Merge pull request #33 from reactiveops/rs/config

Updating Config Syntax
FairwindsOps · Mar 28, 2019 · fb19d32 · fb19d32
2 parents 2c64e6c + d607d48
commit fb19d32
Show file tree

Hide file tree

Showing 20 changed files with 942 additions and 541 deletions.
diff --git a/LICENSE b/LICENSE
@@ -186,7 +186,7 @@
       same "printed page" as the copyright notice for easier
       identification within third-party archives.
 
-   Copyright 2018 ReactiveOps
+   Copyright 2019 ReactiveOps
 
    Licensed under the Apache License, Version 2.0 (the "License");
    you may not use this file except in compliance with the License.

diff --git a/config.yml b/config.yml
@@ -1,35 +1,78 @@
 resources:
-  requests:
-    cpu:
-      min: 50m
-      max: 1
-    memory:
-      min: 100M
-      max: 3G
-  limits:
-    cpu:
-      min: 150m
-      max: 2
-    memory:
-      min: 150M
-      max: 4G
-healthChecks:
-  readiness:
-    require: true
-  liveness:
-    require: true
+  cpuRequestsMissing: warning
+  cpuRequestRanges:
+    warning:
+      below: 50m
+      above: 1000m
+    error:
+      below: 500m
+      above: 2000m
+  cpuLimitsMissing: warning
+  cpuLimitRanges:
+    warning:
+      below: 50m
+      above: 1000m
+    error:
+      below: 500m
+      above: 2000m
+  memoryRequestsMissing: warning
+  memoryRequestRanges:
+    warning:
+      below: 50M
+      above: 2G
+    error:
+      below: 100M
+      above: 4G
+  memoryLimitsMissing: warning
+  memoryLimitRanges:
+    warning:
+      below: 50M
+      above: 2G
+    error:
+      below: 100M
+      above: 4G
 images:
-  tagRequired: true
-  whitelistRepos:
-    - gcr.io
-hostNetwork:
-  hostAlias:
-    require: true
-  hostIPC:
-    require: true
-  hostNetwork:
-    require: true
-  hostPID:
-    require: true
-  hostPort:
-    require: true
+  tagNotSpecified: error
+  pullPolicyNotAlways: warning
+  whitelist:
+    error:
+      - gcr.io/*
+  blacklist:
+    warning:
+      - docker.io/*
+healthChecks:
+  readinessProbeMissing: warning
+  livenessProbeMissing: warning
+networking:
+  hostAliasSet: error
+  hostIPCSet: error
+  hostNetworkSet: error
+  hostPIDSet: error
+  hostPortSet: error
+security:
+  runAsPriviliged: warning
+  notReadOnlyRootFileSystem: warning
+  runAsNonRoot: warning
+  capabilities:
+    blacklist:
+      error:
+        - CHOWN
+        - SYS_CHROOT
+        - AUDIT_WRITE
+    whitelist:
+      warning:
+        - CHOWN
+        - DAC_OVERRIDE
+        - FSETID
+        - FOWNER
+        - MKNOD
+        - NET_RAW
+        - SETGID
+        - SETUID
+        - SETFCAP
+        - SETPCAP
+        - NET_BIND_SERVICE
+        - SYS_CHROOT
+        - KILL
+        - AUDIT_WRITE
+
diff --git a/deploy/all.yaml b/deploy/all.yaml
@@ -76,40 +76,82 @@ metadata:
 data:
   config.yml: |
     resources:
-      requests:
-        cpu:
-          min: 0.1
-          max: 1
-        memory:
-          min: 10m
-          max: 2000M
-      limits:
-        cpu:
-          min: 0.1
-          max: 1
-        memory:
-          min: 10m
-          max: 2000M
-    healthChecks:
-      readiness:
-        require: true
-      liveness:
-        require: true
+      cpuRequestsMissing: warning
+      cpuRequestRanges:
+        warning:
+          below: 50m
+          above: 1000m
+        error:
+          below: 500m
+          above: 2000m
+      cpuLimitsMissing: warning
+      cpuLimitRanges:
+        warning:
+          below: 50m
+          above: 1000m
+        error:
+          below: 500m
+          above: 2000m
+      memoryRequestsMissing: warning
+      memoryRequestRanges:
+        warning:
+          below: 50M
+          above: 2G
+        error:
+          below: 100M
+          above: 4G
+      memoryLimitsMissing: warning
+      memoryLimitRanges:
+        warning:
+          below: 50M
+          above: 2G
+        error:
+          below: 100M
+          above: 4G
     images:
-      tagRequired: true
-      whitelistRepos:
-        - gcr.io
-    hostNetwork:
-      hostAlias:
-        require: true
-      hostIPC:
-        require: true
-      hostNetwork:
-        require: true
-      hostPID:
-        require: true
-      hostPort:
-        require: true
+      tagNotSpecified: error
+      pullPolicyNotAlways: warning
+      whitelist:
+        error:
+          - gcr.io/*
+      blacklist:
+        warning:
+          - docker.io/*
+    healthChecks:
+      readinessProbeMissing: warning
+      livenessProbeMissing: warning
+    networking:
+      hostAliasSet: error
+      hostIPCSet: error
+      hostNetworkSet: error
+      hostPIDSet: error
+      hostPortSet: error
+    security:
+      runAsPriviliged: warning
+      notReadOnlyRootFileSystem: warning
+      runAsNonRoot: warning
+      capabilities:
+        blacklist:
+          error:
+            - CHOWN
+            - SYS_CHROOT
+            - AUDIT_WRITE
+        whitelist:
+          warning:
+            - CHOWN
+            - DAC_OVERRIDE
+            - FSETID
+            - FOWNER
+            - MKNOD
+            - NET_RAW
+            - SETGID
+            - SETUID
+            - SETFCAP
+            - SETPCAP
+            - NET_BIND_SERVICE
+            - SYS_CHROOT
+            - KILL
+            - AUDIT_WRITE
 ---
 apiVersion: extensions/v1beta1
 kind: Deployment

