Merge pull request #64 from Peefy/add-more-aws-modules

Peefy · web-flow · commit 821202bdd0c7 · 2023-11-09T19:48:18.000+08:00
feat: add aws releted kubernetes modules
diff --git a/deamon-require-aws-node-irsa/README.md b/deamon-require-aws-node-irsa/README.md
@@ -0,0 +1,7 @@
+## Introduction
+
+`deamon-require-aws-node-irsa` is a KCL validation package to validate services of type LoadBalancer when deployed inside AWS have support for transport encryption if it is enabled via an annotation. This policy requires that Services of type LoadBalancer contain the annotation `service.beta.kubernetes.io/aws-load-balancer-ssl-cert` with some value.
+
+## Resource
+
+The Code source and documents are [here](https://github.com/kcl-lang/artifacthub/tree/main/deamon-require-aws-node-irsa)
diff --git a/deamon-require-aws-node-irsa/kcl.mod b/deamon-require-aws-node-irsa/kcl.mod
@@ -0,0 +1,4 @@
+[package]
+name = "deamon-require-aws-node-irsa"
+version = "0.1.0"
+description = "`deamon-require-aws-node-irsa` is a kcl validation package"
diff --git a/deamon-require-aws-node-irsa/main.k b/deamon-require-aws-node-irsa/main.k
@@ -0,0 +1,15 @@
+"""Services of type LoadBalancer when deployed inside AWS have support for
+transport encryption if it is enabled via an annotation. This policy requires
+that Services of type LoadBalancer contain the annotation
+service.beta.kubernetes.io/aws-load-balancer-ssl-cert with some value.
+"""
+
+# Define the validation function
+validate = lambda item {
+    if item.kind == "DaemonSet" and item.metadata.name == "aws-node" and item.metadata.namespace == "kube-system":
+        assert item.spec?.template?.spec?.serviceAccountName == "!aws-node", "Update the aws-node daemonset to use IRSA."
+    item
+}
+
+# Validate All resource
+items = [validate(i) for i in option("items")]
diff --git a/svc-require-encryption-aws-loadbalancers/README.md b/svc-require-encryption-aws-loadbalancers/README.md
@@ -0,0 +1,5 @@
+## Introduction
+
+## Resource
+
+The Code source and documents are [here](https://github.com/kcl-lang/artifacthub/tree/main/svc-require-encryption-aws-loadbalancers)
diff --git a/svc-require-encryption-aws-loadbalancers/kcl.mod b/svc-require-encryption-aws-loadbalancers/kcl.mod
@@ -0,0 +1,4 @@
+[package]
+name = "svc-require-encryption-aws-loadbalancers"
+version = "0.1.0"
+description = "`svc-require-encryption-aws-loadbalancers` is a kcl validation package"
diff --git a/svc-require-encryption-aws-loadbalancers/main.k b/svc-require-encryption-aws-loadbalancers/main.k
@@ -0,0 +1,15 @@
+"""Services of type LoadBalancer when deployed inside AWS have support for
+transport encryption if it is enabled via an annotation. This policy requires
+that Services of type LoadBalancer contain the annotation
+service.beta.kubernetes.io/aws-load-balancer-ssl-cert with some value.
+"""
+
+# Define the validation function
+validate = lambda item {
+    if item.kind == "Service":
+        assert item.metadata?.annotation?["service.beta.kubernetes.io/aws-load-balancer-ssl-cert"] if item?.spec?.type == "LoadBalancer", "Service of type LoadBalancer must carry the annotation service.beta.kubernetes.io/aws-load-balancer-ssl-cert."
+    item
+}
+
+# Validate All resource
+items = [validate(i) for i in option("items")]
