feat: add more check modules

Signed-off-by: peefy <[email protected]>
kcl-lang · Nov 12, 2023 · b0913d9 · b0913d9
1 parent 34871da
commit b0913d9
Show file tree

Hide file tree

Showing 15 changed files with 204 additions and 0 deletions.
diff --git a/check-auto-mount-service-account-token/README.md b/check-auto-mount-service-account-token/README.md
@@ -0,0 +1,5 @@
+## Introduction
+
+## Resource
+
+Code source and document is [here](https://github.com/kcl-lang/artifacthub/tree/main/check-auto-mount-service-account-token)
diff --git a/check-auto-mount-service-account-token/kcl.mod b/check-auto-mount-service-account-token/kcl.mod
@@ -0,0 +1,4 @@
+[package]
+name = "check-auto-mount-service-account-token"
+version = "0.1.0"
+description = "`check-auto-mount-service-account-token` is a kcl validation package"
diff --git a/check-auto-mount-service-account-token/main.k b/check-auto-mount-service-account-token/main.k
@@ -0,0 +1,29 @@
+"""Requires container images to begin with a string from the specified list.
+
+Ref: https://github.com/open-policy-agent/gatekeeper-library/blob/master/src/general/allowedrepos/constraint.tmpl
+"""
+
+# The list of prefixes a container image is allowed to have.
+repos: [str] = option("params").repos or []
+
+# Define the validation function
+validate = lambda item {
+    containers = []
+    automountServiceAccountToken = False
+    if item.kind == "Pod" and repos:
+        containers = (item.spec.containers or []) + (item.spec.initContainers or [])
+        automountServiceAccountToken = item.spec.automountServiceAccountToken
+    elif item.kind == "Deployment":
+        containers = (item.spec.template.spec.containers or []) + (item.spec.template.spec.initContainers or [])
+        automountServiceAccountToken = item.spec.template.spec.automountServiceAccountToken
+    if automountServiceAccountToken == True:
+        assert all c in containers {
+            all m in c.volumeMounts {
+                m.mountPath == "/var/run/secrets/kubernetes.io/serviceaccount"
+            }
+        }, """Automounting service account token is disallowed for ${item.kind}: ${item.metadata.name}"""
+    # Return the resource
+    item
+}
+# Validate All resource
+items = [validate(i) for i in option("items")]
diff --git a/check-container-limits/README.md b/check-container-limits/README.md
@@ -0,0 +1,5 @@
+## Introduction
+
+## Resource
+
+Code source and document is [here](https://github.com/kcl-lang/artifacthub/tree/main/check-container-limits)
diff --git a/check-container-limits/kcl.mod b/check-container-limits/kcl.mod
@@ -0,0 +1,4 @@
+[package]
+name = "check-container-limits"
+version = "0.1.0"
+description = "`check-container-limits` is a kcl validation package"
diff --git a/check-container-limits/main.k b/check-container-limits/main.k
@@ -0,0 +1,44 @@
+"""Requires containers to have memory and CPU limits set and constrains
+limits to be within the specified maximum values.
+
+https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/
+"""
+
+schema Params:
+    cpu?: str
+    memory?: str
+
+params: Params = option("params")
+
+canonify_cpu = lambda cpu: str -> float {
+    result = 0
+    if cpu:
+        if cpu[-1] == "m":
+            result = int(cpu[:-1])
+        else:
+            result = int(cpu) * 1000
+    result
+}
+
+# Define the validation function
+validate = lambda item {
+    cpu = ""
+    memory = ""
+    if item.kind == "Pod":
+        containers = (item.spec.containers or []) + (item.spec.initContainers or [])
+    elif item.kind == "Deployment":
+        containers = (item.spec.template.spec.containers or []) + (item.spec.template.spec.initContainers or [])
+    if containers:
+        cpu_list: [str] = [c.resources.limits.cpu for c in containers if c?.resources?.limits?.cpu]
+        memory_list: [str] = [c.resources.limits.memory for c in containers if c?.resources?.limits?.memory]
+        if params.cpu:
+            disallowed_cpu_list = [cpu for cpu in cpu_list if canonify_cpu(cpu) > canonify_cpu(params.cpu)]
+            assert not disallowed_cpu_list, "container cpu limit list '${disallowed_cpu_list}' is higher than the maximum allowed of ${params.cpu}"
+        if params.memory:
+            disallowed_memory_list = [memory for memory in memory_list if int(memory) > int(params.memory)]
+            assert not disallowed_memory_list, "container memory limit list '${disallowed_memory_list}' is higher than the maximum allowed of ${params.memory}"
+    # Return the resource
+    item
+}
+# Validate All resource
+items = [validate(i) for i in option("items")]
diff --git a/check-container-requests/README.md b/check-container-requests/README.md
@@ -0,0 +1,5 @@
+## Introduction
+
+## Resource
+
