Merge pull request #87 from Peefy/publish-more-validation-modules

feat: publish more validation modules

Author: Peefy

disallow-anonymous/kcl.mod

@@ -2,3 +2,4 @@
 name = "disallow-anonymous"
 version = "0.1.0"
 description = "`disallow-anonymous` is a kcl validation package"
+

disallow-anonymous/kcl.mod.lock

@@ -3,3 +3,4 @@ name = "k8s"
 edition = "*"
 version = "1.18"
 description = "`k8s` is a KCL module contains all the built-in Kubernetes resource models (the CRDs are not included here)."
+

k8s/1.18/kcl.mod

@@ -2,3 +2,4 @@
 name = "psp-app-armor"
 version = "0.1.0"
 description = "`psp-app-armor` is a kcl validation package"
+

psp-app-armor/kcl.mod

@@ -0,0 +1,5 @@
+[package]
+name = "restrict-automount-sa-token"
+version = "0.1.1"
+description = "`restrict-automount-sa-token` is a KCL validation module"
+

psp-app-armor/kcl.mod.lock

@@ -0,0 +1,13 @@
+KINDS = [
+    "Pod"
+]
+
+# Define the validation function
+validate = lambda item: {str:} {
+    if item?.kind in KINDS:
+        annotations: {str:str} = item.metadata.annotations
+        assert item?.spec?.automountServiceAccountToken not in ["true"], "Auto-mounting of Service Account tokens is not allowed."
+    item
+}
+# Validate All resource
+items = [validate(i) for i in option("items") or []]

restrict-automount-sa-token/README.md

@@ -0,0 +1,5 @@
+[package]
+name = "restrict-binding-clusteradmin"
+version = "0.1.1"
+description = "`restrict-binding-clusteradmin` is a KCL validation module"
+

restrict-automount-sa-token/kcl.mod

@@ -0,0 +1,13 @@
+KINDS = [
+    "RoleBinding"
+    "ClusterRoleBinding"
+]
+
+# Define the validation function
+validate = lambda item: {str:} {
+    if item?.kind in KINDS:
+        assert item?.roleRef != "cluster-admin", "Binding to cluster-admin is not allowed."
+    item
+}
+# Validate All resource
+items = [validate(i) for i in option("items") or []]

restrict-automount-sa-token/kcl.mod.lock

@@ -0,0 +1,5 @@
+[package]
+name = "restrict-binding-system-group-restrict-anonymous"
+version = "0.1.1"
+description = "`restrict-binding-system-group-restrict-anonymous` is a KCL validation module"
+

restrict-automount-sa-token/main.k

@@ -0,0 +1,15 @@
+KINDS = [
+    "RoleBinding"
+    "ClusterRoleBinding"
+]
+
+# Define the validation function
+validate = lambda item: {str:} {
+    if item?.kind in KINDS and item?.subjects:
+        assert all s in item.subjects {
+            s.name != "system:anonymous"
+        }, "Binding to system:anonymous is not allowed."
+    item
+}
+# Validate All resource
+items = [validate(i) for i in option("items") or []]

restrict-binding-clusteradmin/README.md

@@ -0,0 +1,5 @@
+[package]
+name = "restrict-binding-system-group-restrict-masters"
+version = "0.1.1"
+description = "`restrict-binding-system-group-restrict-masters` is a KCL validation module"
+

restrict-binding-clusteradmin/kcl.mod

@@ -0,0 +1,15 @@
+KINDS = [
+    "RoleBinding"
+    "ClusterRoleBinding"
+]
+
+# Define the validation function
+validate = lambda item: {str:} {
+    if item?.kind in KINDS and item?.subjects:
+        assert all s in item.subjects {
+            s.name != "system:masters"
+        }, "Binding to system:masters is not allowed."
+    item
+}
+# Validate All resource
+items = [validate(i) for i in option("items") or []]

restrict-binding-clusteradmin/kcl.mod.lock

@@ -0,0 +1,5 @@
+[package]
+name = "restrict-binding-system-group-restrict-subject-name"
+version = "0.1.1"
+description = "`restrict-binding-system-group-restrict-subject-name` is a KCL validation module"
+

restrict-binding-clusteradmin/main.k

@@ -0,0 +1,16 @@
+KINDS = [
+    "RoleBinding"
+    "ClusterRoleBinding"
+]
+names: [str] = option("params")?.names or []
+
+# Define the validation function
+validate = lambda item: {str:} {
+    if item?.kind in KINDS and item?.subjects:
+        assert all s in item.subjects {
+            s.name not in names
+        }, "Binding to ${names} is not allowed."
+    item
+}
+# Validate All resource
+items = [validate(i) for i in option("items") or []]

restrict-binding-system-group-restrict-anonymous/README.md

@@ -0,0 +1,5 @@
+[package]
+name = "restrict-binding-system-group-restrict-unauthenticated"
+version = "0.1.1"
+description = "`restrict-binding-system-group-restrict-unauthenticated` is a KCL validation module"
+

restrict-binding-system-group-restrict-anonymous/kcl.mod

@@ -0,0 +1,15 @@
+KINDS = [
+    "RoleBinding"
+    "ClusterRoleBinding"
+]
+
+# Define the validation function
+validate = lambda item: {str:} {
+    if item?.kind in KINDS and item?.subjects:
+        assert all s in item.subjects {
+            s.name != "system:unauthenticated"
+        }, "Binding to system:unauthenticated is not allowed."
+    item
+}
+# Validate All resource
+items = [validate(i) for i in option("items") or []]

restrict-binding-system-group-restrict-anonymous/kcl.mod.lock

@@ -0,0 +1,5 @@
+[package]
+name = "restrict-clusterrole-nodesproxy"
+version = "0.1.1"
+description = "`restrict-clusterrole-nodesproxy` is a KCL validation module"
+

