diff --git a/pkg/builtinchecks/a_builtinchecks-packr.go b/pkg/builtinchecks/a_builtinchecks-packr.go new file mode 100644 index 000000000..3572371ca --- /dev/null +++ b/pkg/builtinchecks/a_builtinchecks-packr.go 
@@ -0,0 +1,30 @@ +// Code generated by github.com/gobuffalo/packr. DO NOT EDIT. + +package builtinchecks + +import "github.com/gobuffalo/packr" + +// You can use the "packr clean" command to clean up this, +// and any other packr generated files. +func init() { + packr.PackJSONBytes("./yamls", "dangling-service.yaml", "\"bmFtZTogImRhbmdsaW5nLXNlcnZpY2UiCmRlc2NyaXB0aW9uOiAiQWxlcnQgb24gc2VydmljZXMgdGhhdCBkb24ndCBoYXZlIGFueSBtYXRjaGluZyBkZXBsb3ltZW50cyIKcmVtZWRpYXRpb246ICJNYWtlIHN1cmUgeW91ciBzZXJ2aWNlJ3Mgc2VsZWN0b3IgY29ycmVjdGx5IG1hdGNoZXMgdGhlIGxhYmVscyBvbiBvbmUgb2YgeW91ciBkZXBsb3ltZW50cy4iCnNjb3BlOgogIG9iamVjdEtpbmRzOgogICAgLSBTZXJ2aWNlCnRlbXBsYXRlOiAiZGFuZ2xpbmctc2VydmljZSIK\"") + packr.PackJSONBytes("./yamls", "default-service-account.yaml", "\"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\"") + packr.PackJSONBytes("./yamls", "deprecated-service-account.yaml", "\"bmFtZTogImRlcHJlY2F0ZWQtc2VydmljZS1hY2NvdW50LWZpZWxkIgpkZXNjcmlwdGlvbjogIkFsZXJ0IG9uIGRlcGxveW1lbnRzIHRoYXQgdXNlIHRoZSBkZXByZWNhdGVkIHNlcnZpY2VBY2NvdW50IGZpZWxkIgpyZW1lZGlhdGlvbjogIlVzZSB0aGUgc2VydmljZUFjY291bnROYW1lIGZpZWxkIGluc3RlYWQgb2YgdGhlIHNlcnZpY2VBY2NvdW50IGZpZWxkLiIKc2NvcGU6CiAgb2JqZWN0S2luZHM6CiAgICAtIERlcGxveW1lbnRMaWtlCnRlbXBsYXRlOiAiZGVwcmVjYXRlZC1zZXJ2aWNlLWFjY291bnQtZmllbGQiCg==\"") + packr.PackJSONBytes("./yamls", "drop-net-raw-capability.yaml", 
"\"bmFtZTogImRyb3AtbmV0LXJhdy1jYXBhYmlsaXR5IgpkZXNjcmlwdGlvbjogIkFsZXJ0IG9uIGNvbnRhaW5lcnMgbm90IGRyb3BwaW5nIE5FVF9SQVcgY2FwYWJpbGl0eSIKcmVtZWRpYXRpb246ID4tCiAgTkVUX1JBVyBncmFudHMgYW4gYXBwbGljYXRpb24gd2l0aGluIHRoZSBjb250YWluZXIgdGhlIGFiaWxpdHkgdG8gY3JhZnQgcmF3IHBhY2tldHMsIHVzZSByYXcgc29ja2V0cywgYW5kIGl0IGFsc28KICBhbGxvd3MgYW4gYXBwbGljYXRpb24gdG8gYmluZCB0byBhbnkgYWRkcmVzcy4gUGxlYXNlIHNwZWNpZnkgdG8gZHJvcCB0aGlzIGNhcGFiaWxpdHkgaW4gdGhlIGNvbnRhaW5lcnMgdW5kZXIKICBjb250YWluZXJzIHNlY3VyaXR5IGNvbnRleHRzLgpzY29wZToKICBvYmplY3RLaW5kczoKICAgIC0gRGVwbG95bWVudExpa2UKdGVtcGxhdGU6ICJ2ZXJpZnktY29udGFpbmVyLWNhcGFiaWxpdGllcyIKcGFyYW1zOgogIGZvcmJpZGRlbkNhcGFiaWxpdGllczogWyJORVRfUkFXIl0K\"") + packr.PackJSONBytes("./yamls", "env-var-secret.yaml", "\"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\"") + packr.PackJSONBytes("./yamls", "mismatching-selector.yaml", "\"bmFtZTogIm1pc21hdGNoaW5nLXNlbGVjdG9yIgpkZXNjcmlwdGlvbjogIkFsZXJ0IG9uIGRlcGxveW1lbnRzIHdoZXJlIHRoZSBzZWxlY3RvciBkb2Vzbid0IG1hdGNoIHRoZSBwb2QgdGVtcGxhdGUgbGFiZWxzIgpyZW1lZGlhdGlvbjogIk1ha2Ugc3VyZSB5b3VyIGRlcGxveW1lbnQncyBzZWxlY3RvciBjb3JyZWN0bHkgbWF0Y2hlcyB0aGUgbGFiZWxzIGluIGl0cyBwb2QgdGVtcGxhdGUuIgpzY29wZToKICBvYmplY3RLaW5kczoKICAgIC0gRGVwbG95bWVudExpa2UKdGVtcGxhdGU6ICJtaXNtYXRjaGluZy1zZWxlY3RvciIK\"") + packr.PackJSONBytes("./yamls", "no-anti-affinity.yaml", 
"\"bmFtZTogIm5vLWFudGktYWZmaW5pdHkiCmRlc2NyaXB0aW9uOiAiQWxlcnQgb24gZGVwbG95bWVudHMgd2l0aCBtdWx0aXBsZSByZXBsaWNhcyB0aGF0IGRvbid0IHNwZWNpZnkgaW50ZXIgcG9kIGFudGktYWZmaW5pdHkgdG8gZW5zdXJlIHRoYXQgdGhlIG9yY2hlc3RyYXRvciBhdHRlbXB0cyB0byBzY2hlZHVsZSByZXBsaWNhcyBvbiBkaWZmZXJlbnQgbm9kZXMiCnJlbWVkaWF0aW9uOiA+LQogIFNwZWNpZnkgYW50aS1hZmZpbml0eSBpbiB5b3VyIHBvZCBzcGVjIHRvIGVuc3VyZSB0aGF0IHRoZSBvcmNoZXN0cmF0b3IgYXR0ZW1wdHMgdG8gc2NoZWR1bGUgcmVwbGljYXMgb24gZGlmZmVyZW50IG5vZGVzLgogIFlvdSBjYW4gZG8gdGhpcyBieSB1c2luZyBwb2RBbnRpQWZmaW5pdHksIHNwZWNpZnlpbmcgYSBsYWJlbFNlbGVjdG9yIHRoYXQgbWF0Y2hlcyBwb2RzIG9mIHRoaXMgZGVwbG95bWVudCwKICBhbmQgc2V0dGluZyB0aGUgdG9wb2xvZ3lLZXkgdG8ga3ViZXJuZXRlcy5pby9ob3N0bmFtZS4KICBTZWUgaHR0cHM6Ly9rdWJlcm5ldGVzLmlvL2RvY3MvY29uY2VwdHMvc2NoZWR1bGluZy1ldmljdGlvbi9hc3NpZ24tcG9kLW5vZGUvI2ludGVyLXBvZC1hZmZpbml0eS1hbmQtYW50aS1hZmZpbml0eSBmb3IgbW9yZSBkZXRhaWxzLgpzY29wZToKICBvYmplY3RLaW5kczoKICAgIC0gRGVwbG95bWVudExpa2UKdGVtcGxhdGU6ICJhbnRpLWFmZmluaXR5IgpwYXJhbXM6CiAgbWluUmVwbGljYXM6IDIK\"") + packr.PackJSONBytes("./yamls", "no-extensions-v1beta.yaml", "\"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\"") + packr.PackJSONBytes("./yamls", "no-liveness-probe.yaml", "\"bmFtZTogIm5vLWxpdmVuZXNzLXByb2JlIgpkZXNjcmlwdGlvbjogIkFsZXJ0IG9uIGNvbnRhaW5lcnMgd2hpY2ggZG9uJ3Qgc3BlY2lmeSBhIGxpdmVuZXNzIHByb2JlIgpyZW1lZGlhdGlvbjogPi0KICBTcGVjaWZ5IGEgbGl2ZW5lc3MgcHJvYmUgaW4geW91ciBjb250YWluZXIuCiAgU2VlIGh0dHBzOi8va3ViZXJuZXRlcy5pby9kb2NzL3Rhc2tzL2NvbmZpZ3VyZS1wb2QtY29udGFpbmVyL2NvbmZpZ3VyZS1saXZlbmVzcy1yZWFkaW5lc3Mtc3RhcnR1cC1wcm9iZXMvIGZvciBtb3JlIGRldGFpbHMuCnNjb3BlOgogIG9iamVjdEtpbmRzOgogICAgLSBEZXBsb3ltZW50TGlrZQp0ZW1wbGF0ZTogImxpdmVuZXNzLXByb2JlIgo=\"") + packr.PackJSONBytes("./yamls", "no-readiness-probe.yaml", 
"\"bmFtZTogIm5vLXJlYWRpbmVzcy1wcm9iZSIKZGVzY3JpcHRpb246ICJBbGVydCBvbiBjb250YWluZXJzIHdoaWNoIGRvbid0IHNwZWNpZnkgYSByZWFkaW5lc3MgcHJvYmUiCnJlbWVkaWF0aW9uOiA+LQogIFNwZWNpZnkgYSByZWFkaW5lc3MgcHJvYmUgaW4geW91ciBjb250YWluZXIuCiAgU2VlIGh0dHBzOi8va3ViZXJuZXRlcy5pby9kb2NzL3Rhc2tzL2NvbmZpZ3VyZS1wb2QtY29udGFpbmVyL2NvbmZpZ3VyZS1saXZlbmVzcy1yZWFkaW5lc3Mtc3RhcnR1cC1wcm9iZXMvIGZvciBtb3JlIGRldGFpbHMuCnNjb3BlOgogIG9iamVjdEtpbmRzOgogICAgLSBEZXBsb3ltZW50TGlrZQp0ZW1wbGF0ZTogInJlYWRpbmVzcy1wcm9iZSIK\"") + packr.PackJSONBytes("./yamls", "non-existent-service-account.yaml", "\"bmFtZTogIm5vbi1leGlzdGVudC1zZXJ2aWNlLWFjY291bnQiCmRlc2NyaXB0aW9uOiAiQWxlcnQgb24gcG9kcyByZWZlcmVuY2luZyBhIHNlcnZpY2UgYWNjb3VudCB0aGF0IGlzbid0IGZvdW5kIgpyZW1lZGlhdGlvbjogIk1ha2Ugc3VyZSB0byBjcmVhdGUgdGhlIHNlcnZpY2UgYWNjb3VudCwgb3IgdG8gcmVmZXIgdG8gYW4gZXhpc3Rpbmcgc2VydmljZSBhY2NvdW50LiIKc2NvcGU6CiAgb2JqZWN0S2luZHM6CiAgICAtIERlcGxveW1lbnRMaWtlCnRlbXBsYXRlOiAibm9uLWV4aXN0ZW50LXNlcnZpY2UtYWNjb3VudCIK\"") + packr.PackJSONBytes("./yamls", "privileged.yaml", "\"bmFtZTogInByaXZpbGVnZWQtY29udGFpbmVyIgpkZXNjcmlwdGlvbjogIkFsZXJ0IG9uIGRlcGxveW1lbnRzIHdpdGggY29udGFpbmVycyBydW5uaW5nIGluIHByaXZpbGVnZWQgbW9kZSIKcmVtZWRpYXRpb246ICJEb24ndCBydW4geW91ciBjb250YWluZXIgYXMgcHJpdmlsZWdlZCB1bmxlc3MgcmVxdWlyZWQuIgpzY29wZToKICBvYmplY3RLaW5kczoKICAgIC0gRGVwbG95bWVudExpa2UKdGVtcGxhdGU6ICJwcml2aWxlZ2VkIgo=\"") + packr.PackJSONBytes("./yamls", "read-only-root-fs.yaml", "\"bmFtZTogIm5vLXJlYWQtb25seS1yb290LWZzIgpkZXNjcmlwdGlvbjogIkFsZXJ0IG9uIGNvbnRhaW5lcnMgbm90IHJ1bm5pbmcgd2l0aCBhIHJlYWQtb25seSByb290IGZpbGVzeXN0ZW0iCnJlbWVkaWF0aW9uOiAiU2V0IHJlYWRPbmx5Um9vdEZpbGVzeXN0ZW0gdG8gdHJ1ZSBpbiB5b3VyIGNvbnRhaW5lcidzIHNlY3VyaXR5Q29udGV4dC4iCnNjb3BlOgogIG9iamVjdEtpbmRzOgogICAgLSBEZXBsb3ltZW50TGlrZQp0ZW1wbGF0ZTogInJlYWQtb25seS1yb290LWZzIgo=\"") + packr.PackJSONBytes("./yamls", "required-annotation-email.yaml", 
"\"bmFtZTogInJlcXVpcmVkLWFubm90YXRpb24tZW1haWwiCmRlc2NyaXB0aW9uOiAiQWxlcnQgb24gb2JqZWN0cyB3aXRob3V0IGFuICdlbWFpbCcgYW5ub3RhdGlvbiB3aXRoIGEgdmFsaWQgZW1haWwiCnJlbWVkaWF0aW9uOiAiQWRkIGFuIGVtYWlsIGFubm90YXRpb24gdG8geW91ciBvYmplY3Qgd2l0aCB0aGUgY29udGFjdCBpbmZvcm1hdGlvbiBvZiB0aGUgb2JqZWN0J3Mgb3duZXIuIgpzY29wZToKICBvYmplY3RLaW5kczoKICAgIC0gRGVwbG95bWVudExpa2UKdGVtcGxhdGU6ICJyZXF1aXJlZC1hbm5vdGF0aW9uIgpwYXJhbXM6CiAga2V5OiAiZW1haWwiCiAgdmFsdWU6ICdbYS16QS1aMC05Xy4rLV0rQFthLXpBLVowLTktXStcLlthLXpBLVowLTktLl0rJwo=\"") + packr.PackJSONBytes("./yamls", "required-label-owner.yaml", "\"bmFtZTogInJlcXVpcmVkLWxhYmVsLW93bmVyIgpkZXNjcmlwdGlvbjogIkFsZXJ0IG9uIG9iamVjdHMgd2l0aG91dCB0aGUgJ293bmVyJyBsYWJlbCIKcmVtZWRpYXRpb246ICJBZGQgYW4gZW1haWwgYW5ub3RhdGlvbiB0byB5b3VyIG9iamVjdCB3aXRoIGluZm9ybWF0aW9uIGFib3V0IHRoZSBvYmplY3QncyBvd25lci4iCnNjb3BlOgogIG9iamVjdEtpbmRzOgogICAgLSBEZXBsb3ltZW50TGlrZQp0ZW1wbGF0ZTogInJlcXVpcmVkLWxhYmVsIgpwYXJhbXM6CiAga2V5OiAib3duZXIiCg==\"") + packr.PackJSONBytes("./yamls", "run-as-non-root.yaml", "\"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\"") + packr.PackJSONBytes("./yamls", "ssh-port.yaml", "\"bmFtZTogInNzaC1wb3J0IgpkZXNjcmlwdGlvbjogIkFsZXJ0IG9uIGRlcGxveW1lbnRzIGV4cG9zaW5nIHBvcnQgMjIsIGNvbW1vbmx5IHJlc2VydmVkIGZvciBTU0ggYWNjZXNzIgpyZW1lZGlhdGlvbjogIkVuc3VyZSB0aGF0IG5vbi1TU0ggc2VydmljZXMgYXJlIG5vdCB1c2luZyBwb3J0IDIyLiBFbnN1cmUgdGhhdCBhbnkgYWN0dWFsIFNTSCBzZXJ2ZXJzIGhhdmUgYmVlbiB2ZXR0ZWQuIgpzY29wZToKICBvYmplY3RLaW5kczoKICAgIC0gRGVwbG95bWVudExpa2UKdGVtcGxhdGU6ICJwb3J0cyIKcGFyYW1zOgogIHBvcnQ6IDIyCiAgcHJvdG9jb2w6ICJUQ1AiCg==\"") + packr.PackJSONBytes("./yamls", "unset-cpu-requirements.yaml", "\"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\"") + packr.PackJSONBytes("./yamls", "unset-memory-requirements.yaml", "\"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\"") + packr.PackJSONBytes("./yamls", "writable-host-mount.yaml", 
"\"bmFtZTogIndyaXRhYmxlLWhvc3QtbW91bnQiCmRlc2NyaXB0aW9uOiAiQWxlcnQgb24gY29udGFpbmVycyB0aGF0IG1vdW50IGEgaG9zdCBwYXRoIGFzIHdyaXRhYmxlIgpyZW1lZGlhdGlvbjogIklmIHlvdSBuZWVkIHRvIGFjY2VzcyBmaWxlcyBvbiB0aGUgaG9zdCwgbW91bnQgdGhlbSBhcyByZWFkT25seS4iCnNjb3BlOgogIG9iamVjdEtpbmRzOgogICAgLSBEZXBsb3ltZW50TGlrZQp0ZW1wbGF0ZTogIndyaXRhYmxlLWhvc3QtbW91bnQiCg==\"") +} diff --git a/pkg/lintcontext/context.go b/pkg/lintcontext/context.go index ad47fb6a1..08bc56e63 100644 --- a/pkg/lintcontext/context.go +++ b/pkg/lintcontext/context.go @@ -5,6 +5,7 @@ import ( "golang.stackrox.io/kube-linter/internal/stringutils" "golang.stackrox.io/kube-linter/pkg/k8sutil" + "helm.sh/helm/v3/pkg/cli/values" "k8s.io/apimachinery/pkg/runtime" "k8s.io/apimachinery/pkg/runtime/schema" ) @@ -77,7 +78,8 @@ type lintContextImpl struct { objects []Object invalidObjects []InvalidObject - customDecoder runtime.Decoder + customDecoder runtime.Decoder + helmValuesOptions values.Options } // Objects returns the (valid) objects loaded from this LintContext. @@ -106,3 +108,10 @@ func newCtx(options Options) *lintContextImpl { customDecoder: options.CustomDecoder, } } + +func newHelmCtx(options Options, helmValueOptions values.Options) *lintContextImpl { + return &lintContextImpl{ + customDecoder: options.CustomDecoder, + helmValuesOptions: helmValueOptions, + } +} diff --git a/pkg/lintcontext/create_contexts.go b/pkg/lintcontext/create_contexts.go index 5aa5b58fb..8fd58362e 100644 --- a/pkg/lintcontext/create_contexts.go +++ b/pkg/lintcontext/create_contexts.go @@ -10,6 +10,7 @@ import ( "github.com/pkg/errors" "golang.stackrox.io/kube-linter/internal/set" "helm.sh/helm/v3/pkg/chartutil" + "helm.sh/helm/v3/pkg/cli/values" "k8s.io/apimachinery/pkg/runtime" ) 
@@ -36,6 +37,7 @@ func CreateContexts(filesOrDirs ...string) ([]LintContext, error) { // CreateContextsWithOptions creates a context with additional Options func CreateContextsWithOptions(options Options, filesOrDirs ...string) ([]LintContext, error) { contextsByDir := make(map[string]*lintContextImpl) + contextsByChartDir := make(map[string][]LintContext) for _, fileOrDir := range filesOrDirs { // Stdin if fileOrDir == "-" { @@ -59,14 +61,17 @@ func CreateContextsWithOptions(options Options, filesOrDirs ...string) ([]LintCo return nil } + if _, exists := contextsByChartDir[currentPath]; exists { + return nil + } + if !info.IsDir() { if strings.HasSuffix(strings.ToLower(currentPath), ".tgz") { - ctx := newCtx(options) - if err := ctx.loadObjectsFromTgzHelmChart(currentPath); err != nil { + lintCtxs, err := CreateHelmContextsWithOptions(HelmOptions{Options: options, FromArchive: true}, currentPath) + if err != nil { return err } - - contextsByDir[currentPath] = ctx + contextsByChartDir[currentPath] = lintCtxs return nil } @@ -85,15 +90,11 @@ func CreateContextsWithOptions(options Options, filesOrDirs ...string) ([]LintCo return nil } if isHelm, _ := chartutil.IsChartDir(currentPath); isHelm { - // Path has already been loaded, possibly through another argument. Skip. - if _, alreadyExists := contextsByDir[currentPath]; alreadyExists { - return nil - } - ctx := newCtx(options) - contextsByDir[currentPath] = ctx - if err := ctx.loadObjectsFromHelmChart(currentPath); err != nil { + lintCtxs, err := CreateHelmContextsWithOptions(HelmOptions{Options: options, FromDir: true}, currentPath) + if err != nil { return err } + contextsByChartDir[currentPath] = lintCtxs return filepath.SkipDir } return nil 
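Review bot: In the `@@ -59,14 +61,17 @@` hunk, the `.tgz` branch now hands the archive path to `CreateHelmContextsWithOptions`, whose first statement (added later in this file's diff) rejects anything for which `chartutil.IsChartDir` is false. A `.tgz` file is not a chart directory, so every archive appears to fail with "cannot generate helm context from non-helm dir". The same applies to `CreateContextsFromHelmArchive`, which passes a bare file name with `FromReader`. This branch also returns that error from the walk callback, which aborts the whole run, whereas the removed `loadObjectsFromTgzHelmChart` recorded an `InvalidObject` and carried on. Restricting the guard to the directory case would fix it, e.g. `if isHelm, _ := chartutil.IsChartDir(chartDir); options.FromDir && !isHelm {`, and a test that lints a `.tgz` chart would pin it. The walk callback starts and ends outside this hunk.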
@@ -102,24 +103,56 @@ func CreateContextsWithOptions(options Options, filesOrDirs ...string) ([]LintCo return nil, errors.Wrapf(err, "loading from path %q", fileOrDir) } } - dirs := make([]string, 0, len(contextsByDir)) + dirs := make([]string, 0, len(contextsByDir)+len(contextsByChartDir)) for dir := range contextsByDir { dirs = append(dirs, dir) } + for dir := range contextsByChartDir { + dirs = append(dirs, dir) + } sort.Strings(dirs) var contexts []LintContext for _, dir := range dirs { + if helmCtxs, ok := contextsByChartDir[dir]; ok { + contexts = append(contexts, helmCtxs...) + continue + } contexts = append(contexts, contextsByDir[dir]) } return contexts, nil } -// CreateContextsFromHelmArchive creates a context from TGZ reader of Helm Chart. +// CreateContextsFromHelmArchive creates a context from a tgz file based on a provided tgzReader func CreateContextsFromHelmArchive(fileName string, tgzReader io.Reader) ([]LintContext, error) { - ctx := newCtx(Options{}) - if err := ctx.readObjectsFromTgzHelmChart(fileName, tgzReader); err != nil { - return nil, err - } + return CreateHelmContextsWithOptions(HelmOptions{FromReader: tgzReader}, fileName) +} + +type HelmOptions struct { + Options - return []LintContext{ctx}, nil + // HelmValuesOptions provide options for additional values.yamls that can be provided to Helm on loading a chart + // These will be ignored for contexts that are not Helm-based + HelmValuesOptions []values.Options + + // Whether to treat this as a Helm chart directory + FromDir bool + // Whether to treat this as a Helm chart archive (tgz). 
+ FromArchive bool + // FromReader is used if isDir and isArchive are both false + FromReader io.Reader +} + +func CreateHelmContextsWithOptions(options HelmOptions, chartDir string) ([]LintContext, error) { + if isHelm, _ := chartutil.IsChartDir(chartDir); !isHelm { + return nil, errors.New("cannot generate helm context from non-helm dir " + chartDir) + } + contextsByHelmValues := []LintContext{} + for _, helmValueOptions := range options.HelmValuesOptions { + ctx := newHelmCtx(options.Options, helmValueOptions) + if err := ctx.loadObjectsFromHelmChart(chartDir, options); err != nil { + return nil, err + } + contextsByHelmValues = append(contextsByHelmValues, ctx) + } + return contextsByHelmValues, nil } diff --git a/pkg/lintcontext/parse_helm.go b/pkg/lintcontext/parse_helm.go new file mode 100644 index 000000000..4f528df3e --- /dev/null +++ b/pkg/lintcontext/parse_helm.go 
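Review bot: `CreateHelmContextsWithOptions` in the `@@ -102,24 +103,56 @@` hunk only creates a context inside `for _, helmValueOptions := range options.HelmValuesOptions`, and none of the three callers in this diff sets `HelmValuesOptions`. For them the loop body never runs and the function returns an empty slice with a nil error. The chart is then recorded in `contextsByChartDir` with no contexts, so its objects are never linted and nothing is reported. For a linter that is a silent false negative rather than a visible failure. Defaulting to one empty values set before the loop keeps the previous behaviour: `if len(options.HelmValuesOptions) == 0 { options.HelmValuesOptions = []values.Options{{}} }`. Separately, the exported `HelmOptions` and `CreateHelmContextsWithOptions` have no doc comments, and the `FromReader` comment refers to `isDir`/`isArchive` where the fields are `FromDir`/`FromArchive`.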
@@ -0,0 +1,79 @@ +package lintcontext + +import ( + "log" + "os" + "path/filepath" + "strings" + + "github.com/pkg/errors" + "helm.sh/helm/v3/pkg/chart" + "helm.sh/helm/v3/pkg/chart/loader" + "helm.sh/helm/v3/pkg/chartutil" + "helm.sh/helm/v3/pkg/engine" +) + +func (l *lintContextImpl) loadObjectsFromHelmChart(path string, options HelmOptions) error { + metadata := ObjectMetadata{FilePath: path} + renderedFiles, err := l.renderHelmChart(path, options) + if err != nil { + l.addInvalidObjects(InvalidObject{Metadata: metadata, LoadErr: err}) + return nil + } + for path, contents := range renderedFiles { + // The first element of path will be the same as the last element of dir, because + // Helm duplicates it. + pathToTemplate := filepath.Join(filepath.Dir(path), path) + if err := l.loadObjectsFromReader(pathToTemplate, strings.NewReader(contents)); err != nil { + return errors.Wrapf(err, "loading objects from rendered helm chart %s/%s", path, pathToTemplate) + } + } + return nil +} + +func (l *lintContextImpl) renderHelmChart(path string, options HelmOptions) (map[string]string, error) { + // Helm doesn't have great logging behaviour, and can spam stderr, so silence their logging. + // TODO: capture these logs. 
+ log.SetOutput(nopWriter{}) + defer log.SetOutput(os.Stderr) + + var chrt *chart.Chart + var err error + if options.FromDir && options.FromArchive { + err = errors.New("cannot specify that helm chart is both a directory and an archive") + } else if options.FromArchive { + chrt, err = loader.LoadFile(path) + } else if options.FromDir { + chrt, err = loader.Load(path) + } else { + chrt, err = loader.LoadArchive(options.FromReader) + } + if err != nil { + return nil, err + } + + if err := chrt.Validate(); err != nil { + return nil, err + } + values, err := l.helmValuesOptions.MergeValues(nil) + if err != nil { + return nil, errors.Wrap(err, "loading provided Helm value options") + } + + return l.renderValues(chrt, values) +} + +func (l *lintContextImpl) renderValues(chrt *chart.Chart, values map[string]interface{}) (map[string]string, error) { + valuesToRender, err := chartutil.ToRenderValues(chrt, values, chartutil.ReleaseOptions{Name: "test-release", Namespace: "default"}, nil) + if err != nil { + return nil, err + } + + e := engine.Engine{LintMode: true} + rendered, err := e.Render(chrt, valuesToRender) + if err != nil { + return nil, errors.Wrap(err, "failed to render") + } + + return rendered, nil +} diff --git a/pkg/lintcontext/parse_yaml.go b/pkg/lintcontext/parse_yaml.go index ae05228f9..2cbb6ab05 100644 --- a/pkg/lintcontext/parse_yaml.go +++ b/pkg/lintcontext/parse_yaml.go @@ -5,20 +5,11 @@ import ( "bytes" "fmt" "io" - "log" "os" - "path/filepath" - "strings" - y "github.com/ghodss/yaml" ocsAppsV1 "github.com/openshift/api/apps/v1" "github.com/pkg/errors" "golang.stackrox.io/kube-linter/pkg/k8sutil" - "helm.sh/helm/v3/pkg/chart" - "helm.sh/helm/v3/pkg/chart/loader" - "helm.sh/helm/v3/pkg/chartutil" - "helm.sh/helm/v3/pkg/cli/values" - "helm.sh/helm/v3/pkg/engine" v1 "k8s.io/api/core/v1" "k8s.io/apimachinery/pkg/runtime" "k8s.io/apimachinery/pkg/runtime/serializer" 
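Review bot: In the new `pkg/lintcontext/parse_helm.go`, the loop `for path, contents := range renderedFiles` in `loadObjectsFromHelmChart` shadows the `path` parameter. As a result `filepath.Join(filepath.Dir(path), path)` joins each rendered template name with its own directory instead of the chart's parent directory, which is what the removed code computed with `filepath.Dir(dir)`. The `FilePath` attached to loaded objects, and the wrapped error message, therefore no longer point at the chart on disk. Renaming the loop variable restores the old result: `for tmplPath, contents := range renderedFiles {` with `pathToTemplate := filepath.Join(filepath.Dir(path), tmplPath)`. In `renderHelmChart`, the final `else` calls `loader.LoadArchive(options.FromReader)` whenever neither flag is set, so an explicit `options.FromReader == nil` check returning an error would be safer than passing a nil reader through.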
@@ -84,102 +75,6 @@ func (w nopWriter) Write(p []byte) (n int, err error) { return len(p), nil } -func (l *lintContextImpl) renderHelmChart(dir string) (map[string]string, error) { - // Helm doesn't have great logging behaviour, and can spam stderr, so silence their logging. - // TODO: capture these logs. - log.SetOutput(nopWriter{}) - defer log.SetOutput(os.Stderr) - chrt, err := loader.Load(dir) - if err != nil { - return nil, err - } - if err := chrt.Validate(); err != nil { - return nil, err - } - valOpts := &values.Options{ValueFiles: []string{filepath.Join(dir, "values.yaml")}} - values, err := valOpts.MergeValues(nil) - if err != nil { - return nil, errors.Wrap(err, "loading values.yaml file") - } - return l.renderValues(chrt, values) -} - -func (l *lintContextImpl) renderValues(chrt *chart.Chart, values map[string]interface{}) (map[string]string, error) { - valuesToRender, err := chartutil.ToRenderValues(chrt, values, chartutil.ReleaseOptions{Name: "test-release", Namespace: "default"}, nil) - if err != nil { - return nil, err - } - - e := engine.Engine{LintMode: true} - rendered, err := e.Render(chrt, valuesToRender) - if err != nil { - return nil, errors.Wrap(err, "failed to render") - } - - return rendered, nil -} - -func (l *lintContextImpl) loadObjectsFromHelmChart(dir string) error { - metadata := ObjectMetadata{FilePath: dir} - renderedFiles, err := l.renderHelmChart(dir) - if err != nil { - l.addInvalidObjects(InvalidObject{Metadata: metadata, LoadErr: err}) - return nil - } - for path, contents := range renderedFiles { - // The first element of path will be the same as the last element of dir, because - // Helm duplicates it. 
- pathToTemplate := filepath.Join(filepath.Dir(dir), path) - if err := l.loadObjectsFromReader(pathToTemplate, strings.NewReader(contents)); err != nil { - return errors.Wrapf(err, "loading objects from rendered helm chart %s/%s", dir, pathToTemplate) - } - } - return nil -} - -func (l *lintContextImpl) loadObjectsFromTgzHelmChart(tgzFile string) error { - metadata := ObjectMetadata{FilePath: tgzFile} - renderedFiles, err := l.renderTgzHelmChart(tgzFile) - if err != nil { - l.invalidObjects = append(l.invalidObjects, InvalidObject{Metadata: metadata, LoadErr: err}) - return nil - } - for path, contents := range renderedFiles { - // The first element of path will be the same as the last element of tgzFile, because - // Helm duplicates it. - pathToTemplate := filepath.Join(filepath.Dir(tgzFile), path) - if err := l.loadObjectsFromReader(pathToTemplate, strings.NewReader(contents)); err != nil { - return errors.Wrapf(err, "loading objects from rendered helm chart %s/%s", tgzFile, pathToTemplate) - } - } - return nil -} - -func (l *lintContextImpl) renderTgzHelmChart(tgzFile string) (map[string]string, error) { - log.SetOutput(nopWriter{}) - defer log.SetOutput(os.Stderr) - chrt, err := loader.LoadFile(tgzFile) - - if err != nil { - return nil, err - } - if err := chrt.Validate(); err != nil { - return nil, err - } - - return l.renderChart(tgzFile, chrt) -} - -func (l *lintContextImpl) parseValues(filePath string, bytes []byte) (map[string]interface{}, error) { - currentMap := map[string]interface{}{} - - if err := y.Unmarshal(bytes, ¤tMap); err != nil { - return nil, errors.Wrapf(err, "failed to parse %s", filePath) - } - - return currentMap, nil -} - func (l *lintContextImpl) loadObjectFromYAMLReader(filePath string, r *yaml.YAMLReader) error { doc, err := r.Read() if err != nil { 
@@ -238,58 +133,3 @@ func (l *lintContextImpl) loadObjectsFromReader(filePath string, reader io.Reade } } } - -func (l *lintContextImpl) renderChart(fileName string, chart *chart.Chart) (map[string]string, error) { - if err := chart.Validate(); err != nil { - return nil, err - } - - valuesIndex := -1 - for i, f := range chart.Raw { - if f.Name == "values.yaml" { - valuesIndex = i - break - } - } - - indexName := filepath.Join(fileName, "values.yaml") - if valuesIndex == -1 { - return nil, errors.Errorf("%s not found", indexName) - } - - values, err := l.parseValues(indexName, chart.Raw[valuesIndex].Data) - if err != nil { - return nil, errors.Wrap(err, "loading values.yaml file") - } - - return l.renderValues(chart, values) -} - -func (l *lintContextImpl) renderTgzHelmChartReader(fileName string, tgzReader io.Reader) (map[string]string, error) { - // Helm doesn't have great logging behaviour, and can spam stderr, so silence their logging. - log.SetOutput(nopWriter{}) - defer log.SetOutput(os.Stderr) - chrt, err := loader.LoadArchive(tgzReader) - - if err != nil { - return nil, err - } - - return l.renderChart(fileName, chrt) -} - -func (l *lintContextImpl) readObjectsFromTgzHelmChart(fileName string, tgzReader io.Reader) error { - metadata := ObjectMetadata{FilePath: fileName} - renderedFiles, err := l.renderTgzHelmChartReader(fileName, tgzReader) - if err != nil { - l.invalidObjects = append(l.invalidObjects, InvalidObject{Metadata: metadata, LoadErr: err}) - return nil - } - for path, contents := range renderedFiles { - pathToTemplate := filepath.Join(fileName, path) - if err := l.loadObjectsFromReader(pathToTemplate, strings.NewReader(contents)); err != nil { - return errors.Wrapf(err, "loading objects from rendered helm chart %s", pathToTemplate) - } - } - return nil -}