open-policy-agent · apeabody · Jun 28, 2023 · Jun 12, 2023 · Jun 28, 2023
@@ -114,7 +114,7 @@ jobs:
           make require-suites
   require_sync:
     runs-on: ubuntu-latest
-    name: "Require a sync.yaml file and metadata.gatekeeper.sh/requiresSyncData annotation for every template.yaml using data.inventory"
+    name: "Require a sync.yaml file and metadata.gatekeeper.sh/requires-sync-data annotation for every template.yaml using data.inventory"
     steps:
       - name: Harden Runner
         uses: step-security/harden-runner@128a63446a954579617e875aaab7d2978154e969 # v2.4.0

@@ -78,6 +78,7 @@ generate-website-docs:
 unit-test:
 	cd $(ARTIFACTHUB_SCRIPT_DIR); go test -v
 	cd $(VALIDATE_SCRIPT_DIR); go test -v
+	cd $(REQUIRE_SYNC_SCRIPT_DIR); go test -v
 
 .PHONY: generate-artifacthub-artifacts
 generate-artifacthub-artifacts:

@@ -0,0 +1,22 @@
+version: 1.0.1
+name: k8shorizontalpodautoscaler
+displayName: Horizontal Pod Autoscaler
+createdAt: "2023-06-12T20:47:46Z"
+description: Disallow the following scenarios when deploying `HorizontalPodAutoscalers` 1. Deployment of HorizontalPodAutoscalers with `.spec.minReplicas` or `.spec.maxReplicas` outside the ranges defined in the constraint 2. Deployment of HorizontalPodAutoscalers where the difference between `.spec.minReplicas` and `.spec.maxReplicas` is less than the configured `minimumReplicaSpread` 3. Deployment of HorizontalPodAutoscalers that do not reference a valid `scaleTargetRef` (e.g. Deployment, ReplicationController, ReplicaSet, StatefulSet).
+digest: 6ad69d08a3b11e856a1366f8dcdb370ca05ab83d8278d0e0df9698fd8b973e72
+license: Apache-2.0
+homeURL: https://open-policy-agent.github.io/gatekeeper-library/website/horizontalpodautoscaler
+keywords:
+    - gatekeeper
+    - open-policy-agent
+    - policies
+readme: |-
+    # Horizontal Pod Autoscaler
+    Disallow the following scenarios when deploying `HorizontalPodAutoscalers` 1. Deployment of HorizontalPodAutoscalers with `.spec.minReplicas` or `.spec.maxReplicas` outside the ranges defined in the constraint 2. Deployment of HorizontalPodAutoscalers where the difference between `.spec.minReplicas` and `.spec.maxReplicas` is less than the configured `minimumReplicaSpread` 3. Deployment of HorizontalPodAutoscalers that do not reference a valid `scaleTargetRef` (e.g. Deployment, ReplicationController, ReplicaSet, StatefulSet).
