Cloud Governance
What is it?
The Cloud Governance tool provides a lightweight and flexible framework for deploying cloud management policies, focusing
on cost optimization and security.
We have implemented several pruning policies.
When monitoring the resources, we found that most of the cost leakage is from available volumes, unused NAT gateways,
and unattached Public IPv4 addresses (Starting from February 2024, public IPv4 addresses are chargeable whether they are
used or not).
This tool supports the following policies:
- Real-time OpenShift cluster cost and user cost.
- instance_idle: Monitor the idle instances based on the instance metrics for the last 7 days.
  - CPU Percent < 2%
  - Network < 5KiB
- instance_run: List the running EC2 instances.
- unattached_volume: Identify and remove the available EBS volumes.
- zombie_cluster_resource: Identify the non-live cluster resources and delete them by resolving their dependencies. More than 20 cluster resource types are deleted:
  - EBS, Snapshots, AMI, Load Balancer
  - VPC, Subnets, Route tables, DHCP, Internet Gateway, NatGateway, Network Interface, ElasticIp, Network ACL, Security Group, VPC Endpoint
  - S3
  - IAM User, IAM Role
- ip_unattached: Identify the unattached public IPv4 addresses.
- zombie_snapshots: Identify the snapshots that have been abandoned by their AMI.
- unused_nat_gateway: Identify the unused NatGateways by monitoring the active connection count.
- s3_inactive: Identify the empty S3 buckets, which cause resource quota issues.
- empty_roles: Identify the empty roles that do not have any policies attached to them.
- ebs_in_use: List the in-use volumes.
- tag_resources: Update cluster and non-cluster resource tags, fetched from the user tags or from the mandatory tags.
- tag_non_cluster: Tag EC2 resources (instance, volume, AMI, snapshot) by instance name.
- tag_iam_user: Update the user tags from the CSV file.
- cost_explorer: Get data from Cost Explorer and upload it to ElasticSearch.
- gitleaks: Scan a GitHub repository for leaked secrets (security scan).
- cost_over_usage: Send mail to the AWS user if the usage cost is over the limit.
- instance_idle: Monitor the idle instances based on the instance metrics.
  - CPU Percent < 2%
  - Network < 5KiB
- unattached_volume: Identify and remove the available disks.
- ip_unattached: Identify the unattached public IPv4 addresses.
- unused_nat_gateway: Identify the unused NatGateways by monitoring the active connection count.
- tag_baremetal: Tag IBM baremetal machines.
- tag_vm: Tag IBM virtual machines.

You can also write your own policy using Cloud-Custodian and run it (see 'custom cloud custodian policy' in Policy workflows).
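The idle-instance check described by the instance_idle policy above (CPU < 2%, network < 5 KiB, last 7 days), as an added example that is not cloud-governance's own code. It assumes one daily average per metric in the order CloudWatch returns it, and treats an instance as idle only when it stays under both limits on every day of the window; the metric data is constructed.

```python
# Added example, not cloud-governance's own code: the instance_idle check
# above (CPU < 2%, network < 5 KiB, last 7 days) over constructed datapoints.
# Assumption not stated on the page: one daily average per metric, in the
# order CloudWatch returns it, and idle means under both limits every day.
from dataclasses import dataclass

CPU_IDLE_PERCENT = 2.0          # "CPU Percent < 2%"
NETWORK_IDLE_BYTES = 5 * 1024   # "Network < 5KiB"
IDLE_WINDOW_DAYS = 7            # "last 7 days"


@dataclass
class InstanceMetrics:
    instance_id: str
    cpu_percent: list         # daily average CPUUtilization
    network_in_bytes: list    # daily average NetworkIn
    network_out_bytes: list   # daily average NetworkOut


def is_idle(m, cpu_limit=CPU_IDLE_PERCENT, net_limit=NETWORK_IDLE_BYTES,
            window=IDLE_WINDOW_DAYS):
    """True when the instance stayed under both limits on every day of the window.

    Fewer than `window` datapoints (an instance launched this week) is treated
    as not idle: an incomplete history is not evidence of idleness.
    """
    series = (m.cpu_percent, m.network_in_bytes, m.network_out_bytes)
    if min(map(len, series)) < window:
        return False
    cpu_ok = all(v < cpu_limit for v in m.cpu_percent[-window:])
    # Network is judged on the larger of inbound and outbound traffic each day.
    net_ok = all(max(i, o) < net_limit for i, o in
                 zip(m.network_in_bytes[-window:], m.network_out_bytes[-window:]))
    return cpu_ok and net_ok


def find_idle_instances(metrics):
    """Ids of every instance the policy would report, sorted."""
    return sorted(m.instance_id for m in metrics if is_idle(m))


# Constructed sample data, not real metrics: i-idle is quiet all week,
# i-busy has one active day, i-new has only three days of history.
SAMPLE = [
    InstanceMetrics("i-idle", [0.4] * 7, [800] * 7, [1200] * 7),
    InstanceMetrics("i-busy", [0.5] * 6 + [35.0], [900] * 7, [1000] * 6 + [200_000]),
    InstanceMetrics("i-new", [0.1] * 3, [100] * 3, [100] * 3),
]
```

Running `find_idle_instances(SAMPLE)` reports only `i-idle`; the short-history instance is deliberately left out so a freshly launched machine is not pruned on thin evidence.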
Reference:
The cloud-governance package is published on PyPI.
The cloud-governance container image is published on Quay.io.
- Installation
- Configuration
- Run AWS Policy Using Podman
- Run IBM Policy Using Podman
- How to auto tag your account?
- Run Policy Using Pod
- Pytest
- Post Installation