web: kind: "helm_release" match: chart_name: "web" policies: - path: "./policies/web/web_version.rego" name: "web.version" nginx: kind: "helm_release" match: name: nginx-ingress namespace: ingress-nginx mustExist: true policies: - path: "./policies/nginx/nginx_version.rego" name: "nginx.version" - path: "./policies/nginx/nginx_topology_spread_constraints.rego" name: "nginx.topology_spread_constraints" - path: "./policies/nginx/memory_limits.rego" name: "nginx.memory_limits" - path: "./policies/nginx/wait_shutdown.rego" name: "nginx.wait_shutdown" cert-manager: kind: "helm_release" match: name: cert-manager namespace: cert-manager mustExist: true policies: - path: "./policies/cert-manager/cert_manager_version.rego" name: "cert_manager.version" - path: "./policies/cert-manager/cainjector_memory_limits.rego" name: "cert_manager.cainjector_memory_limits" - path: "./policies/cert-manager/controller_memory_limits.rego" name: "cert_manager.controller_memory_limits" - path: "./policies/cert-manager/webhook_memory_limits.rego" name: "cert_manager.webhook_memory_limits" prometheus: kind: "helm_release" match: name: prometheus namespace: monitoring mustExist: true policies: - path: "./policies/prometheus/server_memory_limits.rego" name: "prometheus.server_memory_limits" - path: "./policies/prometheus/alertmanager_memory_limits.rego" name: "prometheus.alertmanager_memory_limits" - path: "./policies/prometheus/kubestatemetrics_memory_limits.rego" name: "prometheus.kubestatemetrics_memory_limits" - path: "./policies/prometheus/pushgateway_memory_limits.rego" name: "prometheus.pushgateway_memory_limits" - path: "./policies/prometheus/nodeexporter_memory_limits.rego" name: "prometheus.nodeexporter_memory_limits" - path: "./policies/prometheus/prometheus_version.rego" name: "prometheus.version" nginx_pod: kind: "pod" override_severity: "critical" match: namespace: ingress-nginx labels: app.kubernetes.io/component: "controller" app.kubernetes.io/instance: "nginx-ingress" app.kubernetes.io/name: "ingress-nginx" policies: - path: "./policies/pod/running.rego" name: "pod.running" prometheus_server_pod: kind: "pod" override_severity: "critical" match: namespace: monitoring labels: app: "prometheus" component: "server" release: "prometheus" policies: - path: "./policies/pod/running.rego" name: "pod.running" prometheus_alertmanager_pod: kind: "pod" match: namespace: monitoring labels: app: "prometheus" component: "alertmanager" release: "prometheus" policies: - path: "./policies/pod/running.rego" name: "pod.running" porter_agent_pod: kind: "pod" match: namespace: porter-agent-system labels: control-plane: "controller-manager" policies: - path: "./policies/pod/running.rego" name: "pod.running" porter_agent_loki_pod: kind: "pod" match: namespace: porter-agent-system labels: app: "loki" name: "porter-agent-loki" policies: - path: "./policies/pod/running.rego" name: "pod.running" porter_agent_promtail_daemonset: kind: "daemonset" match: namespace: porter-agent-system labels: app.kubernetes.io/instance: "porter-agent" app.kubernetes.io/name: "promtail" policies: - path: "./policies/daemonset/running.rego" name: "daemonset.running" certificates: kind: "crd_list" match: group: cert-manager.io version: v1 resource: certificates policies: - path: "./policies/certificates/expiry_two_weeks.rego" name: "certificates.expiry_two_weeks" - path: "./policies/certificates/expired.rego" name: "certificates.expired" node: kind: "crd_list" match: group: core version: v1 resource: nodes policies: - path: "./policies/node/k8s_version.rego" name: "node.k8s_version" - path: "./policies/node/porter_run_taints.rego" name: "node.porter_run_taints" - path: "./policies/node/porter_run_labels.rego" name: "node.porter_run_labels" - path: "./policies/node/healthy.rego" name: "node.healthy" descheduler: kind: "helm_release" match: kubernetes_service: eks name: descheduler namespace: kube-system mustExist: true policies: [] vpa: kind: "helm_release" match: kubernetes_service: eks name: vpa namespace: kube-system mustExist: true policies: [] coredns: kind: "pod" match: kubernetes_service: eks namespace: kube-system labels: eks.amazonaws.com/component: "coredns" policies: - path: "./policies/pod/running.rego" name: "pod.running" cluster_autoscaler: kind: "pod" match: kubernetes_service: eks namespace: kube-system labels: app.kubernetes.io/name: "aws-cluster-autoscaler" policies: - path: "./policies/pod/running.rego" name: "pod.running" load_balancer_controller: kind: "pod" match: kubernetes_service: eks namespace: kube-system labels: app.kubernetes.io/name: "aws-load-balancer-controller" policies: - path: "./policies/pod/running.rego" name: "pod.running"