+install: |-
+    ### Usage
+    ```shell
+    kubectl apply -f https://raw.githubusercontent.com/open-policy-agent/gatekeeper-library/master/artifacthub/library/general/horizontalpodautoscaler/1.0.1/template.yaml
+    ```
+provider:
+    name: Gatekeeper Library
@@ -0,0 +1,2 @@
+resources:
+  - template.yaml
@@ -0,0 +1,16 @@
+apiVersion: constraints.gatekeeper.sh/v1beta1
+kind: K8sHorizontalPodAutoscaler
+metadata:
+  name: horizontal-pod-autoscaler
+spec:
+  enforcementAction: deny
+  match:
+    kinds:
+      - apiGroups: ["autoscaling"]
+        kinds: ["HorizontalPodAutoscaler"]
+  parameters:
+    minimumReplicaSpread: 1
+    enforceScaleTargetRef: true
+    ranges:
+    - min_replicas: 3
+      max_replicas: 6
@@ -0,0 +1,19 @@
+apiVersion: autoscaling/v2
+kind: HorizontalPodAutoscaler
+metadata:
+  name: nginx-hpa-allowed
+  namespace: default
+spec:
+  minReplicas: 3
+  maxReplicas: 6
+  metrics:
+  - resource:
+      name: cpu
+      target:
+        averageUtilization: 900
+        type: Utilization
+    type: Resource
+  scaleTargetRef:
+    apiVersion: apps/v1
+    kind: Deployment
+    name: nginx-deployment
@@ -0,0 +1,19 @@
+apiVersion: autoscaling/v2
+kind: HorizontalPodAutoscaler
+metadata:
+  name: nginx-hpa-disallowed-replicas
+  namespace: default
+spec:
+  minReplicas: 2
+  maxReplicas: 7
+  metrics:
+  - resource:
+      name: cpu
+      target:
+        averageUtilization: 900
+        type: Utilization
+    type: Resource
+  scaleTargetRef:
+    apiVersion: apps/v1
+    kind: Deployment
+    name: nginx-deployment
@@ -0,0 +1,19 @@
+apiVersion: autoscaling/v2
+kind: HorizontalPodAutoscaler
+metadata:
+  name: nginx-hpa-disallowed-replicaspread
+  namespace: default
+spec:
+  minReplicas: 4
+  maxReplicas: 4
+  metrics:
+  - resource:
+      name: cpu
+      target:
+        averageUtilization: 900
+        type: Utilization
+    type: Resource
+  scaleTargetRef:
+    apiVersion: apps/v1
+    kind: Deployment
+    name: nginx-deployment
@@ -0,0 +1,19 @@
+apiVersion: autoscaling/v2
+kind: HorizontalPodAutoscaler
+metadata:
+  name: nginx-hpa-disallowed-scaletarget
+  namespace: default
+spec:
+  minReplicas: 3
+  maxReplicas: 6
+  metrics:
+  - resource:
+      name: cpu
+      target:
+        averageUtilization: 900
+        type: Utilization
+    type: Resource
+  scaleTargetRef:
+    apiVersion: apps/v1
+    kind: Deployment
+    name: nginx-deployment-missing
@@ -0,0 +1,24 @@
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: nginx-deployment
+  namespace: default
+  labels:
+    app: nginx
+spec:
+  replicas: 3
+  selector:
+    matchLabels:
+      app: nginx
+      example: allowed-deployment
+  template:
+    metadata:
+      labels:
+        app: nginx
+        example: allowed-deployment
+    spec:
+      containers:
+      - name: nginx
+        image: nginx:1.14.2
+        ports:
+        - containerPort: 80
@@ -0,0 +1,33 @@
+kind: Suite
+apiVersion: test.gatekeeper.sh/v1alpha1
+metadata:
+  name: horizontalpodautoscaler
+tests:
+- name: horizontal-pod-autoscaler
+  template: template.yaml
+  constraint: samples/horizontalpodautoscaler/constraint.yaml
+  cases:
+  - name: example-allowed-hpa
+    object: samples/horizontalpodautoscaler/example_allowed_hpa.yaml
+    inventory:
+    - samples/horizontalpodautoscaler/example_inventory.yaml
+    assertions:
+    - violations: no
+  - name: example-disallowed-hpa-replicas
+    object: samples/horizontalpodautoscaler/example_disallowed_hpa_replicas.yaml
+    inventory:
+    - samples/horizontalpodautoscaler/example_inventory.yaml
+    assertions:
+    - violations: yes
+  - name: example-disallowed-hpa-replicaspread
+    object: samples/horizontalpodautoscaler/example_disallowed_hpa_replicaspread.yaml
+    inventory:
+    - samples/horizontalpodautoscaler/example_inventory.yaml
+    assertions:
+    - violations: yes
+  - name: example-disallowed-scaletarget
