remove controllerrevision

Signed-off-by: David Wertenteil <dwertent@armosec.io>
dwertent · Aug 6, 2023 · 445a068 · 445a068
1 parent 693cb02
commit 445a068
Show file tree

Hide file tree

Showing 6 changed files with 71 additions and 97 deletions.
diff --git a/controls/C-0212-thedefaultnamespaceshouldnotbeused.json b/controls/C-0212-thedefaultnamespaceshouldnotbeused.json
@@ -25,7 +25,6 @@
         "resourcequota-in-default-namespace",
         "service-in-default-namespace",
         "serviceaccount-in-default-namespace",
-        "controllerrevision-in-default-namespace",
         "endpointslice-in-default-namespace",
         "horizontalpodautoscaler-in-default-namespace",
         "lease-in-default-namespace",

diff --git a/exceptions/k8s-system.json b/exceptions/k8s-system.json
@@ -0,0 +1,71 @@
+[
+    {
+        "name": "system-resources",
+        "policyType": "postureExceptionPolicy",
+        "actions": [
+            "alertOnly"
+        ],
+        "attributes": {
+            "systemException": true
+        },
+        "resources": [
+            {
+                "designatorType": "Attributes",
+                "attributes": {
+                    "namespace": "kube-system"
+                }
+            },
+            {
+                "designatorType": "Attributes",
+                "attributes": {
+                    "namespace": "kube-public"
+                }
+            },
+            {
+                "designatorType": "Attributes",
+                "attributes": {
+                    "namespace": "kube-node-lease"
+                }
+            }
+        ],
+        "posturePolicies": [
+            {}
+        ]
+    },
+    {
+        "name": "exclude-system-namespaces",
+        "policyType": "postureExceptionPolicy",
+        "actions": [
+            "alertOnly"
+        ],
+        "attributes": {
+            "systemException": true
+        },
+        "resources": [
+            {
+                "designatorType": "Attributes",
+                "attributes": {
+                    "kind": "Namespace",
+                    "name": "kube-system"
+                }
+            },
+            {
+                "designatorType": "Attributes",
+                "attributes": {
+                    "kind": "Namespace",
+                    "name": "kube-public"
+                }
+            },
+            {
+                "designatorType": "Attributes",
+                "attributes": {
+                    "kind": "Namespace",
+                    "name": "kube-node-lease"
+                }
+            }
+        ],
+        "posturePolicies": [
+            {}
+        ]
+    }
+]
diff --git a/rules/controllerrevision-in-default-namespace/raw.rego b/rules/controllerrevision-in-default-namespace/raw.rego
diff --git a/rules/controllerrevision-in-default-namespace/rule.metadata.json b/rules/controllerrevision-in-default-namespace/rule.metadata.json
diff --git a/rules/controllerrevision-in-default-namespace/test/controllerrevision/expected.json b/rules/controllerrevision-in-default-namespace/test/controllerrevision/expected.json
diff --git a/...rollerrevision-in-default-namespace/test/controllerrevision/input/controllerrevision.yaml b/...rollerrevision-in-default-namespace/test/controllerrevision/input/controllerrevision.yaml