github.com/khulnasoft-lab/defsec@v1.0.5-0.20230827010352-5e9f46893d95/rules/kubernetes/policies/advanced/optional/use_limit_range_test.rego

github.com/khulnasoft-lab/defsec@v1.0.5-0.20230827010352-5e9f46893d95/rules/kubernetes/policies/advanced/optional/use_limit_range_test.rego (about)

     1  package builtin.kubernetes.KSV039
     2  
     3  test_use_limit_range_configure {
     4  	r := deny with input as {
     5  		"apiVersion": "v1",
     6  		"kind": "LimitRange",
     7  		"metadata": {"name": "core-resource-limits"},
     8  		"spec": {"limits": [
     9  			{
    10  				"type": "Pod",
    11  				"max": {
    12  					"cpu": "2",
    13  					"memory": "1Gi",
    14  				},
    15  				"min": {
    16  					"cpu": "200m",
    17  					"memory": "6Mi",
    18  				},
    19  			},
    20  			{
    21  				"type": "Container",
    22  				"max": {
    23  					"cpu": "2",
    24  					"memory": "1Gi",
    25  				},
    26  				"min": {
    27  					"cpu": "100m",
    28  					"memory": "4Mi",
    29  				},
    30  				"default": {
    31  					"cpu": "300m",
    32  					"memory": "200Mi",
    33  				},
    34  				"defaultRequest": {
    35  					"cpu": "200m",
    36  					"memory": "100Mi",
    37  				},
    38  				"maxLimitRequestRatio": {"cpu": "10"},
    39  			},
    40  		]},
    41  	}
    42  
    43  	count(r) == 0
    44  }
    45  
    46  test_use_limit_range_no_limits {
    47  	r := deny with input as {
    48  		"apiVersion": "v1",
    49  		"kind": "LimitRange",
    50  		"metadata": {"name": "core-resource-limits"},
    51  		"spec": {},
    52  	}
    53  
    54  	r[_].msg == "limit range policy with a default request and limit, min and max request, for each container should be configure"
    55  }
    56  
    57  test_use_limit_range_no_min {
    58  	r := deny with input as {
    59  		"apiVersion": "v1",
    60  		"kind": "LimitRange",
    61  		"metadata": {"name": "core-resource-limits"},
    62  		"spec": {"limits": [
    63  			{
    64  				"type": "Pod",
    65  				"max": {
    66  					"cpu": "2",
    67  					"memory": "1Gi",
    68  				},
    69  			},
    70  			{
    71  				"type": "Container",
    72  				"max": {
    73  					"cpu": "2",
    74  					"memory": "1Gi",
    75  				},
    76  				"default": {
    77  					"cpu": "300m",
    78  					"memory": "200Mi",
    79  				},
    80  				"defaultRequest": {
    81  					"cpu": "200m",
    82  					"memory": "100Mi",
    83  				},
    84  				"maxLimitRequestRatio": {"cpu": "10"},
    85  			},
    86  		]},
    87  	}
    88  
    89  	r[_].msg == "limit range policy with a default request and limit, min and max request, for each container should be configure"
    90  }
    91  
    92  test_use_limit_range_no_max {
    93  	r := deny with input as {
    94  		"apiVersion": "v1",
    95  		"kind": "LimitRange",
    96  		"metadata": {"name": "core-resource-limits"},
    97  		"spec": {"limits": [
    98  			{
    99  				"type": "Pod",
   100  				"min": {
   101  					"cpu": "200m",
   102  					"memory": "6Mi",
   103  				},
   104  			},
   105  			{
   106  				"type": "Container",
   107  				"min": {
   108  					"cpu": "100m",
   109  					"memory": "4Mi",
   110  				},
   111  				"default": {
   112  					"cpu": "300m",
   113  					"memory": "200Mi",
   114  				},
   115  				"defaultRequest": {
   116  					"cpu": "200m",
   117  					"memory": "100Mi",
   118  				},
   119  				"maxLimitRequestRatio": {"cpu": "10"},
   120  			},
   121  		]},
   122  	}
   123  
   124  	r[_].msg == "limit range policy with a default request and limit, min and max request, for each container should be configure"
   125  }
   126  
   127  test_use_limit_range_no_default {
   128  	r := deny with input as {
   129  		"apiVersion": "v1",
   130  		"kind": "LimitRange",
   131  		"metadata": {"name": "core-resource-limits"},
   132  		"spec": {"limits": [
   133  			{
   134  				"type": "Pod",
   135  				"max": {
   136  					"cpu": "2",
   137  					"memory": "1Gi",
   138  				},
   139  				"min": {
   140  					"cpu": "200m",
   141  					"memory": "6Mi",
   142  				},
   143  			},
   144  			{
   145  				"type": "Container",
   146  				"max": {
   147  					"cpu": "2",
   148  					"memory": "1Gi",
   149  				},
   150  				"min": {
   151  					"cpu": "100m",
   152  					"memory": "4Mi",
   153  				},
   154  				"defaultRequest": {
   155  					"cpu": "200m",
   156  					"memory": "100Mi",
   157  				},
   158  				"maxLimitRequestRatio": {"cpu": "10"},
   159  			},
   160  		]},
   161  	}
   162  
   163  	r[_].msg == "limit range policy with a default request and limit, min and max request, for each container should be configure"
   164  }
   165  
   166  test_use_limit_range_default_request {
   167  	r := deny with input as {
   168  		"apiVersion": "v1",
   169  		"kind": "LimitRange",
   170  		"metadata": {"name": "core-resource-limits"},
   171  		"spec": {"limits": [
   172  			{
   173  				"type": "Pod",
   174  				"max": {
   175  					"cpu": "2",
   176  					"memory": "1Gi",
   177  				},
   178  				"min": {
   179  					"cpu": "200m",
   180  					"memory": "6Mi",
   181  				},
   182  			},
   183  			{
   184  				"type": "Container",
   185  				"max": {
   186  					"cpu": "2",
   187  					"memory": "1Gi",
   188  				},
   189  				"min": {
   190  					"cpu": "100m",
   191  					"memory": "4Mi",
   192  				},
   193  				"default": {
   194  					"cpu": "300m",
   195  					"memory": "200Mi",
   196  				},
   197  				"maxLimitRequestRatio": {"cpu": "10"},
   198  			},
   199  		]},
   200  	}
   201  
   202  	r[_].msg == "limit range policy with a default request and limit, min and max request, for each container should be configure"
   203  }