Commit
feat: publish more validation modules about kubernetes resources
Signed-off-by: peefy <[email protected]>
Peefy committed Nov 27, 2023
1 parent 1aea91f commit 75b3a55
Showing 84 changed files with 599 additions and 0 deletions.
7 changes: 7 additions & 0 deletions restrict-ingress-wildcard/README.md
Original file line number Diff line number Diff line change
@@ -0,0 +1,7 @@
## Introduction

`restrict-ingress-wildcard` is a KCL validation module

## Resource

The Code source and documents are [here](https://github.com/kcl-lang/modules/tree/main/restrict-ingress-wildcard)
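Review bot: the README body states only that this is a KCL validation module and links to the repository; add a sentence saying what the rule rejects (here, Ingress rule hosts containing `*`), which resource kinds it inspects, and any `params` keys it reads, so a user can tell the modules apart without opening `main.k`. The same applies to every README in this commit; the modules that take parameters (`restrict-node-annotation-creation`, `restrict-node-label-creation`, `restrict-scale`) especially need their `params` keys and defaults documented.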
5 changes: 5 additions & 0 deletions restrict-ingress-wildcard/kcl.mod
@@ -0,0 +1,5 @@
[package]
name = "restrict-ingress-wildcard"
version = "0.1.0"
description = "`restrict-ingress-wildcard` is a KCL validation module"

Empty file.
15 changes: 15 additions & 0 deletions restrict-ingress-wildcard/main.k
@@ -0,0 +1,15 @@
KINDS = [
"Ingress"
]

# Define the validation function
validate = lambda item: {str:} {
if item?.kind in KINDS:
hosts: [str] = [h for r in item.spec.rules for h in r.host]
assert all host in hosts {
"*" not in host
}, "Wildcards are not permitted as hosts ${hosts}"
item
}
# Validate All resource
items = [validate(i) for i in option("items") or []]
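Review bot: the comprehension on the `hosts:` line iterates `r.host` itself (`for h in r.host`), but `host` in an Ingress rule is a single string, not a list, so this either walks the string character by character or fails, and in neither case does `hosts` hold hostnames; write `hosts: [str] = [r.host for r in item.spec?.rules or [] if r.host]`. That form also survives an Ingress with no `spec.rules` (default-backend only) and rules that omit `host`, both of which the current unguarded `item.spec.rules` / `r.host` access would trip on.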
7 changes: 7 additions & 0 deletions restrict-jobs/README.md
@@ -0,0 +1,7 @@
## Introduction

`restrict-jobs` is a KCL validation module

## Resource

The Code source and documents are [here](https://github.com/kcl-lang/modules/tree/main/restrict-jobs)
5 changes: 5 additions & 0 deletions restrict-jobs/kcl.mod
@@ -0,0 +1,5 @@
[package]
name = "restrict-jobs"
version = "0.1.0"
description = "`restrict-jobs` is a KCL validation module"

Empty file added restrict-jobs/kcl.mod.lock
Empty file.
15 changes: 15 additions & 0 deletions restrict-jobs/main.k
@@ -0,0 +1,15 @@
KINDS = [
"Job"
]

# Define the validation function
validate = lambda item: {str:} {
if item?.kind in KINDS:
kinds: [str] = [o.kind for o in item.metadata?.ownerReferences]
assert all kind in kinds {
kind == "CronJob"
}, "Jobs are only allowed if spawned from CronJobs, got kinds ${kinds}"
item
}
# Validate All resource
items = [validate(i) for i in option("items") or []]
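Review bot: a Job with no `ownerReferences` passes this check, because `all` over an empty list is true, so a Job applied directly by a user, which is exactly the case the message says should be rejected ("only allowed if spawned from CronJobs"), is accepted; assert that `kinds` is non-empty as well, e.g. `assert kinds and all kind in kinds { kind == "CronJob" }, ...`. The comprehension on the `kinds:` line also iterates `item.metadata?.ownerReferences` with no fallback, which is undefined when the field is absent; add `or []`.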
7 changes: 7 additions & 0 deletions restrict-load-balancer/README.md
@@ -0,0 +1,7 @@
## Introduction

`restrict-load-balancer` is a KCL validation module

## Resource

The Code source and documents are [here](https://github.com/kcl-lang/modules/tree/main/restrict-load-balancer)
5 changes: 5 additions & 0 deletions restrict-load-balancer/kcl.mod
@@ -0,0 +1,5 @@
[package]
name = "restrict-load-balancer"
version = "0.1.0"
description = "`restrict-load-balancer` is a KCL validation module"

Empty file.
12 changes: 12 additions & 0 deletions restrict-load-balancer/main.k
@@ -0,0 +1,12 @@
KINDS = [
"Service"
]

# Define the validation function
validate = lambda item: {str:} {
if item?.kind in KINDS:
assert item?.spec?.type != "LoadBalance", "Service of type LoadBalancer is not allowed."
item
}
# Validate All resource
items = [validate(i) for i in option("items") or []]
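Review bot: the value compared on the `assert` line is `"LoadBalance"`, but the Kubernetes Service type is `LoadBalancer` (as the message itself says), so the assertion can never fail and the module allows exactly the Services it is meant to block; change it to `assert item?.spec?.type != "LoadBalancer", "Service of type LoadBalancer is not allowed."`.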
7 changes: 7 additions & 0 deletions restrict-networkpolicy-empty-podselector/README.md
@@ -0,0 +1,7 @@
## Introduction

`restrict-networkpolicy-empty-podselector` is a KCL validation module

## Resource

The Code source and documents are [here](https://github.com/kcl-lang/modules/tree/main/restrict-networkpolicy-empty-podselector)
5 changes: 5 additions & 0 deletions restrict-networkpolicy-empty-podselector/kcl.mod
@@ -0,0 +1,5 @@
[package]
name = "restrict-networkpolicy-empty-podselector"
version = "0.1.0"
description = "`restrict-networkpolicy-empty-podselector` is a KCL validation module"

Empty file.
12 changes: 12 additions & 0 deletions restrict-networkpolicy-empty-podselector/main.k
@@ -0,0 +1,12 @@
KINDS = [
"NetworkPolicy"
]

# Define the validation function
validate = lambda item: {str:} {
if item?.kind in KINDS and item.metadata.name not in ["default-deny"]:
assert len(item?.spec.podSelector or {}) > 0, "NetworkPolicies must not use an empty podSelector."
item
}
# Validate All resource
items = [validate(i) for i in option("items") or []]
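Review bot: the exemption on the `if` line is by name only, so any NetworkPolicy named `default-deny`, in any namespace and whatever its content, bypasses the check; since an empty `podSelector` is the standard way to write a namespace-wide default-deny policy, either document that this name is the agreed exemption or prefer a content-based test. Minor: `item?.spec.podSelector` mixes optional and plain access; `item?.spec?.podSelector` matches the other modules in this commit.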
7 changes: 7 additions & 0 deletions restrict-node-affinity/README.md
@@ -0,0 +1,7 @@
## Introduction

`restrict-node-affinity` is a KCL validation module

## Resource

The Code source and documents are [here](https://github.com/kcl-lang/modules/tree/main/restrict-node-affinity)
5 changes: 5 additions & 0 deletions restrict-node-affinity/kcl.mod
@@ -0,0 +1,5 @@
[package]
name = "restrict-node-affinity"
version = "0.1.0"
description = "`restrict-node-affinity` is a KCL validation module"

Empty file.
12 changes: 12 additions & 0 deletions restrict-node-affinity/main.k
@@ -0,0 +1,12 @@
KINDS = [
"Pod"
]

# Define the validation function
validate = lambda item: {str:} {
if item?.kind in KINDS:
assert not item?.spec?.affinity?.nodeAffinity, "Node affinity cannot be used."
item
}
# Validate All resource
items = [validate(i) for i in option("items") or []]
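Review bot: `KINDS` on the first line contains only `Pod`, so a `nodeAffinity` set in the pod template of a Deployment, StatefulSet, DaemonSet, Job or CronJob is not inspected unless the module is only ever run against rendered Pods; the same applies to `restrict-node-name` and `restrict-node-selector` in this commit. Either document that the input must be Pod objects, or add the workload kinds and also check `item?.spec?.template?.spec?.affinity?.nodeAffinity` for them.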
7 changes: 7 additions & 0 deletions restrict-node-annotation-creation/README.md
@@ -0,0 +1,7 @@
## Introduction

`restrict-node-annotation-creation` is a KCL validation module

## Resource

The Code source and documents are [here](https://github.com/kcl-lang/modules/tree/main/restrict-node-annotation-creation)
5 changes: 5 additions & 0 deletions restrict-node-annotation-creation/kcl.mod
@@ -0,0 +1,5 @@
[package]
name = "restrict-node-annotation-creation"
version = "0.1.0"
description = "`restrict-node-annotation-creation` is a KCL validation module"

Empty file.
16 changes: 16 additions & 0 deletions restrict-node-annotation-creation/main.k
@@ -0,0 +1,16 @@
KINDS = [
"Node"
]
annotations: [str] = option("params")?.annotations or []

# Define the validation function
validate = lambda item: {str:} {
if item?.kind in KINDS and annotations:
set_annotations: {str:str} = item?.metadata?.annotations
assert all l in set_annotations {
l not in annotations
}, "Setting the annotations ${annotations} on a Node is not allowed."
item
}
# Validate All resource
items = [validate(i) for i in option("items") or []]
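Review bot: `set_annotations` on the `set_annotations:` line is `item?.metadata?.annotations` with no fallback, so a Node that has no annotations makes the `all` quantifier iterate an undefined value instead of passing; write `item?.metadata?.annotations or {}`. The module is named "creation" but the check rejects the listed keys on every Node object it sees, including updates that merely carry keys already present; name or document it accordingly. Also, the loop variable `l` looks copied from the labels module; `key` would read better here.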
7 changes: 7 additions & 0 deletions restrict-node-label-creation/README.md
@@ -0,0 +1,7 @@
## Introduction

`restrict-node-label-creation` is a KCL validation module

## Resource

The Code source and documents are [here](https://github.com/kcl-lang/modules/tree/main/restrict-node-label-creation)
5 changes: 5 additions & 0 deletions restrict-node-label-creation/kcl.mod
@@ -0,0 +1,5 @@
[package]
name = "restrict-node-label-creation"
version = "0.1.0"
description = "`restrict-node-label-creation` is a KCL validation module"

Empty file.
16 changes: 16 additions & 0 deletions restrict-node-label-creation/main.k
@@ -0,0 +1,16 @@
KINDS = [
"Node"
]
labels: [str] = option("params")?.labels or []

# Define the validation function
validate = lambda item: {str:} {
if item?.kind in KINDS and labels:
set_labels: {str:str} = item?.metadata?.labels
assert all l in set_labels {
l not in labels
}, "Setting the labels ${labels} on a Node is not allowed."
item
}
# Validate All resource
items = [validate(i) for i in option("items") or []]
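Review bot: same missing fallback as in the annotations module: `set_labels` on the `set_labels:` line is `item?.metadata?.labels` with no `or {}`, so a Node without labels fails the `all` iteration rather than passing the check; write `set_labels: {str:str} = item?.metadata?.labels or {}`.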
7 changes: 7 additions & 0 deletions restrict-node-name/README.md
@@ -0,0 +1,7 @@
## Introduction

`restrict-node-name` is a KCL validation module

## Resource

The Code source and documents are [here](https://github.com/kcl-lang/modules/tree/main/restrict-node-name)
5 changes: 5 additions & 0 deletions restrict-node-name/kcl.mod
@@ -0,0 +1,5 @@
[package]
name = "restrict-node-name"
version = "0.1.0"
description = "`restrict-node-name` is a KCL validation module"

Empty file added restrict-node-name/kcl.mod.lock
Empty file.
12 changes: 12 additions & 0 deletions restrict-node-name/main.k
@@ -0,0 +1,12 @@
KINDS = [
"Pod"
]

# Define the validation function
validate = lambda item: {str:} {
if item?.kind in KINDS:
assert not item?.spec?.nodeName, "Setting the nodeName field is prohibited."
item
}
# Validate All resource
items = [validate(i) for i in option("items") or []]
7 changes: 7 additions & 0 deletions restrict-node-selector/README.md
@@ -0,0 +1,7 @@
## Introduction

`restrict-node-selector` is a KCL validation module

## Resource

The Code source and documents are [here](https://github.com/kcl-lang/modules/tree/main/restrict-node-selector)
5 changes: 5 additions & 0 deletions restrict-node-selector/kcl.mod
@@ -0,0 +1,5 @@
[package]
name = "restrict-node-selector"
version = "0.1.0"
description = "`restrict-node-selector` is a KCL validation module"

Empty file.
12 changes: 12 additions & 0 deletions restrict-node-selector/main.k
@@ -0,0 +1,12 @@
KINDS = [
"Pod"
]

# Define the validation function
validate = lambda item: {str:} {
if item?.kind in KINDS:
assert not item?.spec?.nodeSelector, "Setting the nodeSelector field is prohibited."
item
}
# Validate All resource
items = [validate(i) for i in option("items") or []]
7 changes: 7 additions & 0 deletions restrict-role-wildcard-resources/README.md
@@ -0,0 +1,7 @@
## Introduction

`restrict-role-wildcard-resources` is a KCL validation module

## Resource

The Code source and documents are [here](https://github.com/kcl-lang/modules/tree/main/restrict-role-wildcard-resources)
5 changes: 5 additions & 0 deletions restrict-role-wildcard-resources/kcl.mod
@@ -0,0 +1,5 @@
[package]
name = "restrict-role-wildcard-resources"
version = "0.1.0"
description = "`restrict-role-wildcard-resources` is a KCL validation module"

Empty file.
15 changes: 15 additions & 0 deletions restrict-role-wildcard-resources/main.k
@@ -0,0 +1,15 @@
KINDS = [
"Role"
"ClusterRole"
]

# Define the validation function
validate = lambda item: {str:} {
if item?.kind in KINDS:
assert all r in item.rules {
"*" not in r.resources
}, "Use of a wildcard ('*') in any resources is forbidden."
item
}
# Validate All resource
items = [validate(i) for i in option("items") or []]
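Review bot: `r.resources` on the `"*" not in r.resources` line is absent in ClusterRole rules that use `nonResourceURLs`, and `item.rules` itself may be absent or empty, so the assertion errors on a valid ClusterRole instead of passing; use `all r in item.rules or [] { "*" not in (r.resources or []) }`. A wildcard in `apiGroups` is covered by neither this module nor `restrict-role-wildcard-verbs`; if that is intended, say so in the README.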
7 changes: 7 additions & 0 deletions restrict-role-wildcard-verbs/README.md
@@ -0,0 +1,7 @@
## Introduction

`restrict-role-wildcard-verbs` is a KCL validation module

## Resource

The Code source and documents are [here](https://github.com/kcl-lang/modules/tree/main/restrict-role-wildcard-verbs)
5 changes: 5 additions & 0 deletions restrict-role-wildcard-verbs/kcl.mod
@@ -0,0 +1,5 @@
[package]
name = "restrict-role-wildcard-verbs"
version = "0.1.0"
description = "`restrict-role-wildcard-verbs` is a KCL validation module"

Empty file.
15 changes: 15 additions & 0 deletions restrict-role-wildcard-verbs/main.k
@@ -0,0 +1,15 @@
KINDS = [
"Role"
"ClusterRole"
]

# Define the validation function
validate = lambda item: {str:} {
if item?.kind in KINDS:
assert all r in item.rules {
"*" not in r.verbs
}, "Use of a wildcard ('*') in any verbs is forbidden."
item
}
# Validate All resource
items = [validate(i) for i in option("items") or []]
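Review bot: same `rules` guard as in the resources module: `all r in item.rules` on the `assert` line fails when a Role or ClusterRole has no `rules`; write `all r in item.rules or []`. `verbs` is required on every rule, so `r.verbs` itself needs no fallback here.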
7 changes: 7 additions & 0 deletions restrict-scale/README.md
@@ -0,0 +1,7 @@
## Introduction

`restrict-scale` is a KCL validation module

## Resource

The Code source and documents are [here](https://github.com/kcl-lang/modules/tree/main/restrict-scale)
5 changes: 5 additions & 0 deletions restrict-scale/kcl.mod
@@ -0,0 +1,5 @@
[package]
name = "restrict-scale"
version = "0.1.0"
description = "`restrict-scale` is a KCL validation module"

Empty file added restrict-scale/kcl.mod.lock
Empty file.
14 changes: 14 additions & 0 deletions restrict-scale/main.k
@@ -0,0 +1,14 @@
KINDS = [
"Deployment"
]

replicas: int = option("params")?.replicas or 5

# Define the validation function
validate = lambda item: {str:} {
if item?.kind in KINDS:
assert (item.spec?.replicas or 0) <= replicas, "The replica count for this Deployment may not exceed ${replicas}."
item
}
# Validate All resource
items = [validate(i) for i in option("items") or []]
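Review bot: `option("params")?.replicas or 5` on the `replicas:` line treats an explicit `replicas: 0` parameter as unset and silently falls back to 5, and the default of 5 is not mentioned anywhere in the README; document it, and test for an absent value explicitly if 0 is meant to be a usable limit. Minor: the `assert` line uses `item.spec?.replicas` while the other modules use `item?.spec?...`; a Deployment that omits `spec.replicas` defaults to 1 in the API but is counted here as 0, which is harmless for an upper bound but worth a comment.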
7 changes: 7 additions & 0 deletions restrict-secret-role-verbs/README.md
@@ -0,0 +1,7 @@
## Introduction

`restrict-secret-role-verbs` is a KCL validation module

## Resource

The Code source and documents are [here](https://github.com/kcl-lang/modules/tree/main/restrict-secret-role-verbs)
5 changes: 5 additions & 0 deletions restrict-secret-role-verbs/kcl.mod
@@ -0,0 +1,5 @@
[package]
name = "restrict-secret-role-verbs"
version = "0.1.0"
description = "`restrict-secret-role-verbs` is a KCL validation module"

Empty file.
16 changes: 16 additions & 0 deletions restrict-secret-role-verbs/main.k
@@ -0,0 +1,16 @@
KINDS = [
"Role"
"ClusterRole"
]

# Define the validation function
validate = lambda item: {str:} {
if item?.kind in KINDS:
verbs = [v for r in item.rules for v in r.verbs or [] if "secrets" in r.resources]
assert all verb in verbs {
verb not in ["get", "list", "watch"]
}, "Requesting verbs `get`, `list`, or `watch` on Secrets is forbidden."
item
}
# Validate All resource
items = [validate(i) for i in option("items") or []]
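Review bot: the filter `if "secrets" in r.resources` on the `verbs =` line errors when a rule has no `resources` (ClusterRole `nonResourceURLs` rules), and the literal comparisons miss rules that grant the same access indirectly: `resources: ["*"]` or `verbs: ["*"]` both cover get/list/watch on Secrets but match neither `"secrets"` nor the verb list here. Use `r.resources or []`, treat `"*"` in resources and in verbs as matching, or state in the README that the two wildcard modules are expected to run alongside this one. `item.rules` should also be `item.rules or []` as in the other role modules.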
7 changes: 7 additions & 0 deletions restrict-secrets-from-env-from/README.md
@@ -0,0 +1,7 @@
## Introduction

`restrict-secrets-from-env-from` is a KCL validation module

## Resource

The Code source and documents are [here](https://github.com/kcl-lang/modules/tree/main/restrict-secrets-from-env-from)
5 changes: 5 additions & 0 deletions restrict-secrets-from-env-from/kcl.mod
@@ -0,0 +1,5 @@
[package]
name = "restrict-secrets-from-env-from"
version = "0.1.0"
description = "`restrict-secrets-from-env-from` is a KCL validation module"

Empty file.