Support open-policy-agent violation remediation

[jbrisbin]

We should support remediation for Open Policy Agent violations by providing recipes that are targeted to the standard Gatekeeper library policies.

Here are some general policies to support:

• [X] Policy: Restrict images to a specific set of repos.
  • [X] Search for image names that don't have repos or use specific repo.
  • [X] Update image names with given repo.
• [X] Policy: Restrict resource limits to a given maximum.
  • [X] Search for containers that have limits specified beyond a given maximum.
  • [X] Cap container resource limits that exceed the maximum.
• [ ] Policy: Restrict resource limits to a maximum ratio between requests and limits.
  • [X] Search for containers that have request/limit ratios that exceed a given maximum.
  • [ ] Cap container requests/limit ratios to a given maximum ratio. (No clear rule for which to adjust. MergeYaml?)
• [X] Policy: Disallow use of a set of specific image tags
  • [X] Search for containers that use image tags of any of the disallowed tags.
  • [X] Update container image name.
• [X] Policy: Block NodePort services
  • [X] Search for services that use NodePort
• [X] Policy: Disallow use of external IPs except for those in an approved list.
  • [X] Search for services that use external IPs that fall outside of the approved list of IPs.
  • [X] Map the external IPs of services to an approved IP.
• [X] Policy: Require ingress to be HTTPS only.
  • [X] Search for ingress configurations that don't disallow HTTP and don't configure TLS.
  • [X] Configure TLS and set the annotation to disallow HTTP on ingress configurations. (Use MergeYaml)
• [X] Policy: Require use of digest in the image tag.
  • [X] Search for containers that don't have an image SHA in their tag.
• [X] Policy: Require resources to have a given annotation with a specified regex.
  • [X] Search for manifests whose metadata annotations do not contain a given annotation and whose value doesn't match the given regex.
  • [X] Set metadata annotation and value on some resources. (Use MergeYaml)
• [X] Policy: Require resources to have a given label with a specified regex.
  • [X] Search for manifests whose metadata labels do not contain a given label and whose value doesn't match the given regex.
  • [X] Set metadata label and value on some resources. (Use MergeYaml)
• [X] Policy: Require pods to have readiness and/or liveness probes.
  • [X] Search for Pod specs that don't have liveness and/or readiness probes configured.
  • [X] Add liveness and readiness probes to Pod specs. (MergeYaml or similar)
• [ ] Policy: Require all ingress hosts to be unique.
  • [ ] Search for ingress configurations that have duplicate hostnames. (Needs cross-repo search)
  • [ ] Map hostnames for ingress configurations from one regex to a value.
• [ ] Policy: Require all services in a namespace to have unique selectors.
  • [ ] Search for services that have duplicate label selectors. (Needs cross-repo search)
  • [X] Update label selectors for services. (Use MergeYaml)

There are additional policies that have analogues as PodSecurityPolicies that we should also support.

TODO: psp list