Add job to workloads library #34

Merged
merged 1 commit into from
Jul 30, 2020

@jpreese (Collaborator) commented Jul 29, 2020

Noticed this when doing some rework on our Kubernetes manifests. Policy was not failing on a Kubernetes Job that had an invalid image registry host specified.

@jpreese (Collaborator, Author) commented Jul 30, 2020

Aside: What are your thoughts on all of the is_daemonset, is_deployment, etc. rules? We don't use any of them, and I'm not sure how much value breaking all of those kinds really provides.

We could just remove all of them, and then change the pods[pod] rule to:

pods[pod] {
  pod = core.resource
}

pods[pod] {
  pod = core.resource.spec.template
}

Which drastically cuts down on the size.

I do kind of like is_workload, we use it in a couple policies as just containers[_] isn't as friendly. Though I think I would prefer workloads.has_container or another name that says container. Seems odd to create an abstraction around the word container.

workloads.has_container
workloads.containers[_].resources.requests.cpu
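
Added example, not part of the PR or the project's library: a self-contained Rego module (written with `import rego.v1`, so rule heads use `contains`/`if` rather than the older form in the comment above) that contrasts selecting pods from a list of kinds with selecting them by structure, and shows how a kind missing from the list lets a Job with a disallowed registry host pass unflagged. The sample resources, the allow-list and all rule names are assumptions made for illustration.

```rego
package example.workloads

import rego.v1

# Constructed sample resources (not from the PR): a Job and a bare Pod, both
# pulling from a registry host that is not on the assumed allow-list.
resources := [
  {
    "kind": "Job",
    "metadata": {"name": "nightly-report"},
    "spec": {"template": {"spec": {"containers": [{"name": "report", "image": "registry.invalid.example/report:1.0"}]}}}
  },
  {
    "kind": "Pod",
    "metadata": {"name": "debug"},
    "spec": {"containers": [{"name": "shell", "image": "registry.invalid.example/shell:1.0"}]}
  }
]

allowed_hosts := {"registry.internal.example"} # assumed allow-list

# Kind-based selection: a kind missing from this set is never inspected.
# Job is deliberately left out to reproduce the gap this PR describes.
templated_kinds := {"DaemonSet", "Deployment", "StatefulSet"}

pods_by_kind contains [r.metadata.name, r] if { some r in resources; r.kind == "Pod" }
pods_by_kind contains [r.metadata.name, r.spec.template] if { some r in resources; r.kind in templated_kinds }

# Structure-based selection, following the two pods[pod] rules proposed above:
# the resource itself, plus its spec.template whenever that path exists.
pods_by_shape contains [r.metadata.name, r] if { some r in resources }
pods_by_shape contains [r.metadata.name, r.spec.template] if { some r in resources }

# True when any container image in the pod names a registry host outside the allow-list.
bad_image(pod) if {
  some c in pod.spec.containers
  parts := split(c.image, "/")
  not allowed_hosts[parts[0]]
}

# Names of resources each selection strategy reports.
violations_by_kind contains name if {
  some name, pod
  pods_by_kind[[name, pod]]
  bad_image(pod)
}

violations_by_shape contains name if {
  some name, pod
  pods_by_shape[[name, pod]]
  bad_image(pod)
}
```

In this example neither rule set reaches a CronJob, whose pod template sits at `spec.jobTemplate.spec.template`.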

@jalseth (Collaborator) left a comment

Makes sense, LGTM!

Regarding the is_something rules, I agree they should be removed. I'll have a PR up soon which adds quite a few security-related policies and also includes a bit of a refactor on the libraries to make them more concise while maintaining readability.

@jalseth merged commit a917c91 into main Jul 30, 2020
@jalseth deleted the add-job branch July 30, 2020 17:29