ingress: make sure that all ingresses targets a pod

zegl · Oct 31, 2018 · c2bca46 · c2bca46
1 parent fdd7556
commit c2bca46
Show file tree

Hide file tree

Showing 4 changed files with 131 additions and 1 deletion.
diff --git a/score/ingress/ingress.go b/score/ingress/ingress.go
@@ -0,0 +1,52 @@
+package ingress
+
+import (
+	"fmt"
+	"github.com/zegl/kube-score/scorecard"
+	corev1 "k8s.io/api/core/v1"
+	extensionsv1beta1 "k8s.io/api/extensions/v1beta1"
+)
+
+func ScoreIngressTargetsService(allServices []corev1.Service) func(extensionsv1beta1.Ingress) scorecard.TestScore {
+	return func(ingress extensionsv1beta1.Ingress) (score scorecard.TestScore) {
+		score.Name = "Ingress targets Service"
+		score.ID = "ingress-targets-service"
+
+		allRulesHaveMatches := true
+
+		for _, rule := range ingress.Spec.Rules {
+			for _, path := range rule.IngressRuleValue.HTTP.Paths {
+
+				pathHasMatch := false
+
+				for _, service := range allServices {
+					if service.Namespace != ingress.Namespace {
+						continue
+					}
+
+					if service.Name == path.Backend.ServiceName {
+						for _, servicePort := range service.Spec.Ports {
+							if servicePort.Port == path.Backend.ServicePort.IntVal {
+								pathHasMatch = true
+							}
+						}
+					}
+				}
+
+				if !pathHasMatch {
+					allRulesHaveMatches = false
+					score.AddComment(path.Path, "No service match was found", fmt.Sprintf("No service with name %s and port %d was found", path.Backend.ServiceName, path.Backend.ServicePort.IntVal))
+				}
+			}
+
+		}
+
+		if allRulesHaveMatches {
+			score.Grade = scorecard.GradeAllOK
+		} else {
+			score.Grade = scorecard.GradeCritical
+		}
+
+		return
+	}
+}
diff --git a/score/score.go b/score/score.go
@@ -5,6 +5,7 @@ import (
 	ks "github.com/zegl/kube-score"
 	"github.com/zegl/kube-score/score/container"
 	"github.com/zegl/kube-score/score/disruptionbudget"
+	"github.com/zegl/kube-score/score/ingress"
 	"github.com/zegl/kube-score/score/internal"
 	"github.com/zegl/kube-score/score/networkpolicy"
 	"github.com/zegl/kube-score/score/probes"
@@ -72,6 +73,7 @@ type score struct {
 	podDisruptionBudgets []policyv1beta1.PodDisruptionBudget
 	deployments          []appsv1.Deployment
 	statefulsets         []appsv1.StatefulSet
+	ingresses            []extensionsv1beta1.Ingress
 }
 
 type detectKind struct {
@@ -208,6 +210,12 @@ func Score(config Configuration) (*scorecard.Scorecard, error) {
 				s.podDisruptionBudgets = append(s.podDisruptionBudgets, disruptBudget)
 				s.typeMetas = append(s.typeMetas, bothMeta{disruptBudget.TypeMeta, disruptBudget.ObjectMeta})
 
+			case extensionsv1beta1.SchemeGroupVersion.WithKind("Ingress"):
+				var ingress extensionsv1beta1.Ingress
+				decode(fileContents, &ingress)
+				s.ingresses = append(s.ingresses, ingress)
+				s.typeMetas = append(s.typeMetas, bothMeta{ingress.TypeMeta, ingress.ObjectMeta})
+
 			default:
 				if config.VerboseOutput {
 					log.Printf("Unknown datatype: %s", detect.Kind)
@@ -245,10 +253,14 @@ func (s *score) runTests() (*scorecard.Scorecard, error) {
 		disruptionbudget.ScoreDeploymentHas(s.podDisruptionBudgets),
 	}
 
-	netpolTests := []func(policy networkingv1.NetworkPolicy) scorecard.TestScore{
+	netpolTests := []func(networkingv1.NetworkPolicy) scorecard.TestScore{
 		networkpolicy.ScoreNetworkPolicyTargetsPod(s.pods, s.podspecers),
 	}
 
+	ingressTests := []func(extensionsv1beta1.Ingress) scorecard.TestScore{
+		ingress.ScoreIngressTargetsService(s.services),
+	}
+
 	scoreCard := scorecard.New()
 
 	for _, meta := range s.typeMetas {
@@ -310,5 +322,13 @@ func (s *score) runTests() (*scorecard.Scorecard, error) {
 		}
 	}
 
+	for _, ingress := range s.ingresses {
+		for _, ingressTest := range ingressTests {
+			score := ingressTest(ingress)
+			score.AddMeta(ingress.TypeMeta, ingress.ObjectMeta)
+			scoreCard.Add(score)
+		}
+	}
+
 	return scoreCard, nil
 }
diff --git a/score/testdata/ingress-targets-service-no-match.yaml b/score/testdata/ingress-targets-service-no-match.yaml
@@ -0,0 +1,32 @@
+apiVersion: extensions/v1beta1
+kind: Ingress
+metadata:
+  name: app-ingress
+  namespace: testspace
+spec:
+  rules:
+  - http:
+      paths:
+      - path: /app
+        backend:
+          serviceName: app-service
+          servicePort: 5601
+
+      - path: /no-match
+        backend:
+          serviceName: app-service-123123
+          servicePort: 5601
+
+---
+kind: Service
+apiVersion: v1
+metadata:
+  name: app-service
+  namespace: testspace
+spec:
+  selector:
+    app: kibana
+  ports:
+  - name: http
+    protocol: TCP
+    port: 5601
diff --git a/score/testdata/ingress-targets-service.yaml b/score/testdata/ingress-targets-service.yaml
@@ -0,0 +1,26 @@
+apiVersion: extensions/v1beta1
+kind: Ingress
+metadata:
+  name: app-ingress
+  namespace: testspace
+spec:
+  rules:
+  - http:
+      paths:
+      - path: /app
+        backend:
+          serviceName: app-service
+          servicePort: 5601
+---
+kind: Service
+apiVersion: v1
+metadata:
+  name: app-service
+  namespace: testspace
+spec:
+  selector:
+    app: kibana
+  ports:
+  - name: http
+    protocol: TCP
+    port: 5601