From aa10f82f62efe2b30c6f0c23e1f14ce7c0baaca3 Mon Sep 17 00:00:00 2001
From: Mohsin Kaleem
Date: Sun, 31 Mar 2024 18:35:28 +0100
Subject: [PATCH] checkers: Add kube-linter checker
---
 .../flymake-collection-kube-linter.el | 70 +++++++++++++++++++
 src/flymake-collection-hook.el | 3 +-
 tests/checkers/installers/kube-linter.bash | 8 +++
 tests/checkers/test-cases/kube-linter.yml | 49 +++++++++++++
 4 files changed, 129 insertions(+), 1 deletion(-)
 create mode 100644 src/checkers/flymake-collection-kube-linter.el
 create mode 100755 tests/checkers/installers/kube-linter.bash
 create mode 100644 tests/checkers/test-cases/kube-linter.yml
diff --git a/src/checkers/flymake-collection-kube-linter.el b/src/checkers/flymake-collection-kube-linter.el
new file mode 100644
index 0000000..c9c6d88
--- /dev/null
+++ b/src/checkers/flymake-collection-kube-linter.el
@@ -0,0 +1,70 @@
+;;; flymake-collection-kube-linter.el --- Linter for k8s configs -*- lexical-binding: t -*-
+
+;; Copyright (c) 2024 Mohsin Kaleem
+
+;; Permission is hereby granted, free of charge, to any person obtaining a copy
+;; of this software and associated documentation files (the "Software"), to deal
+;; in the Software without restriction, including without limitation the rights
+;; to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+;; copies of the Software, and to permit persons to whom the Software is
+;; furnished to do so, subject to the following conditions:
+
+;; The above copyright notice and this permission notice shall be included in all
+;; copies or substantial portions of the Software.
+
+;; THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+;; IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+;; FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+;; AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+;; LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+;; OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
+;; SOFTWARE.
+
+;;; Commentary:
+
+;; `flymake' syntax checker for kubernetes configuration files.
+
+;;; Code:
+
+(require 'flymake)
+(require 'flymake-collection)
+(eval-when-compile (require 'subr-x))
+
+(eval-when-compile
+  (require 'flymake-collection-define))
+
+;;;###autoload (autoload 'flymake-collection-kube-linter "flymake-collection-kube-linter")
+(flymake-collection-define-enumerate flymake-collection-kube-linter
+  "KubeLinter is a static analysis tool that checks Kubernetes YAML files and Helm
+charts to ensure the applications represented in them adhere to best practices.
+
+https://docs.kubelinter.io/#/"
+  :title "kube-linter"
+  :pre-let ((kube-linter-exec (executable-find "kube-linter")))
+  :pre-check (unless kube-linter-exec
+               (error "Cannot find kube-linter executable"))
+  :write-type 'pipe
+  :command `(,kube-linter-exec
+             "lint"
+             "--fail-if-no-objects-found"
+             "--fail-on-invalid-resource"
+             "--format=json"
+             "-")
+  :generator
+  (thread-last
+    (flymake-collection-parse-json
+     (buffer-substring-no-properties
+      (point-min) (point-max)))
+    (car)
+    (alist-get 'Reports))
+  :enumerate-parser
+  (let-alist it
+    `(,flymake-collection-source
+      ,@(with-current-buffer flymake-collection-source
+          (list (point-min) (point-max)))
+      :error
+      ,(concat (propertize (concat "[" .Check "]") 'face 'flymake-collection-diag-id) " "
+               .Diagnostic.Message))))
+
+(provide 'flymake-collection-kube-linter)
+;;; flymake-collection-kube-linter.el ends here
diff --git a/src/flymake-collection-hook.el b/src/flymake-collection-hook.el
index deffe82..7441b50 100644
--- a/src/flymake-collection-hook.el
+++ b/src/flymake-collection-hook.el
@@ -82,7 +82,8 @@
      (flymake-collection-shellcheck
       (sh-shellcheck-flymake :disabled t)))
     ((yaml-mode yaml-ts-mode) .
-     flymake-collection-yamllint)
+     (flymake-collection-yamllint
+      (flymake-collection-kube-linter :disabled t)))
     ((web-mode html-ts-mode) .
      (flymake-collection-html-tidy))
     (org-mode
diff --git a/tests/checkers/installers/kube-linter.bash b/tests/checkers/installers/kube-linter.bash
new file mode 100755
index 0000000..d4505a6
--- /dev/null
+++ b/tests/checkers/installers/kube-linter.bash
@@ -0,0 +1,8 @@
+cd "$(mktemp -d)" || exit 1
+
+curl -L https://github.com/stackrox/kube-linter/releases/download/v0.6.8/kube-linter-linux.tar.gz |
+  tar -xzv
+mv kube-linter /usr/bin/
+
+rm -rf "$(pwd)"
+cd - || exit 1
diff --git a/tests/checkers/test-cases/kube-linter.yml b/tests/checkers/test-cases/kube-linter.yml
new file mode 100644
index 0000000..e96342b
--- /dev/null
+++ b/tests/checkers/test-cases/kube-linter.yml
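Review bot: Every diagnostic built in `:enumerate-parser` is anchored to the whole buffer via `(list (point-min) (point-max))` and is always reported as `:error`, whichever check fired, and nothing in the hunk says why; a reader used to the other checkers in this collection will expect per-line positions. The parser reads only `.Check` and `.Diagnostic.Message` from each report and no line or column field, so whole-buffer anchoring looks deliberate (kube-linter appears to report per object, naming it in the message), but it deserves a comment above `:enumerate-parser`, e.g. `;; kube-linter reports per object, not per line, so every diagnostic spans the whole buffer; the offending object is named in the message.` The `:generator` also assumes stdout is a JSON list whose `car` carries `Reports`; if kube-linter prints a non-JSON error instead (plausible for a malformed document under `--fail-on-invalid-resource`), `flymake-collection-parse-json` would presumably signal, so either note that the define macro's error handling is relied on or guard the `(car ...)`. Finally, `--fail-if-no-objects-found` makes any YAML buffer without Kubernetes objects exit non-zero, which is acceptable only because the checker is opt-in; that trade-off belongs in the docstring.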
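Review bot: The installer pipes an unverified download straight into `tar` and then into `/usr/bin/` with no failure handling: `curl -L` has no `-f`/`--fail`, so an HTTP error page is fed to `tar`; without `set -o pipefail` a curl failure is masked by tar's exit status; `mv kube-linter /usr/bin/` is unchecked; and the file is mode 100755 but has no shebang. Because the binary fetched here is subsequently executed by the test suite, the tarball's SHA-256 should be pinned and verified before extraction (take it from the release's published checksum, if the project provides one) and the script should stop on any error. This is CI-side test infrastructure rather than shipped code, so the blast radius is the runner, but it is exactly the pattern a supply-chain review flags.
```shell
#!/usr/bin/env bash
set -euo pipefail

cd "$(mktemp -d)"

# Pin the v0.6.8 linux tarball; fill this in from the release's published checksum.
expected_sha256='<sha256 of kube-linter-linux.tar.gz for v0.6.8>'

curl -fsSL -o kube-linter-linux.tar.gz \
  https://github.com/stackrox/kube-linter/releases/download/v0.6.8/kube-linter-linux.tar.gz
echo "${expected_sha256}  kube-linter-linux.tar.gz" | sha256sum -c -
tar -xzf kube-linter-linux.tar.gz
install -m 0755 kube-linter /usr/bin/kube-linter
# … unchanged: temp-dir cleanup and cd back …
```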
@@ -0,0 +1,49 @@
+checker: flymake-collection-kube-linter
+tests:
+  - name: no-lints
+    file: ""
+    lints: []
+  - name: example-file
+    file: |-
+      apiVersion: v1
+      kind: Pod
+      metadata:
+        name: security-context-demo
+      spec:
+        securityContext:
+          runAsUser: 1000
+          runAsGroup: 3000
+          fsGroup: 2000
+        volumes:
+        - name: sec-ctx-vol
+          emptyDir: {}
+        containers:
+        - name: sec-ctx-demo
+          image: busybox
+          resources:
+            requests:
+              memory: "64Mi"
+              cpu: "250m"
+          command: [ "sh", "-c", "sleep 1h" ]
+          volumeMounts:
+          - name: sec-ctx-vol
+            mountPath: /data/demo
+          securityContext:
+            allowPrivilegeEscalation: false
+    lints:
+      - point: [1, 0]
+        level: error
+        message: |-
+          [latest-tag] The container "sec-ctx-demo" is using an invalid container image, "busybox". Please use images that are not blocked by the `BlockList` criteria : [".*:(latest)$" "^[^:]*$" "(.*/[^:]+)$"] (kube-linter)
+      - point: [1, 0]
+        level: error
+        message: |-
+          [no-read-only-root-fs] container "sec-ctx-demo" does not have a read-only root file system (kube-linter)
+      - point: [1, 0]
+        level: error
+        message: |-
+          [unset-cpu-requirements] container "sec-ctx-demo" has cpu limit 0 (kube-linter)
+      - point: [1, 0]
+        level: error
+        message: |-
+          [unset-memory-requirements] container "sec-ctx-demo" has memory limit 0 (kube-linter)
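Review bot: The expected messages in the `example-file` case embed kube-linter's literal wording for one release, including the `BlockList` regex list in the `[latest-tag]` message, yet nothing in this file records which version produced them; the pin lives only in the installer script. A one-line comment at the top, e.g. `# Expected output recorded against kube-linter v0.6.8 (see tests/checkers/installers/kube-linter.bash); re-record when bumping.`, saves the next person a confusing failure when the version changes. The four identical `point: [1, 0]` entries also quietly document that the checker anchors every report to the start of the buffer; a short comment on `lints:` saying so would make that intent explicit rather than looking like a fixture mistake.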