From 1b880cb667f1a3b6772e98250bc0810acc81aabd Mon Sep 17 00:00:00 2001
From: peefy
Date: Sat, 7 Oct 2023 16:31:39 +0800
Subject: [PATCH] feat: add more models

Signed-off-by: peefy
---
 examples/mutation/readonly-root-fs/kcl.mod | 3 ++
 .../mutation/readonly-root-fs/kcl.mod.lock | 0
 examples/mutation/readonly-root-fs/main.k | 9 ++++
 .../mutation/readonly-root-fs/suite/good.yaml | 22 ++++++++
 .../validation/allowed-image-repos/kcl.mod | 3 ++
 .../allowed-image-repos/kcl.mod.lock | 0
 .../validation/allowed-image-repos/main.k | 25 +++++++++
 .../allowed-image-repos/suite/bad.yaml | 38 +++++++++++++
 .../allowed-image-repos/suite/good.yaml | 38 +++++++++++++
 examples/validation/deny-all/kcl.mod | 3 ++
 examples/validation/deny-all/kcl.mod.lock | 0
 examples/validation/deny-all/main.k | 1 +
 examples/validation/deny-all/suite/bad.yaml | 26 +++++++++
 examples/validation/deny-all/suite/good.yaml | 11 ++++
 examples/validation/disallow-svc-lb/kcl.mod | 3 ++
 .../validation/disallow-svc-lb/kcl.mod.lock | 0
 examples/validation/disallow-svc-lb/main.k | 12 +++++
 .../validation/disallow-svc-lb/suite/bad.yaml | 24 +++++++++
 .../disallow-svc-lb/suite/good.yaml | 23 ++++++++
 .../unique-service-selector/kcl.mod | 3 ++
 .../unique-service-selector/kcl.mod.lock | 0
 .../validation/unique-service-selector/main.k | 19 +++++++
 .../unique-service-selector/suite/bad.yaml | 29 ++++++++++
 .../unique-service-selector/suite/good.yaml | 28 ++++++++++
 .../kcl.mod | 3 ++
 .../kcl.mod.lock | 0
 .../main.k | 29 ++++++++++
 .../suite/bad.yaml | 38 +++++++++++++
 .../suite/good.yaml | 46 ++++++++++++++++
 .../validate-deprecated-api/kcl.mod | 3 ++
 .../validate-deprecated-api/kcl.mod.lock | 0
 .../validation/validate-deprecated-api/main.k | 29 ++++++++++
 .../validate-deprecated-api/suite/bad.yaml | 54 +++++++++++++++++++
 .../validate-deprecated-api/suite/good.yaml | 54 +++++++++++++++++++
 34 files changed, 576 insertions(+)
 create mode 100644 examples/mutation/readonly-root-fs/kcl.mod
 create mode 100644 examples/mutation/readonly-root-fs/kcl.mod.lock
 create mode 100644 examples/mutation/readonly-root-fs/main.k
 create mode 100644 examples/mutation/readonly-root-fs/suite/good.yaml
 create mode 100644 examples/validation/allowed-image-repos/kcl.mod
 create mode 100644 examples/validation/allowed-image-repos/kcl.mod.lock
 create mode 100644 examples/validation/allowed-image-repos/main.k
 create mode 100644 examples/validation/allowed-image-repos/suite/bad.yaml
 create mode 100644 examples/validation/allowed-image-repos/suite/good.yaml
 create mode 100644 examples/validation/deny-all/kcl.mod
 create mode 100644 examples/validation/deny-all/kcl.mod.lock
 create mode 100644 examples/validation/deny-all/main.k
 create mode 100644 examples/validation/deny-all/suite/bad.yaml
 create mode 100644 examples/validation/deny-all/suite/good.yaml
 create mode 100644 examples/validation/disallow-svc-lb/kcl.mod
 create mode 100644 examples/validation/disallow-svc-lb/kcl.mod.lock
 create mode 100644 examples/validation/disallow-svc-lb/main.k
 create mode 100644 examples/validation/disallow-svc-lb/suite/bad.yaml
 create mode 100644 examples/validation/disallow-svc-lb/suite/good.yaml
 create mode 100644 examples/validation/unique-service-selector/kcl.mod
 create mode 100644 examples/validation/unique-service-selector/kcl.mod.lock
 create mode 100644 examples/validation/unique-service-selector/main.k
 create mode 100644 examples/validation/unique-service-selector/suite/bad.yaml
 create mode 100644 examples/validation/unique-service-selector/suite/good.yaml
 create mode 100644 examples/validation/validate-auto-mount-service-account-token/kcl.mod
 create mode 100644 examples/validation/validate-auto-mount-service-account-token/kcl.mod.lock
 create mode 100644 examples/validation/validate-auto-mount-service-account-token/main.k
 create mode 100644 examples/validation/validate-auto-mount-service-account-token/suite/bad.yaml
 create mode 100644 examples/validation/validate-auto-mount-service-account-token/suite/good.yaml
 create mode 100644 examples/validation/validate-deprecated-api/kcl.mod
 create mode 100644
examples/validation/validate-deprecated-api/kcl.mod.lock create mode 100644 examples/validation/validate-deprecated-api/main.k create mode 100644 examples/validation/validate-deprecated-api/suite/bad.yaml create mode 100644 examples/validation/validate-deprecated-api/suite/good.yaml diff --git a/examples/mutation/readonly-root-fs/kcl.mod b/examples/mutation/readonly-root-fs/kcl.mod new file mode 100644 index 0000000..f241e73 --- /dev/null +++ b/examples/mutation/readonly-root-fs/kcl.mod @@ -0,0 +1,3 @@ +[package] +name = "readonly-root-fs" +version = "0.0.1" diff --git a/examples/mutation/readonly-root-fs/kcl.mod.lock b/examples/mutation/readonly-root-fs/kcl.mod.lock new file mode 100644 index 0000000..e69de29 diff --git a/examples/mutation/readonly-root-fs/main.k b/examples/mutation/readonly-root-fs/main.k new file mode 100644 index 0000000..6574dc5 --- /dev/null +++ b/examples/mutation/readonly-root-fs/main.k @@ -0,0 +1,9 @@ +schema Params: + +params: Params = option("params") +items = [item | { + if item.kind == "Pod": + spec.containers: [{ + securityContext.readOnlyRootFilesystem = True + } for container in item.spec.containers] +} for item in option("items") or []] diff --git a/examples/mutation/readonly-root-fs/suite/good.yaml b/examples/mutation/readonly-root-fs/suite/good.yaml new file mode 100644 index 0000000..a96ae10 --- /dev/null +++ b/examples/mutation/readonly-root-fs/suite/good.yaml @@ -0,0 +1,22 @@ +apiVersion: krm.kcl.dev/v1alpha1 +kind: KCLRun +metadata: + name: readonly-root-fs + annotations: + krm.kcl.dev/version: 0.0.1 + krm.kcl.dev/type: mutation + documentation: >- + Set read only root file system for containers +spec: + source: ./examples/mutation/readonly-root-fs/main.k +--- +apiVersion: v1 +kind: Pod +metadata: + name: nginx +spec: + containers: + - name: nginx + image: nginx:1.14.2 + ports: + - containerPort: 80 
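Review bot: The mutation only rewrites `spec.containers` of objects whose `kind` is `Pod`, so `initContainers` on a Pod, and the pod templates of Deployments, StatefulSets, DaemonSets and Jobs, pass through with a writable root filesystem; the validation policies in the same patch at least branch on `Deployment` as well. The `schema Params:` declaration is empty and the `params` binding it feeds is never read, so either drop both or add a comment that `params` is reserved for future options. It would also help to put a Deployment into `suite/good.yaml` so the suite records which kinds the mutation is expected to touch.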
diff --git a/examples/validation/allowed-image-repos/kcl.mod b/examples/validation/allowed-image-repos/kcl.mod new file mode 100644 index 0000000..1ab4801 --- /dev/null +++ b/examples/validation/allowed-image-repos/kcl.mod @@ -0,0 +1,3 @@ +[package] +name = "allowed-image-repos" +version = "0.0.1" diff --git a/examples/validation/allowed-image-repos/kcl.mod.lock b/examples/validation/allowed-image-repos/kcl.mod.lock new file mode 100644 index 0000000..e69de29 diff --git a/examples/validation/allowed-image-repos/main.k b/examples/validation/allowed-image-repos/main.k new file mode 100644 index 0000000..dcbfcaf --- /dev/null +++ b/examples/validation/allowed-image-repos/main.k @@ -0,0 +1,25 @@ +"""Requires container images to begin with a string from the specified list. + +Ref: https://github.com/open-policy-agent/gatekeeper-library/blob/master/src/general/allowedrepos/constraint.tmpl +""" + +# The list of prefixes a container image is allowed to have. +repos: [str] = option("params").repos or [] + +# Define the validation function +validate = lambda item { + containers = [] + if item.kind == "Pod" and repos: + containers = (item.spec.containers or []) + (item.spec.phemeralContainers or []) + (item.spec.initContainers or []) + elif item.kind == "Deployment": + containers = (item.spec.template.spec.containers or []) + (item.spec.template.spec.phemeralContainers or []) + (item.spec.template.spec.initContainers or []) + images: [str] = [c.image for c in containers] + assert all image in images { + all repo in repos { + image.startswith(repo) + } + } if images and repos, """Use of image is disallowed for ${item.kind}: ${item.metadata.name}, valid repos ${repos}""" + item +} +# Validate All resource +items = [validate(i) for i in option("items")] diff --git a/examples/validation/allowed-image-repos/suite/bad.yaml b/examples/validation/allowed-image-repos/suite/bad.yaml new file mode 100644 index 0000000..71bdc3d --- /dev/null 
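Review bot: The nested quantifier `all repo in repos { image.startswith(repo) }` requires every image to start with every allowed prefix, so as soon as `params.repos` holds two entries every workload is rejected; the inner quantifier should read `any repo in repos {`. The suites list a single repo, which is why they do not catch this — adding a second entry to `repos` in `suite/good.yaml` would. `item.spec.phemeralContainers` (used twice) misspells `ephemeralContainers`, so that field is never inspected and the `or []` fallback silently hides the typo. Since the match is a plain string prefix, an allowed `nginx` also admits any image whose name merely begins with `nginx`; a comment on the `repos` option recommending prefixes that include the registry and end in `/` or `:` would make that explicit.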
+++ b/examples/validation/allowed-image-repos/suite/bad.yaml @@ -0,0 +1,38 @@ +apiVersion: krm.kcl.dev/v1alpha1 +kind: KCLRun +metadata: + name: allowed-image-repos + annotations: + krm.kcl.dev/version: 0.0.1 + krm.kcl.dev/type: validation + documentation: >- + Requires container images to begin with a string from the specified list. + + Ref: https://github.com/open-policy-agent/gatekeeper-library/blob/master/src/general/allowedrepos/constraint.tmpl +spec: + params: + repos: + - nginx + source: ./examples/validation/allowed-image-repos/main.k +--- +apiVersion: apps/v1 +kind: Deployment +metadata: + name: my-deploy + labels: + app: kcl +spec: + replicas: 3 + selector: + matchLabels: + app: kcl + template: + metadata: + labels: + app: kcl + spec: + containers: + - name: kcl + image: kcllang/kcl + ports: + - containerPort: 80 diff --git a/examples/validation/allowed-image-repos/suite/good.yaml b/examples/validation/allowed-image-repos/suite/good.yaml new file mode 100644 index 0000000..fbce9a1 --- /dev/null +++ b/examples/validation/allowed-image-repos/suite/good.yaml @@ -0,0 +1,38 @@ +apiVersion: krm.kcl.dev/v1alpha1 +kind: KCLRun +metadata: + name: allowed-image-repos + annotations: + krm.kcl.dev/version: 0.0.1 + krm.kcl.dev/type: validation + documentation: >- + Requires container images to begin with a string from the specified list. + + Ref: https://github.com/open-policy-agent/gatekeeper-library/blob/master/src/general/allowedrepos/constraint.tmpl +spec: + params: + repos: + - nginx + source: ./examples/validation/allowed-image-repos/main.k +--- +apiVersion: apps/v1 +kind: Deployment +metadata: + name: my-deploy + labels: + app: nginx +spec: + replicas: 3 + selector: + matchLabels: + app: nginx + template: + metadata: + labels: + app: nginx + spec: + containers: + - name: nginx + image: nginx:1.14.2 + ports: + - containerPort: 80 diff --git a/examples/validation/deny-all/kcl.mod b/examples/validation/deny-all/kcl.mod new file mode 100644 index 0000000..857e6ee 
--- /dev/null +++ b/examples/validation/deny-all/kcl.mod @@ -0,0 +1,3 @@ +[package] +name = "deny-all" +version = "0.0.1" diff --git a/examples/validation/deny-all/kcl.mod.lock b/examples/validation/deny-all/kcl.mod.lock new file mode 100644 index 0000000..e69de29 diff --git a/examples/validation/deny-all/main.k b/examples/validation/deny-all/main.k new file mode 100644 index 0000000..c9b0426 --- /dev/null +++ b/examples/validation/deny-all/main.k @@ -0,0 +1 @@ +assert False if option("items"), "Deny all objects and the input object list is ${option('items')}" diff --git a/examples/validation/deny-all/suite/bad.yaml b/examples/validation/deny-all/suite/bad.yaml new file mode 100644 index 0000000..3a1ce0f --- /dev/null +++ b/examples/validation/deny-all/suite/bad.yaml @@ -0,0 +1,26 @@ +apiVersion: krm.kcl.dev/v1alpha1 +kind: KCLRun +metadata: + name: deny-all + annotations: + krm.kcl.dev/version: 0.0.1 + krm.kcl.dev/type: validation + documentation: >- + Deny all objects if there are input objects. +spec: + source: ./examples/validation/deny-all/main.k +--- +apiVersion: v1 +kind: Pod +metadata: + name: nginx +spec: + containers: + - name: nginx + image: nginx:1.14.2 + ports: + - containerPort: 80 + livenessProbe: + exec: + command: + - ps diff --git a/examples/validation/deny-all/suite/good.yaml b/examples/validation/deny-all/suite/good.yaml new file mode 100644 index 0000000..f2c7be4 --- /dev/null +++ b/examples/validation/deny-all/suite/good.yaml @@ -0,0 +1,11 @@ +apiVersion: krm.kcl.dev/v1alpha1 +kind: KCLRun +metadata: + name: deny-all + annotations: + krm.kcl.dev/version: 0.0.1 + krm.kcl.dev/type: validation + documentation: >- + Deny all objects if there are input objects. +spec: + source: ./examples/validation/deny-all/main.k diff --git a/examples/validation/disallow-svc-lb/kcl.mod b/examples/validation/disallow-svc-lb/kcl.mod new file mode 100644 index 0000000..3fbca88 --- /dev/null +++ b/examples/validation/disallow-svc-lb/kcl.mod 
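Review bot: The assertion message interpolates the whole input list via `${option('items')}`, so the rejection text handed back to the caller or written to logs reproduces every field of every object in the batch, including the `data` of any Secret that happens to be in it. Identifiers are enough to explain the denial, e.g. `assert False if option("items"), "Deny all objects: ${[i.kind + '/' + i.metadata.name for i in option('items')]}"`.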
@@ -0,0 +1,3 @@ +[package] +name = "disallow-svc-lb" +version = "0.0.1" diff --git a/examples/validation/disallow-svc-lb/kcl.mod.lock b/examples/validation/disallow-svc-lb/kcl.mod.lock new file mode 100644 index 0000000..e69de29 diff --git a/examples/validation/disallow-svc-lb/main.k b/examples/validation/disallow-svc-lb/main.k new file mode 100644 index 0000000..bc5fab7 --- /dev/null +++ b/examples/validation/disallow-svc-lb/main.k @@ -0,0 +1,12 @@ +"""A validation that prevents the creation of Service resources of type `LoadBalancer` +""" + +# Define the validation function +validate = lambda item { + if item.kind == "Service": + svc_ty = item.type or "" + assert svc_ty != "LoadBalancer", """A validation that prevents the creation of Service resources of type `LoadBalancer`, for ${item.kind}: ${item.metadata.name}""" + item +} +# Validate All resource +items = [validate(i) for i in option("items")] diff --git a/examples/validation/disallow-svc-lb/suite/bad.yaml b/examples/validation/disallow-svc-lb/suite/bad.yaml new file mode 100644 index 0000000..e897b9d --- /dev/null +++ b/examples/validation/disallow-svc-lb/suite/bad.yaml @@ -0,0 +1,24 @@ +apiVersion: krm.kcl.dev/v1alpha1 +kind: KCLRun +metadata: + name: disallow-svc-lb + annotations: + krm.kcl.dev/version: 0.0.1 + krm.kcl.dev/type: validation + documentation: >- + A validation that prevents the creation of Service resources of type `LoadBalancer` +spec: + source: ./examples/validation/disallow-svc-lb/main.k +--- +apiVersion: v1 +kind: Service +metadata: + name: my-service +spec: + selector: + app.kubernetes.io/name: MyApp + ports: + - name: http + protocol: TCP + port: 80 + type: LoadBalancer diff --git a/examples/validation/disallow-svc-lb/suite/good.yaml b/examples/validation/disallow-svc-lb/suite/good.yaml new file mode 100644 index 0000000..d21d2f3 --- /dev/null +++ b/examples/validation/disallow-svc-lb/suite/good.yaml 
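Review bot: `svc_ty = item.type or ""` reads `type` from the top level of the object, but a Service's type lives under `spec`, so `svc_ty` is always the empty string and the assertion can never fire; `suite/bad.yaml`, which sets `spec.type: LoadBalancer`, would be accepted instead of rejected. Change the line to `svc_ty = item.spec.type or ""`. The same line was copied into `examples/validation/unique-service-selector/main.k` in this patch.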
@@ -0,0 +1,23 @@ +apiVersion: krm.kcl.dev/v1alpha1 +kind: KCLRun +metadata: + name: disallow-svc-lb + annotations: + krm.kcl.dev/version: 0.0.1 + krm.kcl.dev/type: validation + documentation: >- + A validation that prevents the creation of Service resources of type `LoadBalancer` +spec: + source: ./examples/validation/disallow-svc-lb/main.k +--- +apiVersion: v1 +kind: Service +metadata: + name: my-service +spec: + selector: + app.kubernetes.io/name: MyApp + ports: + - name: http + protocol: TCP + port: 80 diff --git a/examples/validation/unique-service-selector/kcl.mod b/examples/validation/unique-service-selector/kcl.mod new file mode 100644 index 0000000..0699d01 --- /dev/null +++ b/examples/validation/unique-service-selector/kcl.mod @@ -0,0 +1,3 @@ +[package] +name = "unique-service-selector" +version = "0.0.1" diff --git a/examples/validation/unique-service-selector/kcl.mod.lock b/examples/validation/unique-service-selector/kcl.mod.lock new file mode 100644 index 0000000..e69de29 diff --git a/examples/validation/unique-service-selector/main.k b/examples/validation/unique-service-selector/main.k new file mode 100644 index 0000000..ef22554 --- /dev/null +++ b/examples/validation/unique-service-selector/main.k 
@@ -0,0 +1,19 @@ +"""Requires Services to have unique selectors within a namespace. +Selectors are considered the same if they have identical keys and values. +Selectors may share a key/value pair so long as there is at least one +distinct key/value pair between them. + +https://kubernetes.io/docs/concepts/services-networking/service/#defining-a-service +""" + +selector: {str:str} = option("params").selector + +# Define the validation function +validate = lambda item { + if item.kind == "Service": + svc_ty = item.type or "" + assert svc_ty != "LoadBalancer", """A validation that prevents the creation of Service resources of type `LoadBalancer`, for ${item.kind}: ${item.metadata.name}""" + item +} +# Validate All resource +items = [validate(i) for i in option("items")] diff --git a/examples/validation/unique-service-selector/suite/bad.yaml b/examples/validation/unique-service-selector/suite/bad.yaml new file mode 100644 index 0000000..2370bf3 --- /dev/null +++ b/examples/validation/unique-service-selector/suite/bad.yaml @@ -0,0 +1,29 @@ +apiVersion: krm.kcl.dev/v1alpha1 +kind: KCLRun +metadata: + name: unique-service-selector + annotations: + krm.kcl.dev/version: 0.0.1 + krm.kcl.dev/type: validation + documentation: >- + Requires Services to have unique selectors within a namespace. + Selectors are considered the same if they have identical keys and values. + Selectors may share a key/value pair so long as there is at least one + distinct key/value pair between them. + + https://kubernetes.io/docs/concepts/services-networking/service/#defining-a-service +spec: + source: ./examples/validation/unique-service-selector/main.k +--- +apiVersion: v1 +kind: Service +metadata: + name: my-service +spec: + selector: + app.kubernetes.io/name: MyApp + ports: + - name: http + protocol: TCP + port: 80 + type: LoadBalancer 
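Review bot: The body of `validate` is a copy of the `disallow-svc-lb` policy — it asserts on `type != "LoadBalancer"` (through the same top-level `item.type` that a Service does not have) and never looks at a selector, so the contract in the docstring is not implemented; `selector` is read from `option("params")` and then unused, and both suite files are copies of the LoadBalancer fixtures with no selector case. One way to implement the stated rule is to compare each Service's `spec.selector` with the other Services of the same namespace in the input list, as sketched below; I have not run this against the KCL runtime, so the attribute access on objects without `metadata.namespace` needs checking. The suites should then contain two Services with identical selectors in `suite/bad.yaml` and two that differ in at least one key/value pair in `suite/good.yaml`.
```kcl
# Define the validation function
validate = lambda item {
    if item.kind == "Service" and item.spec.selector:
        # Other Services in the same namespace (two missing namespaces compare equal)
        others = [s for s in option("items") or [] if s.kind == "Service" and s.metadata.name != item.metadata.name and s.metadata.namespace == item.metadata.namespace]
        assert all s in others {
            s.spec.selector != item.spec.selector
        }, """Service ${item.metadata.name} has the same selector as another Service in the same namespace"""
    item
}
# … unchanged: items = [validate(i) for i in option("items")] …
```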
diff --git a/examples/validation/unique-service-selector/suite/good.yaml b/examples/validation/unique-service-selector/suite/good.yaml new file mode 100644 index 0000000..1bffc84 --- /dev/null +++ b/examples/validation/unique-service-selector/suite/good.yaml @@ -0,0 +1,28 @@ +apiVersion: krm.kcl.dev/v1alpha1 +kind: KCLRun +metadata: + name: unique-service-selector + annotations: + krm.kcl.dev/version: 0.0.1 + krm.kcl.dev/type: validation + documentation: >- + Requires Services to have unique selectors within a namespace. + Selectors are considered the same if they have identical keys and values. + Selectors may share a key/value pair so long as there is at least one + distinct key/value pair between them. + + https://kubernetes.io/docs/concepts/services-networking/service/#defining-a-service +spec: + source: ./examples/validation/unique-service-selector/main.k +--- +apiVersion: v1 +kind: Service +metadata: + name: my-service +spec: + selector: + app.kubernetes.io/name: MyApp + ports: + - name: http + protocol: TCP + port: 80 diff --git a/examples/validation/validate-auto-mount-service-account-token/kcl.mod b/examples/validation/validate-auto-mount-service-account-token/kcl.mod new file mode 100644 index 0000000..da72c10 --- /dev/null +++ b/examples/validation/validate-auto-mount-service-account-token/kcl.mod @@ -0,0 +1,3 @@ +[package] +name = "validate-auto-mount-service-account-token" +version = "0.0.1" diff --git a/examples/validation/validate-auto-mount-service-account-token/kcl.mod.lock b/examples/validation/validate-auto-mount-service-account-token/kcl.mod.lock new file mode 100644 index 0000000..e69de29 diff --git a/examples/validation/validate-auto-mount-service-account-token/main.k b/examples/validation/validate-auto-mount-service-account-token/main.k new file mode 100644 index 0000000..92d77db --- /dev/null +++ b/examples/validation/validate-auto-mount-service-account-token/main.k 
@@ -0,0 +1,29 @@ +"""Requires container images to begin with a string from the specified list. + +Ref: https://github.com/open-policy-agent/gatekeeper-library/blob/master/src/general/allowedrepos/constraint.tmpl +""" + +# The list of prefixes a container image is allowed to have. +repos: [str] = option("params").repos or [] + +# Define the validation function +validate = lambda item { + containers = [] + automountServiceAccountToken = False + if item.kind == "Pod" and repos: + containers = (item.spec.containers or []) + (item.spec.initContainers or []) + automountServiceAccountToken = item.spec.automountServiceAccountToken + elif item.kind == "Deployment": + containers = (item.spec.template.spec.containers or []) + (item.spec.template.spec.initContainers or []) + automountServiceAccountToken = item.spec.template.spec.automountServiceAccountToken + if automountServiceAccountToken == True: + assert all c in containers { + all m in c.volumeMounts { + m.mountPath == "/var/run/secrets/kubernetes.io/serviceaccount" + } + }, """Automounting service account token is disallowed for ${item.kind}: ${item.metadata.name}""" + # Return the resource + item +} +# Validate All resource +items = [validate(i) for i in option("items")] diff --git a/examples/validation/validate-auto-mount-service-account-token/suite/bad.yaml b/examples/validation/validate-auto-mount-service-account-token/suite/bad.yaml new file mode 100644 index 0000000..1351d4f --- /dev/null +++ b/examples/validation/validate-auto-mount-service-account-token/suite/bad.yaml 
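Review bot: The `Pod` branch is guarded by `repos`, a parameter copied from the image policy that has nothing to do with service-account tokens, so a Pod is only inspected when the caller happens to supply `params.repos`; neither suite does, so a bare Pod with `automountServiceAccountToken: true` passes. Drop the `repos` binding and make the guard `if item.kind == "Pod":`. The assertion also reads as inverted relative to the referenced Gatekeeper template: it accepts a container only when every `volumeMounts` entry is the token path, so a container mounting a ConfigMap is rejected while one mounting the token itself passes — if the template is the intent, the check should be `m.mountPath != "/var/run/secrets/kubernetes.io/serviceaccount"` over `c.volumeMounts or []` (containers without mounts would otherwise iterate `None`), and the two suite fixtures would swap roles. The module docstring and the `documentation` annotation in `suite/bad.yaml` still describe the image-repo policy; `suite/good.yaml` already has the right wording.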
@@ -0,0 +1,38 @@ +apiVersion: krm.kcl.dev/v1alpha1 +kind: KCLRun +metadata: + name: validate-auto-mount-service-account-token + annotations: + krm.kcl.dev/version: 0.0.1 + krm.kcl.dev/type: validation + documentation: >- + Requires container images to begin with a string from the specified list. + + Ref: https://github.com/open-policy-agent/gatekeeper-library/blob/master/src/general/automount-serviceaccount-token/constraint.tmpl +spec: + source: ./examples/validation/validate-auto-mount-service-account-token/main.k +--- +apiVersion: apps/v1 +kind: Deployment +metadata: + name: my-deploy + labels: + app: nginx +spec: + replicas: 3 + selector: + matchLabels: + app: nginx + template: + metadata: + labels: + app: nginx + spec: + automountServiceAccountToken: true + containers: + - name: nginx + image: nginx:1.14.2 + ports: + - containerPort: 80 + volumeMounts: + - mountPath: /var/run/secrets/kubernetes.io/error_serviceaccount diff --git a/examples/validation/validate-auto-mount-service-account-token/suite/good.yaml b/examples/validation/validate-auto-mount-service-account-token/suite/good.yaml new file mode 100644 index 0000000..4d2552e --- /dev/null +++ b/examples/validation/validate-auto-mount-service-account-token/suite/good.yaml 
@@ -0,0 +1,46 @@ +apiVersion: krm.kcl.dev/v1alpha1 +kind: KCLRun +metadata: + name: validate-auto-mount-service-account-token + annotations: + krm.kcl.dev/version: 0.0.1 + krm.kcl.dev/type: validation + documentation: >- + Controls the ability of any Pod to enable automountServiceAccountToken. + + Ref: https://github.com/open-policy-agent/gatekeeper-library/blob/master/src/general/automount-serviceaccount-token/constraint.tmpl +spec: + source: ./examples/validation/validate-auto-mount-service-account-token/main.k +--- +apiVersion: apps/v1 +kind: Deployment +metadata: + name: my-deploy + labels: + app: nginx +spec: + replicas: 3 + selector: + matchLabels: + app: nginx + template: + metadata: + labels: + app: nginx + spec: + automountServiceAccountToken: true + containers: + - name: nginx + image: nginx:1.14.2 + ports: + - containerPort: 80 + volumeMounts: + - mountPath: /var/run/secrets/kubernetes.io/serviceaccount + +version=1.28 +spec_path=swagger.json +script_path=main.py +wget https://raw.githubusercontent.com/kubernetes/kubernetes/release-${version}/api/openapi-spec/swagger.json -O swagger.json +wget https://raw.githubusercontent.com/kcl-lang/kcl-openapi/main/scripts/preprocess/main.py -O main.py +python3 ${script_path} ${spec_path} --omit-status --rename=io.k8s=k8s +kcl-openapi generate model -f processed-${spec_path} diff --git a/examples/validation/validate-deprecated-api/kcl.mod b/examples/validation/validate-deprecated-api/kcl.mod new file mode 100644 index 0000000..6b9783f --- /dev/null +++ b/examples/validation/validate-deprecated-api/kcl.mod @@ -0,0 +1,3 @@ +[package] +name = "validate-deprecated-api" +version = "0.0.1" diff --git a/examples/validation/validate-deprecated-api/kcl.mod.lock b/examples/validation/validate-deprecated-api/kcl.mod.lock new file mode 100644 index 0000000..e69de29 diff --git a/examples/validation/validate-deprecated-api/main.k b/examples/validation/validate-deprecated-api/main.k new file mode 100644 index 0000000..04e0f61 
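Review bot: The last seven lines of the fixture, from `version=1.28` through `kcl-openapi generate model -f processed-${spec_path}`, are shell commands rather than YAML and look like an accidental paste; they will make the file fail to parse, so the good suite cannot run at all. Remove them, or move them into a script under the repository's tooling if they are meant to be kept. The `volumeMounts` entry here and in `suite/bad.yaml` also lacks the `name` field the Kubernetes API requires, so the fixtures would be rejected by a real API server before the policy ever runs.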
--- /dev/null +++ b/examples/validation/validate-deprecated-api/main.k @@ -0,0 +1,29 @@ +"""Verifies deprecated Kubernetes APIs to ensure all the API versions are up to date. +This template does not apply to audit as audit looks at the resources which are already +present in the cluster with non-deprecated API versions. +Ref: https://open-policy-agent.github.io/gatekeeper-library/website/validation/verifydeprecatedapi +""" + +schema Params: + kvs: [KV] + k8sVersion: int | float | str + +schema KV: + deprecatedAPI: str + kinds: [str] + targetAPI: str + +params: Params = option("params") + +# Define the validation function +validate = lambda item { + if params.kvs: + [lambda item, kv: KV { + if item.kind in kv.kinds: + assert item.apiVersion != kv.deprecatedAPI, "API {} for {} is deprecated in Kubernetes version {}, please use {} instead".format(item.kind, item.apiVersion, params.k8sVersion, kv.targetAPI) + kv + }(item, kv) for kv in params.kvs] + item +} +# Validate All resource +items = [validate(i) for i in option("items")] diff --git a/examples/validation/validate-deprecated-api/suite/bad.yaml b/examples/validation/validate-deprecated-api/suite/bad.yaml new file mode 100644 index 0000000..84ea4f1 --- /dev/null +++ b/examples/validation/validate-deprecated-api/suite/bad.yaml 
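Review bot: The format arguments of the assertion message are in the wrong order: the template reads `API {} for {} is deprecated ...` but is filled with `item.kind, item.apiVersion`, producing "API Deployment for apps/v1beta1 is deprecated"; change it to `.format(item.apiVersion, item.kind, params.k8sVersion, kv.targetAPI)`. `k8sVersion` is otherwise unused, so an entry in `kvs` is rejected regardless of the cluster version — either document on the `Params` schema that it is informational only or compare it against a per-entry version at which the API was removed. A short comment on the immediately-invoked lambda inside the list comprehension would also help, since the reason for that shape (running an `assert` per `kv`) is not obvious at first read.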
@@ -0,0 +1,54 @@ +apiVersion: krm.kcl.dev/v1alpha1 +kind: KCLRun +metadata: + name: validate-deprecated-api + annotations: + krm.kcl.dev/version: 0.0.1 + krm.kcl.dev/type: validation + documentation: >- + Verifies deprecated Kubernetes APIs to ensure all the API versions are up to date. + This template does not apply to audit as audit looks at the resources which are already + present in the cluster with non-deprecated API versions. + Ref: https://open-policy-agent.github.io/gatekeeper-library/website/validation/verifydeprecatedapi +spec: + params: + kvs: + - deprecatedAPI: "apps/v1beta1" + kinds: ["Deployment", "ReplicaSet", "StatefulSet"] + targetAPI: "apps/v1" + - deprecatedAPI: "extensions/v1beta1" + kinds: ["ReplicaSet", "Deployment", "DaemonSet"] + targetAPI: "apps/v1" + - deprecatedAPI: "extensions/v1beta1" + kinds: ["PodSecurityPolicy"] + targetAPI: "policy/v1beta1" + - deprecatedAPI: "apps/v1beta2" + kinds: ["ReplicaSet", "StatefulSet", "Deployment", "DaemonSet"] + targetAPI: "apps/v1" + - deprecatedAPI: "extensions/v1beta1" + kinds: ["NetworkPolicy"] + targetAPI: "networking.k8s.io/v1" + k8sVersion: 1.16 + source: ./examples/validation/validate-deprecated-api/main.k +--- +apiVersion: apps/v1beta1 +kind: Deployment +metadata: + name: disallowed-deployment + labels: + app: nginx +spec: + replicas: 3 + selector: + matchLabels: + app: nginx + template: + metadata: + labels: + app: nginx + spec: + containers: + - name: nginx + image: nginx:1.14.2 + ports: + - containerPort: 80 diff --git a/examples/validation/validate-deprecated-api/suite/good.yaml b/examples/validation/validate-deprecated-api/suite/good.yaml new file mode 100644 index 0000000..7aea699 --- /dev/null +++ b/examples/validation/validate-deprecated-api/suite/good.yaml 
@@ -0,0 +1,54 @@ +apiVersion: krm.kcl.dev/v1alpha1 +kind: KCLRun +metadata: + name: validate-deprecated-api + annotations: + krm.kcl.dev/version: 0.0.1 + krm.kcl.dev/type: validation + documentation: >- + Verifies deprecated Kubernetes APIs to ensure all the API versions are up to date. + This template does not apply to audit as audit looks at the resources which are already + present in the cluster with non-deprecated API versions. + Ref: https://open-policy-agent.github.io/gatekeeper-library/website/validation/verifydeprecatedapi +spec: + params: + kvs: + - deprecatedAPI: "apps/v1beta1" + kinds: ["Deployment", "ReplicaSet", "StatefulSet"] + targetAPI: "apps/v1" + - deprecatedAPI: "extensions/v1beta1" + kinds: ["ReplicaSet", "Deployment", "DaemonSet"] + targetAPI: "apps/v1" + - deprecatedAPI: "extensions/v1beta1" + kinds: ["PodSecurityPolicy"] + targetAPI: "policy/v1beta1" + - deprecatedAPI: "apps/v1beta2" + kinds: ["ReplicaSet", "StatefulSet", "Deployment", "DaemonSet"] + targetAPI: "apps/v1" + - deprecatedAPI: "extensions/v1beta1" + kinds: ["NetworkPolicy"] + targetAPI: "networking.k8s.io/v1" + k8sVersion: 1.16 + source: ./examples/validation/validate-deprecated-api/main.k +--- +apiVersion: apps/v1 +kind: Deployment +metadata: + name: disallowed-deployment + labels: + app: nginx +spec: + replicas: 3 + selector: + matchLabels: + app: nginx + template: + metadata: + labels: + app: nginx + spec: + containers: + - name: nginx + image: nginx:1.14.2 + ports: + - containerPort: 80