open-policy-agent · dongjiang1989 · Apr 24, 2024 · Apr 24, 2024 · Apr 24, 2024 · Apr 25, 2024
@@ -0,0 +1,22 @@
+version: 1.0.0
+name: k8svolumeresources
+displayName: Container emptyDir Volume Resources
+createdAt: "2024-04-24T10:00:57Z"
+description: Container emptyDir volume resources to be within the specified maximum values.
+digest: cbff0bae172a3866c4097350e4c8b607b432356d1530873b011c127826792950
+license: Apache-2.0
+homeURL: https://open-policy-agent.github.io/gatekeeper-library/website/volumeresources
+keywords:
+    - gatekeeper
+    - open-policy-agent
+    - policies
+readme: |-
+    # Container emptyDir Volume Resources
+    Container emptyDir volume resources to be within the specified maximum values.
+install: |-
+    ### Usage
+    ```shell
+    kubectl apply -f https://raw.githubusercontent.com/open-policy-agent/gatekeeper-library/master/artifacthub/library/general/volumeresources/1.0.0/template.yaml
+    ```
+provider:
+    name: Gatekeeper Library
@@ -0,0 +1,2 @@
+resources:
+  - template.yaml
@@ -0,0 +1,12 @@
+---
+apiVersion: constraints.gatekeeper.sh/v1beta1
+kind: K8sVolumeRequests
+metadata:
+  name: container-emptydir-limit
+spec:
+  match:
+    kinds:
+      - apiGroups: [""]
+        kinds: ["Pod"]
+  parameters:
+    volumesizelimit: 1Gi
@@ -0,0 +1,20 @@
+apiVersion: v1
+kind: Pod
+metadata:
+  name: allowed-pod
+  labels:
+    app: allowed-pod
+spec:
+  containers:
+  - name: allowed-pod
+    image: nginx:1.14.2
+    ports:
+    - containerPort: 80
+    volumeMounts:
+    - mountPath: /demo
+      name: demo-volume
+  volumes:
+  - name: demo-volume
+    emptyDir: 
+      sizeLimit: 16Mi
+      medium: Memory
@@ -0,0 +1,18 @@
+apiVersion: v1
+kind: Pod
+metadata:
+  name: disallowed-miss-pod
+  labels:
+    app: disallowed-miss-pod
+spec:
+  containers:
+  - name: disallowed-miss-pod
+    image: nginx:1.14.2
+    ports:
+    - containerPort: 80
+    volumeMounts:
+    - mountPath: /demo
+      name: demo-volume
+  volumes:
+  - name: demo-volume
+    emptyDir: {}
@@ -0,0 +1,25 @@
+apiVersion: v1
+kind: Pod
+metadata:
+  name: disallowed-muti-pod
+  labels:
+    app: disallowed-muti-pod
+spec:
+  containers:
+  - name: disallowed-muti-pod
+    image: nginx:1.14.2
+    ports:
+    - containerPort: 80
+    volumeMounts:
+    - mountPath: /demo
+      name: demo-volume
+    - mountPath: /demo-1
+      name: demo-volume-1
+  volumes:
+  - name: demo-volume
+    emptyDir: 
+      sizeLimit: 16Mi
+      medium: Memory
+  - name: demo-volume-1
+    emptyDir: 
+      sizeLimit: 2Gi
@@ -0,0 +1,21 @@
+kind: Suite
+apiVersion: test.gatekeeper.sh/v1alpha1
+metadata:
+  name: volumeresources
+tests:
+- name: volumeresources
+  template: template.yaml
+  constraint: samples/container-emptydir-limit/constraint.yaml
+  cases:
+  - name: example-allowed-pod
+    object: samples/container-emptydir-limit/example_allowed_pod.yaml
+    assertions:
+    - violations: no
+  - name: example-disallowed-miss-pod
+    object: samples/container-emptydir-limit/example_disallowed_miss_pod.yaml
+    assertions:
+    - violations: yes
+  - name: example-disallowed-muti-pod
+    object: samples/container-emptydir-limit/example_disallowed_muti_pod.yaml
+    assertions:
+    - violations: yes
@@ -0,0 +1,164 @@
+apiVersion: templates.gatekeeper.sh/v1
+kind: ConstraintTemplate
+metadata:
+  name: k8svolumerequests
+  annotations:
+    metadata.gatekeeper.sh/title: "Container emptyDir Volume Resources"
+    metadata.gatekeeper.sh/version: 1.0.0
+    description: >-
+      Container emptyDir volume resources to be within the specified maximum values.
