checkers: Add kube-linter checker

src/checkers/flymake-collection-kube-linter.el

@@ -0,0 +1,70 @@
+;;; flymake-collection-kube-linter.el --- Linter for k8s configs -*- lexical-binding: t -*-
+
+;; Copyright (c) 2024 Mohsin Kaleem
+
+;; Permission is hereby granted, free of charge, to any person obtaining a copy
+;; of this software and associated documentation files (the "Software"), to deal
+;; in the Software without restriction, including without limitation the rights
+;; to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+;; copies of the Software, and to permit persons to whom the Software is
+;; furnished to do so, subject to the following conditions:
+
+;; The above copyright notice and this permission notice shall be included in all
+;; copies or substantial portions of the Software.
+
+;; THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+;; IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+;; FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+;; AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+;; LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+;; OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
+;; SOFTWARE.
+
+;;; Commentary:
+
+;; `flymake' syntax checker for kubernetes configuration files.
+
+;;; Code:
+
+(require 'flymake)
+(require 'flymake-collection)
+(eval-when-compile (require 'subr-x))
+
+(eval-when-compile
+  (require 'flymake-collection-define))
+
+;;;###autoload (autoload 'flymake-collection-kube-linter "flymake-collection-kube-linter")
+(flymake-collection-define-enumerate flymake-collection-kube-linter
+  "KubeLinter is a static analysis tool that checks Kubernetes YAML files and Helm
+charts to ensure the applications represented in them adhere to best practices.
+
+https://docs.kubelinter.io/#/"
+  :title "kube-linter"
+  :pre-let ((kube-linter-exec (executable-find "kube-linter")))
+  :pre-check (unless kube-linter-exec
+               (error "Cannot find kube-linter executable"))
+  :write-type 'pipe
+  :command `(,kube-linter-exec
+             "lint"
+             "--fail-if-no-objects-found"
+             "--fail-on-invalid-resource"
+             "--format=json"
+             "-")
+  :generator
+  (thread-last
+    (flymake-collection-parse-json
+     (buffer-substring-no-properties
+      (point-min) (point-max)))
+    (car)
+    (alist-get 'Reports))
+  :enumerate-parser
+  (let-alist it
+    `(,flymake-collection-source
+      ,@(with-current-buffer flymake-collection-source
+          (list (point-min) (point-max)))
+      :error
+      ,(concat (propertize (concat "[" .Check "]") 'face 'flymake-collection-diag-id) " "
+               .Diagnostic.Message))))
+
+(provide 'flymake-collection-kube-linter)
+;;; flymake-collection-kube-linter.el ends here

src/flymake-collection-hook.el

@@ -82,7 +82,8 @@
      (flymake-collection-shellcheck
       (sh-shellcheck-flymake :disabled t)))
     ((yaml-mode yaml-ts-mode) .
-     flymake-collection-yamllint)
+     (flymake-collection-yamllint
+      (flymake-collection-kube-linter :disabled t)))
     ((web-mode html-ts-mode) .
      (flymake-collection-html-tidy))
     (org-mode

tests/checkers/installers/kube-linter.bash

@@ -0,0 +1,8 @@
+cd "$(mktemp -d)" || exit 1
+
+curl -L https://github.com/stackrox/kube-linter/releases/download/v0.6.8/kube-linter-linux.tar.gz |
+  tar -xzv
+mv kube-linter /usr/bin/
+
+rm -rf "$(pwd)"
+cd - || exit 1

tests/checkers/test-cases/kube-linter.yml

@@ -0,0 +1,49 @@
+checker: flymake-collection-kube-linter
+tests:
+  - name: no-lints
+    file: ""
+    lints: []
+  - name: example-file
+    file: |-
+      apiVersion: v1
+      kind: Pod
+      metadata:
+        name: security-context-demo
+      spec:
+        securityContext:
+          runAsUser: 1000
+          runAsGroup: 3000
+          fsGroup: 2000
+        volumes:
+        - name: sec-ctx-vol
+          emptyDir: {}
+        containers:
+        - name: sec-ctx-demo
+          image: busybox
+          resources:
+            requests:
+              memory: "64Mi"
+              cpu: "250m"
+          command: [ "sh", "-c", "sleep 1h" ]
+          volumeMounts:
+          - name: sec-ctx-vol
+            mountPath: /data/demo
+          securityContext:
+            allowPrivilegeEscalation: false
+    lints:
+      - point: [1, 0]
+        level: error
+        message: |-
+          [latest-tag] The container "sec-ctx-demo" is using an invalid container image, "busybox". Please use images that are not blocked by the `BlockList` criteria : [".*:(latest)$" "^[^:]*$" "(.*/[^:]+)$"] (kube-linter)
+      - point: [1, 0]
+        level: error
+        message: |-
+          [no-read-only-root-fs] container "sec-ctx-demo" does not have a read-only root file system (kube-linter)
+      - point: [1, 0]
+        level: error
+        message: |-
+          [unset-cpu-requirements] container "sec-ctx-demo" has cpu limit 0 (kube-linter)
+      - point: [1, 0]
+        level: error
+        message: |-
+          [unset-memory-requirements] container "sec-ctx-demo" has memory limit 0 (kube-linter)