Merge pull request #2328 from spiffxp/verify-conftest

hack: enforce conftest and yamllint failures

apps/kubernetes-external-secrets/kubernetes-external-secrets.yaml

@@ -54,4 +54,3 @@ spec:
           # Params for env vars populated from k8s secrets
       securityContext:
         runAsNonRoot: true
-

apps/node-perf-dash/deployment.yaml

@@ -20,13 +20,13 @@ spec:
       - image: k8s.gcr.io/node-perf-dash:v0.3
         command:
           - /node-perf-dash
-          -   --www=true
-          -   --dir=/www
-          -   --address=0.0.0.0:8080
-          -   --builds=30
-          -   --datasource=google-gcs
-          -   --tracing=true
-          -   --jenkins-job=ci-kubernetes-node-kubelet-benchmark,ci-cri-containerd-node-e2e-benchmark
+          - --www=true
+          - --dir=/www
+          - --address=0.0.0.0:8080
+          - --builds=30
+          - --datasource=google-gcs
+          - --tracing=true
+          - --jenkins-job=ci-kubernetes-node-kubelet-benchmark,ci-cri-containerd-node-e2e-benchmark
         imagePullPolicy: Always
         name: node-perf-dash
         ports:

apps/sippy/service.yaml

@@ -14,4 +14,3 @@ spec:
     app: sippy
   sessionAffinity: None
   type: NodePort
-

apps/triageparty-release/secret.yaml

@@ -11,4 +11,4 @@ spec:
   data:
   - key: triage-party-github-token
     name: triage-party-github-token
-    version: latest
+    version: latest

cert-manager/cert-manager.yaml

@@ -6274,7 +6274,7 @@ spec:
                 fieldPath: metadata.namespace
           resources:
             {}
-            
+
 ---
 # Source: cert-manager/templates/deployment.yaml
 apiVersion: apps/v1
@@ -6335,7 +6335,7 @@ spec:
             requests:
               cpu: 10m
               memory: 32Mi
-            
+
 
 ---
 # Source: cert-manager/templates/webhook-deployment.yaml
@@ -6395,7 +6395,7 @@ spec:
                 fieldPath: metadata.namespace
           resources:
             {}
-            
+
           volumeMounts:
           - name: certs
             mountPath: /certs
@@ -6466,7 +6466,7 @@ webhooks:
 
 ---
 # Source: cert-manager/templates/webhook-psp-clusterrole.yaml
- 
+
 
 ---
 # Source: cert-manager/templates/webhook-psp-clusterrolebinding.yaml

dns/zone-configs/k8s.io._2_aws.yaml

@@ -6,4 +6,3 @@ test-cncf-aws:
   - ns-1825.awsdns-36.co.uk.
   - ns-265.awsdns-33.com.
   - ns-687.awsdns-21.net.
-

groups/sig-release/groups.yaml

@@ -364,7 +364,7 @@ groups:
       - [email protected] # 1.22 Release Notes Shadow
       - [email protected] # 1.22 Bug Triage Shadow
       - [email protected] # 1.22 Enhancements Lead
-      - [email protected] # 1.22 Comms Lead 
+      - [email protected] # 1.22 Comms Lead
       - [email protected] # 1.22 Bug Triage Shadow
       - [email protected] # 1.22 Enhancements Shadow
       - [email protected] # 1.22 Comms Shadow
@@ -386,7 +386,7 @@ groups:
       - [email protected] # 1.22 Bug Triage Shadow
       - [email protected] # 1.22 Docs Lead
       - [email protected] # 1.22 Bug Triage Shadow
-      - [email protected] # 1.22 Enhancements Shadow 
+      - [email protected] # 1.22 Enhancements Shadow
 
