feat: publish more validation modules about kubernetes resources

Signed-off-by: peefy <[email protected]>

Author: Peefy

restrict-ingress-wildcard/README.md

@@ -0,0 +1,5 @@
+[package]
+name = "restrict-ingress-wildcard"
+version = "0.1.0"
+description = "`restrict-ingress-wildcard` is a KCL validation module"
+

restrict-ingress-wildcard/kcl.mod

@@ -0,0 +1,15 @@
+KINDS = [
+    "Ingress"
+]
+
+# Define the validation function
+validate = lambda item: {str:} {
+    if item?.kind in KINDS:
+        hosts: [str] = [h for r in item.spec.rules for h in r.host]
+        assert all host in hosts {
+            "*" not in host
+        }, "Wildcards are not permitted as hosts ${hosts}"
+    item
+}
+# Validate All resource
+items = [validate(i) for i in option("items") or []]

restrict-ingress-wildcard/kcl.mod.lock

@@ -0,0 +1,5 @@
+[package]
+name = "restrict-jobs"
+version = "0.1.0"
+description = "`restrict-jobs` is a KCL validation module"
+

restrict-ingress-wildcard/main.k

@@ -0,0 +1,15 @@
+KINDS = [
+    "Job"
+]
+
+# Define the validation function
+validate = lambda item: {str:} {
+    if item?.kind in KINDS:
+        kinds: [str] = [o.kind for o in item.metadata?.ownerReferences]
+        assert all kind in kinds {
+            kind == "CronJob"
+        }, "Jobs are only allowed if spawned from CronJobs, got kinds ${kinds}"
+    item
+}
+# Validate All resource
+items = [validate(i) for i in option("items") or []]

restrict-jobs/README.md

@@ -0,0 +1,5 @@
+[package]
+name = "restrict-load-balancer"
+version = "0.1.0"
+description = "`restrict-load-balancer` is a KCL validation module"
+

restrict-jobs/kcl.mod

@@ -0,0 +1,12 @@
+KINDS = [
+    "Service"
+]
+
+# Define the validation function
+validate = lambda item: {str:} {
+    if item?.kind in KINDS:
+        assert item?.spec?.type != "LoadBalance", "Service of type LoadBalancer is not allowed."
+    item
+}
+# Validate All resource
+items = [validate(i) for i in option("items") or []]

restrict-jobs/kcl.mod.lock

@@ -0,0 +1,5 @@
+[package]
+name = "restrict-networkpolicy-empty-podselector"
+version = "0.1.0"
+description = "`restrict-networkpolicy-empty-podselector` is a KCL validation module"
+

restrict-jobs/main.k

@@ -0,0 +1,12 @@
+KINDS = [
+    "NetworkPolicy"
+]
+
+# Define the validation function
+validate = lambda item: {str:} {
+    if item?.kind in KINDS and item.metadata.name not in ["default-deny"]:
+        assert len(item?.spec.podSelector or {}) > 0, "NetworkPolicies must not use an empty podSelector."
+    item
+}
+# Validate All resource
+items = [validate(i) for i in option("items") or []]

restrict-load-balancer/README.md

@@ -0,0 +1,5 @@
+[package]
+name = "restrict-node-affinity"
+version = "0.1.0"
+description = "`restrict-node-affinity` is a KCL validation module"
+

restrict-load-balancer/kcl.mod

@@ -0,0 +1,12 @@
+KINDS = [
+    "Pod"
+]
+
+# Define the validation function
+validate = lambda item: {str:} {
+    if item?.kind in KINDS:
+        assert not item?.spec?.affinity?.nodeAffinity, "Node affinity cannot be used."
+    item
+}
+# Validate All resource
+items = [validate(i) for i in option("items") or []]

restrict-load-balancer/kcl.mod.lock

@@ -0,0 +1,5 @@
+[package]
+name = "restrict-node-annotation-creation"
+version = "0.1.0"
+description = "`restrict-node-annotation-creation` is a KCL validation module"
+

restrict-load-balancer/main.k

@@ -0,0 +1,16 @@
+KINDS = [
+    "Node"
+]
+annotations: [str] = option("params")?.annotations or []
+
+# Define the validation function
+validate = lambda item: {str:} {
+    if item?.kind in KINDS and annotations:
+        set_annotations: {str:str} = item?.metadata?.annotations
+        assert all l in set_annotations {
+            l not in annotations
+        }, "Setting the annotations ${annotations} on a Node is not allowed."
+    item
+}
+# Validate All resource
+items = [validate(i) for i in option("items") or []]

restrict-networkpolicy-empty-podselector/README.md

@@ -0,0 +1,5 @@
+[package]
+name = "restrict-node-label-creation"
+version = "0.1.0"
+description = "`restrict-node-label-creation` is a KCL validation module"
+

