feat: add more models

Signed-off-by: peefy <[email protected]>

examples/mutation/readonly-root-fs/kcl.mod

@@ -0,0 +1,3 @@
+[package]
+name = "readonly-root-fs"
+version = "0.0.1"

examples/mutation/readonly-root-fs/main.k

@@ -0,0 +1,9 @@
+schema Params:
+
+params: Params = option("params")
+items = [item | {
+    if item.kind == "Pod":
+        spec.containers: [{
+            securityContext.readOnlyRootFilesystem = True
+        } for container in item.spec.containers]
+} for item in option("items") or []]

examples/mutation/readonly-root-fs/suite/good.yaml

@@ -0,0 +1,22 @@
+apiVersion: krm.kcl.dev/v1alpha1
+kind: KCLRun
+metadata:
+  name: readonly-root-fs
+  annotations: 
+    krm.kcl.dev/version: 0.0.1
+    krm.kcl.dev/type: mutation
+    documentation: >-
+      Set read only root file system for containers
+spec:
+  source: ./examples/mutation/readonly-root-fs/main.k
+---
+apiVersion: v1
+kind: Pod
+metadata:
+  name: nginx
+spec:
+  containers:
+  - name: nginx
+    image: nginx:1.14.2
+    ports:
+    - containerPort: 80

examples/validation/allowed-image-repos/kcl.mod

@@ -0,0 +1,3 @@
+[package]
+name = "allowed-image-repos"
+version = "0.0.1"

examples/validation/allowed-image-repos/main.k

@@ -0,0 +1,25 @@
+"""Requires container images to begin with a string from the specified list.
+
+Ref: https://github.com/open-policy-agent/gatekeeper-library/blob/master/src/general/allowedrepos/constraint.tmpl
+"""
+
+# The list of prefixes a container image is allowed to have.
+repos: [str] = option("params").repos or []
+
+# Define the validation function
+validate = lambda item {
+    containers = []
+    if item.kind == "Pod" and repos:
+        containers = (item.spec.containers or []) + (item.spec.phemeralContainers or []) + (item.spec.initContainers or [])
+    elif item.kind == "Deployment":
+        containers = (item.spec.template.spec.containers or []) + (item.spec.template.spec.phemeralContainers or []) + (item.spec.template.spec.initContainers or [])
+    images: [str] = [c.image for c in containers]
+    assert all image in images {
+        all repo in repos {
+            image.startswith(repo)
+        }
+    } if images and repos, """Use of image is disallowed for ${item.kind}: ${item.metadata.name}, valid repos ${repos}"""
+    item
+}
+# Validate All resource
+items = [validate(i) for i in option("items")]

examples/validation/allowed-image-repos/suite/bad.yaml

@@ -0,0 +1,38 @@
+apiVersion: krm.kcl.dev/v1alpha1
+kind: KCLRun
+metadata:
+  name: allowed-image-repos
+  annotations: 
+    krm.kcl.dev/version: 0.0.1
+    krm.kcl.dev/type: validation
+    documentation: >-
+      Requires container images to begin with a string from the specified list.
+
+      Ref: https://github.com/open-policy-agent/gatekeeper-library/blob/master/src/general/allowedrepos/constraint.tmpl
+spec:
+  params:
+    repos:
+    - nginx
+  source: ./examples/validation/allowed-image-repos/main.k
+---
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: my-deploy
+  labels:
+    app: kcl
+spec:
+  replicas: 3
+  selector:
+    matchLabels:
+      app: kcl
+  template:
+    metadata:
+      labels:
+        app: kcl
+    spec:
+      containers:
+      - name: kcl
+        image: kcllang/kcl
+        ports:
+        - containerPort: 80

examples/validation/allowed-image-repos/suite/good.yaml

@@ -0,0 +1,38 @@
+apiVersion: krm.kcl.dev/v1alpha1
+kind: KCLRun
+metadata:
+  name: allowed-image-repos
+  annotations: 
+    krm.kcl.dev/version: 0.0.1
+    krm.kcl.dev/type: validation
+    documentation: >-
+      Requires container images to begin with a string from the specified list.
+
+      Ref: https://github.com/open-policy-agent/gatekeeper-library/blob/master/src/general/allowedrepos/constraint.tmpl
+spec:
+  params:
+    repos:
+    - nginx
+  source: ./examples/validation/allowed-image-repos/main.k
+---
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: my-deploy
+  labels:
+    app: nginx
+spec:
+  replicas: 3
+  selector:
+    matchLabels:
+      app: nginx
+  template:
+    metadata:
+      labels:
+        app: nginx
+    spec:
+      containers:
+      - name: nginx
+        image: nginx:1.14.2
+        ports:
+        - containerPort: 80

