Merge pull request #31 from kcl-lang/psp-volumes-module

feat: add psp volume module
kcl-lang · Oct 31, 2023 · d24910a · d24910a
2 parents c7e95c2 + 7bd3842
commit d24910a
Show file tree

Hide file tree

Showing 4 changed files with 39 additions and 0 deletions.
diff --git a/psp-volumes/README.md b/psp-volumes/README.md
@@ -0,0 +1,9 @@
+## Introduction
+
+`psp-volumes` is a kcl PSP validation package. 
+
+Restricts mountable volume types to those specified by the user. Corresponds to the `volumes` field in a PodSecurityPolicy. For more information, see https://kubernetes.io/docs/concepts/policy/pod-security-policy/#volumes-and-file-systems
+
+## Resource
+
+Code source and document is [here](https://github.com/kcl-lang/artifacthub/tree/main/psp-volumes)
diff --git a/psp-volumes/kcl.mod b/psp-volumes/kcl.mod
@@ -0,0 +1,5 @@
+[package]
+name = "psp-volumes"
+version = "0.1.1"
+description = "`psp-volumes` is a kcl validation package"
+
diff --git a/psp-volumes/kcl.mod.lock b/psp-volumes/kcl.mod.lock
diff --git a/psp-volumes/main.k b/psp-volumes/main.k
@@ -0,0 +1,25 @@
+"""Restricts mountable volume types to those specified by the user.
+Corresponds to the `volumes` field in a PodSecurityPolicy. For more
+information, see
+https://kubernetes.io/docs/concepts/policy/pod-security-policy/#volumes-and-file-systems
+"""
+
+schema Params:
+    volumes: [str]
+
+params: Params = option("params")
+
+# Define the validation function
+validate = lambda item: {str:} {
+    if item.kind == "Pod":
+        volume_fields = [k for v in item.spec.volumes for k in v if k != "name"]
+        if not any v in params.volumes {
+            v == "*"
+        }:
+            invalid_fields = [v for v in volume_fields if v not in params.volumes]
+            assert len(invalid_fields) == 0, "The volume types ${invalid_fields} is not allowed, pod: ${item.metadata.name}. Allowed volume types: ${params.volumes}"
+    # Return the resource
+    item
+}
+# Validate All resource
+items = [validate(i) for i in option("items")]