Add rules for node and pod affinity (#65)

* Add rules for node and pod affinity

Signed-off-by: wwwil <[email protected]>

* Remove Pod affinity rule

Signed-off-by: wwwil <[email protected]>

* Add Rego rules and test for node affinity rule

Signed-off-by: wwwil <[email protected]>

Author: wwwil

preflight-packages/jetstack.io/pods/pods.rego

@@ -186,3 +186,12 @@ deployments_across_multiple_namespaces[message] {
 	pod.metadata.namespace == "default"
 	message := sprintf("pod '%s' is running in default namespace", [pod.metadata.name])
 }
+
+# Affinity
+
+# Node affinity used
+node_affinity_used[message] {
+	pod := pods.items[_]
+	pod.spec.nodeSelector
+	message := sprintf("pod '%s' is using node selector", [pod.metadata.name])
+}

preflight-packages/jetstack.io/pods/pods_test.rego

@@ -1826,3 +1826,64 @@ test_deployments_across_multiple_namespaces_multiple_default {
 		}
 	)
 }
+
+# Affinity
+
+# Node affinity used
+test_node_affinity_used_used {
+	output := node_affinity_used with input as pods(
+		[
+			{
+				"metadata": {
+					"name": "foo",
+					"namespace": "default"
+				},
+				"spec": {
+					"affinity": {
+    					"nodeAffinity": {
+							"requiredDuringSchedulingIgnoredDuringExecution": {
+        						"nodeSelectorTerms": [
+        							{
+										"matchExpressions": [
+											{
+												"key": "kubernetes.io/e2e-az-name",
+												"operator": "In",
+												"values": [
+													"e2e-az1",
+													"e2e-az2"
+												]
+											}
+										]
+									}
+								]
+							}
+						}
+					}
+				}
+			}
+		]
+	)
+	assert_allowed(output)
+}
+test_node_affinity_used_node_selector {
+	output := node_affinity_used with input as pods(
+		[
+			{
+				"metadata": {
+					"name": "foo",
+					"namespace": "default"
+				},
+				"spec": {
+					"nodeSelector": {
+						"disktype": "ssd"
+					}
+				}
+			}
+		]
+	)
+	assert_violates(output,
+		{
+			"pod 'foo' is using node selector"
+		}
+	)
+}

preflight-packages/jetstack.io/pods/policy-manifest.yaml

@@ -277,3 +277,24 @@ sections:
       section to include a `namespace`.
     links:
     - "https://kubernetes.io/docs/concepts/overview/working-with-objects/namespaces/"
+- id: affinity
+  name: Affinity
+  rules:
+  - id: node_affinity_used
+    name: Node affinity used
+    description: >
+      In some cases it may be preferable or required for a Pod to run on a
+      particular Node. This is usually when some Nodes have different resources,
+      such as additional memory or SSD storage, that is beneficial or required
+      for certain workloads.
+    remediation: >
+      Pods can be assigned to nodes using `nodeSelector`, however this is a very
+      limited constraint. Instead it's recommended that `nodeAffinity` is used
+      as it greatly expands the types of constraints you can express. There are
+      two types of node affinity; 
+      `requiredDuringSchedulingIgnoredDuringExecution` which specifies a hard
+      requirement, and `preferredDuringSchedulingIgnoredDuringExecution` which
+      specifies a preference. Full details of the constraints can be found in
+      the linked documentation.
+    links:
+    - "https://kubernetes.io/docs/concepts/configuration/assign-pod-node/#affinity-and-anti-affinity"