+Code source and document is [here](https://github.com/kcl-lang/artifacthub/tree/main/check-container-requests)
diff --git a/check-container-requests/kcl.mod b/check-container-requests/kcl.mod
@@ -0,0 +1,4 @@
+[package]
+name = "check-container-requests"
+version = "0.1.0"
+description = "`check-container-requests` is a kcl validation package"
diff --git a/check-container-requests/main.k b/check-container-requests/main.k
@@ -0,0 +1,44 @@
+"""Requires containers to have memory and CPU requests set and constrains
+requests to be within the specified maximum values.
+
+https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/
+"""
+
+schema Params:
+    cpu?: str
+    memory?: str
+
+params: Params = option("params")
+
+canonify_cpu = lambda cpu: str -> float {
+    result = 0
+    if cpu:
+        if cpu[-1] == "m":
+            result = int(cpu[:-1])
+        else:
+            result = int(cpu) * 1000
+    result
+}
+
+# Define the validation function
+validate = lambda item {
+    cpu = ""
+    memory = ""
+    if item.kind == "Pod":
+        containers = (item.spec.containers or []) + (item.spec.initContainers or [])
+    elif item.kind == "Deployment":
+        containers = (item.spec.template.spec.containers or []) + (item.spec.template.spec.initContainers or [])
+    if containers:
+        cpu_list: [str] = [c.resources.requests.cpu for c in containers if c?.resources?.requests?.cpu]
+        memory_list: [str] = [c.resources.requests.memory for c in containers if c?.resources?.requests?.memory]
+        if params.cpu:
+            disallowed_cpu_list = [cpu for cpu in cpu_list if canonify_cpu(cpu) > canonify_cpu(params.cpu)]
+            assert not disallowed_cpu_list, "container cpu limit list '${disallowed_cpu_list}' is higher than the maximum allowed of ${params.cpu}"
+        if params.memory:
+            disallowed_memory_list = [memory for memory in memory_list if int(memory) > int(params.memory)]
+            assert not disallowed_memory_list, "container memory limit list '${disallowed_memory_list}' is higher than the maximum allowed of ${params.memory}"
+    # Return the resource
+    item
+}
+# Validate All resource
+items = [validate(i) for i in option("items")]
diff --git a/check-deprecated-api/README.md b/check-deprecated-api/README.md
@@ -0,0 +1,5 @@
+## Introduction
+
+## Resource
+
+Code source and document is [here](https://github.com/kcl-lang/artifacthub/tree/main/check-deprecated-api)
diff --git a/check-deprecated-api/kcl.mod b/check-deprecated-api/kcl.mod
@@ -0,0 +1,4 @@
+[package]
+name = "check-deprecated-api"
+version = "0.1.0"
+description = "`check-deprecated-api` is a kcl validation package"
diff --git a/check-deprecated-api/main.k b/check-deprecated-api/main.k
@@ -0,0 +1,29 @@
+"""Verifies deprecated Kubernetes APIs to ensure all the API versions are up to date. 
+This template does not apply to audit as audit looks at the resources which are already
+present in the cluster with non-deprecated API versions.
+Ref: https://open-policy-agent.github.io/gatekeeper-library/website/validation/verifydeprecatedapi
+"""
+
+schema Params:
+    kvs: [KV]
+    k8sVersion: int | float | str
+
+schema KV:
+    deprecatedAPI: str
+    kinds: [str]
+    targetAPI: str
+
+params: Params = option("params")
+
+# Define the validation function
+validate = lambda item {
+    if params.kvs:
+        [lambda item, kv: KV {
+            if item.kind in kv.kinds:
+                assert item.apiVersion != kv.deprecatedAPI, "API {} for {} is deprecated in Kubernetes version {}, please use {} instead".format(item.kind, item.apiVersion, params.k8sVersion, kv.targetAPI)
+            kv
+        }(item, kv) for kv in params.kvs]
+    item
+}
+# Validate All resource
+items = [validate(i) for i in option("items")]
diff --git a/check-probes/README.md b/check-probes/README.md
@@ -0,0 +1,5 @@
+## Introduction
+
+## Resource
+
+Code source and document is [here](https://github.com/kcl-lang/artifacthub/tree/main/check-probes)
diff --git a/check-probes/kcl.mod b/check-probes/kcl.mod
@@ -0,0 +1,5 @@
+[package]
+name = "check-probes"
+edition = "*"
+version = "0.1.0"
+description = "`check-probes` is a kcl validation package"
diff --git a/check-probes/main.k b/check-probes/main.k
@@ -0,0 +1,12 @@
+# Define the validation function
+kinds = ["Deployment", "DaemonSet", "StatefulSet"]
+validate = lambda item {
+    if item.kind in kinds:
+        containers = item.spec.template.spec.containers or []
+        assert all c in containers {
+            (c?.readinessProbe or {}) != (c?.livenessProbe or {})
+        } if containers, "Liveness and readiness probes cannot be the same for ${item.kind}: ${item.metadata.name}"
+    item
+}
+# Validate All resource
+items = [validate(i) for i in option("items")]