restrict-binding-system-group-restrict-anonymous/main.k

@@ -0,0 +1,15 @@
+KINDS = [
+    "ClusterRole"
+]
+
+# Define the validation function
+validate = lambda item: {str:} {
+    if item?.kind in KINDS:
+        resources = [res for r in item.rules for res in r.resources]
+        assert all res in resources {
+            res not in ["nodes/proxy"]
+        }, "A ClusterRole containing the nodes/proxy resource is not allowed."
+    item
+}
+# Validate All resource
+items = [validate(i) for i in option("items") or []]

restrict-binding-system-group-restrict-masters/README.md

@@ -0,0 +1,5 @@
+[package]
+name = "restrict-control-plane-scheduling-control-plane"
+version = "0.1.1"
+description = "`restrict-control-plane-scheduling-control-plane` is a KCL validation module"
+

restrict-binding-system-group-restrict-masters/kcl.mod

@@ -0,0 +1,15 @@
+KINDS = [
+    "Pod"
+]
+
+# Define the validation function
+validate = lambda item: {str:} {
+    if item?.kind in KINDS:
+        keys = [key for t in item.spec.tolerations for key in t.key]
+        assert all key in keys {
+            key not in ["node-role.kubernetes.io/control-plane"]
+        }, "Pods may not use tolerations which schedule on control plane nodes."
+    item
+}
+# Validate All resource
+items = [validate(i) for i in option("items") or []]

restrict-binding-system-group-restrict-masters/kcl.mod.lock

@@ -0,0 +1,5 @@
+[package]
+name = "restrict-control-plane-scheduling-master"
+version = "0.1.1"
+description = "`restrict-control-plane-scheduling-master` is a KCL validation module"
+

restrict-binding-system-group-restrict-masters/main.k

@@ -0,0 +1,15 @@
+KINDS = [
+    "Pod"
+]
+
+# Define the validation function
+validate = lambda item: {str:} {
+    if item?.kind in KINDS:
+        keys = [key for t in item.spec.tolerations for key in t.key]
+        assert all key in keys {
+            key not in ["node-role.kubernetes.io/master"]
+        }, "Pods may not use tolerations which schedule on masters nodes."
+    item
+}
+# Validate All resource
+items = [validate(i) for i in option("items") or []]

restrict-binding-system-group-restrict-subject-name/README.md

@@ -0,0 +1,5 @@
+[package]
+name = "restrict-control-plane-scheduling-nodes"
+version = "0.1.1"
+description = "`restrict-control-plane-scheduling-nodes` is a KCL validation module"
+

restrict-binding-system-group-restrict-subject-name/kcl.mod

@@ -0,0 +1,16 @@
+KINDS = [
+    "Pod"
+]
+nodes: [str] = option("params")?.nodes or []
+
+# Define the validation function
+validate = lambda item: {str:} {
+    if item?.kind in KINDS:
+        keys = [key for t in item.spec.tolerations for key in t.key]
+        assert all key in keys {
+            key not in nodes
+        }, "Pods may not use tolerations which schedule on nodes ${nodes}."
+    item
+}
+# Validate All resource
+items = [validate(i) for i in option("items") or []]

restrict-binding-system-group-restrict-subject-name/kcl.mod.lock

@@ -0,0 +1,5 @@
+[package]
+name = "restrict-deprecated-k8s-gcr-io-registry"
+version = "0.1.1"
+description = "`restrict-deprecated-k8s-gcr-io-registry` is a KCL validation module"
+

restrict-binding-system-group-restrict-subject-name/main.k

@@ -0,0 +1,20 @@
+get_containers = lambda item: {str:} {
+    containers = []
+    if item.kind == "Pod":
+        containers = (item.spec.containers or []) + (item.spec.initContainers or []) + (item.spec.ephemeralContainers or [])
+    elif item.kind == "Deployment":
+        containers = (item.spec.template.spec.containers or []) + (item.spec.template.spec.initContainers or []) + (item.spec.template.spec.ephemeralContainers or [])
+    containers = [c for c in containers]
+}
+
+# Define the validation function
+validate = lambda item: {str:} {
+    containers = get_containers(item)
+    if containers:
+        assert all c in containers {
+            not c.image.startswith("k8s.gcr.io/")
+        }, "The \"k8s.gcr.io\" image registry is deprecated. \"registry.k8s.io\" should now be used."
+    item
+}
+# Validate All resource
+items = [validate(i) for i in option("items") or []]

restrict-binding-system-group-restrict-unauthenticated/README.md

@@ -0,0 +1,5 @@
+[package]
+name = "restrict-deprecated-registries"
+version = "0.1.1"
+description = "`restrict-deprecated-registries` is a KCL validation module"
+

restrict-binding-system-group-restrict-unauthenticated/kcl.mod

@@ -0,0 +1,24 @@
+registries: [str] = option("registries")?.nodes or []
+
+get_containers = lambda item: {str:} {
+    containers = []
+    if item.kind == "Pod":
+        containers = (item.spec.containers or []) + (item.spec.initContainers or []) + (item.spec.ephemeralContainers or [])
+    elif item.kind == "Deployment":
+        containers = (item.spec.template.spec.containers or []) + (item.spec.template.spec.initContainers or []) + (item.spec.template.spec.ephemeralContainers or [])
+    containers = [c for c in containers]
+}
+
+# Define the validation function
+validate = lambda item: {str:} {
+    containers = get_containers(item)
+    if containers and registries:
+        assert all c in containers {
+            all r in registries {
+                not c.image.startswith(r)
+            }
+        }, "The image registries ${registries} are deprecated."
+    item
+}
+# Validate All resource
+items = [validate(i) for i in option("items") or []]