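#!/bin/bash
#
# chart-powerlint.sh - run a chain of validators over every Helm chart found
# directly under CHARTS_DIR: helm lint, then kubeconform and pluto for each
# Kubernetes version listed, then polaris, and optionally kube-linter,
# kube-score and kubescape. The run aborts on the first failing validator.
#
# Requires bash 4.4+ (namerefs, empty arrays under `set -u`).
#
# Environment (all optional):
#   CHARTS_DIR                  directory holding one chart per subdirectory
#   SHOULD_UPDATE_DEPENDENCIES  "1" runs `helm dependency update` first
#   KUBERNETES_VERSIONS         space-separated versions (without leading "v")
#   POLARIS_SCORE_THRESHOLD     polaris exits non-zero below this score
#   SKIP_KUBE_SCORE, SKIP_KUBE_LINTER, SKIP_KUBE_SCAPE
#                               "1" (default) skips that tool; any other value runs it
#   KUBE_SCORE_ARGS             extra arguments passed to `kube-score score`
#   KUBECONFORM_CACHE_DIR       kubeconform schema cache directory (default: /tmp)

# NOTE: -x traces every expanded command line to stderr, so any environment
# value that ends up on a command line is visible in the job log.
set -euox pipefail

CHARTS_DIR=${CHARTS_DIR:-"charts"}
SHOULD_UPDATE_DEPENDENCIES=${SHOULD_UPDATE_DEPENDENCIES:-""}
KUBERNETES_VERSIONS=${KUBERNETES_VERSIONS:-"1.28.0 1.29.0 1.30.0"}
POLARIS_SCORE_THRESHOLD=${POLARIS_SCORE_THRESHOLD:-90}
SKIP_KUBE_SCORE=${SKIP_KUBE_SCORE:-"1"}
KUBE_SCORE_ARGS=${KUBE_SCORE_ARGS:-""}
SKIP_KUBE_LINTER=${SKIP_KUBE_LINTER:-"1"}
SKIP_KUBE_SCAPE=${SKIP_KUBE_SCAPE:-"1"}
# kubeconform stores downloaded schemas here. /tmp is shared with every other
# user and process on the host, so a per-job directory is preferable: a cached
# schema is trusted as-is by later validations.
KUBECONFORM_CACHE_DIR=${KUBECONFORM_CACHE_DIR:-"/tmp"}

#######################################
# Print a failure message to stderr and abort the whole run.
# Arguments: $* - message
#######################################
die() {
  printf '%s\n' "$*" >&2
  exit 1
}

#######################################
# Fill an array with the `helm template` flags for one Kubernetes version.
# A values-test.yaml inside the chart directory is added with -f when present.
# Arguments:
#   $1 - name of the array variable to populate (nameref)
#   $2 - chart directory
#   $3 - Kubernetes version without the leading "v"
#######################################
helm_template_args() {
  local -n __result=$1
  local chart_path=$2
  local kube_version=$3
  __result=("--kube-version=v${kube_version}")
  if [[ -f "${chart_path}/values-test.yaml" ]]; then
    __result+=(-f "${chart_path}/values-test.yaml")
  fi
}

#######################################
# Render a chart to stdout.
# Arguments:
#   $1 - chart directory
#   $@ - remaining: flags for `helm template` (placed before the chart path)
#######################################
render_chart() {
  local chart_path=$1
  shift
  helm template "$@" "${chart_path}"
}

#######################################
# Run every enabled validator against a single chart.
# Globals: the *_DIR, SKIP_*, *_ARGS and threshold settings above (read)
# Arguments: $1 - chart directory
# Returns: 0 when every validator passes; otherwise exits via die
#######################################
lint_chart() {
  local chart_path=$1
  local kube_version
  local -a render_args=()
  local -a polaris_args=()
  local -a kube_linter_args=()

  if [[ "${SHOULD_UPDATE_DEPENDENCIES}" == "1" ]]; then
    echo "Updating helm dependencies"
    helm dependency update "${chart_path}"
  fi

  echo "Helm lint..."
  helm lint "${chart_path}"

  [[ -n "${KUBERNETES_VERSIONS// /}" ]] \
    || die "KUBERNETES_VERSIONS must list at least one version"

  # shellcheck disable=SC2086 -- KUBERNETES_VERSIONS is a space-separated list
  for kube_version in ${KUBERNETES_VERSIONS}; do
    echo "Validating against Kubernetes version ${kube_version}:"
    helm_template_args render_args "${chart_path}" "${kube_version}"

    echo "Kubeconform check..."
    render_chart "${chart_path}" "${render_args[@]}" |
      kubeconform \
        -ignore-missing-schemas \
        -cache "${KUBECONFORM_CACHE_DIR}" \
        -strict \
        -kubernetes-version "${kube_version}" \
        -verbose \
        -exit-on-error \
        -summary - || die "kubeconform validation failed"

    echo "Pluto check..."
    render_chart "${chart_path}" "${render_args[@]}" |
      pluto detect --target-versions "k8s=v${kube_version}" - || die "Pluto failed"
  done

  # Everything below renders with the flags of the LAST version listed in
  # KUBERNETES_VERSIONS (render_args keeps the final loop iteration's value).
  echo "Polaris check..."
  if [[ -f ".polaris.yaml" ]]; then
    polaris_args=(--config ".polaris.yaml")
  fi
  render_chart "${chart_path}" "${render_args[@]}" |
    polaris audit \
      --audit-path - \
      --format pretty \
      "${polaris_args[@]}" \
      --set-exit-code-on-danger \
      --set-exit-code-below-score "${POLARIS_SCORE_THRESHOLD}" || die "Polaris failed"

  if [[ "${SKIP_KUBE_LINTER}" != "1" ]]; then
    echo "Kube-Linter check..."
    if [[ -f ".kube-linter.yaml" ]]; then
      kube_linter_args=("--config=.kube-linter.yaml")
    fi
    render_chart "${chart_path}" "${render_args[@]}" |
      kube-linter lint "${kube_linter_args[@]}" - || die "Kube-Linter failed"
  fi

  if [[ "${SKIP_KUBE_SCORE}" != "1" ]]; then
    echo "Kube-Score check..."
    # KUBE_SCORE_ARGS is an operator-supplied option string, so it is word-split
    # on purpose; it is placed before the "-" (stdin) positional argument.
    # shellcheck disable=SC2086
    render_chart "${chart_path}" "${render_args[@]}" |
      kube-score score ${KUBE_SCORE_ARGS} - || die "Kube-Score failed"
  fi

  if [[ "${SKIP_KUBE_SCAPE}" != "1" ]]; then
    # The framework definitions are read from fixed paths under /root, which
    # presumes the script runs as root inside the tooling image - TODO confirm.
    echo "kubescape nsa check..."
    render_chart "${chart_path}" "${render_args[@]}" |
      kubescape scan framework nsa --use-from=/root/.kubescape/nsa.json - \
      || die "kubescape for NSA framework failed"

    echo "kubescape mitre check..."
    render_chart "${chart_path}" "${render_args[@]}" |
      kubescape scan framework mitre --use-from=/root/.kubescape/mitre.json - \
      || die "kubescape for MITRE framework failed"
  fi
}

#######################################
# Iterate over CHARTS_DIR and lint every directory that carries a Chart.yaml.
# Globals: CHARTS_DIR (read)
#######################################
main() {
  local chart_path
  for chart_path in "${CHARTS_DIR}"/*; do
    if [[ ! -f "${chart_path}/Chart.yaml" ]]; then
      echo "Skipping over ${chart_path}"
      continue
    fi
    echo "Power-linting ${chart_path}:"
    lint_chart "${chart_path}"
  done
}

main "$@"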