Cloud Governance Tool
Project description
Cloud Governance
What is it?
Cloud Governance tool provides a lightweight and flexible framework for deploying cloud management policies focusing
on cost optimize and security.
We have implemented several pruning policies.
When monitoring the resources, we found that most of the cost leakage is from available volumes, unused NAT gateways,
and unattached Public IPv4 addresses (Starting from February 2024, public IPv4 addresses are chargeable whether they are
used or not).
| Providers | Disks | NatGateway | PublicIp | Snapshots | InstanceIdle | TagResources | EC2Stop | ocp_cleanup | ClusterRun | EmptyBucket | EmptyRoles |
|---|---|---|---|---|---|---|---|---|---|---|---|
| AWS | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ |
| Azure | ✓ | ✓ | ✓ | ✓ | ✓ | ✗ | ✗ | ✗ | ✓ | ✗ | ✗ |
List of Policies:
AWS Polices!
- instance_idle
- instance_run
- unattached_volume
- zombie_cluster_resource
- ip_unattached
- zombie_snapshots
- unused_nat_gateway
- s3_inactive
- unused_access_key
- empty_roles
- tag_resources
- tag_iam_user
- cost_over_usage
- cluster_run
Azure Polices!
- instance_idle
- unattached_volume
- ip_unattached
- unused_nat_gateway
IBM Polices!
- tag_baremetal
- tag_vm
- tag_resources
Check out policy summary here!
Reference:
- Checkout blog: Optimizing cloud resource management with cloud governance
- The cloud-governance package is placed in PyPi
- The cloud-governance container image is placed in Quay.io
- The cloud-governance readthedocs link is ReadTheDocs
Table of Contents
Installation
Download cloud-governance image from quay.io
podman pull quay.io/cloud-governance/cloud-governance
Environment variables configurations:
| Key | Value | Description |
|---|---|---|
| AWS_ACCESS_KEY_ID | required | AWS access key |
| AWS_SECRET_ACCESS_KEY | required | AWS Secret key |
| AWS_DEFAULT_REGION | required | AWS Region, default set to us-east-2 |
| BUCKET_NAME | optional | Cloud bucket Name, to store data |
| policy | required | check here for policies list |
| dry_run | optional | default set to "yes", supported only two: yes/ no |
| log_level | optional | default set to INFO |
| LDAP_HOST_NAME | optional | ldap hostnames |
| es_host | optional | Elasticsearch Host |
| es_port | optional | Elasticsearch Port |
| es_index | optional | Elasticsearch Index, to push the data. default to cloud-governance-es-index |
| GOOGLE_APPLICATION_CREDENTIALS | optional | GCP creds, to access google resources. i.e Sheets, Docs |
| AZURE_CLIENT_SECRET | required | Azure Client Secret |
| AZURE_TENANT_ID | Azure Tenant Id | |
| AZURE_ACCOUNT_ID | Azure Account Id | |
| AZURE_CLIENT_ID | Azure Client Id | |
| GCP_DATABASE_NAME | GCP BigQuery database name, used to generate cost reports | |
| GCP_DATABASE_TABLE_NAME | GCP BigQuery TableName, used to generate cost reports | |
| IBM_API_USERNAME | IBM Account Username | |
| IBM_API_KEY | IBM Account Classic Infrastructure key | |
| IBM_CLOUD_API_KEY | IBM Cloud API Key | |
| IBM_CUSTOM_TAGS_LIST | pass string with separated with comma. i.e: "env: test, team: dev" |
AWS Configuration
Create IAM User with Read/Delete Permissions and create S3 bucket.
- Follow the instructions README.md.
IBM Configuration
- Create classic infrastructure API key
- Create IBM CLOUD API key to use tag_resources policy
Run Policies
AWS
- Passing environment variables
podman run --rm --name cloud-governance \
-e policy="zombie_cluster_resource" \
-e AWS_ACCESS_KEY_ID="$AWS_ACCESS_KEY_ID" \
-e AWS_SECRET_ACCESS_KEY="$AWS_SECRET_ACCESS_KEY" \
-e AWS_DEFAULT_REGION="us-east-2" \
-e dry_run="yes" \
"quay.io/cloud-governance/cloud-governance"
- Using involvement file config
- Create env.yaml file, and mount it to /tmp/env.yaml else mount to anypath and pass env DEFAULT_CONFIG_PATH where you mounted
AWS_ACCESS_KEY_ID: ""
AWS_SECRET_ACCESS_KEY: ""
AWS_DEFAULT_REGION: "us-east-2"
policy: "zombie_cluster_resource"
dry_run: "yes"
es_host: ""
es_port: ""
es_index: ""
podman run --rm --name cloud-governance \
-v "env.yaml":"/tmp/env.yaml" \
--net="host" \
"quay.io/cloud-governance/cloud-governance"
Run Policy Using Pod
Run as a pod job via OpenShift
Job Pod: cloud-governance.yaml
Configmaps: cloud_governance_configmap.yaml
Quay.io Secret: quayio_secret.sh
AWS Secret: cloud_governance_secret.yaml
* Need to convert secret key to base64 [run_base64.py](pod_yaml/run_base64.py)
Pytest
Cloud-governance integration tests using pytest
python3 -m venv governance
source governance/bin/activate
(governance) $ python -m pip install --upgrade pip
(governance) $ pip install coverage
(governance) $ pip install pytest
(governance) $ git clone https://github.com/redhat-performance/cloud-governance
(governance) $ cd cloud-governance
(governance) $ coverage run -m pytest
(governance) $ deactivate
rm -rf *governance*
Post Installation
Delete cloud-governance image
sudo podman rmi quay.io/cloud-governance/cloud-governance
Release history Release notifications | RSS feed
Download files
Download the file for your platform. If you're not sure which to choose, learn more about installing packages.
Source Distribution
Built Distribution
Filter files by name, interpreter, ABI, and platform.
If you're not sure about the file name format, learn more about wheel file names.
Copy a direct link to the current filters
File details
Details for the file cloud_governance-1.1.417.tar.gz.
File metadata
- Download URL: cloud_governance-1.1.417.tar.gz
- Upload date:
- Size: 223.5 kB
- Tags: Source
- Uploaded using Trusted Publishing? No
- Uploaded via: twine/6.2.0 CPython/3.13.12
File hashes
| Algorithm | Hash digest | |
|---|---|---|
| SHA256 |
99db8c3a3352b9f9f4c10d0146449bcde110781c0ed68755b0bdccafc8e8b28e
|
|
| MD5 |
aa6ad5b37ad375a57c2fadbf5466fef5
|
|
| BLAKE2b-256 |
3080d4c40a25877197fdab9f0e0c6d3502a32621e35e7ee4c051fc4f781c02d2
|
File details
Details for the file cloud_governance-1.1.417-py3-none-any.whl.
File metadata
- Download URL: cloud_governance-1.1.417-py3-none-any.whl
- Upload date:
- Size: 322.7 kB
- Tags: Python 3
- Uploaded using Trusted Publishing? No
- Uploaded via: twine/6.2.0 CPython/3.13.12
File hashes
| Algorithm | Hash digest | |
|---|---|---|
| SHA256 |
16d413e47fa11d14fdac2987f3a4519390e381e7365b75b9aa069b23ab857448
|
|
| MD5 |
35b8e6c613d4026c611992e845d55f2b
|
|
| BLAKE2b-256 |
938cb7507ee3b627d5fbacf7acd987016657cf1d03b1a0dc8b8842325bdf059f
|
