From fb8becc682186a29567ee2a0e80561c79f5fed0c Mon Sep 17 00:00:00 2001
From: Arnaud Meukam
Date: Thu, 4 Mar 2021 23:28:34 +0100
Subject: [PATCH] Add tests for data validation

Add policices written in [rego](https://www.openpolicyagent.org/docs/latest/policy-language/) that validate kubernetes resources configuration of the community infrastructure. Only the ingresses resources are covered. THis is heavily inspired from https://github.com/deliveryhero/helm-charts/tree/master/ci/helm-conftest-policies. [conftest](https://github.com/open-policy-agent/conftest) will be against those policies.
Ref: https://github.com/kubernetes/k8s.io/issues/1734
Signed-off-by: Arnaud Meukam
---
policies/base.rego | 10 ++++++++++
policies/deprecations.rego | 21 +++++++++++++++++++++
policies/kubernetes.rego | 14 ++++++++++++++
3 files changed, 45 insertions(+)
create mode 100644 policies/base.rego
create mode 100644 policies/deprecations.rego
create mode 100644 policies/kubernetes.rego
diff --git a/policies/base.rego b/policies/base.rego
new file mode 100644
index 000000000000..3c7116bbeb57
--- /dev/null
+++ b/policies/base.rego
@@ -0,0 +1,10 @@
+package main
+
+import data.kubernetes
+
+apiversion = input.apiversion
+
+warn[msg] {
+ kubernetes.is_ingress
+ msg = sprintf("Found ingress %s", [apiversion])
+}
\ No newline at end of file
diff --git a/policies/deprecations.rego b/policies/deprecations.rego
new file mode 100644
index 000000000000..40bc318cdb3c
--- /dev/null
+++ b/policies/deprecations.rego
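Review bot: `apiversion = input.apiversion` reads a key Kubernetes documents do not carry — the field is `apiVersion` (camelCase, exactly as deprecations.rego in this same patch spells it), so `apiversion` is undefined for every input, `sprintf` never evaluates and this `warn` rule can never produce a message. The fix is `apiversion = input.apiVersion`. Note also that the rule only looks at the top-level document: a `kind: List` wrapper (what `kubectl get -o yaml` emits) is not unpacked here the way deprecations.rego does with `with input as obj`, so ingresses packaged inside a List are silently skipped — either reuse that dispatch or document that this file expects one resource per document. The file also lacks a trailing newline, which `opa fmt` would add.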
@@ -0,0 +1,21 @@
+package main
+
+warn[msg] {
+ input.apiVersion == "v1"
+ input.kind == "List"
+ obj := input.items[_]
+ msg := _warn with input as obj
+}
+
+warn[msg] {
+ input.apiVersion != "v1"
+ input.kind != "List"
+ msg := _warn
+}
+
+# Ingress resources extensions/v1beta1 will no longer be served from in v1.20. Migrate use to the networking.k8s.io/v1beta1 API, available since v1.14.
+_warn = msg {
+ input.apiVersion == "extensions/v1beta1"
+ input.kind == "Ingress"
+ msg := sprintf("%s/%s: API extensions/v1beta1 for Ingress is deprecated from Kubernetes 1.14, use networking.k8s.io/v1beta1 instead.", [input.kind, input.metadata.name])
+}
\ No newline at end of file
diff --git a/policies/kubernetes.rego b/policies/kubernetes.rego
new file mode 100644
index 000000000000..ef1c77e3d487
--- /dev/null
+++ b/policies/kubernetes.rego
@@ -0,0 +1,14 @@
+
+package kubernetes
+
+is_service {
+ input.kind = "Service"
+}
+
+is_deployment {
+ input.kind = "Deployment"
+}
+
+is_ingress {
+ input.kind = "Ingress"
+}
\ No newline at end of file
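Review bot: The second `warn` rule's dispatch is too narrow: it only runs `_warn` when `input.apiVersion != "v1"` and `input.kind != "List"`, so every core-group object (`apiVersion: v1` Service, Secret, ConfigMap, Pod) is never evaluated — harmless today because `_warn` only matches Ingress, but a silent coverage gap the moment another check is added to `_warn`. The intent is "not a List wrapper", so replace the two conditions with `not is_list` and add `is_list { input.apiVersion == "v1"; input.kind == "List" }`, which the first rule can then reuse instead of repeating the two comparisons. Separately, the message steers users to `networking.k8s.io/v1beta1`; if the clusters are on 1.19 or later, `networking.k8s.io/v1` is the GA target and recommending the beta API just queues up the next deprecation warning, so consider naming v1 in both the comment and the message.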
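Review bot: The three helpers use unification (`input.kind = "Service"`) where deprecations.rego in the same patch uses comparison (`==`), and none of them carries a comment; for a literal in a rule body the two are equivalent, but `==` states the intent and keeps the two files consistent, so `input.kind == "Service"` and likewise for the other two. A one-line comment per helper would help readers of base.rego, e.g. `# is_ingress: the document under evaluation is an Ingress (top-level kind only; items inside a kind: List are not inspected).` The file also opens with a blank line before `package kubernetes` and ends without a newline, both of which `opa fmt` would normalize.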