namespace.sp
# Tag set applied to every namespace control in this file: the mod-wide
# compliance tags (local.kubernetes_compliance_common_tags, defined outside
# this file) merged with a service tag naming the resource type.
locals {
  namespace_common_tags = merge(
    local.kubernetes_compliance_common_tags,
    { service = "Kubernetes/Namespace" }
  )
}
# Per its title, checks that each namespace has a LimitRange with a default
# CPU limit. Kubernetes applies that default to containers that declare no
# CPU limit of their own; without it such containers run uncapped and can
# starve co-located workloads of CPU.
# Caveat: a default only fills in missing values. It does not stop a workload
# from declaring a higher limit unless the LimitRange also sets a max.
# NOTE(review): the pass/fail logic is in
# query.namespace_limit_range_default_cpu_limit, defined outside this file;
# confirm there what counts as compliant. The nsa_cisa_v1 tag presumably maps
# the control to the NSA/CISA Kubernetes hardening benchmark; verify.
control "namespace_limit_range_default_cpu_limit" {
  title       = "Namespaces should have default CPU limit in limitRange policy"
  description = "Administrators should use default limitRange policy for CPU limit for each namespace."
  query       = query.namespace_limit_range_default_cpu_limit
  tags        = merge(local.namespace_common_tags, { nsa_cisa_v1 = "true" })
}
# Per its title, checks that each namespace has a ResourceQuota constraining
# CPU limits. A ResourceQuota caps the aggregate across the namespace, so one
# tenant cannot claim an unbounded share of cluster CPU.
# Operational note: once a quota covers CPU limits, pods that omit a CPU limit
# are rejected at admission unless a LimitRange supplies a default, so this
# control is normally deployed together with the LimitRange default controls.
# NOTE(review): the pass/fail logic is in
# query.namespace_resource_quota_cpu_limit, defined outside this file;
# confirm there what counts as compliant. The nsa_cisa_v1 tag presumably maps
# the control to the NSA/CISA Kubernetes hardening benchmark; verify.
control "namespace_resource_quota_cpu_limit" {
  title       = "Namespaces should be restricted on CPU usage with resourceQuota CPU limit"
  description = "Administrators should use resourceQuota CPU limit to restrict namespaces CPU usage."
  query       = query.namespace_resource_quota_cpu_limit
  tags        = merge(local.namespace_common_tags, { nsa_cisa_v1 = "true" })
}
# Per its title, checks that each namespace has a LimitRange with a default
# CPU request. The scheduler places pods by their requests; containers with
# no request reserve nothing, which lets nodes be overcommitted and leaves
# those pods among the first candidates for eviction under pressure.
# NOTE(review): the pass/fail logic is in
# query.namespace_limit_range_default_cpu_request, defined outside this file;
# confirm there what counts as compliant. The nsa_cisa_v1 tag presumably maps
# the control to the NSA/CISA Kubernetes hardening benchmark; verify.
control "namespace_limit_range_default_cpu_request" {
  title       = "Namespaces should have default CPU request in limitRange policy"
  description = "Administrators should use default limitRange policy for CPU request for each namespace."
  query       = query.namespace_limit_range_default_cpu_request
  tags        = merge(local.namespace_common_tags, { nsa_cisa_v1 = "true" })
}
# Per its title, checks that each namespace has a ResourceQuota constraining
# CPU requests. This bounds the total CPU a namespace can reserve, so a single
# tenant cannot make nodes unschedulable for everyone else.
# Operational note: once a quota covers CPU requests, pods that omit a CPU
# request are rejected at admission unless a LimitRange supplies a default.
# NOTE(review): the pass/fail logic is in
# query.namespace_resource_quota_cpu_request, defined outside this file;
# confirm there what counts as compliant. The nsa_cisa_v1 tag presumably maps
# the control to the NSA/CISA Kubernetes hardening benchmark; verify.
control "namespace_resource_quota_cpu_request" {
  title       = "Namespaces should have resourceQuota CPU request"
  description = "Administrators should use resourceQuota CPU request for each namespace."
