Home Explore Help
Sign In
akillibulut
/
porter
mirror of https://github.com/porter-dev/porter
2
0
Fork 0
Files Issues 0 Wiki
Branch: jusrhee-patch-1
Branches Tags
porter
/
internal
/
opa
/
config.yaml

config.yaml 5.1 KB
Permalink History Raw

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160161162163164165166167168169170171172173174175176177178179180181182183184185186187188189190191192 
  1. web:
    2. 

  2.   kind: "helm_release"
    3. 

  3.   match:
    4. 

  4.     chart_name: "web"
    5. 

  5.   policies:
    6. 

  6.   - path: "./policies/web/web_version.rego"
    7. 

  7.     name: "web.version"
    8. 

  8. nginx:
    9. 

  9.   kind: "helm_release"
    10. 

  10.   match:
    11. 

  11.     name: nginx-ingress
    12. 

  12.     namespace: ingress-nginx
    13. 

  13.   mustExist: true
    14. 

  14.   policies:
    15. 

  15.   - path: "./policies/nginx/nginx_version.rego"
    16. 

  16.     name: "nginx.version"
    17. 

  17.   - path: "./policies/nginx/nginx_topology_spread_constraints.rego"
    18. 

  18.     name: "nginx.topology_spread_constraints"
    19. 

  19.   - path: "./policies/nginx/memory_limits.rego"
    20. 

  20.     name: "nginx.memory_limits"
    21. 

  21.   - path: "./policies/nginx/wait_shutdown.rego"
    22. 

  22.     name: "nginx.wait_shutdown"
    23. 

  23. cert-manager:
    24. 

  24.   kind: "helm_release"
    25. 

  25.   match:
    26. 

  26.     name: cert-manager
    27. 

  27.     namespace: cert-manager
    28. 

  28.   mustExist: true
    29. 

  29.   policies:
    30. 

  30.   - path: "./policies/cert-manager/cert_manager_version.rego"
    31. 

  31.     name: "cert_manager.version"
    32. 

  32.   - path: "./policies/cert-manager/cainjector_memory_limits.rego"
    33. 

  33.     name: "cert_manager.cainjector_memory_limits"
    34. 

  34.   - path: "./policies/cert-manager/controller_memory_limits.rego"
    35. 

  35.     name: "cert_manager.controller_memory_limits"
    36. 

  36.   - path: "./policies/cert-manager/webhook_memory_limits.rego"
    37. 

  37.     name: "cert_manager.webhook_memory_limits"
    38. 

  38. prometheus:
    39. 

  39.   kind: "helm_release"
    40. 

  40.   match:
    41. 

  41.     name: prometheus
    42. 

  42.     namespace: monitoring
    43. 

  43.   mustExist: true
    44. 

  44.   policies:
    45. 

  45.   - path: "./policies/prometheus/server_memory_limits.rego"
    46. 

  46.     name: "prometheus.server_memory_limits"
    47. 

  47.   - path: "./policies/prometheus/alertmanager_memory_limits.rego"
    48. 

  48.     name: "prometheus.alertmanager_memory_limits"
    49. 

  49.   - path: "./policies/prometheus/kubestatemetrics_memory_limits.rego"
    50. 

  50.     name: "prometheus.kubestatemetrics_memory_limits"
    51. 

  51.   - path: "./policies/prometheus/pushgateway_memory_limits.rego"
    52. 

  52.     name: "prometheus.pushgateway_memory_limits"
    53. 

  53.   - path: "./policies/prometheus/nodeexporter_memory_limits.rego"
    54. 

  54.     name: "prometheus.nodeexporter_memory_limits"
    55. 

  55.   - path: "./policies/prometheus/prometheus_version.rego"
    56. 

  56.     name: "prometheus.version"
    57. 

  57. nginx_pod:
    58. 

  58.   kind: "pod"
    59. 

  59.   override_severity: "critical"
    60. 

  60.   match:
    61. 

  61.     namespace: ingress-nginx
    62. 

  62.     labels:
    63. 

  63.       app.kubernetes.io/component: "controller"
    64. 

  64.       app.kubernetes.io/instance: "nginx-ingress"
    65. 

  65.       app.kubernetes.io/name: "ingress-nginx"
    66. 

  66.   policies:
    67. 

  67.   - path: "./policies/pod/running.rego"
    68. 

  68.     name: "pod.running"
    69. 

  69. prometheus_server_pod:
    70. 

  70.   kind: "pod"
    71. 

  71.   override_severity: "critical"
    72. 

  72.   match:
    73. 

  73.     namespace: monitoring
    74. 

  74.     labels:
    75. 

  75.       app: "prometheus"
    76. 

  76.       component: "server"
    77. 

  77.       release: "prometheus"
    78. 

  78.   policies:
    79. 

  79.   - path: "./policies/pod/running.rego"
    80. 

  80.     name: "pod.running"
    81. 

  81. prometheus_alertmanager_pod:
    82. 

  82.   kind: "pod"
    83. 

  83.   match:
    84. 

  84.     namespace: monitoring
    85. 