   - email-id: [email protected]
     name: release-team-shadows
@@ -412,7 +412,7 @@ groups:
       - [email protected] # 1.22 Release Notes Shadow
       - [email protected] # 1.22 Release Notes Shadow
       - [email protected] # 1.22 Release Notes Shadow
-      - [email protected] # 1.22 CI Signal Shadow 
+      - [email protected] # 1.22 CI Signal Shadow
       - [email protected] # 1.22 CI Signal Shadow
       - [email protected] # 1.22 CI Signal Shadow
       - [email protected] # 1.22 CI Signal Shadow
@@ -428,4 +428,3 @@ groups:
       - [email protected] # 1.22 Enhancements Shadow
       - [email protected] # 1.22 Enhancements Shadow
       - [email protected] # 1.22 Enhancements Shadow
-

groups/sig-testing/groups.yaml

@@ -116,7 +116,7 @@ groups:
   #
   # Membership should correspond roughly to subproject owners for the set of
   # subproject artifacts being stored in the GCS bucket
-  #     
+  #
   - email-id: [email protected]
     name: k8s-infra-push-kind
     description: |-
@@ -169,15 +169,15 @@ groups:
     - [email protected] # 1.22 CI Signal Shadow
     - [email protected] # 1.22 CI Signal Shadow
     - [email protected] # 1.22 CI Signal Shadow
-  
+
   #
   # sig-testing k8s-infra owners
   #
   # Each group here represents highly privileged access to kubernetes project
   # infrastructure owned or managed by sig-testing. A high level of trust is
   # required for membership in these groups.
   #
-  
+
   - email-id: [email protected]
     name: k8s-infra-ci-robot
     description: |-

groups/wg-k8s-infra/groups.yaml

@@ -108,7 +108,7 @@ groups:
       - [email protected]
       - [email protected]
       - [email protected]
-      - [email protected]      
+      - [email protected]
       - [email protected]
       - [email protected]
       - [email protected]
@@ -172,4 +172,3 @@ groups:
       WhoCanViewMembership: "ALL_MEMBERS_CAN_VIEW" # required
     members:
       - [email protected]
-

hack/.yamllint.conf

@@ -15,9 +15,4 @@ rules:
   indentation: disable
   document-start: disable
   comments: disable
-  line-length: disable
-  # these probably are worth enforcing, so start them at warning; fix in followup PR
-  new-line-at-end-of-file:
-    level: warning
-  trailing-spaces:
-    level: warning
+  line-length: disable

hack/verify-conftest.sh

@@ -0,0 +1,51 @@
+#!/usr/bin/env bash
+# Copyright 2021 The Kubernetes Authors.
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+set -o errexit
+set -o nounset
+set -o pipefail
+
+SCRIPT_DIR="$( cd "$( dirname "${BASH_SOURCE[0]}" )" && pwd )"
+REPO_ROOT="$(cd "${SCRIPT_DIR}/.." && pwd )"
+
+function usage() {
+    echo >&2 "Usage: $0"
+    exit 1
+}
+
+function ensure_dependencies() {
+    if ! command -v conftest >/dev/null 2>&1; then
+        echo "Please install conftest: https://www.conftest.dev/install/"
+        exit 1
+    fi
+}
+
+function main() {
+    ensure_dependencies
+
+    pushd "${REPO_ROOT}" >/dev/null
+    local k8s_yaml_paths=(
+        apps/
+        infra/gcp/clusters/projects/*/*/resources/*.yaml
+    )
+    conftest test --policy policies/ "${k8s_yaml_paths[@]}"
+
+}
+
+if [ $# -gt 0 ]; then
+    usage
+fi
+
+main

hack/verify-shellcheck.sh

@@ -52,7 +52,7 @@ for file in "${files[@]}"; do
     else
         passed_files+=("${file}")
     fi
-done 
+done
 
 result="passed"
 code=0
@@ -65,8 +65,8 @@ echo "result: ${result}"
 echo "shellcheck_cmd: ${shellcheck_cmd[*]} {file}"
 echo "shellcheck_output: >"
 <"${SHELLCHECK_OUTPUT}" sed -e 's/^/  /'
-echo "passing_files:"
-printf "%s\n" "${passed_files[@]/#${REPO_ROOT}\//- }"
+# echo "passing_files:"
+# printf "%s\n" "${passed_files[@]/#${REPO_ROOT}\//- }"
 echo "failing_files:"
 printf "%s\n" "${failed_files[@]/#${REPO_ROOT}\//- }"
 exit "${code}"

infra/gcp/clusters/projects/k8s-infra-prow-build-trusted/prow-build-trusted/resources/kube-dns-autoscaler-configmap.yaml

