Merge pull request #68 from Peefy/add-more-cncf-project-validation-modules
feat: add more cncf project validation modules
Showing 44 changed files with 373 additions and 0 deletions.
@@ -0,0 +1,16 @@ | ||
## Introduction | ||
|
||
`add-castai-removal-disabled` is a KCL mutation package. | ||
|
||
## How to Use | ||
|
||
Add the source to your `KCLRun`` resource and use the [kubectl kcl plugin](https://kcl-lang.io/docs/user_docs/guides/working-with-k8s/mutate-manifests/kubectl-kcl-plugin) or the [kcl operator](https://kcl-lang.io/docs/user_docs/guides/working-with-k8s/mutate-manifests/kcl-operator) to integrate this model. | ||
|
||
```yaml | ||
apiVersion: krm.kcl.dev/v1alpha1 | ||
kind: KCLRun | ||
metadata: | ||
name: add-castai-removal-disabled | ||
spec: | ||
source: oci://ghcr.io/kcl-lang/add-castai-removal-disabled | ||
``` |
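Review bot: the inline code span on the "How to Use" line is unbalanced, `KCLRun`` renders with a stray trailing backtick; change it to `KCLRun`. The README also says "KCL mutation package" while the kcl.mod description in this PR says "kcl mutation package"; pick one capitalisation for both.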
@@ -0,0 +1,5 @@ | ||
[package] | ||
name = "add-castai-removal-disabled" | ||
edition = "*" | ||
version = "0.1.0" | ||
description = "`add-castai-removal-disabled` is a kcl mutation package." |
@@ -0,0 +1,9 @@ | ||
labels = option("labels") or { | ||
"autoscaling.cast.ai/removal-disabled" = "true" | ||
} | ||
items = [item | { | ||
if item.kind == "Job": | ||
spec.template.metadata.labels: labels | ||
elif item.kind == "CronJob": | ||
jobTemplate.template.metadata.labels: labels | ||
} for item in option("items") or []] |
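Review bot: the CronJob branch writes to the wrong path. Labels for the pods a CronJob creates live at `spec.jobTemplate.spec.template.metadata.labels`, but the `elif` branch targets `jobTemplate.template.metadata.labels`, which adds an unknown top-level `jobTemplate` key to the CronJob (rejected or pruned by the API server, depending on validation settings) and leaves the real pod template untouched, so the castai label never reaches the Jobs. Suggest `spec.jobTemplate.spec.template.metadata.labels: labels`. Since `option("labels")` is user-supplied, consider declaring it as `labels: {str:str} = ...` so a malformed value fails at evaluation time rather than at apply time.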
@@ -0,0 +1,7 @@ | ||
## Introduction | ||
|
||
`add-network-policy-dns` is a KCL mutation module | ||
|
||
## Resource | ||
|
||
The Code source and documents are [here](https://github.com/kcl-lang/artifacthub/tree/main/add-network-policy-dns) |
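Review bot: "The Code source and documents are [here]" reads awkwardly; suggest "The source code and documentation are [here](...)". The same sentence is copied into the other module READMEs in this PR, so fix it in all of them.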
@@ -0,0 +1,6 @@ | ||
[package] | ||
name = "add-network-policy-dns" | ||
edition = "*" | ||
version = "0.1.0" | ||
description = "`add-network-policy-dns` is a KCL mutation module" | ||
|
Empty file.
@@ -0,0 +1,21 @@ | ||
ns_list = [item.metadata.name for item in option("items") or [] if item.kind == "Namespace"] | ||
items = (option("items") or []) + [{ | ||
apiVersion: "networking.k8s.io/v1" | ||
kind: "NetworkPolicy" | ||
name: "allow-dns" | ||
namespace: "${ns.metadata.name}" | ||
synchronize: False | ||
data.spec: { | ||
# select all pods in the namespace | ||
podSelector.matchLabels: {} | ||
# deny all traffic | ||
policyTypes: ["Egress"] | ||
egress: [{ | ||
to: [{namespaceSelector.matchLabels.name = "kube-system"}] | ||
ports: [{ | ||
protocol: "UDP" | ||
port = 53 | ||
}] | ||
}] | ||
} | ||
} for ns in ns_list] |
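Review bot: `ns_list` is a list of namespace name strings (`item.metadata.name`), so `"${ns.metadata.name}"` dereferences an attribute of a `str` and fails; use `"${ns}"` or collect the Namespace objects instead of their names. The generated object is also not a Kubernetes manifest: `name`, `namespace`, `synchronize` and `data.spec` are the shape of a Kyverno generate-rule body, whereas a NetworkPolicy needs `metadata.name`, `metadata.namespace` and `spec`. On the policy content itself: `namespaceSelector.matchLabels.name = "kube-system"` relies on a `name` label that Kubernetes does not set automatically (the immutable well-known label is `kubernetes.io/metadata.name`), so on a cluster without that custom label the selector matches nothing and DNS egress is blocked rather than allowed; and only UDP/53 is permitted, so resolvers that fall back to TCP for truncated responses will fail. Finally, the comment `# deny all traffic` is misleading: `policyTypes: ["Egress"]` leaves ingress unrestricted, and the rule explicitly allows DNS egress. Mixed `=`/`:` assignment (`port = 53` next to `protocol: "UDP"`) should be unified too.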
@@ -0,0 +1,7 @@ | ||
## Introduction | ||
|
||
`add-network-policy` is a KCL mutation module | ||
|
||
## Resource | ||
|
||
The Code source and documents are [here](https://github.com/kcl-lang/artifacthub/tree/main/add-network-policy) |
@@ -0,0 +1,6 @@ | ||
[package] | ||
name = "add-network-policy" | ||
edition = "*" | ||
version = "0.1.0" | ||
description = "`add-network-policy` is a KCL mutation module" | ||
|
Empty file.
@@ -0,0 +1,14 @@ | ||
ns_list = [item.metadata.name for item in option("items") or [] if item.kind == "Namespace"] | ||
items = (option("items") or []) + [{ | ||
apiVersion: "networking.k8s.io/v1" | ||
kind: "NetworkPolicy" | ||
name: "default-deny" | ||
namespace: "${ns.metadata.name}" | ||
synchronize: True | ||
data.spec: { | ||
# select all pods in the namespace | ||
podSelector: {} | ||
# deny all traffic | ||
policyTypes: ["Ingress", "Egress"] | ||
} | ||
} for ns in ns_list] |
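Review bot: same two defects as in the DNS module: `ns` is a `str`, so `"${ns.metadata.name}"` fails (use `"${ns}"`), and the emitted object uses `name`/`namespace`/`synchronize`/`data.spec` instead of `metadata.name`/`metadata.namespace`/`spec`, so it will not apply as a NetworkPolicy. Worth documenting as well that this default-deny covers both Ingress and Egress, so a namespace that receives it but not the companion allow-dns policy loses name resolution; the README should state that the two modules are meant to be used together and why their `synchronize` flags differ (`True` here, `False` in add-network-policy-dns).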
@@ -0,0 +1,7 @@ | ||
## Introduction | ||
|
||
`add-safe-to-evict` is a KCL mutation module | ||
|
||
## Resource | ||
|
||
The Code source and documents are [here](https://github.com/kcl-lang/artifacthub/tree/main/add-safe-to-evict) |
@@ -0,0 +1,5 @@ | ||
[package] | ||
name = "add-safe-to-evict" | ||
edition = "*" | ||
version = "0.1.0" | ||
description = "`add-safe-to-evict` is a KCL mutation module" |
@@ -0,0 +1,6 @@ | ||
items = [item | { | ||
if item.kind == "Pod": | ||
metadata.annotations: { | ||
"cluster-autoscaler.kubernetes.io/safe-to-evict": "true" | ||
} | ||
} for item in option("items") or []] |
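Review bot: the annotation is forced onto every Pod, including the ones the cluster-autoscaler deliberately refuses to evict (pods using local storage such as emptyDir/hostPath, and pods not managed by a controller). A blanket `safe-to-evict: "true"` switches those protections off cluster-wide, so the target set should be configurable, for example via `option("params")?.namespaces` or a label selector in the style of the `kinds` parameter used by disallow-default-namespace, or at least exclude `kube-system`. The `|` merge preserves existing annotations rather than replacing them, which is the right behaviour and worth a comment.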
@@ -0,0 +1,7 @@ | ||
## Introduction | ||
|
||
`cert-manager-limit-dns-names` is a KCL validation module" | ||
|
||
## Resource | ||
|
||
The Code source and documents are [here](https://github.com/kcl-lang/artifacthub/tree/main/cert-manager-limit-dns-names) |
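Review bot: stray `"` at the end of the Introduction line (`module"`), apparently carried over from the kcl.mod description string. The same trailing quote appears in the Introduction of every validation-module README in this PR (cert-manager-limit-duration, cert-manager-restrict-issuer, consul-enforce-min-tls-version, disallow-cri-sock-mount, disallow-default-namespace, disallow-empty-ingress-host, disallow-helm-tiller, disallow-latest-tag); please remove it in all of them.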
@@ -0,0 +1,4 @@ | ||
[package] | ||
name = "cert-manager-limit-dns-names" | ||
version = "0.1.0" | ||
description = "`cert-manager-limit-dns-names` is a KCL validation module" |
@@ -0,0 +1,8 @@ | ||
# Define the validation function | ||
validate = lambda item { | ||
if item.kind == "Certificate": | ||
assert len(item?.spec?.dnsNames or []) <= 1, "Only one dnsNames entry allowed per certificate request." | ||
item | ||
} | ||
# Validate All resource | ||
items = [validate(i) for i in option("items") or []] |
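Review bot: the null-safe access `item?.spec?.dnsNames or []` is the right pattern and should be used consistently in the other validation modules of this PR, several of which dereference `item.spec...` directly. Minor: the comment `# Validate All resource` should read `# Validate all resources` (copied into every module).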
@@ -0,0 +1,7 @@ | ||
## Introduction | ||
|
||
`cert-manager-limit-duration` is a KCL validation module" | ||
|
||
## Resource | ||
|
||
The Code source and documents are [here](https://github.com/kcl-lang/artifacthub/tree/main/cert-manager-limit-duration) |
@@ -0,0 +1,4 @@ | ||
[package] | ||
name = "cert-manager-limit-duration" | ||
version = "0.1.0" | ||
description = "`cert-manager-limit-duration` is a KCL validation module" |
@@ -0,0 +1,11 @@ | ||
import regex | ||
# Define the validation function | ||
validate = lambda item { | ||
if item.kind == "Certificate": | ||
if "letsencrypt" in item.spec.issuerRef.name and item.spec?.duration: | ||
duration = int(regex.replace(item.spec?.duration, "h.*", "")) | ||
assert 0 <= duration <= 2400, "certificate duration must be < than 2400h (100 days)" | ||
item | ||
} | ||
# Validate All resource | ||
items = [validate(i) for i in option("items") or []] |
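Review bot: the assertion and its message disagree: the condition accepts `duration == 2400`, while the message says the duration must be `< than 2400h`; align one with the other and drop the stray "than". The parsing is fragile: `regex.replace(..., "h.*", "")` followed by `int()` only works when the string starts with an hour component, so `"90m"` raises on `int()` and `"2160h30m"` silently drops the minutes. `item.spec.issuerRef.name` is dereferenced without null-safe operators, so a Certificate with no `issuerRef` aborts the whole evaluation instead of being reported; `item?.spec?.issuerRef?.name or ""` is safer. Also `"letsencrypt" in ...` is a substring match on the issuer name, which should be stated in the README or replaced by an exact list of issuer names.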
@@ -0,0 +1,7 @@ | ||
## Introduction | ||
|
||
`cert-manager-restrict-issuer` is a KCL validation module" | ||
|
||
## Resource | ||
|
||
The Code source and documents are [here](https://github.com/kcl-lang/artifacthub/tree/main/cert-manager-restrict-issuer) |
@@ -0,0 +1,4 @@ | ||
[package] | ||
name = "cert-manager-restrict-issuer" | ||
version = "0.1.0" | ||
description = "`cert-manager-restrict-issuer` is a KCL validation module" |
@@ -0,0 +1,13 @@ | ||
# Define the validation function | ||
validate = lambda item { | ||
if item.kind == "Certificate": | ||
if any n in item.spec.dnsNames { | ||
n.endswith(".corp.com") | ||
}: | ||
issuerRef = item.spec.issuerRef | ||
condition = issuerRef.name == "our-corp-issuer" and issuerRef.kind == "ClusterIssuer" and issuerRef.group == "cert-manager.io" | ||
assert condition, "When requesting a cert for this domain, you must use our corporate issuer." | ||
item | ||
} | ||
# Validate All resource | ||
items = [validate(i) for i in option("items") or []] |
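Review bot: `any n in item.spec.dnsNames { ... }` is evaluated on a field that may be absent (a Certificate that only sets `commonName`, `ipAddresses` or `uris` has no `dnsNames`), and iterating `None` errors instead of passing; use `item?.spec?.dnsNames or []`. Second, `issuerRef.group` defaults to `cert-manager.io` when omitted, so a valid reference `{name: our-corp-issuer, kind: ClusterIssuer}` fails the `issuerRef.group == "cert-manager.io"` comparison; treat a missing group as the default, e.g. `(issuerRef?.group or "cert-manager.io") == "cert-manager.io"`. Third, `endswith(".corp.com")` does not match the apex name `corp.com` itself; if the apex should be restricted too, add `n == "corp.com"` to the predicate. The hard-coded `corp.com` / `our-corp-issuer` values would also be better exposed via `option("params")` like the other modules do.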
@@ -0,0 +1,7 @@ | ||
## Introduction | ||
|
||
`consul-enforce-min-tls-version` is a KCL validation module" | ||
|
||
## Resource | ||
|
||
The Code source and documents are [here](https://github.com/kcl-lang/artifacthub/tree/main/consul-enforce-min-tls-version) |
@@ -0,0 +1,4 @@ | ||
[package] | ||
name = "consul-enforce-min-tls-version" | ||
version = "0.1.0" | ||
description = "`consul-enforce-min-tls-version` is a KCL validation module" |
@@ -0,0 +1,8 @@ | ||
# Define the validation function | ||
validate = lambda item { | ||
if item.kind == "Mesh": | ||
assert item.spec.tls.incoming.tlsMinVersion == "TLSv1_2", "The minimum version of TLS is TLS v1_2" | ||
item | ||
} | ||
# Validate All resource | ||
items = [validate(i) for i in option("items") or []] |
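Review bot: the equality check `tlsMinVersion == "TLSv1_2"` rejects `TLSv1_3`, which is a stronger setting than the minimum the module claims to enforce; a minimum should accept anything at or above it, e.g. `item?.spec?.tls?.incoming?.tlsMinVersion in ["TLSv1_2", "TLSv1_3"]`. The access is also not null-safe: a Mesh without `spec.tls` crashes the evaluation instead of being reported as non-compliant, and an unset value falls back to Consul's default rather than to TLS 1.2, so absence should be treated as a policy failure. Finally, only `incoming` is inspected while the Mesh TLS block also has `outgoing.tlsMinVersion`.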
@@ -0,0 +1,7 @@ | ||
## Introduction | ||
|
||
`disallow-cri-sock-mount` is a KCL validation module" | ||
|
||
## Resource | ||
|
||
The Code source and documents are [here](https://github.com/kcl-lang/artifacthub/tree/main/disallow-cri-sock-mount) |
@@ -0,0 +1,4 @@ | ||
[package] | ||
name = "disallow-cri-sock-mount" | ||
version = "0.1.0" | ||
description = "`disallow-cri-sock-mount` is a KCL validation module" |
@@ -0,0 +1,22 @@ | ||
"""Container daemon socket bind mounts allows access to the container engine on the | ||
node. This access can be used for privilege escalation and to manage containers | ||
outside of Kubernetes, and hence should not be allowed. This policy validates that | ||
the sockets used for CRI engines Docker, Containerd, and CRI-O are not used. | ||
""" | ||
|
||
# Define the validation function | ||
validate = lambda item { | ||
if item.kind == "Pod": | ||
paths = [p.path for v in item?.spec?.volumes or [] for p in v.hostPath] | ||
assert all p in paths { | ||
p not in [ | ||
"/var/run/docker.sock" | ||
"/var/run/containerd.sock" | ||
"/var/run/crio.sock" | ||
"/var/run/cri-dockerd.sock" | ||
] | ||
} if paths, "Use of the Docker Unix socket, Containerd Unix socket, CRI-O Unix socket and Docker CRI socket are not allowed." | ||
item | ||
} | ||
# Validate All resource | ||
items = [validate(i) for i in option("items") or []] |
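Review bot: the comprehension on the `paths = ...` line iterates `for p in v.hostPath`, but `hostPath` is a single object (`{path, type}`), not a list, so `p` takes the key strings and `p.path` errors; volumes that are not hostPath volumes have no `hostPath` at all. Suggest `paths = [v.hostPath.path for v in item?.spec?.volumes or [] if v?.hostPath]`. The exact-match list is also incomplete as a control: it omits the default containerd socket location `/run/containerd/containerd.sock`, the `/run/...` spellings of the `/var/run/...` paths (`/var/run` is a symlink to `/run` on most distributions), and any hostPath mount of an ancestor directory such as `/var/run`, `/run` or `/`, which exposes the same socket. An ancestor/prefix check against those directories, or denying hostPath volumes outside an explicit allow-list, is the more robust mitigation. Only `Pod` is covered, so when the module runs over rendered manifests rather than at admission, Deployment/DaemonSet/StatefulSet/Job templates pass unchecked.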
@@ -0,0 +1,7 @@ | ||
## Introduction | ||
|
||
`disallow-default-namespace` is a KCL validation module" | ||
|
||
## Resource | ||
|
||
The Code source and documents are [here](https://github.com/kcl-lang/artifacthub/tree/main/disallow-default-namespace) |
@@ -0,0 +1,4 @@ | ||
[package] | ||
name = "disallow-default-namespace" | ||
version = "0.1.0" | ||
description = "`disallow-default-namespace` is a KCL validation module" |
@@ -0,0 +1,17 @@ | ||
kinds: [str] = option("params")?.kinds or option("kinds") or [ | ||
"Pod" | ||
"DaemonSet" | ||
"Deployment" | ||
"Job" | ||
"StatefulSet" | ||
] | ||
|
||
# Define the validation function | ||
validate = lambda item { | ||
if item.kind in kinds: | ||
ns = item?.matadata?.namespace or "default" | ||
assert ns != "Using 'default' namespace is not allowed for ${item.kind}: ${item.metadata.name}" | ||
item | ||
} | ||
# Validate All resource | ||
items = [validate(i) for i in option("items") or []] |
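Review bot: this policy never fires. `item?.matadata?.namespace` misspells `metadata`, so `ns` is always `"default"`, and the assertion on the following line compares `ns` with the message text (`assert ns != "Using 'default' namespace ..."`) because the `"default",` argument was dropped, so the condition is always true. It should read `ns = item?.metadata?.namespace or "default"` followed by `assert ns != "default", "Using 'default' namespace is not allowed for ${item.kind}: ${item.metadata.name}"`. A negative test fixture (a Deployment with no namespace set) would have caught both mistakes; please add one.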
@@ -0,0 +1,7 @@ | ||
## Introduction | ||
|
||
`disallow-empty-ingress-host` is a KCL validation module" | ||
|
||
## Resource | ||
|
||
The Code source and documents are [here](https://github.com/kcl-lang/artifacthub/tree/main/disallow-empty-ingress-host) |
@@ -0,0 +1,4 @@ | ||
[package] | ||
name = "disallow-empty-ingress-host" | ||
version = "0.1.0" | ||
description = "`disallow-empty-ingress-host` is a KCL validation module" |
@@ -0,0 +1,14 @@ | ||
"""An ingress resource needs to define an actual host name | ||
in order to be valid. This policy ensures that there is a | ||
hostname for each rule defined. | ||
""" | ||
|
||
# Define the validation function | ||
validate = lambda item { | ||
if item.kind == "Ingress": | ||
host_list = [r.host for r in item?.spec?.rules if not r.host] | ||
assert len(host_list) == 0, "The Ingress host name must be defined, not empty." | ||
item | ||
} | ||
# Validate All resource | ||
items = [validate(i) for i in option("items") or []] |
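Review bot: `item?.spec?.rules` can be absent (an Ingress that only sets `defaultBackend` has no rules), and `for r in None` errors rather than passing; use `item?.spec?.rules or []`. Also `not r.host` is true both for an empty string and for a missing `host` field, which is the intended behaviour and deserves a comment; consider `r?.host` for symmetry with the rest of the module.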
@@ -0,0 +1,7 @@ | ||
## Introduction | ||
|
||
`disallow-helm-tiller` is a KCL validation module" | ||
|
||
## Resource | ||
|
||
The Code source and documents are [here](https://github.com/kcl-lang/artifacthub/tree/main/disallow-helm-tiller) |
@@ -0,0 +1,4 @@ | ||
[package] | ||
name = "disallow-helm-tiller" | ||
version = "0.1.0" | ||
description = "`disallow-helm-tiller` is a KCL validation module" |
@@ -0,0 +1,22 @@ | ||
"""Tiller, found in Helm v2, has known security challenges. It requires administrative privileges and acts as a shared | ||
resource accessible to any authenticated user. Tiller can lead to privilege escalation as | ||
restricted users can impact other users. It is recommend to use Helm v3+ which does not contain | ||
Tiller for these reasons. This policy validates that there is not an image | ||
containing the name `tiller`. | ||
""" | ||
|
||
# Define the validation function | ||
validate = lambda item: {str:} { | ||
containers: [{str:}] = [] | ||
if item.kind == "Pod": | ||
containers = (item?.spec?.containers or []) + (item?.spec?.phemeralContainers or []) + (item?.spec?.initContainers or []) | ||
elif item.kind == "Deployment": | ||
containers = (item?.spec?.template?.spec?.containers or []) + (item?.spec?.template?.spec?.phemeralContainers or []) + (item?.spec?.template?.spec?.initContainers or []) | ||
images: [str] = [c.image for c in containers] | ||
assert all image in images { | ||
"tiller" not in image | ||
} if images, """Helm Tiller is not allowed for ${item.kind}: ${item.metadata.name}""" | ||
item | ||
} | ||
# Validate All resource | ||
items = [validate(i) for i in option("items")] |
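Review bot: `phemeralContainers` in both the Pod and the Deployment branches should be `ephemeralContainers`; as written, ephemeral containers are silently never inspected. `option("items")` on the last line lacks the `or []` fallback used by the other modules, so a run with no input fails instead of returning an empty list. Coverage stops at Pod and Deployment, while DaemonSet, StatefulSet, Job and CronJob templates also carry images. Note too that `"tiller" not in image` is a substring test on the whole reference, so an unrelated image such as `registry.example/tillerdata/app:1.0` is rejected; the check is a heuristic on the name rather than a guarantee, which the docstring should say.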
@@ -0,0 +1,5 @@ | ||
## Introduction | ||
|
||
## Resource | ||
|
||
Code source and document is [here](https://github.com/kcl-lang/artifacthub/tree/main/disallow-image-repos) |
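Review bot: the Introduction section is empty; add the one-line description used by the other READMEs (`disallow-image-repos` is a KCL validation module), and since this module takes a `repos` parameter, document its expected shape and an example `KCLRun` with `params`. "Code source and document is [here]" should read "The source code and documentation are [here]".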
@@ -0,0 +1,4 @@ | ||
[package] | ||
name = "disallow-image-repos" | ||
version = "0.1.0" | ||
description = "`disallow-image-repos` is a kcl validation package" |
@@ -0,0 +1,23 @@ | ||
"""Disallowed container image repositories that begin with a string from the specified list. | ||
""" | ||
|
||
# The list of prefixes a container image is allowed to have. | ||
repos: [str] = option("params").repos or [] | ||
|
||
# Define the validation function | ||
validate = lambda item { | ||
containers = [] | ||
if item.kind == "Pod" and repos: | ||
containers = (item.spec.containers or []) + (item.spec.phemeralContainers or []) + (item.spec.initContainers or []) | ||
elif item.kind == "Deployment": | ||
containers = (item.spec.template.spec.containers or []) + (item.spec.template.spec.phemeralContainers or []) + (item.spec.template.spec.initContainers or []) | ||
images: [str] = [c.image for c in containers] | ||
assert all image in images { | ||
all repo in repos { | ||
not image.startswith(repo) | ||
} | ||
} if images and repos, """Use of image is disallowed for ${item.kind}: ${item.metadata.name}, valid repos ${repos}""" | ||
item | ||
} | ||
# Validate All resource | ||
items = [validate(i) for i in option("items")] |
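Review bot: the meaning of `repos` is contradictory. The docstring says image repositories beginning with a listed string are disallowed, and the assertion `not image.startswith(repo)` implements a deny-list, but the comment on the `repos` line calls it "the list of prefixes a container image is allowed to have" and the failure message says "valid repos ${repos}". Decide which it is; for a supply-chain control an allow-list (reject anything not pulled from a trusted registry) is the safer default, and if that is the intent the predicate must become `any repo in repos { image.startswith(repo) }`. Further issues: `option("params").repos` crashes when no params are supplied (use `option("params")?.repos`); `phemeralContainers` should be `ephemeralContainers`; the Pod and Deployment branches dereference `item.spec...` without null-safe access, and only the Pod branch is gated on `repos`; `option("items")` on the last line lacks `or []`. A raw `startswith` is also a loose match (the prefix `docker.io` matches `docker.io.example.com/app`), so compare against the registry host component, i.e. the reference up to the first `/`.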
@@ -0,0 +1,7 @@ | ||
## Introduction | ||
|
||
`disallow-latest-tag` is a KCL validation module" | ||
|
||
## Resource | ||
|
||
The Code source and documents are [here](https://github.com/kcl-lang/artifacthub/tree/main/disallow-latest-tag) |
@@ -0,0 +1,4 @@ | ||
[package] | ||
name = "disallow-latest-tag" | ||
version = "0.1.0" | ||
description = "`disallow-latest-tag` is a KCL validation module" |