Add variable reference for resource_requests_limits rules

xiaojiey · xiaojiey · commit 5359ffad5c96 · 2025-02-08T15:37:02.000+08:00
diff --git a/applications/openshift/general/resource_requests_limits_in_daemonset/rule.yml b/applications/openshift/general/resource_requests_limits_in_daemonset/rule.yml
@@ -12,6 +12,31 @@ description: |-
   for a container to use more resource than its request for that resource specifies.
   However, a container is not allowed to use more than its resource limit.
 
+  <p>
+  To exempt a namespace with no resource requests/limits allocated in the daemonsets, the variable
+  {{.var_daemonset_limit_namespaces_exempt_regex}} is being flagged.
+  Namespaces matching the variable <tt>ocp4-var-daemonset-limit-namespaces-exempt-regex</tt> regex
+  are excluded from this check.
+  An example allowing an SCC named <tt>additional</tt> follows:
+  </p>
+  <pre>
+  apiVersion: compliance.openshift.io/v1alpha1
+  kind: TailoredProfile
+  metadata:
+    name: moderate-exempt-reource-request-limits
+  spec:
+    description: Allows an additional scc
+    setValues:
+    - name: ocp4-var-daemonset-limit-namespaces-exempt-regex
+      rationale: set the value to namespaces to be exempted
+      value: "test1|test2"
+    extends: ocp4-moderate
+    title: Modified moderate to exempt a namespace with no resource requests/limits in daemonset
+  </pre>
+  <p>
+  Finally, reference this <tt>TailoredProfile</tt> in a <tt>ScanSettingBinding</tt>
+  </p>
+
 # todo : better if we can keep openshift document link for this reference,
 
 rationale: |-
@@ -25,6 +50,7 @@ identifiers: {}
 
 references:
   nist: SC-6
+
 {{% set jqfilter = '[ .items[] | select(.metadata.namespace | startswith("kube-") or startswith("openshift-") | not)  | select(.metadata.namespace != "rhacs-operator" and ({{if ne .var_daemonset_limit_namespaces_exempt_regex "None"}}.metadata.namespace | test("{{.var_daemonset_limit_namespaces_exempt_regex}}") | not{{else}}true{{end}})) | select( .spec.template.spec.containers[].resources.requests.cpu == null  or  .spec.template.spec.containers[].resources.requests.memory == null or .spec.template.spec.containers[].resources.limits.cpu == null  or  .spec.template.spec.containers[].resources.limits.memory == null )  | .metadata.name ]' %}}
 ocil_clause: 'Resource requests and limits is not set'
 
diff --git a/applications/openshift/general/resource_requests_limits_in_deployment/rule.yml b/applications/openshift/general/resource_requests_limits_in_deployment/rule.yml
@@ -12,7 +12,36 @@ description: |-
   for a container to use more resource than its request for that resource specifies.
   However, a container is not allowed to use more than its resource limit.
 
-# todo : better if we can keep openshift document link for this reference,
+  <p>
+  To exempt a namespace with no resource requests/limits allocated in the one or more deployments, the variable
+  {{.var_deployment_limit_namespaces_exempt_regex}}  is being flagged.
+  Namespaces matching the variable <tt>ocp4-var-deployment-limit-namespaces-exempt-regex</tt> regex
+  are excluded from this check.
+  An example allowing an SCC named <tt>additional</tt> follows:
+  </p>
+  <pre>
+  apiVersion: compliance.openshift.io/v1alpha1
+  kind: TailoredProfile
+  metadata:
+    name: moderate-exempt-reource-request-limits
+  spec:
+    description: Allows an additional scc
+    setValues:
+    - name: ocp4-var-deployment-limit-namespaces-exempt-regex
+      rationale: set the value to namespaces to be exempted
+      value: "test1|test2"
+    extends: ocp4-moderate
+    title: Modified moderate to exempt a namespace with no resource requests/limits in deployment
+  </pre>
+  <p>
+  Finally, reference this <tt>TailoredProfile</tt> in a <tt>ScanSettingBinding</tt>
+  </p>
+
+  <p>
+  To configure resource requests/limits for a deployement, follow the directions in
+  {{{ weblink(link="https://docs.openshift.com/container-platform/latest/applications/deployments/managing-deployment-processes.html#deployments-setting-resources_deployment-operations",
+              text="the documentation") }}}
+  </p>
 
 rationale: |-
   Resource requests/limits provide constraints that limit aggregate resource consumption
diff --git a/applications/openshift/general/resource_requests_limits_in_statefulset/rule.yml b/applications/openshift/general/resource_requests_limits_in_statefulset/rule.yml
@@ -12,6 +12,31 @@ description: |-
   for a container to use more resource than its request for that resource specifies.
   However, a container is not allowed to use more than its resource limit.
 
+  <p>
+  To exempt a namespace with no resource requests/limits allocated in the one or more statefulsets, the variable
+  {{.var_statefulset_limit_namespaces_exempt_regex}}  is being flagged.
+  Namespaces matching the variable <tt>ocp4-var-statefulset-limit-namespaces-exempt-regex</tt> regex
+  are excluded from this check.
+  An example allowing an SCC named <tt>additional</tt> follows:
+  </p>
+  <pre>
+  apiVersion: compliance.openshift.io/v1alpha1
+  kind: TailoredProfile
+  metadata:
+    name: moderate-exempt-reource-request-limits
+  spec:
+    description: Allows an additional scc
+    setValues:
+    - name: ocp4-var-statefulset-limit-namespaces-exempt-regex
+      rationale: set the value to namespaces to be exempted
+      value: "test1|test2"
+    extends: ocp4-moderate
+    title: Modified moderate to exempt a namespace with no resource requests/limits in statefulset
+  </pre>
+  <p>
+  Finally, reference this <tt>TailoredProfile</tt> in a <tt>ScanSettingBinding</tt>
+  </p>
+
 # todo : better if we can keep openshift document link for this reference,
 
 rationale: |-
