feat: add more istio mutation and validation modules

Signed-off-by: peefy <[email protected]>

Author: Peefy

add-network-policy-dns/kcl.mod

@@ -1,6 +1,6 @@
 [package]
 name = "add-network-policy-dns"
 edition = "*"
-version = "0.1.0"
+version = "0.1.1"
 description = "`add-network-policy-dns` is a KCL mutation module"
 

add-network-policy-dns/main.k

@@ -1,9 +1,9 @@
-ns_list = [item.metadata.name for item in option("items") or [] if item.kind == "Namespace"]
+ns_list: [str] = [item.metadata.name for item in option("items") or [] if item.kind == "Namespace"]
 items = (option("items") or []) + [{
     apiVersion: "networking.k8s.io/v1"
     kind: "NetworkPolicy"
     name: "allow-dns"
-    namespace: "${ns.metadata.name}"
+    namespace: ns
     synchronize: False
     data.spec: {
         # select all pods in the namespace

add-network-policy/kcl.mod

@@ -1,6 +1,6 @@
 [package]
 name = "add-network-policy"
 edition = "*"
-version = "0.1.0"
+version = "0.1.1"
 description = "`add-network-policy` is a KCL mutation module"
 

add-network-policy/main.k

@@ -3,7 +3,7 @@ items = (option("items") or []) + [{
     apiVersion: "networking.k8s.io/v1"
     kind: "NetworkPolicy"
     name: "default-deny"
-    namespace: "${ns.metadata.name}"
+    namespace: ns
     synchronize: True
     data.spec: {
         # select all pods in the namespace

add-rolebinding/kcl.mod

@@ -1,5 +1,5 @@
 [package]
 name = "add-rolebinding"
-version = "0.1.0"
+version = "0.1.1"
 description = "`add-rolebinding` is a KCL mutation module."
 

add-rolebinding/main.k

@@ -7,7 +7,7 @@ items = option("items") + [
         apiVersion: "rbac.authorization.k8s.io/v1"
         kind: "RoleBinding"
         name: "${username}-admin-binding"
-        namespace: ns.metadata.name
+        namespace: ns
         data: {
             roleRef: {
               apiGroup: "rbac.authorization.k8s.io"

istio-add-sidecar-injection/README.md

@@ -0,0 +1,7 @@
+## Introduction
+
+`istio-add-sidecar-injection` is a KCL mutation module to add istio sidecar inject labels for `Namespace` resources.
+
+## Resource
+
+The Code sources and documents are [here](https://github.com/kcl-lang/modules/tree/main/istio-add-sidecar-injection)

istio-add-sidecar-injection/kcl.mod

@@ -0,0 +1,5 @@
+[package]
+name = "istio-add-sidecar-injection"
+edition = "*"
+version = "0.1.0"
+description = "`istio-add-sidecar-injection` is a KCL mutation module"

istio-add-sidecar-injection/main.k

@@ -0,0 +1,6 @@
+items = [item | {
+    if item.kind == "Namespace":
+        metadata.labels: {
+            "istio-injection" = "enabled"
+        }
+} for item in option("items") or []]

istio-check-mtls/README.md

@@ -0,0 +1,7 @@
+## Introduction
+
+`istio-check-mtls` is a KCL validation module.
+
+## Resource
+
+The Code sources and documents are [here](https://github.com/kcl-lang/modules/tree/main/istio-check-mtls)

istio-check-mtls/kcl.mod

@@ -0,0 +1,6 @@
+[package]
+name = "istio-check-mtls"
+edition = "*"
+version = "0.1.0"
+description = "`istio-check-mtls` is a KCL validation module"
+

istio-check-mtls/kcl.mod.lock

@@ -0,0 +1,8 @@
+# Define the validation function
+validate = lambda item {
+    if item.kind == "PeerAuthentication":
+        assert item?.spec?.mtls?.mode in ["UNSET", "STRICT"], "PeerAuthentication resources may only set UNSET or STRICT for the mode."
+    item
+}
+# Validate All resource
+items = [validate(i) for i in option("items") or []]

istio-check-mtls/main.k

@@ -0,0 +1,7 @@
+## Introduction
+
+`istio-check-sidecar-injection-label` is a KCL validation module.
+
+## Resource
+
+The Code sources and documents are [here](https://github.com/kcl-lang/modules/tree/main/istio-check-sidecar-injection-label)

istio-check-sidecar-injection-label/README.md

@@ -0,0 +1,6 @@
+[package]
+name = "istio-check-sidecar-injection-label"
+edition = "*"
+version = "0.1.0"
+description = "`istio-check-sidecar-injection-label` is a KCL validation module"
+