+spec:
+  crd:
+    spec:
+      names:
+        kind: K8sVolumeRequests
+      validation:
+        # Schema for the `parameters` field
+        openAPIV3Schema:
+          type: object
+          properties:
+            volumesizelimit:
+              description: "The maximum allowed emptyDir size limit on a volume."
+              type: string
+  targets:
+    - target: admission.k8s.gatekeeper.sh
+      rego: |
+        package k8svolumerequests
+
+        violation[{"msg": msg}] {
+            vols := input.review.object.spec.volumes[_]
+            emptydir := vols.emptyDir
+            not has_key(emptydir, "sizeLimit")
+            msg := sprintf("Volume '%v' is not allowed, do not have set sizelimit", [vols.name])
+        }
+
+        violation[{"msg": msg}] {
+            vols := input.review.object.spec.volumes[_]
+            emptydir_orig := vols.emptyDir.sizeLimit
+            size := canonify_size(emptydir_orig)
+            max_size_orig := input.parameters.volumesizelimit
+            max_size := canonify_size(max_size_orig)
+            size > max_size
+            msg := sprintf("volume <%v> size limit <%v> is higher than the maximum allowed of <%v>", [vols.name, emptydir_orig, max_size_orig])
+        }
+
+        has_key(object, key) {
+            type_name(object[key])
+        }
+
+        size_multiple("E") = 1000000000000000000000
+
+        # 10 ** 18
+        size_multiple("P") = 1000000000000000000
+
+        # 10 ** 15
+        size_multiple("T") = 1000000000000000
+
+        # 10 ** 12
+        size_multiple("G") = 1000000000000
+
+        # 10 ** 9
+        size_multiple("M") = 1000000000
+
+        # 10 ** 6
+        size_multiple("k") = 1000000
+
+        # 10 ** 3
+        size_multiple("") = 1000
+
+        # Kubernetes accepts millibyte precision when it probably shouldn't.
+        # https://github.com/kubernetes/kubernetes/issues/28741
+        # 10 ** 0
+        size_multiple("m") = 1
+
+        # 1000 * 2 ** 10
+        size_multiple("Ki") = 1024000
+
+        # 1000 * 2 ** 20
+        size_multiple("Mi") = 1048576000
+
+        # 1000 * 2 ** 30
+        size_multiple("Gi") = 1073741824000
+
+        # 1000 * 2 ** 40
+        size_multiple("Ti") = 1099511627776000
+
+        # 1000 * 2 ** 50
+        size_multiple("Pi") = 1125899906842624000
+
+        # 1000 * 2 ** 60
+        size_multiple("Ei") = 1152921504606846976000
+
+        canonify_size(orig) = new {
+        	is_number(orig)
+        	new := orig * 1000
+        }
+
+        get_suffix(size) = suffix {
+        	is_string(size)
+        	count(size) > 0
+        	suffix := substring(size, count(size) - 1, -1)
+        	size_multiple(suffix)
+        }
+
+        get_suffix(size) = suffix {
+        	is_string(size)
+        	count(size) > 1
+        	suffix := substring(size, count(size) - 2, -1)
+        	size_multiple(suffix)
+        }
+
+        get_suffix(size) = suffix {
+        	is_string(size)
+        	count(size) > 1
+        	not size_multiple(substring(size, count(size) - 1, -1))
+        	not size_multiple(substring(size, count(size) - 2, -1))
