
add more policies for cert-manager and update version policies

Alexander Belanger hace 3 años
padre
commit
361840840b

+ 14 - 0
internal/opa/config.yaml

@@ -19,6 +19,18 @@ nginx:
     name: "nginx.memory_limits"
   - path: "./policies/nginx/wait_shutdown.rego"
     name: "nginx.wait_shutdown"
+cert-manager:
+  kind: "helm_release"
+  match:
+    name: cert-manager
+    namespace: cert-manager
+  policies:
+  - path: "./policies/cert-manager/cainjector_memory_limits.rego"
+    name: "cert_manager.cainjector_memory_limits"
+  - path: "./policies/cert-manager/controller_memory_limits.rego"
+    name: "cert_manager.controller_memory_limits"
+  - path: "./policies/cert-manager/webhook_memory_limits.rego"
+    name: "cert_manager.webhook_memory_limits"
 prometheus:
   kind: "helm_release"
   match:
@@ -35,6 +47,8 @@ prometheus:
     name: "prometheus.pushgateway_memory_limits"
   - path: "./policies/prometheus/nodeexporter_memory_limits.rego"
     name: "prometheus.nodeexporter_memory_limits"
+  - path: "./policies/prometheus/prometheus_version.rego"
+    name: "prometheus.version"
 nginx_pod:
   kind: "pod"
   match:

+ 32 - 0
internal/opa/policies/cert-manager/cainjector_memory_limits.rego

@@ -0,0 +1,32 @@
+package cert_manager.cainjector_memory_limits
+
+import future.keywords
+
+# This policy tests for the existence of memory limits as a hard constraint. We look
+# for Helm values of the form:
+# 
+# resources:
+#   limits:
+#     memory: 512Mi
+#   requests:
+#     cpu: 50m
+#     memory: 512Mi
+
+POLICY_ID := "cainjector_memory_limits"
+
+POLICY_VERSION := "v0.0.1"
+
+POLICY_SEVERITY := "high"
+
+POLICY_TITLE := sprintf("Cert-manager CA injector should have memory limits set", [])
+
+POLICY_SUCCESS_MESSAGE := sprintf("Success: Cert-manager CA injector has memory limits set", [])
+
+allow if {
+	input.values.cainjector.resources.limits.memory
+}
+
+FAILURE_MESSAGE contains msg if {
+	not allow
+	msg := "Failed: Cert-manager CA injector does not have memory limits set"
+}
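Review bot: The `allow` body `input.values.cainjector.resources.limits.memory` only requires the reference to be defined and not `false`, so a values file that sets `memory: null` (the usual Helm idiom for clearing a chart default) or `memory: ""` still satisfies the policy even though no limit is in effect, assuming the evaluator passes the release values through unchanged. Suggest binding and checking the value: `m := input.values.cainjector.resources.limits.memory`, `m != null`, `m != ""`. The same pattern is used in controller_memory_limits.rego (`input.values.resources.limits.memory`) and webhook_memory_limits.rego (`input.values.webhook.resources.limits.memory`). The `sprintf(..., [])` calls for POLICY_TITLE and POLICY_SUCCESS_MESSAGE have no format arguments and could be plain string literals, as the FAILURE_MESSAGE rule already does.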

+ 32 - 0
internal/opa/policies/cert-manager/controller_memory_limits.rego

@@ -0,0 +1,32 @@
+package cert_manager.controller_memory_limits
+
+import future.keywords
+
+# This policy tests for the existence of memory limits as a hard constraint. We look
+# for Helm values of the form:
+# 
+# resources:
+#   limits:
+#     memory: 512Mi
+#   requests:
+#     cpu: 50m
+#     memory: 512Mi
+
+POLICY_ID := "controller_memory_limits"
+
+POLICY_VERSION := "v0.0.1"
+
+POLICY_SEVERITY := "high"
+
+POLICY_TITLE := sprintf("Cert-manager controller should have memory limits set", [])
+
+POLICY_SUCCESS_MESSAGE := sprintf("Success: Cert-manager controller has memory limits set", [])
+
+allow if {
+	input.values.resources.limits.memory
+}
+
+FAILURE_MESSAGE contains msg if {
+	not allow
+	msg := "Failed: Cert-manager controller does not have memory limits set"
+}

+ 33 - 0
internal/opa/policies/cert-manager/webhook_memory_limits.rego

@@ -0,0 +1,33 @@
+package cert_manager.webhook_memory_limits
+
+import future.keywords
+
+# This policy tests for the existence of memory limits as a hard constraint. We look
+# for Helm values of the form:
+# 
+# webhook:
+#   resources:
+#     limits:
+#       memory: 512Mi
+#     requests:
+#       cpu: 50m
+#       memory: 512Mi
+
+POLICY_ID := "webhook_memory_limits"
+
+POLICY_VERSION := "v0.0.1"
+
+POLICY_SEVERITY := "high"
+
+POLICY_TITLE := sprintf("Cert-manager webhook should have memory limits set", [])
+
+POLICY_SUCCESS_MESSAGE := sprintf("Success: Cert-manager webhook has memory limits set", [])
+
+allow if {
+	input.values.webhook.resources.limits.memory
+}
+
+FAILURE_MESSAGE contains msg if {
+	not allow
+	msg := "Failed: Cert-manager webhook does not have memory limits set"
+}

+ 2 - 2
internal/opa/policies/nginx/nginx_version.rego

@@ -8,7 +8,7 @@ POLICY_VERSION := "v0.0.1"
 
 POLICY_SEVERITY := "high"
 
-latest_stable_version := "0.4.18"
+latest_stable_version := "4.0.18"
 
 POLICY_TITLE := sprintf("The NGINX version should be at least v%s", [latest_stable_version])
 
@@ -17,7 +17,7 @@ POLICY_SUCCESS_MESSAGE := sprintf("Success: NGINX version is up-to-date", [])
 trimmedVersion := trim_left(input.version, "v")
 
 # semver.compare returns -1 if latest_stable_version < trimmedVersion
-allow if semver.compare(latest_stable_version, trimmedVersion) == -1
+allow if semver.compare(latest_stable_version, trimmedVersion) <= 0
 
 FAILURE_MESSAGE contains msg if {
 	not allow
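Review bot: The comment directly above `allow` still says `semver.compare returns -1 if latest_stable_version < trimmedVersion`, which described the old `== -1` test; with `<= 0` the rule now also accepts the exact minimum version, so it should read `# semver.compare returns -1 or 0 when latest_stable_version <= trimmedVersion, i.e. the release is at or above the minimum`. The same stale comment is copied into the new prometheus_version.rego. With this change `latest_stable_version` acts as a minimum acceptable version rather than a pin to the latest release, so a name such as `minimum_version` would describe the check more accurately. The FAILURE_MESSAGE rule that starts at the end of the hunk continues outside it.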

+ 25 - 0
internal/opa/policies/prometheus/prometheus_version.rego

@@ -0,0 +1,25 @@
+package prometheus.version
+
+import future.keywords
+
+POLICY_ID := "prometheus_version"
+
+POLICY_VERSION := "v0.0.1"
+
+POLICY_SEVERITY := "high"
+
+latest_stable_version := "15.5.3"
+
+POLICY_TITLE := sprintf("The Prometheus version should be at least v%s", [latest_stable_version])
+
+POLICY_SUCCESS_MESSAGE := sprintf("Success: Prometheus version is up-to-date", [])
+
+trimmedVersion := trim_left(input.version, "v")
+
+# semver.compare returns -1 if latest_stable_version < trimmedVersion
+allow if semver.compare(latest_stable_version, trimmedVersion) <= 0
+
+FAILURE_MESSAGE contains msg if {
+	not allow
+	msg := sprintf("Failed: latest stable version is %s, but you are on %s", [latest_stable_version, trimmedVersion])
+}
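Review bot: When `input.version` is absent, `trimmedVersion` is undefined, so `allow` is undefined and `not allow` holds, but the `sprintf` that builds `msg` is undefined as well and FAILURE_MESSAGE ends up as an empty set; whether that surfaces as a failure or as a silent pass depends on how the Go evaluator reads FAILURE_MESSAGE, which is outside this diff. An explicit rule for the missing-version case makes the failure visible regardless of that. The same consideration applies when `input.version` is not a valid semver string, where `semver.compare` is undefined (a builtin error under OPA's default non-strict handling) rather than false.
```rego
# … unchanged: POLICY_* declarations, trimmedVersion and allow …

FAILURE_MESSAGE contains msg if {
	not input.version
	msg := "Failed: no version was supplied for the Prometheus release"
}
```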