examples/validation/deny-all/kcl.mod

@@ -0,0 +1,3 @@
+[package]
+name = "deny-all"
+version = "0.0.1"

examples/validation/deny-all/main.k

@@ -0,0 +1 @@
+assert False if option("items"), "Deny all objects and the input object list is ${option('items')}"

examples/validation/deny-all/suite/bad.yaml

@@ -0,0 +1,26 @@
+apiVersion: krm.kcl.dev/v1alpha1
+kind: KCLRun
+metadata:
+  name: deny-all
+  annotations: 
+    krm.kcl.dev/version: 0.0.1
+    krm.kcl.dev/type: validation
+    documentation: >-
+      Deny all objects if there are input objects.
+spec:
+  source: ./examples/validation/deny-all/main.k
+---
+apiVersion: v1
+kind: Pod
+metadata:
+  name: nginx
+spec:
+  containers:
+  - name: nginx
+    image: nginx:1.14.2
+    ports:
+    - containerPort: 80
+    livenessProbe:
+      exec:
+        command:
+        - ps

examples/validation/deny-all/suite/good.yaml

@@ -0,0 +1,11 @@
+apiVersion: krm.kcl.dev/v1alpha1
+kind: KCLRun
+metadata:
+  name: deny-all
+  annotations: 
+    krm.kcl.dev/version: 0.0.1
+    krm.kcl.dev/type: validation
+    documentation: >-
+      Deny all objects if there are input objects.
+spec:
+  source: ./examples/validation/deny-all/main.k

examples/validation/disallow-svc-lb/kcl.mod

@@ -0,0 +1,3 @@
+[package]
+name = "disallow-svc-lb"
+version = "0.0.1"

examples/validation/disallow-svc-lb/main.k

@@ -0,0 +1,12 @@
+"""A validation that prevents the creation of Service resources of type `LoadBalancer`
+"""
+
+# Define the validation function
+validate = lambda item {
+    if item.kind == "Service":
+        svc_ty = item.type or ""
+        assert svc_ty != "LoadBalancer", """A validation that prevents the creation of Service resources of type `LoadBalancer`, for ${item.kind}: ${item.metadata.name}"""
+    item
+}
+# Validate All resource
+items = [validate(i) for i in option("items")]

examples/validation/disallow-svc-lb/suite/bad.yaml

@@ -0,0 +1,24 @@
+apiVersion: krm.kcl.dev/v1alpha1
+kind: KCLRun
+metadata:
+  name: disallow-svc-lb
+  annotations: 
+    krm.kcl.dev/version: 0.0.1
+    krm.kcl.dev/type: validation
+    documentation: >-
+      A validation that prevents the creation of Service resources of type `LoadBalancer`
+spec:
+  source: ./examples/validation/disallow-svc-lb/main.k
+---
+apiVersion: v1
+kind: Service
+metadata:
+  name: my-service
+spec:
+  selector:
+    app.kubernetes.io/name: MyApp
+  ports:
+    - name: http
+      protocol: TCP
+      port: 80
+  type: LoadBalancer

examples/validation/disallow-svc-lb/suite/good.yaml

@@ -0,0 +1,23 @@
+apiVersion: krm.kcl.dev/v1alpha1
+kind: KCLRun
+metadata:
+  name: disallow-svc-lb
+  annotations: 
+    krm.kcl.dev/version: 0.0.1
+    krm.kcl.dev/type: validation
+    documentation: >-
+      A validation that prevents the creation of Service resources of type `LoadBalancer`
+spec:
+  source: ./examples/validation/disallow-svc-lb/main.k
+---
+apiVersion: v1
+kind: Service
+metadata:
+  name: my-service
+spec:
+  selector:
+    app.kubernetes.io/name: MyApp
+  ports:
+    - name: http
+      protocol: TCP
+      port: 80

examples/validation/unique-service-selector/kcl.mod

@@ -0,0 +1,3 @@
+[package]
+name = "unique-service-selector"
+version = "0.0.1"