+        	suffix := ""
+        }
+
+        get_suffix(size) = suffix {
+        	is_string(size)
+        	count(size) == 1
+        	not size_multiple(substring(size, count(size) - 1, -1))
+        	suffix := ""
+        }
+
+        get_suffix(size) = suffix {
+        	is_string(size)
+        	count(size) == 0
+        	suffix := ""
+        }
+
+        canonify_size(orig) = new {
+        	is_number(orig)
+        	new := orig * 1000
+        }
+
+        canonify_size(orig) = new {
+        	not is_number(orig)
+        	suffix := get_suffix(orig)
+        	raw := replace(orig, suffix, "")
+        	regex.match("^[0-9]+(\\.[0-9]+)?$", raw)
+        	new := to_number(raw) * size_multiple(suffix)
+        }
+      libs:
+        - |
+          package lib.exempt_container
+
+          is_exempt(container) {
+              exempt_images := object.get(object.get(input, "parameters", {}), "exemptImages", [])
+              img := container.image
+              exemption := exempt_images[_]
+              _matches_exemption(img, exemption)
+          }
+
+          _matches_exemption(img, exemption) {
+              not endswith(exemption, "*")
+              exemption == img
+          }
+
+          _matches_exemption(img, exemption) {
+              endswith(exemption, "*")
+              prefix := trim_suffix(exemption, "*")
+              startswith(img, prefix)
+          }
@@ -30,3 +30,4 @@ resources:
 - uniqueserviceselector
 - verifydeprecatedapi
 - storageclass
+- volumeresources
@@ -0,0 +1,2 @@
+resources:
+  - template.yaml
@@ -0,0 +1,12 @@
+---
+apiVersion: constraints.gatekeeper.sh/v1beta1
+kind: K8sVolumeRequests
+metadata:
+  name: container-emptydir-limit
+spec:
+  match:
+    kinds:
+      - apiGroups: [""]
+        kinds: ["Pod"]
+  parameters:
+    volumesizelimit: 1Gi
@@ -0,0 +1,20 @@
+apiVersion: v1
+kind: Pod
+metadata:
+  name: allowed-pod
+  labels:
+    app: allowed-pod
+spec:
+  containers:
+  - name: allowed-pod
+    image: nginx:1.14.2
+    ports:
+    - containerPort: 80
+    volumeMounts:
+    - mountPath: /demo
+      name: demo-volume
+  volumes:
+  - name: demo-volume
+    emptyDir: 
+      sizeLimit: 16Mi
+      medium: Memory
@@ -0,0 +1,18 @@
+apiVersion: v1
+kind: Pod
+metadata:
+  name: disallowed-miss-pod
+  labels:
+    app: disallowed-miss-pod
+spec:
+  containers:
+  - name: disallowed-miss-pod
+    image: nginx:1.14.2
+    ports:
+    - containerPort: 80
+    volumeMounts:
+    - mountPath: /demo
+      name: demo-volume
+  volumes:
+  - name: demo-volume
+    emptyDir: {}
@@ -0,0 +1,25 @@
+apiVersion: v1
+kind: Pod
+metadata:
+  name: disallowed-muti-pod
+  labels:
+    app: disallowed-muti-pod
+spec:
+  containers:
+  - name: disallowed-muti-pod
+    image: nginx:1.14.2
+    ports:
+    - containerPort: 80
+    volumeMounts:
+    - mountPath: /demo
+      name: demo-volume
+    - mountPath: /demo-1
+      name: demo-volume-1
+  volumes:
+  - name: demo-volume
+    emptyDir: 
+      sizeLimit: 16Mi
+      medium: Memory
+  - name: demo-volume-1
+    emptyDir: 
+      sizeLimit: 2Gi