  query       = query.namespace_resource_quota_cpu_request
  tags        = merge(local.namespace_common_tags, { nsa_cisa_v1 = "true" })
}
# Per its title, checks that each namespace has a LimitRange with a default
# memory limit. Memory is not compressible: a container with no limit can
# grow until the node runs out of memory, at which point unrelated pods on
# that node may be killed or evicted.
# Caveat: a default only fills in missing values. It does not stop a workload
# from declaring a higher limit unless the LimitRange also sets a max.
# NOTE(review): the pass/fail logic is in
# query.namespace_limit_range_default_memory_limit, defined outside this file;
# confirm there what counts as compliant. The nsa_cisa_v1 tag presumably maps
# the control to the NSA/CISA Kubernetes hardening benchmark; verify.
control "namespace_limit_range_default_memory_limit" {
  title       = "Namespaces should have default memory limit in limitRange policy"
  description = "Administrators should use default limitRange policy for memory limit for each namespace."
  query       = query.namespace_limit_range_default_memory_limit
  tags        = merge(local.namespace_common_tags, { nsa_cisa_v1 = "true" })
}
# Per its title, checks that each namespace has a ResourceQuota constraining
# memory limits. This caps the aggregate memory a namespace may claim, which
# contains the impact of a runaway or compromised workload to its own tenant.
# Operational note: once a quota covers memory limits, pods that omit a memory
# limit are rejected at admission unless a LimitRange supplies a default.
# NOTE(review): the pass/fail logic is in
# query.namespace_resource_quota_memory_limit, defined outside this file;
# confirm there what counts as compliant. The nsa_cisa_v1 tag presumably maps
# the control to the NSA/CISA Kubernetes hardening benchmark; verify.
control "namespace_resource_quota_memory_limit" {
  title       = "Namespaces should be restricted on memory usage with resourceQuota memory limit"
  description = "Administrators should use resourceQuota memory limit to restrict namespaces memory usage."
  query       = query.namespace_resource_quota_memory_limit
  tags        = merge(local.namespace_common_tags, { nsa_cisa_v1 = "true" })
}
# Per its title, checks that each namespace has a LimitRange with a default
# memory request. Without a request the scheduler reserves no memory for the
# container, so nodes can be overcommitted and those pods are among the first
# to be evicted under memory pressure.
# NOTE(review): the pass/fail logic is in
# query.namespace_limit_range_default_memory_request, defined outside this
# file; confirm there what counts as compliant. The nsa_cisa_v1 tag presumably
# maps the control to the NSA/CISA Kubernetes hardening benchmark; verify.
control "namespace_limit_range_default_memory_request" {
  title       = "Namespaces should have default memory request in limitRange policy"
  description = "Administrators should use default limitRange policy for memory request for each namespace."
  query       = query.namespace_limit_range_default_memory_request
  tags        = merge(local.namespace_common_tags, { nsa_cisa_v1 = "true" })
}
# Per its title, checks that each namespace has a ResourceQuota constraining
# memory requests. This bounds the total memory a namespace can reserve, so
# one tenant cannot exhaust schedulable capacity for the rest of the cluster.
# Operational note: once a quota covers memory requests, pods that omit a
# memory request are rejected at admission unless a LimitRange supplies a
# default.
# NOTE(review): the pass/fail logic is in
# query.namespace_resource_quota_memory_request, defined outside this file;
# confirm there what counts as compliant. The nsa_cisa_v1 tag presumably maps
# the control to the NSA/CISA Kubernetes hardening benchmark; verify.
control "namespace_resource_quota_memory_request" {
  title       = "Namespaces should have resourceQuota memory request"
  description = "Administrators should use resourceQuota memory request for each namespace."
  query       = query.namespace_resource_quota_memory_request
  tags        = merge(local.namespace_common_tags, { nsa_cisa_v1 = "true" })
}