-
Notifications
You must be signed in to change notification settings - Fork 5
Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
Create enforce-specific-policies.yaml (#838)
New automation rule template for enforcing specific policies during admission
- Loading branch information
1 parent
04f1a39
commit 40f9644
Showing
1 changed file
with
47 additions
and
0 deletions.
There are no files selected for viewing
47 changes: 47 additions & 0 deletions
47
plugins/automation/examples/enforce-specific-policies.yaml
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,47 @@ | ||
| name: "Enforce specific policies and manage exceptions for Admission Controller" | ||
| description: "Enforce specific policies at the time of admission, including exception management via annotation" | ||
| context: "AdmissionController" | ||
| reportType: "" | ||
| cluster: "" | ||
| repository: "" | ||
| action: | | ||
| //READ ME: Configure the policies to enforce | ||
| //To do this, enter the eventType found under the Policies page into the policiesToEnforce array below | ||
| policiesToEnforce = ["memoryRequestsMissing", "cpuRequestsMissing"]; | ||
| //-------------------------------------------- | ||
| //Enforcement Logic - Modify at your own risk! | ||
| //-------------------------------------------- | ||
| //Step 1: Make an enforcement decision for the Admission Controller. | ||
| //If the Action Item matches a policy to enforce, then increase the severity to Critical. | ||
| if (policiesToEnforce.length > 0) { | ||
| if (policiesToEnforce.indexOf(ActionItem.EventType) !== -1) { | ||
| //Enforce the policy specified in the policiesToEnforce object | ||
| ActionItem.Severity = CRITICAL_SEVERITY; | ||
| }else{ | ||
| //Since this EventType isn't in our policy to enforce list, then lower severity | ||
| ActionItem.Severity = LOW_SEVERITY; | ||
| ActionItem.Resolution = WORKING_AS_INTENDED_RESOLUTION; | ||
| } | ||
| }else{ | ||
| //Since this EventType isn't in our policy to enforce list, then lower severity | ||
| ActionItem.Severity = LOW_SEVERITY; | ||
| ActionItem.Resolution = WORKING_AS_INTENDED_RESOLUTION; | ||
| } | ||
| //Step 2: Deterine if the deployment should bypass the Admission Controller. | ||
| //Admission Controller will grant an exception if a YAML annotation like this exists: insights.fairwinds.com/ignore: "memoryRequestsMissing" | ||
| policyException = ActionItem.ResourceAnnotations["insights.fairwinds.com/ignore"]; | ||
| if (policyException) { | ||
| exceptions = policyException.split(","); | ||
| if (exceptions.indexOf(ActionItem.EventType) !== -1) { | ||
| //Reduce severity and resolve this ActionItem so it can bypass the Admission Controller | ||
| ActionItem.Severity = LOW_SEVERITY; | ||
| ActionItem.Resolution = WORKING_AS_INTENDED_RESOLUTION; | ||
| } | ||
| } |