restrict-networkpolicy-empty-podselector/kcl.mod

@@ -0,0 +1,16 @@
+KINDS = [
+    "Node"
+]
+labels: [str] = option("params")?.labels or []
+
+# Define the validation function
+validate = lambda item: {str:} {
+    if item?.kind in KINDS and labels:
+        set_labels: {str:str} = item?.metadata?.labels
+        assert all l in set_labels {
+            l not in labels
+        }, "Setting the labels ${labels} on a Node is not allowed."
+    item
+}
+# Validate All resource
+items = [validate(i) for i in option("items") or []]

restrict-networkpolicy-empty-podselector/kcl.mod.lock

@@ -0,0 +1,5 @@
+[package]
+name = "restrict-node-name"
+version = "0.1.0"
+description = "`restrict-node-name` is a KCL validation module"
+

restrict-networkpolicy-empty-podselector/main.k

@@ -0,0 +1,12 @@
+KINDS = [
+    "Pod"
+]
+
+# Define the validation function
+validate = lambda item: {str:} {
+    if item?.kind in KINDS:
+        assert not item?.spec?.nodeName, "Setting the nodeName field is prohibited."
+    item
+}
+# Validate All resource
+items = [validate(i) for i in option("items") or []]

restrict-node-affinity/README.md

@@ -0,0 +1,5 @@
+[package]
+name = "restrict-node-selector"
+version = "0.1.0"
+description = "`restrict-node-selector` is a KCL validation module"
+

restrict-node-affinity/kcl.mod

@@ -0,0 +1,12 @@
+KINDS = [
+    "Pod"
+]
+
+# Define the validation function
+validate = lambda item: {str:} {
+    if item?.kind in KINDS:
+        assert not item?.spec?.nodeSelector, "Setting the nodeSelector field is prohibited."
+    item
+}
+# Validate All resource
+items = [validate(i) for i in option("items") or []]

restrict-node-affinity/kcl.mod.lock

@@ -0,0 +1,5 @@
+[package]
+name = "restrict-role-wildcard-resources"
+version = "0.1.0"
+description = "`restrict-role-wildcard-resources` is a KCL validation module"
+

restrict-node-affinity/main.k

@@ -0,0 +1,15 @@
+KINDS = [
+    "Role"
+    "ClusterRole"
+]
+
+# Define the validation function
+validate = lambda item: {str:} {
+    if item?.kind in KINDS:
+        assert all r in item.rules {
+            "*" not in r.resources
+        }, "Use of a wildcard ('*') in any resources is forbidden."
+    item
+}
+# Validate All resource
+items = [validate(i) for i in option("items") or []]

restrict-node-annotation-creation/README.md

@@ -0,0 +1,5 @@
+[package]
+name = "restrict-role-wildcard-verbs"
+version = "0.1.0"
+description = "`restrict-role-wildcard-verbs` is a KCL validation module"
+

restrict-node-annotation-creation/kcl.mod

@@ -0,0 +1,15 @@
+KINDS = [
+    "Role"
+    "ClusterRole"
+]
+
+# Define the validation function
+validate = lambda item: {str:} {
+    if item?.kind in KINDS:
+        assert all r in item.rules {
+            "*" not in r.verbs
+        }, "Use of a wildcard ('*') in any verbs is forbidden."
+    item
+}
+# Validate All resource
+items = [validate(i) for i in option("items") or []]

restrict-node-annotation-creation/kcl.mod.lock

@@ -0,0 +1,5 @@
+[package]
+name = "restrict-scale"
+version = "0.1.0"
+description = "`restrict-scale` is a KCL validation module"
+

restrict-node-annotation-creation/main.k

@@ -0,0 +1,14 @@
+KINDS = [
+    "Deployment"
+]
+
+replicas: int = option("params")?.replicas or 5
+
+# Define the validation function
+validate = lambda item: {str:} {
+    if item?.kind in KINDS:
+        assert (item.spec?.replicas or 0) <= replicas, "The replica count for this Deployment may not exceed ${replicas}."
+    item
+}
+# Validate All resource
+items = [validate(i) for i in option("items") or []]

restrict-node-label-creation/README.md

@@ -0,0 +1,5 @@
+[package]
+name = "restrict-secret-role-verbs"
+version = "0.1.0"
+description = "`restrict-secret-role-verbs` is a KCL validation module"
+

restrict-node-label-creation/kcl.mod

@@ -0,0 +1,16 @@
+KINDS = [
+    "Role"
+    "ClusterRole"
+]
+
+# Define the validation function
+validate = lambda item: {str:} {
+    if item?.kind in KINDS:
+        verbs = [v for r in item.rules for v in r.verbs or [] if "secrets" in r.resources]
+        assert all verb in verbs {
+            verb not in ["get", "list", "watch"]
+        }, "Requesting verbs `get`, `list`, or `watch` on Secrets is forbidden."
+    item
+}
+# Validate All resource
+items = [validate(i) for i in option("items") or []]

restrict-node-label-creation/kcl.mod.lock

@@ -0,0 +1,5 @@
+[package]
+name = "restrict-secrets-from-env-from"
+version = "0.1.0"
+description = "`restrict-secrets-from-env-from` is a KCL validation module"
+