examples/validation/unique-service-selector/main.k

@@ -0,0 +1,19 @@
+"""Requires Services to have unique selectors within a namespace.
+Selectors are considered the same if they have identical keys and values.
+Selectors may share a key/value pair so long as there is at least one
+distinct key/value pair between them.
+
+https://kubernetes.io/docs/concepts/services-networking/service/#defining-a-service
+"""
+
+selector: {str:str} = option("params").selector
+
+# Define the validation function
+validate = lambda item {
+    if item.kind == "Service":
+        svc_ty = item.type or ""
+        assert svc_ty != "LoadBalancer", """A validation that prevents the creation of Service resources of type `LoadBalancer`, for ${item.kind}: ${item.metadata.name}"""
+    item
+}
+# Validate All resource
+items = [validate(i) for i in option("items")]

examples/validation/unique-service-selector/suite/bad.yaml

@@ -0,0 +1,29 @@
+apiVersion: krm.kcl.dev/v1alpha1
+kind: KCLRun
+metadata:
+  name: unique-service-selector
+  annotations: 
+    krm.kcl.dev/version: 0.0.1
+    krm.kcl.dev/type: validation
+    documentation: >-
+      Requires Services to have unique selectors within a namespace.
+      Selectors are considered the same if they have identical keys and values.
+      Selectors may share a key/value pair so long as there is at least one
+      distinct key/value pair between them.
+
+      https://kubernetes.io/docs/concepts/services-networking/service/#defining-a-service
+spec:
+  source: ./examples/validation/unique-service-selector/main.k
+---
+apiVersion: v1
+kind: Service
+metadata:
+  name: my-service
+spec:
+  selector:
+    app.kubernetes.io/name: MyApp
+  ports:
+    - name: http
+      protocol: TCP
+      port: 80
+  type: LoadBalancer

examples/validation/unique-service-selector/suite/good.yaml

@@ -0,0 +1,28 @@
+apiVersion: krm.kcl.dev/v1alpha1
+kind: KCLRun
+metadata:
+  name: unique-service-selector
+  annotations: 
+    krm.kcl.dev/version: 0.0.1
+    krm.kcl.dev/type: validation
+    documentation: >-
+      Requires Services to have unique selectors within a namespace.
+      Selectors are considered the same if they have identical keys and values.
+      Selectors may share a key/value pair so long as there is at least one
+      distinct key/value pair between them.
+
+      https://kubernetes.io/docs/concepts/services-networking/service/#defining-a-service
+spec:
+  source: ./examples/validation/unique-service-selector/main.k
+---
+apiVersion: v1
+kind: Service
+metadata:
+  name: my-service
+spec:
+  selector:
+    app.kubernetes.io/name: MyApp
+  ports:
+    - name: http
+      protocol: TCP
+      port: 80

examples/validation/validate-auto-mount-service-account-token/kcl.mod

@@ -0,0 +1,3 @@
+[package]
+name = "validate-auto-mount-service-account-token"
+version = "0.0.1"

examples/validation/validate-auto-mount-service-account-token/main.k

@@ -0,0 +1,29 @@
+"""Requires container images to begin with a string from the specified list.
+
+Ref: https://github.com/open-policy-agent/gatekeeper-library/blob/master/src/general/allowedrepos/constraint.tmpl
+"""
+
+# The list of prefixes a container image is allowed to have.
+repos: [str] = option("params").repos or []
+
+# Define the validation function
+validate = lambda item {
+    containers = []
+    automountServiceAccountToken = False
+    if item.kind == "Pod" and repos:
+        containers = (item.spec.containers or []) + (item.spec.initContainers or [])
+        automountServiceAccountToken = item.spec.automountServiceAccountToken
+    elif item.kind == "Deployment":
+        containers = (item.spec.template.spec.containers or []) + (item.spec.template.spec.initContainers or [])
+        automountServiceAccountToken = item.spec.template.spec.automountServiceAccountToken
+    if automountServiceAccountToken == True:
+        assert all c in containers {
+            all m in c.volumeMounts {
+                m.mountPath == "/var/run/secrets/kubernetes.io/serviceaccount"
+            }
+        }, """Automounting service account token is disallowed for ${item.kind}: ${item.metadata.name}"""
+    # Return the resource
+    item
+}
+# Validate All resource
+items = [validate(i) for i in option("items")]