  85.     labels:
    86. 

  86.       app: "prometheus"
    87. 

  87.       component: "alertmanager"
    88. 

  88.       release: "prometheus"
    89. 

  89.   policies:
    90. 

  90.   - path: "./policies/pod/running.rego"
    91. 

  91.     name: "pod.running"
    92. 

  92. porter_agent_pod:
    93. 

  93.   kind: "pod"
    94. 

  94.   match:
    95. 

  95.     namespace: porter-agent-system
    96. 

  96.     labels:
    97. 

  97.       control-plane: "controller-manager"
    98. 

  98.   policies:
    99. 

  99.   - path: "./policies/pod/running.rego"
    100. 

  100.     name: "pod.running"
    101. 

  101. porter_agent_loki_pod:
    102. 

  102.   kind: "pod"
    103. 

  103.   match:
    104. 

  104.     namespace: porter-agent-system
    105. 

  105.     labels:
    106. 

  106.       app: "loki"
    107. 

  107.       name: "porter-agent-loki"
    108. 

  108.   policies:
    109. 

  109.   - path: "./policies/pod/running.rego"
    110. 

  110.     name: "pod.running"
    111. 

  111. porter_agent_promtail_daemonset:
    112. 

  112.   kind: "daemonset"
    113. 

  113.   match:
    114. 

  114.     namespace: porter-agent-system
    115. 

  115.     labels:
    116. 

  116.       app.kubernetes.io/instance: "porter-agent"
    117. 

  117.       app.kubernetes.io/name: "promtail"
    118. 

  118.   policies:
    119. 

  119.   - path: "./policies/daemonset/running.rego"
    120. 

  120.     name: "daemonset.running"
    121. 

  121. certificates:
    122. 

  122.   kind: "crd_list"
    123. 

  123.   match:
    124. 

  124.     group: cert-manager.io
    125. 

  125.     version: v1
    126. 

  126.     resource: certificates
    127. 

  127.   policies:
    128. 

  128.   - path: "./policies/certificates/expiry_two_weeks.rego"
    129. 

  129.     name: "certificates.expiry_two_weeks"
    130. 

  130.   - path: "./policies/certificates/expired.rego"
    131. 

  131.     name: "certificates.expired"
    132. 

  132. node:
    133. 

  133.   kind: "crd_list"
    134. 

  134.   match:
    135. 

  135.     group: core
    136. 

  136.     version: v1
    137. 

  137.     resource: nodes
    138. 

  138.   policies:
    139. 

  139.   - path: "./policies/node/k8s_version.rego"
    140. 

  140.     name: "node.k8s_version"
    141. 

  141.   - path: "./policies/node/porter_run_taints.rego"
    142. 

  142.     name: "node.porter_run_taints"
    143. 

  143.   - path: "./policies/node/porter_run_labels.rego"
    144. 

  144.     name: "node.porter_run_labels"
    145. 

  145.   - path: "./policies/node/healthy.rego"
    146. 

  146.     name: "node.healthy"
    147. 

  147. descheduler:
    148. 

  148.   kind: "helm_release"
    149. 

  149.   match:
    150. 

  150.     kubernetes_service: eks
    151. 

  151.     name: descheduler
    152. 

  152.     namespace: kube-system
    153. 

  153.   mustExist: true
    154. 

  154.   policies: []
    155. 

  155. vpa:
    156. 

  156.   kind: "helm_release"
    157. 

  157.   match:
    158. 

  158.     kubernetes_service: eks
    159. 

  159.     name: vpa
    160. 

  160.     namespace: kube-system
    161. 

  161.   mustExist: true
    162. 

  162.   policies: []
    163. 

  163. coredns:
    164. 

  164.   kind: "pod"
    165. 

  165.   match:
    166. 

  166.     kubernetes_service: eks
    167. 

  167.     namespace: kube-system
    168. 

  168.     labels:
    169. 

  169.       eks.amazonaws.com/component: "coredns"
    170. 

  170.   policies:
    171. 

  171.   - path: "./policies/pod/running.rego"
    172. 

  172.     name: "pod.running"
    173. 

  173. cluster_autoscaler:
    174. 

  174.   kind: "pod"
    175. 

  175.   match:
    176. 

  176.     kubernetes_service: eks
    177. 

  177.     namespace: kube-system
    178. 

  178.     labels:
    179. 

  179.       app.kubernetes.io/name: "aws-cluster-autoscaler"
    180. 

  180.   policies:
    181. 

  181.   - path: "./policies/pod/running.rego"
    182. 

  182.     name: "pod.running"
    183. 

  183. load_balancer_controller:
    184. 

  184.   kind: "pod"
    185. 

  185.   match:
    186. 

  186.     kubernetes_service: eks
    187. 

  187.     namespace: kube-system
    188. 

  188.     labels:
    189. 

  189.       app.kubernetes.io/name: "aws-load-balancer-controller"
    190. 

  190.   policies:
    191. 

  191.   - path: "./policies/pod/running.rego"
    192. 

  192.     name: "pod.running"
    193.