From 40f96444da9467980b862a084c4a76489dcb3713 Mon Sep 17 00:00:00 2001
From: jpelletier1 <44589723+jpelletier1@users.noreply.github.com>
Date: Fri, 17 Nov 2023 09:19:15 -0500
Subject: [PATCH] Create enforce-specific-policies.yaml (#838)

New automation rule template for enforcing specific policies during admission
---
 .../examples/enforce-specific-policies.yaml   | 47 +++++++++++++++++++
 1 file changed, 47 insertions(+)
 create mode 100644 plugins/automation/examples/enforce-specific-policies.yaml

diff --git a/plugins/automation/examples/enforce-specific-policies.yaml b/plugins/automation/examples/enforce-specific-policies.yaml
new file mode 100644
index 000000000..bc022c917
--- /dev/null
+++ b/plugins/automation/examples/enforce-specific-policies.yaml
@@ -0,0 +1,47 @@
+name: "Enforce specific policies and manage exceptions for Admission Controller"
+description: "Enforce specific policies at the time of admission, including exception management via annotation"
+context: "AdmissionController"
+reportType: ""
+cluster: ""
+repository: ""
+action: |
+  //READ ME: Configure the policies to enforce
+  //To do this, enter the eventType found under the Policies page into the policiesToEnforce array below
+  policiesToEnforce = ["memoryRequestsMissing", "cpuRequestsMissing"];
+
+
+  //--------------------------------------------
+  //Enforcement Logic - Modify at your own risk!
+  //--------------------------------------------
+
+  //Step 1: Make an enforcement decision for the Admission Controller. 
+  //If the Action Item matches a policy to enforce, then increase the severity to Critical.
+  if (policiesToEnforce.length > 0) {
+    if (policiesToEnforce.indexOf(ActionItem.EventType) !== -1) {
+
+        //Enforce the policy specified in the policiesToEnforce object
+        ActionItem.Severity = CRITICAL_SEVERITY;
+    }else{
+
+        //Since this EventType isn't in our policy to enforce list, then lower severity
+        ActionItem.Severity = LOW_SEVERITY;
+        ActionItem.Resolution = WORKING_AS_INTENDED_RESOLUTION;
+    }
+  }else{
+    //Since this EventType isn't in our policy to enforce list, then lower severity
+    ActionItem.Severity = LOW_SEVERITY;
+    ActionItem.Resolution = WORKING_AS_INTENDED_RESOLUTION;
+  }
+
+  //Step 2: Deterine if the deployment should bypass the  Admission Controller.
+  //Admission Controller will grant an exception if a YAML annotation like this exists: insights.fairwinds.com/ignore: "memoryRequestsMissing"
+  policyException = ActionItem.ResourceAnnotations["insights.fairwinds.com/ignore"];
+  if (policyException) {
+    exceptions = policyException.split(",");
+    
+    if (exceptions.indexOf(ActionItem.EventType) !== -1) {
+        //Reduce severity and resolve this ActionItem so it can bypass the Admission Controller
+        ActionItem.Severity = LOW_SEVERITY;
+        ActionItem.Resolution = WORKING_AS_INTENDED_RESOLUTION;
+    }
+  }
\ No newline at end of file