diff --git a/main.go b/main.go
@@ -1,4 +1,4 @@
-// Copyright 2018 ReactiveOps
+// Copyright 2019 ReactiveOps
 //
 // Licensed under the Apache License, Version 2.0 (the "License");
 // you may not use this file except in compliance with the License.
@@ -16,6 +16,8 @@ package main
 
 import (
 	"flag"
+	"fmt"
+	"io/ioutil"
 	glog "log"
 	"net/http"
 	"os"
@@ -24,7 +26,7 @@ import (
 	conf "github.com/reactiveops/fairwinds/pkg/config"
 	"github.com/reactiveops/fairwinds/pkg/dashboard"
 	"github.com/reactiveops/fairwinds/pkg/kube"
-	"github.com/reactiveops/fairwinds/pkg/validator"
+	fwebhook "github.com/reactiveops/fairwinds/pkg/webhook"
 	appsv1 "k8s.io/api/apps/v1"
 	corev1 "k8s.io/api/core/v1"
 	apitypes "k8s.io/apimachinery/pkg/types"
@@ -36,9 +38,7 @@ import (
 	"sigs.k8s.io/controller-runtime/pkg/webhook"
 )
 
-// FairwindsName is used for Kubernetes resource naming
-var FairwindsName = "fairwinds"
-var log = logf.Log.WithName(FairwindsName)
+var log = logf.Log.WithName("fairwinds")
 
 func main() {
 	dashboard := flag.Bool("dashboard", false, "Runs the webserver for Fairwinds dashboard.")
@@ -87,7 +87,7 @@ func startDashboardServer(c conf.Configuration, port int) {
 	})
 	portStr := strconv.Itoa(port)
 	glog.Println("Starting Fairwinds dashboard server on port " + portStr)
-	glog.Fatal(http.ListenAndServe(":" + portStr, nil))
+	glog.Fatal(http.ListenAndServe(":"+portStr, nil))
 }
 
 func startWebhookServer(c conf.Configuration, disableWebhookConfigInstaller bool, port int) {
@@ -102,25 +102,33 @@ func startWebhookServer(c conf.Configuration, disableWebhookConfigInstaller bool
 		os.Exit(1)
 	}
 
+	fairwindsResourceName := "fairwinds"
+	fairwindsNamespaceBytes, _ := ioutil.ReadFile("/var/run/secrets/kubernetes.io/serviceaccount/namespace")
+	fairwindsNamespace := string(fairwindsNamespaceBytes)
+	if fairwindsNamespace == "" {
+		fmt.Printf("could not determine current namespace, creating resources in %s namespace\n", fairwindsResourceName)
+		fairwindsNamespace = fairwindsResourceName
+	}
+
 	entryLog.Info("setting up webhook server")
-	as, err := webhook.NewServer(FairwindsName, mgr, webhook.ServerOptions{
+	as, err := webhook.NewServer(fairwindsResourceName, mgr, webhook.ServerOptions{
 		Port:                          int32(port),
 		CertDir:                       "/tmp/cert",
 		DisableWebhookConfigInstaller: &disableWebhookConfigInstaller,
 		BootstrapOptions: &webhook.BootstrapOptions{
-			ValidatingWebhookConfigName: FairwindsName,
+			ValidatingWebhookConfigName: fairwindsResourceName,
 			Secret: &apitypes.NamespacedName{
-				Namespace: FairwindsName,
-				Name:      FairwindsName,
+				Namespace: fairwindsNamespace,
+				Name:      fairwindsResourceName,
 			},
 
 			Service: &webhook.Service{
-				Namespace: FairwindsName,
-				Name:      FairwindsName,
+				Namespace: fairwindsNamespace,
+				Name:      fairwindsResourceName,
 
 				// Selectors should select the pods that runs this webhook server.
 				Selectors: map[string]string{
-					"app": FairwindsName,
+					"app": fairwindsResourceName,
 				},
 			},
 		},
@@ -132,8 +140,8 @@ func startWebhookServer(c conf.Configuration, disableWebhookConfigInstaller bool
 		glog.Println("Fairwinds webhook server listening on port " + strconv.Itoa(port))
 	}
 
-	p := validator.NewWebhook("pod", mgr, validator.Validator{Config: c}, &corev1.Pod{})
-	d := validator.NewWebhook("deploy", mgr, validator.Validator{Config: c}, &appsv1.Deployment{})
+	p := fwebhook.NewWebhook("pod", mgr, fwebhook.Validator{Config: c}, &corev1.Pod{})
+	d := fwebhook.NewWebhook("deploy", mgr, fwebhook.Validator{Config: c}, &appsv1.Deployment{})
 	entryLog.Info("registering webhooks to the webhook server")
 	if err = as.Register(p, d); err != nil {
 		entryLog.Error(err, "unable to register webhooks in the admission server")