@@ -1,7 +1,7 @@
 # This is to address a known issue with node local dns cache
 # https://cloud.google.com/kubernetes-engine/docs/how-to/nodelocal-dns-cache#known_issues
 # TODO: remove when cluster version is >= 1.19.7-gke.1500
-# NOTE: string containing structured data, was retrieved from v1.17.15-gke.800, may fail 
+# NOTE: string containing structured data, was retrieved from v1.17.15-gke.800, may fail
 #       silently in the future if the expected schema changes
 apiVersion: v1
 data:

infra/gcp/clusters/projects/k8s-infra-prow-build-trusted/prow-build-trusted/resources/kubernetes-external-secrets.yaml

@@ -56,4 +56,3 @@ spec:
           # Params for env vars populated from k8s secrets
       securityContext:
         runAsNonRoot: true
-

infra/gcp/clusters/projects/k8s-infra-prow-build/prow-build/resources/kube-dns-autoscaler-configmap.yaml

@@ -1,7 +1,7 @@
 # This is to address a known issue with node local dns cache
 # https://cloud.google.com/kubernetes-engine/docs/how-to/nodelocal-dns-cache#known_issues
 # TODO: remove when cluster version is >= 1.19.7-gke.1500
-# NOTE: string containing structured data, was retrieved from v1.17.15-gke.800, may fail 
+# NOTE: string containing structured data, was retrieved from v1.17.15-gke.800, may fail
 #       silently in the future if the expected schema changes
 apiVersion: v1
 data:

infra/gcp/clusters/projects/k8s-infra-prow-build/prow-build/resources/namespaces.yaml

@@ -7,4 +7,4 @@ metadata:
 apiVersion: v1
 kind: Namespace
 metadata:
-  name: test-pods
+  name: test-pods

infra/gcp/namespaces/namespace-user-role.yml

@@ -21,7 +21,7 @@ rules:
     resources: ["leases"]
     verbs: ["*"]
   - apiGroups: ["networking.k8s.io"]
-    resources: ["networkpolicies","ingresses"]
+    resources: ["networkpolicies", "ingresses"]
     verbs: ["*"]
   - apiGroups: ["metrics.k8s.io"]
     resources: ["pods"]

infra/gcp/roles/audit.viewer.yaml

@@ -39,7 +39,7 @@
 #   # - roles/run.viewer
 #   # read access to secrets metadata (not their contents)
 #   - roles/secretmanager.viewer
-# 
+#
 #   # meta roles (regardless of roles/viewer)
 #   #
 #   # read access for the project hierarchy (org, folders, projects)
@@ -50,12 +50,12 @@
 #   #       effectively allows an auditor to use any project they wish
 #   #       for billing or quota purposes. This seems... not right.
 #   - roles/serviceusage.serviceUsageConsumer
-# 
+#
 #   # specific permissions that don't come from a well-scoped pre-defined role
 #   permissions:
 #   # for gsutil _ get: cors, iam, label, logging, lifecycle, retention, ubla
 #   - storage.buckets.get
-# 
+#
 #   # use regexes to filter permissions pulled in from the above
 #   permissionRegexes:
 #   # only include (get|list).* (e.g. get, getIamPolicy, etc.)

