
Merge pull request #2395 from porter-dev/belanger/fix-node-policies

Fix node policies and add checks for `descheduler` and `vpa` workloads
abelanger5 3 lat temu
rodzic
commit
d2782f511c

+ 17 - 1
internal/opa/config.yaml

@@ -132,4 +132,20 @@ node:
   - path: "./policies/node/porter_run_taints.rego"
     name: "node.porter_run_taints"
   - path: "./policies/node/porter_run_labels.rego"
-    name: "node.porter_run_labels"
+    name: "node.porter_run_labels"
+  - path: "./policies/node/healthy.rego"
+    name: "node.healthy"
+descheduler:
+  kind: "helm_release"
+  match:
+    name: descheduler
+    namespace: kube-system
+  mustExist: true
+  policies: []
+vpa:
+  kind: "helm_release"
+  match:
+    name: vpa
+    namespace: kube-system
+  mustExist: true
+  policies: []
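Review bot: The new `descheduler` and `vpa` entries set `mustExist: true` with `policies: []`, so as written the check only confirms that a Helm release with that name is present in `kube-system` and asserts nothing about the release's deployed status or whether its workload is actually running. If the engine's `mustExist` handling is meant to cover release status, a short comment next to the entries saying so would help, e.g. `# mustExist: the release must be present; status is not evaluated`; otherwise a policy under `policies` is needed for the check to mean more than "installed". Quoting is also mixed inside the same entry (`kind: "helm_release"` against `name: descheduler` and `namespace: kube-system`); pick one form for the whole file.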

+ 25 - 0
internal/opa/policies/node/healthy.rego

@@ -0,0 +1,25 @@
+package node.healthy
+
+import future.keywords
+
+POLICY_ID := sprintf("healthy_%s", [input.metadata.name])
+
+POLICY_VERSION := "v0.0.1"
+
+POLICY_SEVERITY := "critical"
+
+POLICY_TITLE := sprintf("The node %s should be healthy", [input.metadata.name])
+
+POLICY_SUCCESS_MESSAGE := sprintf("Success: this node is healthy", [])
+
+# check if one of the node's conditions states that the kubelet is ready
+allow if {
+	some condition in input.status.conditions
+	condition.reason == "KubeletReady"
+	condition.status = "True"
+}
+
+FAILURE_MESSAGE contains msg if {
+	not allow
+	msg := sprintf("Failed: the node %s is not healthy", [input.metadata.name])
+}
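Review bot: The readiness rule in `allow` keys on `condition.reason == "KubeletReady"`, but `reason` is a free-form string set by the kubelet, whereas the condition's `type` is the stable field; a node that is not ready carries the same `type: Ready` condition with a different reason, and any change to the kubelet's reason wording would make every node fail this policy. Match on the type instead, `condition.type == "Ready"`, and use the comparison operator on the following line for consistency with the line above, `condition.status == "True"` (the `=` unification happens to work here because both sides are bound, but it reads as an assignment). `POLICY_SUCCESS_MESSAGE := sprintf("Success: this node is healthy", [])` has no format arguments and can be a plain string literal like the other constants.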

+ 1 - 1
internal/opa/policies/node/k8s_version.rego

@@ -2,7 +2,7 @@ package node.k8s_version
 
 import future.keywords
 
-POLICY_ID := "k8s_version"
+POLICY_ID := sprintf("k8s_version_%s", [input.metadata.name])
 
 POLICY_VERSION := "v0.0.1"
 

+ 1 - 1
internal/opa/policies/node/porter_run_labels.rego

@@ -2,7 +2,7 @@ package node.porter_run_labels
 
 import future.keywords
 
-POLICY_ID := "porter_run_labels"
+POLICY_ID := sprintf("porter_run_labels_%s", [input.metadata.name])
 
 POLICY_VERSION := "v0.0.1"
 

+ 1 - 1
internal/opa/policies/node/porter_run_taints.rego

@@ -2,7 +2,7 @@ package node.porter_run_taints
 
 import future.keywords
 
-POLICY_ID := "porter_run_taints"
+POLICY_ID := sprintf("porter_run_taints_%s", [input.metadata.name])
 
 POLICY_VERSION := "v0.0.1"