+    object: samples/horizontalpodautoscaler/example_disallowed_hpa_scaletarget.yaml
+    inventory:
+    - samples/horizontalpodautoscaler/example_inventory.yaml
+    assertions:
+    - violations: yes
@@ -0,0 +1,14 @@
+apiVersion: config.gatekeeper.sh/v1alpha1
+kind: Config
+metadata:
+  name: config
+  namespace: "gatekeeper-system"
+spec:
+  sync:
+    syncOnly:
+      - group: "apps"
+        version: "v1"
+        kind: "Deployment"
+      - group: "apps"
+        version: "v1"
+        kind: "StatefulSet"
@@ -0,0 +1,102 @@
+apiVersion: templates.gatekeeper.sh/v1
+kind: ConstraintTemplate
+metadata:
+  name: k8shorizontalpodautoscaler
+  annotations:
+    metadata.gatekeeper.sh/title: "Horizontal Pod Autoscaler"
+    metadata.gatekeeper.sh/version: 1.0.1
+    metadata.gatekeeper.sh/requires-sync-data: |
+      "[
+        [
+          {
+            "groups":["apps"],
+            "versions": ["v1"],
+            "kinds": ["Deployment"]
+          },
+          {
+            "groups":["apps"],
+            "versions": ["v1"],
+            "kinds": ["StatefulSet"]
+          }
+        ]
+      ]"
+    description: >-
+      Disallow the following scenarios when deploying `HorizontalPodAutoscalers`
+      1. Deployment of HorizontalPodAutoscalers with `.spec.minReplicas` or `.spec.maxReplicas` outside the ranges defined in the constraint
+      2. Deployment of HorizontalPodAutoscalers where the difference between `.spec.minReplicas` and `.spec.maxReplicas` is less than the configured `minimumReplicaSpread`
+      3. Deployment of HorizontalPodAutoscalers that do not reference a valid `scaleTargetRef` (e.g. Deployment, ReplicationController, ReplicaSet, StatefulSet).
+spec:
+  crd:
+    spec:
+      names:
+        kind: K8sHorizontalPodAutoscaler
+      validation:
+        # Schema for the `parameters` field
+        openAPIV3Schema:
+          type: object
+          properties:
+            enforceScaleTargetRef:
+              description: If set to true it validates the HPA scaleTargetRef exists
+              type: boolean
+            minimumReplicaSpread:
+              description: If configured it enforces the minReplicas and maxReplicas in an HPA must have a spread of at least this many replicas
+              type: integer
+            ranges:
+              type: array
+              description: Allowed ranges for numbers of replicas.  Values are inclusive.
+              items:
+                type: object
+                description: A range of allowed replicas.  Values are inclusive.
+                properties:
+                  min_replicas:
+                    description: The minimum number of replicas allowed, inclusive.
+                    type: integer
+                  max_replicas:
+                    description: The maximum number of replicas allowed, inclusive.
+                    type: integer
+  targets:
+    - target: admission.k8s.gatekeeper.sh
+      rego: |
+        package k8shorizontalpodautoscaler
+
+        violation[{"msg": msg}] {
+          input.review.kind.kind == "HorizontalPodAutoscaler"
+          hpa := input.review.object
+
+          not input_replica_limit(hpa)
+          msg := sprintf("The %v <%v> minReplicas %v or maxReplicas %v is not allowed: %v. Allowed ranges: %v", [hpa.kind, hpa.metadata.name, hpa.spec.minReplicas, hpa.spec.maxReplicas, input.parameters.ranges])
+        }
+
+        violation[{"msg": msg}] {
+          input.review.kind.kind == "HorizontalPodAutoscaler"
+          hpa := input.review.object
+
+          not input_replica_spread(hpa)
+
+          msg := sprintf("The %v <%v> is configured with minReplicas %v and maxReplicas %v which is a spread of %v replica(s). The spread must be at least %v replica(s)", [hpa.kind, hpa.metadata.name, hpa.spec.minReplicas, hpa.spec.maxReplicas, hpa.spec.maxReplicas - hpa.spec.minReplicas, input.parameters.minimumReplicaSpread])
+        }
+
+        violation[{"msg": msg}] {
