
update opa queries and add more workloads

Alexander Belanger 3 лет назад
Родитель
Сommit
2086bf159a
4 измененных файлов с 54 добавлено и 7 удалено
  1. 35 2
      internal/opa/config.yaml
  2. 1 1
      internal/opa/loader.go
  3. 17 3
      internal/opa/opa.go
  4. 1 1
      workers/jobs/recommender.go

+ 35 - 2
internal/opa/config.yaml

@@ -56,7 +56,7 @@ prometheus:
     name: "prometheus.version"
 nginx_pod:
   kind: "pod"
-  overrideSeverity: "critical"
+  override_severity: "critical"
   match:
     namespace: ingress-nginx
     labels:
@@ -68,6 +68,7 @@ nginx_pod:
     name: "pod.running"
 prometheus_server_pod:
   kind: "pod"
+  override_severity: "critical"
   match:
     namespace: monitoring
     labels:
@@ -146,6 +147,7 @@ node:
 descheduler:
   kind: "helm_release"
   match:
+    kubernetes_service: eks
     name: descheduler
     namespace: kube-system
   mustExist: true
@@ -153,7 +155,38 @@ descheduler:
 vpa:
   kind: "helm_release"
   match:
+    kubernetes_service: eks
     name: vpa
     namespace: kube-system
   mustExist: true
-  policies: []
+  policies: []
+coredns:
+  kind: "pod"
+  match:
+    kubernetes_service: eks
+    namespace: kube-system
+    labels:
+      eks.amazonaws.com/component: "coredns"
+  policies:
+  - path: "./policies/pod/running.rego"
+    name: "pod.running"
+cluster_autoscaler:
+  kind: "pod"
+  match:
+    kubernetes_service: eks
+    namespace: kube-system
+    labels:
+      app.kubernetes.io/name: "aws-cluster-autoscaler"
+  policies:
+  - path: "./policies/pod/running.rego"
+    name: "pod.running"
+load_balancer_controller:
+  kind: "pod"
+  match:
+    kubernetes_service: eks
+    namespace: kube-system
+    labels:
+      app.kubernetes.io/name: "aws-load-balancer-controller"
+  policies:
+  - path: "./policies/pod/running.rego"
+    name: "pod.running"

+ 1 - 1
internal/opa/loader.go

@@ -16,7 +16,7 @@ type ConfigFilePolicyCollection struct {
 	Kind             string             `json:"kind"`
 	Match            MatchParameters    `json:"match"`
 	MustExist        bool               `json:"mustExist"`
-	OverrideSeverity string             `json:"overrideSeverity"`
+	OverrideSeverity string             `json:"override_severity"`
 	Policies         []ConfigFilePolicy `json:"policies"`
 }
 

+ 17 - 3
internal/opa/opa.go

@@ -11,6 +11,7 @@ import (
 	"github.com/porter-dev/porter/api/types"
 	"github.com/porter-dev/porter/internal/helm"
 	"github.com/porter-dev/porter/internal/kubernetes"
+	"github.com/porter-dev/porter/internal/models"
 	"github.com/porter-dev/porter/pkg/logger"
 	"helm.sh/helm/v3/pkg/release"
 	v1 "k8s.io/apimachinery/pkg/apis/meta/v1"
@@ -26,6 +27,7 @@ type KubernetesPolicies struct {
 type KubernetesOPARunner struct {
 	*KubernetesPolicies
 
+	cluster       *models.Cluster
 	k8sAgent      *kubernetes.Agent
 	dynamicClient dynamic.Interface
 }
@@ -48,11 +50,17 @@ type KubernetesOPAQueryCollection struct {
 }
 
 type MatchParameters struct {
+	// global cluster match parameters
+
+	// KubernetesService is a matching service kind, like `eks`
+	KubernetesService string `json:"kubernetes_service"`
+
+	// parameters for Helm releases
 	Name      string `json:"name"`
 	Namespace string `json:"namespace"`
-
 	ChartName string `json:"chart_name"`
 
+	// generic labels parameter
 	Labels map[string]string `json:"labels"`
 
 	// parameters for CRDs
@@ -84,8 +92,8 @@ type rawQueryResult struct {
 	FailureMessage []string `mapstructure:"FAILURE_MESSAGE"`
 }
 
-func NewRunner(policies *KubernetesPolicies, k8sAgent *kubernetes.Agent, dynamicClient dynamic.Interface) *KubernetesOPARunner {
-	return &KubernetesOPARunner{policies, k8sAgent, dynamicClient}
+func NewRunner(policies *KubernetesPolicies, cluster *models.Cluster, k8sAgent *kubernetes.Agent, dynamicClient dynamic.Interface) *KubernetesOPARunner {
+	return &KubernetesOPARunner{policies, cluster, k8sAgent, dynamicClient}
 }
 
 func (runner *KubernetesOPARunner) GetRecommendations(categories []string) ([]*OPARecommenderQueryResult, error) {
@@ -116,6 +124,12 @@ func (runner *KubernetesOPARunner) GetRecommendations(categories []string) ([]*O
 			var currResults []*OPARecommenderQueryResult
 			var err error
 
+			// look at global match parameters
+			if s := queryCollection.Match.KubernetesService; s != "" && strings.ToLower(string(runner.cluster.ToClusterType().Service)) != s {
+				fmt.Printf("skipping %s as it does not match the cluster service", name)
+				continue
+			}
+
 			switch queryCollection.Kind {
 			case HelmRelease:
 				currResults, err = runner.runHelmReleaseQueries(name, queryCollection)
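Review bot: The new service gate lowercases the cluster's service but compares it against the raw config value `s`, so an entry such as `kubernetes_service: EKS` silently matches nothing and every workload under it is skipped; `if s := queryCollection.Match.KubernetesService; s != "" && !strings.EqualFold(string(runner.cluster.ToClusterType().Service), s) {` removes the asymmetry (the `strings` import is not visible in this hunk, so confirm it is already present). The skip message is written with `fmt.Printf` and has no trailing newline, so consecutive skips run together on stdout and bypass the `pkg/logger` package this file already imports; at minimum append `\n`, preferably emit it through the logger so skipped workloads are visible in the same log stream as the rest of the run. The gate also dereferences `runner.cluster`, which `NewRunner` now stores without a nil check, so a caller passing a nil cluster panics inside GetRecommendations instead of at construction; a doc comment on `NewRunner` stating that `cluster` must be non-nil, or an explicit guard, would make that contract clear. GetRecommendations starts and continues outside this hunk.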

+ 1 - 1
workers/jobs/recommender.go

@@ -224,7 +224,7 @@ func (n *recommender) Run() error {
 			continue
 		}
 
-		runner := opa.NewRunner(n.policies, k8sAgent, dynamicClient)
+		runner := opa.NewRunner(n.policies, cluster, k8sAgent, dynamicClient)
 
 		queryResults, err := runner.GetRecommendations(n.categories)