Merge pull request #3 from weaveworks/hpa-min-replica

support HorizontalPodAutoscaler in min replicas policy
weaveworks · Oct 5, 2022 · b682ed1 · b682ed1
2 parents 411312a + e69f588
commit b682ed1
Show file tree

Hide file tree

Showing 4 changed files with 1,816 additions and 1,816 deletions.
diff --git a/policies/ControllerMinimumReplicaCount/policy.rego b/policies/ControllerMinimumReplicaCount/policy.rego
@@ -2,41 +2,38 @@ package weave.advisor.pods.replica_count
 
 import future.keywords.in
 
-replica_count := input.parameters.replica_count
+min_replica_count := input.parameters.replica_count
 exclude_namespaces := input.parameters.exclude_namespaces
 exclude_label_key := input.parameters.exclude_label_key
 exclude_label_value := input.parameters.exclude_label_value
 
+controller_input := input.review.object
+
 violation[result] {
-  isExcludedNamespace == false
-  not exclude_label_value == controller_input.metadata.labels[exclude_label_key]
-  not controller_input.spec.replicas >= replica_count
-  result = {
-    "issue detected": true,
-    "msg": sprintf("Replica count must be greater than or equal to '%v'; found '%v'.", [replica_count, controller_input.spec.replicas]),
-    "violating_key": "spec.replicas",
-    "recommended_value": replica_count
-  }
+	isExcludedNamespace == false
+    not exclude_label_value == controller_input.metadata.labels[exclude_label_key]
+	not replicas >= min_replica_count
+	result = {
+		"issue detected": true,
+		"msg": sprintf("Replica count must be greater than or equal to '%v'; found '%v'.", [min_replica_count, replicas]),
+		"violating_key": violating_key,
+		"recommended_value": min_replica_count,
+	}
 }
 
-
-# Controller input
-controller_input = input.review.object
-
-# controller_container acts as an iterator to get containers from the template
-controller_spec = controller_input.spec.template.spec {
-  contains_kind(controller_input.kind, {"StatefulSet" , "DaemonSet", "Deployment", "Job"})
-} else = controller_input.spec {
-  controller_input.kind == "Pod"
-} else = controller_input.spec.jobTemplate.spec.template.spec {
-  controller_input.kind == "CronJob"
+replicas := controller_input.spec.replicas {
+	controller_input.kind in {"Deployment", "StatefulSet", "ReplicaSet", "ReplicationController"}
+} else := controller_input.spec.minReplicas {
+	controller_input.kind == "HorizontalPodAutoscaler"
 }
 
-contains_kind(kind, kinds) {
-  kinds[_] = kind
+violating_key := "spec.replicas" {
+	controller_input.kind in {"Deployment", "StatefulSet", "ReplicaSet", "ReplicationController"}
+} else := "spec.minReplicas" {
+	controller_input.kind == "HorizontalPodAutoscaler"
 }
 
 isExcludedNamespace = true {
 	controller_input.metadata.namespace
 	controller_input.metadata.namespace in exclude_namespaces
-} else = false
+} else = false
diff --git a/policies/ControllerMinimumReplicaCount/policy.yaml b/policies/ControllerMinimumReplicaCount/policy.yaml
@@ -16,7 +16,13 @@ spec:
     https://kubernetes.io/docs/concepts/workloads/controllers/deployment/#scaling-a-deployment
   category: weave.categories.reliability
   severity: medium
-  targets: {kinds: [Deployment, ReplicationController, ReplicaSet, StatefulSet]}
+  targets:
+    kinds:
+      - Deployment
+      - StatefulSet
+      - ReplicaSet
+      - ReplicationController
+      - HorizontalPodAutoscaler
   standards:
     - id: weave.standards.soc2-type-i
       controls:
@@ -39,43 +45,40 @@ spec:
       type: string
       required: false
       value:
-  code: |
+  code: |-
     package weave.advisor.pods.replica_count
 
     import future.keywords.in
 
-    replica_count := input.parameters.replica_count
+    min_replica_count := input.parameters.replica_count
     exclude_namespaces := input.parameters.exclude_namespaces
     exclude_label_key := input.parameters.exclude_label_key
     exclude_label_value := input.parameters.exclude_label_value
 
+    controller_input := input.review.object
+
     violation[result] {
-      isExcludedNamespace == false
-      not exclude_label_value == controller_input.metadata.labels[exclude_label_key]
-      not controller_input.spec.replicas >= replica_count
-      result = {
-        "issue detected": true,
-        "msg": sprintf("Replica count must be greater than or equal to '%v'; found '%v'.", [replica_count, controller_input.spec.replicas]),
-        "violating_key": "spec.replicas",
-        "recommended_value": replica_count
-      }
+    	isExcludedNamespace == false
+        not exclude_label_value == controller_input.metadata.labels[exclude_label_key]
+    	not replicas >= min_replica_count
+    	result = {
+    		"issue detected": true,
+    		"msg": sprintf("Replica count must be greater than or equal to '%v'; found '%v'.", [min_replica_count, replicas]),
+    		"violating_key": violating_key,
+    		"recommended_value": min_replica_count,
+    	}
     }
 
-
-    # Controller input
-    controller_input = input.review.object
-
-    # controller_container acts as an iterator to get containers from the template
-    controller_spec = controller_input.spec.template.spec {
-      contains_kind(controller_input.kind, {"StatefulSet" , "DaemonSet", "Deployment", "Job"})
-    } else = controller_input.spec {
-      controller_input.kind == "Pod"
-    } else = controller_input.spec.jobTemplate.spec.template.spec {
-      controller_input.kind == "CronJob"
+    replicas := controller_input.spec.replicas {
+    	controller_input.kind in {"Deployment", "StatefulSet", "ReplicaSet", "ReplicationController"}
+    } else := controller_input.spec.minReplicas {
+    	controller_input.kind == "HorizontalPodAutoscaler"
     }
 
-    contains_kind(kind, kinds) {
-      kinds[_] = kind
+    violating_key := "spec.replicas" {
+    	controller_input.kind in {"Deployment", "StatefulSet", "ReplicaSet", "ReplicationController"}
+    } else := "spec.minReplicas" {
+    	controller_input.kind == "HorizontalPodAutoscaler"
     }
 
     isExcludedNamespace = true {