
add more information for recommender policies and add low/critical severities

Alexander Belanger há 3 anos atrás
pai
commit
deb5cc274d

+ 4 - 1
internal/opa/config.yaml

@@ -56,6 +56,7 @@ prometheus:
     name: "prometheus.version"
 nginx_pod:
   kind: "pod"
+  override_severity: "critical"
   match:
     namespace: ingress-nginx
     labels:
@@ -116,4 +117,6 @@ certificates:
     resource: certificates
   policies:
   - path: "./policies/certificates/expiry_two_weeks.rego"
-    name: "certificates.expiry_two_weeks"
+    name: "certificates.expiry_two_weeks"
+  - path: "./policies/certificates/expired.rego"
+    name: "certificates.expired"
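Review bot: `override_severity: "critical"` on nginx_pod flattens every policy in that collection to critical, and nothing in the config says so; a reader would not know it also replaces the POLICY_SEVERITY each pod policy declares for itself. I'd add a comment above the new key: `# override_severity replaces the severity reported by every policy in this collection`. The removal and re-addition of the identical `certificates.expiry_two_weeks` line looks like a trailing-newline change only.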

+ 5 - 4
internal/opa/loader.go

@@ -13,10 +13,11 @@ import (
 type ConfigFile map[string]ConfigFilePolicyCollection
 
 type ConfigFilePolicyCollection struct {
-	Kind      string             `yaml:"kind"`
-	Match     MatchParameters    `yaml:"match"`
-	MustExist bool               `yaml:"mustExist"`
-	Policies  []ConfigFilePolicy `yaml:"policies"`
+	Kind             string             `yaml:"kind"`
+	Match            MatchParameters    `yaml:"match"`
+	MustExist        bool               `yaml:"mustExist"`
+	OverrideSeverity string             `yaml:"override_severity"`
+	Policies         []ConfigFilePolicy `yaml:"policies"`
 }
 
 type ConfigFilePolicy struct {
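Review bot: The new `OverrideSeverity` field is read straight from YAML and, as far as this hunk shows, is carried into the query collection without validation, so a typo such as `"Critical"` or an unknown level would be reported verbatim to the recommender. A doc comment would help readers of the config type: `// OverrideSeverity, when non-empty, replaces the severity reported by every policy in this collection, including the mustExist check.` Consider validating the value against the severity levels the recommender recognises at the point where ConfigFile is converted into KubernetesOPAQueryCollection, which is outside this hunk. The ConfigFilePolicy struct that starts on the last hunk line continues outside the hunk.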

+ 20 - 8
internal/opa/opa.go

@@ -39,10 +39,11 @@ const (
 )
 
 type KubernetesOPAQueryCollection struct {
-	Kind      KubernetesBuiltInKind
-	Match     MatchParameters
-	MustExist bool
-	Queries   []rego.PreparedEvalQuery
+	Kind             KubernetesBuiltInKind
+	Match            MatchParameters
+	MustExist        bool
+	OverrideSeverity string
+	Queries          []rego.PreparedEvalQuery
 }
 
 type MatchParameters struct {
@@ -158,7 +159,7 @@ func (runner *KubernetesOPARunner) runHelmReleaseQueries(name string, collection
 						ObjectID:       fmt.Sprintf("helm_release/%s/%s/%s", collection.Match.Namespace, collection.Match.Name, "exists"),
 						CategoryName:   name,
 						PolicyVersion:  "v0.0.1",
-						PolicySeverity: "high",
+						PolicySeverity: getSeverity("high", collection),
 						PolicyTitle:    fmt.Sprintf("The helm release %s must exist", collection.Match.Name),
 						PolicyMessage:  "The helm release was not found on the cluster",
 					},
@@ -172,7 +173,7 @@ func (runner *KubernetesOPARunner) runHelmReleaseQueries(name string, collection
 				ObjectID:       fmt.Sprintf("helm_release/%s/%s/%s", collection.Match.Namespace, collection.Match.Name, "exists"),
 				CategoryName:   name,
 				PolicyVersion:  "v0.0.1",
-				PolicySeverity: "high",
+				PolicySeverity: getSeverity("high", collection),
 				PolicyTitle:    fmt.Sprintf("The helm release %s must exist", collection.Match.Name),
 				PolicyMessage:  "The helm release was found",
 			})
@@ -232,6 +233,7 @@ func (runner *KubernetesOPARunner) runHelmReleaseQueries(name string, collection
 					rawQueryRes,
 					fmt.Sprintf("helm_release/%s/%s/%s", helmRelease.Namespace, helmRelease.Name, rawQueryRes.PolicyID),
 					name,
+					collection,
 				))
 			}
 		}
@@ -240,6 +242,14 @@ func (runner *KubernetesOPARunner) runHelmReleaseQueries(name string, collection
 	return res, nil
 }
 
+func getSeverity(defaultSeverity string, collection KubernetesOPAQueryCollection) string {
+	if collection.OverrideSeverity != "" {
+		return collection.OverrideSeverity
+	}
+
+	return defaultSeverity
+}
+
 func (runner *KubernetesOPARunner) runPodQueries(name string, collection KubernetesOPAQueryCollection) ([]*OPARecommenderQueryResult, error) {
 	res := make([]*OPARecommenderQueryResult, 0)
 
@@ -287,6 +297,7 @@ func (runner *KubernetesOPARunner) runPodQueries(name string, collection Kuberne
 					rawQueryRes,
 					fmt.Sprintf("pod/%s/%s", pod.Namespace, pod.Name),
 					name,
+					collection,
 				))
 			}
 		}
@@ -334,6 +345,7 @@ func (runner *KubernetesOPARunner) runCRDListQueries(name string, collection Kub
 					rawQueryRes,
 					fmt.Sprintf("%s/%s/%s/%s", collection.Match.Group, collection.Match.Version, collection.Match.Resource, rawQueryRes.PolicyID),
 					name,
+					collection,
 				))
 			}
 		}
@@ -342,7 +354,7 @@ func (runner *KubernetesOPARunner) runCRDListQueries(name string, collection Kub
 	return res, nil
 }
 
-func rawQueryResToRecommenderQueryResult(rawQueryRes *rawQueryResult, objectID, categoryName string) *OPARecommenderQueryResult {
+func rawQueryResToRecommenderQueryResult(rawQueryRes *rawQueryResult, objectID, categoryName string, collection KubernetesOPAQueryCollection) *OPARecommenderQueryResult {
 	queryRes := &OPARecommenderQueryResult{
 		ObjectID:     objectID,
 		CategoryName: categoryName,
@@ -357,7 +369,7 @@ func rawQueryResToRecommenderQueryResult(rawQueryRes *rawQueryResult, objectID,
 
 	queryRes.PolicyMessage = message
 	queryRes.Allow = rawQueryRes.Allow
-	queryRes.PolicySeverity = rawQueryRes.PolicySeverity
+	queryRes.PolicySeverity = getSeverity(rawQueryRes.PolicySeverity, collection)
 	queryRes.PolicyTitle = rawQueryRes.PolicyTitle
 	queryRes.PolicyVersion = rawQueryRes.PolicyVersion
 

+ 26 - 0
internal/opa/policies/certificates/expired.rego

@@ -0,0 +1,26 @@
+package certificates.expired
+
+import future.keywords
+
+POLICY_ID := sprintf("certificates_expired_%s_%s", [input.metadata.namespace, input.metadata.name])
+
+POLICY_VERSION := "v0.0.1"
+
+POLICY_SEVERITY := "critical"
+
+POLICY_TITLE := sprintf("Certificate %s/%s should not be expired", [input.metadata.namespace, input.metadata.name])
+
+POLICY_SUCCESS_MESSAGE := sprintf("Success: certificate %s/%s is not expired", [input.metadata.namespace, input.metadata.name])
+
+allow if {
+	not rfc3339_expired(input.status.notAfter)
+}
+
+FAILURE_MESSAGE contains msg if {
+	rfc3339_expired(input.status.notAfter)
+	msg := sprintf("Certificate expired at %s", [input.status.notAfter])
+}
+
+rfc3339_expired(a) if {
+	time.parse_rfc3339_ns(a) < time.now_ns()
+}
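Review bot: `allow` is true when `input.status.notAfter` is absent, because `not` of an undefined expression succeeds in Rego, so a certificate that has never been issued (no status.notAfter) is reported as not expired; the same holds for a malformed timestamp unless strict builtin errors are enabled, since the parse error leaves `rfc3339_expired` undefined. The rule should require a parsable timestamp explicitly and report a missing one as a failure rather than a pass. The check is also point-in-time with no grace window, which is reasonable given expiry_two_weeks covers the lead time, but a one-line comment saying so would help.

```rego
allow if {
	expiry := time.parse_rfc3339_ns(input.status.notAfter)
	expiry >= time.now_ns()
}

FAILURE_MESSAGE contains msg if {
	not input.status.notAfter
	msg := "Certificate has no status.notAfter; it may not have been issued yet"
}

# … unchanged: expired FAILURE_MESSAGE rule, rfc3339_expired …
```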

+ 4 - 4
internal/opa/policies/web/web_version.rego

@@ -6,13 +6,13 @@ POLICY_ID := "web_version"
 
 POLICY_VERSION := "v0.0.1"
 
-POLICY_SEVERITY := "high"
+POLICY_SEVERITY := "low"
 
 latest_stable_version := "0.50.0"
 
-POLICY_TITLE := sprintf("The web version should be at least v%s", [latest_stable_version])
+POLICY_TITLE := sprintf("The web version for application %s/%s should be at least v%s", [input.namespace, input.name, latest_stable_version])
 
-POLICY_SUCCESS_MESSAGE := sprintf("Success: web version is up-to-date", [])
+POLICY_SUCCESS_MESSAGE := sprintf("Success: web version for %s/%s is up-to-date", [input.namespace, input.name])
 
 trimmedVersion := trim_left(input.version, "v")
 
@@ -21,5 +21,5 @@ allow if semver.compare(latest_stable_version, trimmedVersion) == -1
 
 FAILURE_MESSAGE contains msg if {
 	not allow
-	msg := sprintf("Failed: latest stable version is %s, but you are on %s", [latest_stable_version, trimmedVersion])
+	msg := sprintf("Failed: latest stable version is %s, but %s/%s is on %s", [latest_stable_version, input.namespace, input.name, trimmedVersion])
 }
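Review bot: The new title promises the web version should be "at least" v0.50.0, but the comparison shown in the second hunk's header, `allow if semver.compare(latest_stable_version, trimmedVersion) == -1`, only passes when the installed version is strictly newer, so an install exactly at 0.50.0 is reported as failing with the new message. If equality is meant to pass, `allow if semver.compare(latest_stable_version, trimmedVersion) <= 0` matches the wording. The new title, success and failure messages also depend on `input.namespace` and `input.name`; if either is absent the sprintf is undefined and the message disappears, so it is worth confirming the runner always supplies both. The allow rule itself is outside the hunk lines, so the first point is inferred from the header context.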