0300 Subject: [PATCH 3/4] Unify policy code formating in policy examples --- policies/ControllerMinimumReplicaCount.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/policies/ControllerMinimumReplicaCount.yaml b/policies/ControllerMinimumReplicaCount.yaml index f1f172d0..64a15d61 100644 --- a/policies/ControllerMinimumReplicaCount.yaml +++ b/policies/ControllerMinimumReplicaCount.yaml @@ -45,7 +45,7 @@ spec: type: string required: false value: - code: |- + code: | package weave.advisor.pods.replica_count import future.keywords.in From 3ea3a2c91bd628051cf6efa83d1502d6e55c99a2 Mon Sep 17 00:00:00 2001 
From: Sara Abdelmessih Date: Thu, 1 Jun 2023 12:34:24 +0300 Subject: [PATCH 4/4] Update docs/policy.md Co-authored-by: Mostafa Megahid --- docs/policy.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/docs/policy.md b/docs/policy.md index 321d3c01..fba4273d 100644 --- a/docs/policy.md +++ b/docs/policy.md @@ -11,7 +11,7 @@ You can find the cutom resource schema [here](../config/crd/bases/pac.weave.work ## Policy Library -Weaveworks offers an extensive policy library to Weave GitOps Enterprise customers. The library contains over 100 policies that cover security, best practices, and standards like SOC2, GDPR, PCI-DSS, HIPAA, Mitre Attack and more. +Weaveworks offers an extensive policy library to Weave GitOps Assured and Enterprise customers. The library contains over 150 policies that cover security, best practices, and standards like SOC2, GDPR, PCI-DSS, HIPAA, Mitre Attack, and more. ## Tenant Policy
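Review bot: in docs/getting-started.md, the `@@ -14,16 +14,10 @@` hunk removes the `kubectl create ns policy-system` step from the Flux section, and that is only safe because the `@@ -86,6 +80,8 @@` hunk adds `install: createNamespace: true` to the HelmRelease; the two hunks belong together and should be described as one change in the commit message. The direct-Helm install path, which this diff does not show, loses the only namespace-creation step in the document, so confirm that section still passes `--create-namespace` or keeps a `kubectl create ns` line. `createNamespace` also acts only on first install; helm-controller has no equivalent under `upgrade`, so a deleted namespace is not recreated later. While touching this paragraph, the context line `kubernetes admisson controller` should read `admission`.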
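Review bot: the hunks at `@@ -148`, `@@ -194`, `@@ -218`, `@@ -240`, `@@ -251`, `@@ -297`, `@@ -305` and `@@ -319` in docs/getting-started.md and `@@ -28` and `@@ -38` in docs/policy.md change only trailing whitespace or a trailing blank line; mixed into a commit titled "Upgrade api version in sample policies" they roughly double the diff and pollute `git blame` for those lines. Move them into a separate whitespace-only commit, or drop them and let an editorconfig or pre-commit hook handle trailing whitespace going forward.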
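Review bot: in docs/policy.md `@@ -11,13 +11,13 @@`, the removed line was the document's only link to where a reader can obtain policies (`https://github.com/weaveworks/policy-library`), and the replacement is a product statement with no link; patch 4 then rewrites the same sentence again (`100` becomes `150`, `Enterprise` becomes `Assured and Enterprise`). Squash the two edits, keep a link to wherever the library now lives or point at the `policies/` directory as the freely available sample set, and avoid a hard policy count in reference docs, since it already drifted by 50 within this series. `Mitre Attack` should be written `MITRE ATT&CK`.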
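Review bot: the `apiVersion: pac.weave.works/v2beta2` bump in the `@@ -1,4 +1,4 @@` hunks of ControllerContainerAllowingPrivilegeEscalation.yaml, ControllerContainerBlockSysctls.yaml, ControllerContainerRunningAsRoot.yaml and ControllerReadOnlyFileSystem.yaml is only valid if the Policy CRD that `kubectl apply -k policies` targets serves `v2beta2`; both CRD copies the docs link to (`helm/crds/pac.weave.works_policies.yaml` and the one under `config/crd/bases/`) are outside this diff, so confirm they list `v2beta2` as a served version, otherwise the getting-started flow fails with `no matches for kind "Policy" in version "pac.weave.works/v2beta2"`. policies/ControllerMinimumReplicaCount.yaml is modified by the same commit but shows no apiVersion hunk; either it was already on `v2beta2`, which the commit message should say, or the bump was missed.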
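Review bot: in ControllerContainerBlockSysctls.yaml `@@ -54,33 +54,33 @@`, the body line `controller_spec.securityContext.sysctls` is satisfied by an empty list, so a pod with `securityContext: {sysctls: []}` is reported as a violation; use `count(controller_spec.securityContext.sysctls) > 0`. The rest of the hunk is a tab-to-space reindent of unchanged logic and belongs in the formatting commit, ideally produced by `opa fmt` so all files share one style. The same helper is named `isArrayContains` here, `contains` in ControllerContainerRunningAsRoot.yaml and `contains_kind` in ControllerReadOnlyFileSystem.yaml; with `future.keywords.in` already imported, `controller_input.kind in {"StatefulSet", "DaemonSet", "Deployment", "Job", "ReplicaSet"}` removes the helper entirely, as ControllerMinimumReplicaCount.yaml already does.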
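Review bot: in ControllerContainerRunningAsRoot.yaml `@@ -55,77 +55,77 @@`, the first `violation[result]` body (commented as checking for `runAsNonRoot` missing in both pod and container) requires `controller_spec.securityContext` and `containers.securityContext` to exist before it tests that `runAsNonRoot` is absent, so a workload that sets no securityContext at all, the common default that runs as whatever user the image declares, produces no violation. Drop those two existence lines; the following `not ...runAsNonRoot` and `not ...runAsNonRoot == false` checks are already undefined-safe and express the intended condition on their own. `contains(kind, kinds)` shadows the OPA string built-in `contains` and is better renamed or replaced with `controller_input.kind in {...}`, and the message in the second rule ends with a stray space before the closing quote.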
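Review bot: in ControllerMinimumReplicaCount.yaml `@@ -27,7 +27,7 @@`, dropping `tenancy` from `tags: [soc2-type1, tenancy]` changes which policies the multi-tenancy feature selects (docs/policy.md in this same series states that tenant policies carry the special tag `tenancy`), which has nothing to do with the commit subject "Upgrade api version in sample policies" and is not explained. Split it into its own commit with the reason, or restore the tag.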
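Review bot: in ControllerMinimumReplicaCount.yaml `@@ -58,30 +58,30 @@`, `replicas := controller_input.spec.replicas` is undefined when a Deployment, ReplicaSet, StatefulSet or ReplicationController omits `spec.replicas` (the API server defaults it to 1); `not replicas >= min_replica_count` is then true, but the `sprintf(...)` call in `result` references the undefined `replicas` and the whole body fails, so the most common single-replica manifest is never flagged. An HPA without `minReplicas` (also defaulted to 1) has the same gap. Default the value instead: `replicas := object.get(controller_input.spec, "replicas", 1)` in the first branch and `object.get(controller_input.spec, "minReplicas", 1)` in the second. The hunk also leaves `not exclude_label_value == controller_input.metadata.labels[exclude_label_key]` at its old indentation while reindenting the lines around it.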
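Review bot: patch 1's `@@ -36,48 +36,4 @@` hunk in ControllerReadOnlyFileSystem.yaml collapses the whole Rego block into a single double-quoted YAML scalar with `\n` and `\t` escapes, and patch 2's `@@ -36,4 +36,48 @@` immediately restores `code: |`; squash the two so the unreadable intermediate state never enters history. In the policy itself, `root_fs := containers.securityContext.readOnlyRootFilesystem` is undefined when the field is omitted, which is the Kubernetes default (writable root filesystem), so only an explicit `readOnlyRootFilesystem: false` is reported while the default passes; use `root_fs := object.get(containers, ["securityContext", "readOnlyRootFilesystem"], false)`. The kinds set `{"StatefulSet" , "DaemonSet", "Deployment", "Job"}` also omits `ReplicaSet`, which the other three controller policies in this diff include.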
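Review bot: patch 3's `@@ -45,7 +45,7 @@` in ControllerMinimumReplicaCount.yaml changes `code: |-` to `code: |`, which only appends a trailing newline to the Rego string and is harmless; but a commit titled "Unify policy code formating" (typo: formatting) should say which convention the other policies follow, and the `code:` lines of ControllerContainerAllowingPrivilegeEscalation.yaml, ControllerContainerBlockSysctls.yaml and ControllerContainerRunningAsRoot.yaml are not in this diff, so the unification cannot be confirmed from the patch alone.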