Merge "Add disallowed images policy to library"

2017-07-25 20:05:15 +00:00 · 2017-07-25 20:05:15 +00:00 · 42b3cf292c
parent 4859d9a603 c4a1844a27
commit 42b3cf292c
2 changed files with 70 additions and 0 deletions
--- a/library/disallowed_images/disallowed_images.yaml
+++ b/library/disallowed_images/disallowed_images.yaml
@ -0,0 +1,57 @@
+---
+name: DisallowedServerImages
+description: "Warn/error on any server using an image that is not permitted"
+rules:
+  -
+    comment: "User should customize this.  Permitted image name."
+    rule: >
+      permitted_image_names('permitted_image')
+  -
+    comment: "User should customize this.  Permitted image tag."
+    rule: >
+      permitted_image_tags('permitted_tag')
+  -
+    rule: >
+      images_permitted_by_name(image_id) :-
+        glancev2:tags(image_id=image_id, tag=tag),
+        not permitted_image_names(tag)
+  -
+    rule: >
+      servers_with_image_permitted_by_name(server_id, server_name) :-
+        nova:servers(id=server_id, name=server_name, image_id=image_id),
+        images_permitted_by_name(image_id)
+  -
+    rule: >
+      images_with_some_non_permitted_tag(image_id) :-
+        glancev2:tags(image_id=image_id, tag=tag),
+        not permitted_image_tags(tag)
+  -
+    rule: >
+      servers_with_some_non_permitted_image_tag(server_id, server_name) :-
+        nova:servers(id=server_id, name=server_name, image_id=image_id),
+        images_with_some_non_permitted_tag(image_id)
+  -
+    rule: >
+      images_with_no_permitted_tag(image_id) :-
+        glancev2:tags(image_id=image_id, tag=tag),
+        not images_with_some_permitted_tag(image_id)
+  -
+    rule: >
+      servers_with_no_permitted_image_tag(server_id, server_name) :-
+        nova:servers(id=server_id, name=server_name),
+        images_with_no_permitted_tag(image_id)
+  -
+    rule: >
+      images_with_some_permitted_tag(image_id) :-
+        glancev2:tags(image_id=image_id, tag=tag),
+        permitted_image_tags(tag)
+  -
+    rule: >
+      warning(server_id) :-
+        servers_with_some_non_permitted_image_tag(server_id, _),
+        not servers_with_image_permitted_by_name(server_id, _)
+  -
+    rule: >
+      error(server_id) :-
+        servers_with_no_permitted_image_tag(server_id, _),
+        not servers_with_image_permitted_by_name(server_id, _)
--- a/library/disallowed_images/pause_disallowed_images.yaml
+++ b/library/disallowed_images/pause_disallowed_images.yaml
@ -0,0 +1,13 @@
+---
+name: PauseDisallowedServerImages
+description: "Pause any server using an image that is not permitted"
+depends-on:
+  - DisallowedServerImages
+rules:
+  -
+    comment: "Remediation: Pause any VM not approved by image name or tag"
+    rule: >
+      execute[nova:servers.pause(id)] :- 
+        DisallowedServerImages:servers_with_no_permitted_image_tag(id, _),
+        not DisallowedServerImages:servers_with_image_permitted_by_name(id, _),
+        nova:servers(id,status='ACTIVE')