infra/gcp/roles/iam.serviceAccountLister.yaml

@@ -8,7 +8,7 @@
 # include:
 #   permissions:
 #   - iam.serviceAccounts.list
-# 
+#
 #
 description: Can list ServiceAccounts
 includedPermissions:

infra/gcp/roles/organization.admin.yaml

@@ -16,15 +16,15 @@
 #   - roles/billing.creator
 #   # maybe for budgets.*, this also offers accounts.updateUsageExportSpec
 #   - roles/billing.costsManager
-# 
+#
 #   # resourcemanager.* permissions missing from roles/owner
 #   # for resourcemanager.folders.*
 #   - roles/resourcemanager.folderAdmin
 #   # for resourcemanager.organizations.*
 #   - roles/resourcemanager.organizationAdmin
 #   # for resourcemanager.projects.create
 #   - roles/resourcemanager.projectCreator
-# 
+#
 #   # for storage.buckets.(get|update|(get|set)IamPolicy)
 #   - roles/storage.admin
 #   permissionRegexes:

infra/gcp/roles/prow.viewer.yaml

@@ -25,15 +25,15 @@
 #   - roles/pubsub.viewer
 #   # read access to secrets metadata (not their contents)
 #   - roles/secretmanager.viewer
-# 
+#
 #   # meta roles
-#   # 
+#   #
 #   # read access for the project hierarchy (org, folders, projects)
 #   - roles/browser
-# 
+#
 #   # specific permissions that don't come from a well-scoped pre-defined role
 #   permissions:
-#   # read access to buckets and their objects 
+#   # read access to buckets and their objects
 #   - storage.buckets.get
 #   - storage.buckets.getIamPolicy
 #   - storage.buckets.list

infra/gcp/roles/specs/container.deployer.yaml

@@ -17,4 +17,4 @@ exclude:
   # GKE cluster permissions
   - ^container\.clusters\.(create|delete|getCredentials|update)$
   - ^container\.operations\.
-  - ^container\.hostServiceAgent\.
+  - ^container\.hostServiceAgent\.

infra/gcp/roles/specs/iam.serviceAccountLister.yaml

@@ -6,4 +6,3 @@ name: iam.serviceAccountLister
 include:
   permissions:
   - iam.serviceAccounts.list
-

infra/gcp/roles/specs/prow.viewer.yaml

@@ -25,13 +25,13 @@ include:
   - roles/secretmanager.viewer
 
   # meta roles
-  # 
+  #
   # read access for the project hierarchy (org, folders, projects)
   - roles/browser
 
   # specific permissions that don't come from a well-scoped pre-defined role
   permissions:
-  # read access to buckets and their objects 
+  # read access to buckets and their objects
   - storage.buckets.get
   - storage.buckets.getIamPolicy
   - storage.buckets.list

k8s.gcr.io/images/k8s-image-staging-kind/images.yaml

@@ -1 +1 @@
-# No images yet
+# No images yet

k8s.gcr.io/images/k8s-staging-apisnoop/images.yaml

@@ -1,8 +1,8 @@
-- name: snoopdb 
+- name: snoopdb
   dmap:
     "sha256:c4151a15c8439265d98f66d25ef17964e9e975d894822a54ed7e72db78dba6c6": ["v0.1.0"]
     "sha256:a41a91e366e973da0bfd6fce44ba131d561ab435119ff7e1050d1e226a06dbda": ["v0.2.0"]
 - name: auditlogger
-  dmap: 
+  dmap:
     "sha256:c4151a15c8439265d98f66d25ef17964e9e975d894822a54ed7e72db78dba6c6": ["v0.1.0"]
     "sha256:2c9c8df42ac7525e556bbff81aa9a62960888c69d5faad4aad408893bc95cbc9": ["v0.2.0"]

k8s.gcr.io/images/k8s-staging-bootkube/promoter-manifest.yaml

@@ -1,4 +1,4 @@
- # google group for gcr.io/k8s-staging-bootkube is [email protected] 
+ # google group for gcr.io/k8s-staging-bootkube is [email protected]
 registries:
 - name: gcr.io/k8s-staging-bootkube
   src: true