Merge pull request #68 from Peefy/add-more-cncf-project-validation-modules

feat: add more cncf project validation modules
Peefy authored Nov 12, 2023
2 parents 0f38211 + efb7509 commit fc6317f
Showing 44 changed files with 373 additions and 0 deletions.
16 changes: 16 additions & 0 deletions add-castai-removal-disabled/README.md
@@ -0,0 +1,16 @@
## Introduction

`add-castai-removal-disabled` is a KCL mutation package.

## How to Use

Add the source to your `KCLRun`` resource and use the [kubectl kcl plugin](https://kcl-lang.io/docs/user_docs/guides/working-with-k8s/mutate-manifests/kubectl-kcl-plugin) or the [kcl operator](https://kcl-lang.io/docs/user_docs/guides/working-with-k8s/mutate-manifests/kcl-operator) to integrate this model.

```yaml
apiVersion: krm.kcl.dev/v1alpha1
kind: KCLRun
metadata:
name: add-castai-removal-disabled
spec:
source: oci://ghcr.io/kcl-lang/add-castai-removal-disabled
```
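Review bot: stray extra backtick in the usage sentence: `KCLRun`` renders with a literal backtick after the code span; it should be `KCLRun`. The README should also say what the mutation actually does (merges the `autoscaling.cast.ai/removal-disabled: "true"` label into the pod template of Job and CronJob resources) and that the label set can be overridden with the `labels` option, since nothing on this page tells a user which resources the package changes.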
5 changes: 5 additions & 0 deletions add-castai-removal-disabled/kcl.mod
@@ -0,0 +1,5 @@
[package]
name = "add-castai-removal-disabled"
edition = "*"
version = "0.1.0"
description = "`add-castai-removal-disabled` is a kcl mutation package."
9 changes: 9 additions & 0 deletions add-castai-removal-disabled/main.k
@@ -0,0 +1,9 @@
labels = option("labels") or {
"autoscaling.cast.ai/removal-disabled" = "true"
}
items = [item | {
if item.kind == "Job":
spec.template.metadata.labels: labels
elif item.kind == "CronJob":
jobTemplate.template.metadata.labels: labels
} for item in option("items") or []]
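Review bot: the CronJob branch writes to the wrong path. `jobTemplate.template.metadata.labels: labels` creates a new top-level `jobTemplate` key beside `spec` instead of merging into the existing one, and even relative to `spec` the pod template of a CronJob lives at `spec.jobTemplate.spec.template`, so the label never reaches the pod template. Suggest `spec.jobTemplate.spec.template.metadata.labels: labels`. The Job branch (`spec.template.metadata.labels`) is correct.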
7 changes: 7 additions & 0 deletions add-network-policy-dns/README.md
@@ -0,0 +1,7 @@
## Introduction

`add-network-policy-dns` is a KCL mutation module

## Resource

The Code source and documents are [here](https://github.com/kcl-lang/artifacthub/tree/main/add-network-policy-dns)
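Review bot: the README has no usage section; the `add-castai-removal-disabled` README in this same PR shows the `KCLRun` snippet and the kubectl plugin and operator links, and this module needs that more, since it generates new resources rather than mutating existing ones. It should also state what is generated (a NetworkPolicy per input Namespace that allows UDP 53 egress to kube-system) so users understand it is meant to be applied together with the default-deny policy from `add-network-policy`.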
6 changes: 6 additions & 0 deletions add-network-policy-dns/kcl.mod
@@ -0,0 +1,6 @@
[package]
name = "add-network-policy-dns"
edition = "*"
version = "0.1.0"
description = "`add-network-policy-dns` is a KCL mutation module"

Empty file.
21 changes: 21 additions & 0 deletions add-network-policy-dns/main.k
@@ -0,0 +1,21 @@
ns_list = [item.metadata.name for item in option("items") or [] if item.kind == "Namespace"]
items = (option("items") or []) + [{
apiVersion: "networking.k8s.io/v1"
kind: "NetworkPolicy"
name: "allow-dns"
namespace: "${ns.metadata.name}"
synchronize: False
data.spec: {
# select all pods in the namespace
podSelector.matchLabels: {}
# deny all traffic
policyTypes: ["Egress"]
egress: [{
to: [{namespaceSelector.matchLabels.name = "kube-system"}]
ports: [{
protocol: "UDP"
port = 53
}]
}]
}
} for ns in ns_list]
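Review bot: `ns_list` holds namespace names (strings), so `"${ns.metadata.name}"` on the `namespace:` line fails at evaluation; use `namespace: ns`. Separately, the generated object is not a valid `NetworkPolicy`: `name`, `namespace`, `synchronize` and `data.spec` are Kyverno generate-rule fields, whereas a manifest needs `metadata: {name: "allow-dns", namespace: ns}` and `spec: {...}` at the top level. Two points on the policy body: `namespaceSelector.matchLabels.name = "kube-system"` depends on a `name` label that nothing sets by default; the label Kubernetes applies to every namespace is `kubernetes.io/metadata.name`, so select on that. And DNS falls back to TCP when a response does not fit in a UDP message, so the egress rule should list both `UDP` and `TCP` on port 53, otherwise the companion default-deny policy silently breaks large lookups. The `# deny all traffic` comment is also misleading here: this policy only allows DNS egress; the deny comes from `add-network-policy`.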
7 changes: 7 additions & 0 deletions add-network-policy/README.md
@@ -0,0 +1,7 @@
## Introduction

`add-network-policy` is a KCL mutation module

## Resource

The Code source and documents are [here](https://github.com/kcl-lang/artifacthub/tree/main/add-network-policy)
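Review bot: same gap as in the `add-network-policy-dns` README: no usage section, and no statement that applying this module blocks all ingress and egress, DNS included, for every Namespace in the input, so users know to pair it with `add-network-policy-dns` or their own allow rules.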
6 changes: 6 additions & 0 deletions add-network-policy/kcl.mod
@@ -0,0 +1,6 @@
[package]
name = "add-network-policy"
edition = "*"
version = "0.1.0"
description = "`add-network-policy` is a KCL mutation module"

Empty file added add-network-policy/kcl.mod.lock
Empty file.
14 changes: 14 additions & 0 deletions add-network-policy/main.k
@@ -0,0 +1,14 @@
ns_list = [item.metadata.name for item in option("items") or [] if item.kind == "Namespace"]
items = (option("items") or []) + [{
apiVersion: "networking.k8s.io/v1"
kind: "NetworkPolicy"
name: "default-deny"
namespace: "${ns.metadata.name}"
synchronize: True
data.spec: {
# select all pods in the namespace
podSelector: {}
# deny all traffic
policyTypes: ["Ingress", "Egress"]
}
} for ns in ns_list]
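Review bot: same two evaluation problems as in `add-network-policy-dns/main.k`: `ns` is a string, so `"${ns.metadata.name}"` fails (use `namespace: ns`), and `name`, `namespace`, `synchronize` and `data.spec` are Kyverno generate-rule fields rather than the `metadata`/`spec` layout of a Kubernetes `NetworkPolicy`. `synchronize: True` here versus `synchronize: False` in the DNS module has no meaning outside Kyverno and should be dropped. The policy body itself (`podSelector: {}` with `policyTypes: ["Ingress", "Egress"]`) is the correct default-deny shape.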
7 changes: 7 additions & 0 deletions add-safe-to-evict/README.md
@@ -0,0 +1,7 @@
## Introduction

`add-safe-to-evict` is a KCL mutation module

## Resource

The Code source and documents are [here](https://github.com/kcl-lang/artifacthub/tree/main/add-safe-to-evict)
5 changes: 5 additions & 0 deletions add-safe-to-evict/kcl.mod
@@ -0,0 +1,5 @@
[package]
name = "add-safe-to-evict"
edition = "*"
version = "0.1.0"
description = "`add-safe-to-evict` is a KCL mutation module"
6 changes: 6 additions & 0 deletions add-safe-to-evict/main.k
@@ -0,0 +1,6 @@
items = [item | {
if item.kind == "Pod":
metadata.annotations: {
"cluster-autoscaler.kubernetes.io/safe-to-evict": "true"
}
} for item in option("items") or []]
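Review bot: only bare `Pod` objects are annotated, but pods are almost always created by a controller, so the annotation should also be merged into `spec.template.metadata.annotations` for Deployment, StatefulSet, DaemonSet, ReplicaSet and Job (and `spec.jobTemplate.spec.template.metadata.annotations` for CronJob), the way `add-castai-removal-disabled` in this PR handles Job and CronJob. Also worth a README caveat: `safe-to-evict: "true"` on every pod removes the cluster autoscaler's protection for pods with local storage or without a controller, so the package should be scoped (for example via a `kinds` or label option) rather than applied to everything by default.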
7 changes: 7 additions & 0 deletions cert-manager-limit-dns-names/README.md
@@ -0,0 +1,7 @@
## Introduction

`cert-manager-limit-dns-names` is a KCL validation module"

## Resource

The Code source and documents are [here](https://github.com/kcl-lang/artifacthub/tree/main/cert-manager-limit-dns-names)
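Review bot: stray trailing `"` at the end of the introduction line (`...validation module"`); the same typo is in the README of every validation module added in this PR. A one-line statement of what is enforced (at most one entry in `spec.dnsNames` on a `Certificate`) would help users more than the link alone.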
4 changes: 4 additions & 0 deletions cert-manager-limit-dns-names/kcl.mod
@@ -0,0 +1,4 @@
[package]
name = "cert-manager-limit-dns-names"
version = "0.1.0"
description = "`cert-manager-limit-dns-names` is a KCL validation module"
8 changes: 8 additions & 0 deletions cert-manager-limit-dns-names/main.k
@@ -0,0 +1,8 @@
# Define the validation function
validate = lambda item {
if item.kind == "Certificate":
assert len(item?.spec?.dnsNames or []) <= 1, "Only one dnsNames entry allowed per certificate request."
item
}
# Validate All resource
items = [validate(i) for i in option("items") or []]
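Review bot: the check bounds only `spec.dnsNames`; a `Certificate` can also request SANs through `spec.ipAddresses`, `spec.uris` and `spec.emailAddresses`, plus a `commonName` on top of the one DNS name, and none of those are counted. If the intent is "one subject name per certificate", say so in the message and count those fields as well. The message also says "per certificate request" while the rule matches `kind == "Certificate"`, not `CertificateRequest`.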
7 changes: 7 additions & 0 deletions cert-manager-limit-duration/README.md
@@ -0,0 +1,7 @@
## Introduction

`cert-manager-limit-duration` is a KCL validation module"

## Resource

The Code source and documents are [here](https://github.com/kcl-lang/artifacthub/tree/main/cert-manager-limit-duration)
4 changes: 4 additions & 0 deletions cert-manager-limit-duration/kcl.mod
@@ -0,0 +1,4 @@
[package]
name = "cert-manager-limit-duration"
version = "0.1.0"
description = "`cert-manager-limit-duration` is a KCL validation module"
11 changes: 11 additions & 0 deletions cert-manager-limit-duration/main.k
@@ -0,0 +1,11 @@
import regex
# Define the validation function
validate = lambda item {
if item.kind == "Certificate":
if "letsencrypt" in item.spec.issuerRef.name and item.spec?.duration:
duration = int(regex.replace(item.spec?.duration, "h.*", ""))
assert 0 <= duration <= 2400, "certificate duration must be < than 2400h (100 days)"
item
}
# Validate All resource
items = [validate(i) for i in option("items") or []]
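Review bot: the assertion and its message disagree: `0 <= duration <= 2400` accepts exactly 2400h while the message says `< than 2400h`. More importantly, `int(regex.replace(duration, "h.*", ""))` is a brittle parse: cert-manager accepts any Go duration string, so `2400h30m` truncates to 2400 and passes, `1.5h` makes `int()` raise a runtime error instead of a policy message, and a value with no `h` component at all (`150000m`) errors rather than being rejected. Suggest matching the whole string with `regex.match` against an explicit pattern and asserting on the match first, then converting, so an unexpected format is a policy failure with a clear message. The check also fires only when `issuerRef.name` contains `letsencrypt`; that matches the upstream policy but should be stated in the README.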
7 changes: 7 additions & 0 deletions cert-manager-restrict-issuer/README.md
@@ -0,0 +1,7 @@
## Introduction

`cert-manager-restrict-issuer` is a KCL validation module"

## Resource

The Code source and documents are [here](https://github.com/kcl-lang/artifacthub/tree/main/cert-manager-restrict-issuer)
4 changes: 4 additions & 0 deletions cert-manager-restrict-issuer/kcl.mod
@@ -0,0 +1,4 @@
[package]
name = "cert-manager-restrict-issuer"
version = "0.1.0"
description = "`cert-manager-restrict-issuer` is a KCL validation module"
13 changes: 13 additions & 0 deletions cert-manager-restrict-issuer/main.k
@@ -0,0 +1,13 @@
# Define the validation function
validate = lambda item {
if item.kind == "Certificate":
if any n in item.spec.dnsNames {
n.endswith(".corp.com")
}:
issuerRef = item.spec.issuerRef
condition = issuerRef.name == "our-corp-issuer" and issuerRef.kind == "ClusterIssuer" and issuerRef.group == "cert-manager.io"
assert condition, "When requesting a cert for this domain, you must use our corporate issuer."
item
}
# Validate All resource
items = [validate(i) for i in option("items") or []]
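Review bot: `any n in item.spec.dnsNames` is unguarded; a `Certificate` that sets only `commonName` has no `dnsNames`, so write `item.spec?.dnsNames or []` as the other modules do. Two gaps in the domain check: `n.endswith(".corp.com")` does not match the apex name `corp.com` itself, so a certificate for the bare domain escapes the corporate-issuer requirement; and `issuerRef.group == "cert-manager.io"` fails a Certificate that omits `group`, even though cert-manager defaults it to `cert-manager.io`, so compare `(issuerRef.group or "cert-manager.io")`. Finally `.corp.com` and `our-corp-issuer` are hard-coded; they should come from `option("params")` the way `kinds` does in `disallow-default-namespace`.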
7 changes: 7 additions & 0 deletions consul-enforce-min-tls-version/README.md
@@ -0,0 +1,7 @@
## Introduction

`consul-enforce-min-tls-version` is a KCL validation module"

## Resource

The Code source and documents are [here](https://github.com/kcl-lang/artifacthub/tree/main/consul-enforce-min-tls-version)
4 changes: 4 additions & 0 deletions consul-enforce-min-tls-version/kcl.mod
@@ -0,0 +1,4 @@
[package]
name = "consul-enforce-min-tls-version"
version = "0.1.0"
description = "`consul-enforce-min-tls-version` is a KCL validation module"
8 changes: 8 additions & 0 deletions consul-enforce-min-tls-version/main.k
@@ -0,0 +1,8 @@
# Define the validation function
validate = lambda item {
if item.kind == "Mesh":
assert item.spec.tls.incoming.tlsMinVersion == "TLSv1_2", "The minimum version of TLS is TLS v1_2"
item
}
# Validate All resource
items = [validate(i) for i in option("items") or []]
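Review bot: `tlsMinVersion == "TLSv1_2"` rejects `TLSv1_3`, which is stricter than a minimum-version rule should be; assert `item.spec.tls.incoming.tlsMinVersion in ["TLSv1_2", "TLSv1_3"]`. The access is also unguarded: a `Mesh` resource without `spec.tls.incoming` errors instead of failing the assertion, and a `Mesh` that omits `tlsMinVersion` entirely is not caught at all, which is the common case this policy exists for. Use `item?.spec?.tls?.incoming?.tlsMinVersion` and decide explicitly whether an absent value passes, since the current code neither checks nor documents it. `spec.tls.outgoing.tlsMinVersion` is left unchecked too.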
7 changes: 7 additions & 0 deletions disallow-cri-sock-mount/README.md
@@ -0,0 +1,7 @@
## Introduction

`disallow-cri-sock-mount` is a KCL validation module"

## Resource

The Code source and documents are [here](https://github.com/kcl-lang/artifacthub/tree/main/disallow-cri-sock-mount)
4 changes: 4 additions & 0 deletions disallow-cri-sock-mount/kcl.mod
@@ -0,0 +1,4 @@
[package]
name = "disallow-cri-sock-mount"
version = "0.1.0"
description = "`disallow-cri-sock-mount` is a KCL validation module"
22 changes: 22 additions & 0 deletions disallow-cri-sock-mount/main.k
@@ -0,0 +1,22 @@
"""Container daemon socket bind mounts allows access to the container engine on the
node. This access can be used for privilege escalation and to manage containers
outside of Kubernetes, and hence should not be allowed. This policy validates that
the sockets used for CRI engines Docker, Containerd, and CRI-O are not used.
"""

# Define the validation function
validate = lambda item {
if item.kind == "Pod":
paths = [p.path for v in item?.spec?.volumes or [] for p in v.hostPath]
assert all p in paths {
p not in [
"/var/run/docker.sock"
"/var/run/containerd.sock"
"/var/run/crio.sock"
"/var/run/cri-dockerd.sock"
]
} if paths, "Use of the Docker Unix socket, Containerd Unix socket, CRI-O Unix socket and Docker CRI socket are not allowed."
item
}
# Validate All resource
items = [validate(i) for i in option("items") or []]
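Review bot: the path collection does not work: `hostPath` is an object (`{path, type}`), not a list, so `for p in v.hostPath` iterates its keys and `p.path` fails, and volumes with no `hostPath` at all (configMap, emptyDir, secret) make `v.hostPath` None. Use `[v.hostPath.path for v in item?.spec?.volumes or [] if v?.hostPath?.path]`. The socket list also will not match the real defaults: containerd listens on `/var/run/containerd/containerd.sock` and CRI-O on `/var/run/crio/crio.sock`, not `/var/run/containerd.sock` and `/var/run/crio.sock`. Since `/var/run` is a symlink to `/run` on most distributions, an exact-string denylist is also bypassed by `/run/docker.sock`, a trailing slash, or by mounting a parent directory (`/var/run`, `/run`, `/`), so normalise the path and reject any hostPath that is a prefix of a socket path as well. Like the other modules, this one only inspects `Pod`, not the controllers that create pods.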
7 changes: 7 additions & 0 deletions disallow-default-namespace/README.md
@@ -0,0 +1,7 @@
## Introduction

`disallow-default-namespace` is a KCL validation module"

## Resource

The Code source and documents are [here](https://github.com/kcl-lang/artifacthub/tree/main/disallow-default-namespace)
4 changes: 4 additions & 0 deletions disallow-default-namespace/kcl.mod
@@ -0,0 +1,4 @@
[package]
name = "disallow-default-namespace"
version = "0.1.0"
description = "`disallow-default-namespace` is a KCL validation module"
17 changes: 17 additions & 0 deletions disallow-default-namespace/main.k
@@ -0,0 +1,17 @@
kinds: [str] = option("params")?.kinds or option("kinds") or [
"Pod"
"DaemonSet"
"Deployment"
"Job"
"StatefulSet"
]

# Define the validation function
validate = lambda item {
if item.kind in kinds:
ns = item?.matadata?.namespace or "default"
assert ns != "Using 'default' namespace is not allowed for ${item.kind}: ${item.metadata.name}"
item
}
# Validate All resource
items = [validate(i) for i in option("items") or []]
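Review bot: this rule can never fire. `item?.matadata?.namespace` misspells `metadata`, so `ns` is always `"default"`, and the assertion is missing the comma between condition and message: `assert ns != "Using 'default' namespace ..."` compares the namespace against the message string, which is always true. It should read `ns = item?.metadata?.namespace or "default"` followed by `assert ns != "default", "Using 'default' namespace is not allowed for ${item.kind}: ${item.metadata.name}"`. A test with a namespaced resource that lacks `metadata.namespace` would have caught both.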
7 changes: 7 additions & 0 deletions disallow-empty-ingress-host/README.md
@@ -0,0 +1,7 @@
## Introduction

`disallow-empty-ingress-host` is a KCL validation module"

## Resource

The Code source and documents are [here](https://github.com/kcl-lang/artifacthub/tree/main/disallow-empty-ingress-host)
4 changes: 4 additions & 0 deletions disallow-empty-ingress-host/kcl.mod
@@ -0,0 +1,4 @@
[package]
name = "disallow-empty-ingress-host"
version = "0.1.0"
description = "`disallow-empty-ingress-host` is a KCL validation module"
14 changes: 14 additions & 0 deletions disallow-empty-ingress-host/main.k
@@ -0,0 +1,14 @@
"""An ingress resource needs to define an actual host name
in order to be valid. This policy ensures that there is a
hostname for each rule defined.
"""

# Define the validation function
validate = lambda item {
if item.kind == "Ingress":
host_list = [r.host for r in item?.spec?.rules if not r.host]
assert len(host_list) == 0, "The Ingress host name must be defined, not empty."
item
}
# Validate All resource
items = [validate(i) for i in option("items") or []]
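Review bot: `for r in item?.spec?.rules` iterates None when an Ingress defines only `defaultBackend` and no `rules`, which is a valid Ingress that should pass; follow the other modules and write `item?.spec?.rules or []`, and use `r?.host` in case a rule is written without the key. The docstring could also say why an empty host is refused: a rule with no `host` applies to all inbound HTTP traffic through the controller, so it can act as a catch-all for hostnames owned by other teams.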
7 changes: 7 additions & 0 deletions disallow-helm-tiller/README.md
@@ -0,0 +1,7 @@
## Introduction

`disallow-helm-tiller` is a KCL validation module"

## Resource

The Code source and documents are [here](https://github.com/kcl-lang/artifacthub/tree/main/disallow-helm-tiller)
4 changes: 4 additions & 0 deletions disallow-helm-tiller/kcl.mod
@@ -0,0 +1,4 @@
[package]
name = "disallow-helm-tiller"
version = "0.1.0"
description = "`disallow-helm-tiller` is a KCL validation module"
22 changes: 22 additions & 0 deletions disallow-helm-tiller/main.k
@@ -0,0 +1,22 @@
"""Tiller, found in Helm v2, has known security challenges. It requires administrative privileges and acts as a shared
resource accessible to any authenticated user. Tiller can lead to privilege escalation as
restricted users can impact other users. It is recommend to use Helm v3+ which does not contain
Tiller for these reasons. This policy validates that there is not an image
containing the name `tiller`.
"""

# Define the validation function
validate = lambda item: {str:} {
containers: [{str:}] = []
if item.kind == "Pod":
containers = (item?.spec?.containers or []) + (item?.spec?.phemeralContainers or []) + (item?.spec?.initContainers or [])
elif item.kind == "Deployment":
containers = (item?.spec?.template?.spec?.containers or []) + (item?.spec?.template?.spec?.phemeralContainers or []) + (item?.spec?.template?.spec?.initContainers or [])
images: [str] = [c.image for c in containers]
assert all image in images {
"tiller" not in image
} if images, """Helm Tiller is not allowed for ${item.kind}: ${item.metadata.name}"""
item
}
# Validate All resource
items = [validate(i) for i in option("items")]
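Review bot: `phemeralContainers` is misspelled (`ephemeralContainers`) in both the Pod and Deployment branches, so ephemeral containers are never inspected; the same typo is in `disallow-image-repos/main.k`. `option("items")` on the last line is missing the `or []` guard the other modules use. Coverage is also narrower than the upstream policy: DaemonSet, StatefulSet, ReplicaSet, Job and CronJob templates are not checked, so a Tiller image in any of those passes. Minor: `"tiller" not in image` is a substring test and will also reject unrelated images whose name merely contains `tiller`; matching on the image name component is safer. Docstring: "It is recommend" should be "It is recommended".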
5 changes: 5 additions & 0 deletions disallow-image-repos/README.md
@@ -0,0 +1,5 @@
## Introduction

## Resource

Code source and document is [here](https://github.com/kcl-lang/artifacthub/tree/main/disallow-image-repos)
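Review bot: the Introduction section is empty; the README should say that `repos` is a list of image prefixes to reject, how to pass it (`option("params").repos`), and which kinds are inspected (Pod and Deployment).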
4 changes: 4 additions & 0 deletions disallow-image-repos/kcl.mod
@@ -0,0 +1,4 @@
[package]
name = "disallow-image-repos"
version = "0.1.0"
description = "`disallow-image-repos` is a kcl validation package"
23 changes: 23 additions & 0 deletions disallow-image-repos/main.k
@@ -0,0 +1,23 @@
"""Disallowed container image repositories that begin with a string from the specified list.
"""

# The list of prefixes a container image is allowed to have.
repos: [str] = option("params").repos or []

# Define the validation function
validate = lambda item {
containers = []
if item.kind == "Pod" and repos:
containers = (item.spec.containers or []) + (item.spec.phemeralContainers or []) + (item.spec.initContainers or [])
elif item.kind == "Deployment":
containers = (item.spec.template.spec.containers or []) + (item.spec.template.spec.phemeralContainers or []) + (item.spec.template.spec.initContainers or [])
images: [str] = [c.image for c in containers]
assert all image in images {
all repo in repos {
not image.startswith(repo)
}
} if images and repos, """Use of image is disallowed for ${item.kind}: ${item.metadata.name}, valid repos ${repos}"""
item
}
# Validate All resource
items = [validate(i) for i in option("items")]
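Review bot: the comment on `repos` ("The list of prefixes a container image is allowed to have") and the message ("valid repos ${repos}") describe an allowlist, but the assertion `not image.startswith(repo)` for every `repo` implements a denylist, as the docstring says. Fix the comment and message, or invert the logic: an allowlist is the stronger control, since a prefix denylist is bypassed by any alternate spelling of the same registry (`docker.io/library/nginx` versus `nginx`, a mirror hostname, or a digest reference). `option("params").repos` errors when no params are passed; use `option("params")?.repos or []`. `phemeralContainers` is misspelled in both branches, the `Deployment` branch drops the `and repos` guard the `Pod` branch has, and `option("items")` lacks `or []`.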
7 changes: 7 additions & 0 deletions disallow-latest-tag/README.md
@@ -0,0 +1,7 @@
## Introduction

`disallow-latest-tag` is a KCL validation module"

## Resource

The Code source and documents are [here](https://github.com/kcl-lang/artifacthub/tree/main/disallow-latest-tag)
4 changes: 4 additions & 0 deletions disallow-latest-tag/kcl.mod
@@ -0,0 +1,4 @@
[package]
name = "disallow-latest-tag"
version = "0.1.0"
description = "`disallow-latest-tag` is a KCL validation module"