+          input.review.kind.kind == "HorizontalPodAutoscaler"
+          hpa := input.review.object
+          input.parameters.enforceScaleTargetRef
+
+          not data.inventory.namespace[hpa.metadata.namespace][hpa.spec.scaleTargetRef.apiVersion][hpa.spec.scaleTargetRef.kind][hpa.spec.scaleTargetRef.name]
+          msg := sprintf("The HorizontalPodAutoscaler <%v> has a scaleTargetRef of <%v/%v> but it does not exist. The scaleTargetRef for the HorizontalPodAutoscaler must exist", [hpa.metadata.name, hpa.spec.scaleTargetRef.kind, hpa.spec.scaleTargetRef.name])
+        }
+
+        input_replica_limit(hpa) {
+            count(input.parameters.ranges) > 0
+            range := input.parameters.ranges[_]
+            value_within_range(range, hpa.spec.minReplicas, hpa.spec.maxReplicas)
+        }
+
+        value_within_range(range, min_provided, max_provided) {
+            range.min_replicas <= min_provided
+            range.max_replicas >= max_provided
+        }
+
+        input_replica_spread(hpa) {
+            input.parameters.minimumReplicaSpread
+            (hpa.spec.maxReplicas - hpa.spec.minReplicas) >= input.parameters.minimumReplicaSpread
+        }
@@ -0,0 +1,25 @@
+version: 1.0.3
+name: k8spoddisruptionbudget
+displayName: Pod Disruption Budget
+createdAt: "2023-06-12T20:47:47Z"
+description: |-
+    Disallow the following scenarios when deploying PodDisruptionBudgets or resources that implement the replica subresource (e.g. Deployment, ReplicationController, ReplicaSet, StatefulSet): 1. Deployment of PodDisruptionBudgets with .spec.maxUnavailable == 0 2. Deployment of PodDisruptionBudgets with .spec.minAvailable == .spec.replicas of the resource with replica subresource This will prevent PodDisruptionBudgets from blocking voluntary disruptions such as node draining.
+    https://kubernetes.io/docs/concepts/workloads/pods/disruptions/
+digest: b5f0b45b6b1894cf43f6b40970557afb9549b6541760c9481bc8acfc3c572815
+license: Apache-2.0
+homeURL: https://open-policy-agent.github.io/gatekeeper-library/website/poddisruptionbudget
+keywords:
+    - gatekeeper
+    - open-policy-agent
+    - policies
+readme: |-
+    # Pod Disruption Budget
+    Disallow the following scenarios when deploying PodDisruptionBudgets or resources that implement the replica subresource (e.g. Deployment, ReplicationController, ReplicaSet, StatefulSet): 1. Deployment of PodDisruptionBudgets with .spec.maxUnavailable == 0 2. Deployment of PodDisruptionBudgets with .spec.minAvailable == .spec.replicas of the resource with replica subresource This will prevent PodDisruptionBudgets from blocking voluntary disruptions such as node draining.
+    https://kubernetes.io/docs/concepts/workloads/pods/disruptions/
+install: |-
+    ### Usage
+    ```shell
+    kubectl apply -f https://raw.githubusercontent.com/open-policy-agent/gatekeeper-library/master/artifacthub/library/general/poddisruptionbudget/1.0.3/template.yaml
+    ```
+provider:
+    name: Gatekeeper Library
@@ -0,0 +1,2 @@
+resources:
+  - template.yaml
@@ -0,0 +1,13 @@
+apiVersion: constraints.gatekeeper.sh/v1beta1
+kind: K8sPodDisruptionBudget
+metadata:
+  name: pod-distruption-budget
+spec:
+  match:
+    kinds:
+      - apiGroups: ["apps"]
+        kinds: ["Deployment", "ReplicaSet", "StatefulSet"]
+      - apiGroups: ["policy"]
+        kinds: ["PodDisruptionBudget"]
+      - apiGroups: [""]
+        kinds: ["ReplicationController"]
@@ -0,0 +1,24 @@
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: nginx-deployment-allowed-1
+  namespace: default
+  labels:
+    app: nginx
+spec:
+  replicas: 3
+  selector:
+    matchLabels:
+      app: nginx
+      example: allowed-deployment-1
+  template:
+    metadata:
+      labels:
+        app: nginx
+        example: allowed-deployment-1
+    spec:
+      containers:
+      - name: nginx
+        image: nginx:1.14.2
+        ports:
+        - containerPort: 80