istio-check-sidecar-injection-label/kcl.mod

@@ -0,0 +1,20 @@
+import yaml
+
+# Define the validation function
+validate = lambda item {
+    if item.kind == "Namespace":
+        assert item?.metadata?.labels?["istio-injection"] == "enabled", "All new Namespaces must have Istio sidecar injection enabled."
+    item
+}
+# Validate All resource
+items = [validate(i) for i in option("items") or []]
+
+if option("__test__"):
+    validate(yaml.decode("""\
+apiVersion: v1
+kind: Namespace
+metadata:
+  labels:
+    istio-injection: enabled
+  name: good-istio-suite
+    """))

istio-check-sidecar-injection-label/kcl.mod.lock

@@ -0,0 +1,7 @@
+## Introduction
+
+`istio-check-virtual-service-wildcard` is a KCL validation module.
+
+## Resource
+
+The Code sources and documents are [here](https://github.com/kcl-lang/modules/tree/main/istio-check-virtual-service-wildcard)

istio-check-sidecar-injection-label/main.k

@@ -0,0 +1,6 @@
+[package]
+name = "istio-check-virtual-service-wildcard"
+edition = "*"
+version = "0.1.0"
+description = "`istio-check-virtual-service-wildcard` is a KCL validation module"
+

istio-check-virtual-service-wildcard/README.md

@@ -0,0 +1,11 @@
+# Define the validation function
+validate = lambda item {
+    if item.kind == "VirtualService":
+        hosts: [str] = item?.spec?.hosts or []
+        assert not any host in hosts {
+            "*" not in host
+        }, "Wildcards are not permitted as hosts ${hosts}."
+    item
+}
+# Validate All resource
+items = [validate(i) for i in option("items") or []]

istio-check-virtual-service-wildcard/kcl.mod

@@ -0,0 +1,5 @@
+## Introduction
+
+## Resource
+
+Code source and document is [here](https://github.com/kcl-lang/modules/tree/main/istio-create-authorization-policy)

istio-check-virtual-service-wildcard/kcl.mod.lock

@@ -0,0 +1,4 @@
+[package]
+name = "istio-create-authorization-policy"
+version = "0.1.0"
+description = "`istio-create-authorization-policy` is a kcl mutation package"

istio-check-virtual-service-wildcard/main.k

@@ -0,0 +1,12 @@
+ns_list: [str] = [item.metadata.name for item in option("items") or [] if item.kind == "Namespace"]
+
+items = (option("items") or []) + [
+    {
+        apiVersion: "security.istio.io/v1beta1"
+        kind: "AuthorizationPolicy"
+        name: "default-deny"
+        namespace: ns
+        synchronize: True
+        data.spec: {}
+    } for ns in ns_list
+]

istio-create-authorization-policy/README.md

@@ -0,0 +1,7 @@
+## Introduction
+
+`istio-enforce-tls-hosts-host-subnets` is a KCL validation module.
+
+## Resource
+
+The Code sources and documents are [here](https://github.com/kcl-lang/modules/tree/main/istio-enforce-tls-hosts-host-subnets)

istio-create-authorization-policy/kcl.mod

@@ -0,0 +1,6 @@
+[package]
+name = "istio-enforce-tls-hosts-host-subnets"
+edition = "*"
+version = "0.1.0"
+description = "`istio-enforce-tls-hosts-host-subnets` is a KCL validation module"
+

istio-create-authorization-policy/main.k

@@ -0,0 +1,8 @@
+# Define the validation function
+validate = lambda item {
+    if item.kind == "DestinationRule":
+        assert item?.spec?.trafficPolicy?.tls?.mode not in ["DISABLE"], "TLS may not be disabled for the trafficPolicy in any host."
+    item
+}
+# Validate All resource
+items = [validate(i) for i in option("items") or []]

istio-enforce-tls-hosts-host-subnets/README.md

@@ -0,0 +1,7 @@
+## Introduction
+
+`istio-prevent-disabling-injection-pods` is a KCL validation module.
+
+## Resource
+
+The Code sources and documents are [here](https://github.com/kcl-lang/modules/tree/main/istio-prevent-disabling-injection-pods)

istio-enforce-tls-hosts-host-subnets/kcl.mod

@@ -0,0 +1,6 @@
+[package]
+name = "istio-prevent-disabling-injection-pods"
+edition = "*"
+version = "0.1.0"
+description = "`istio-prevent-disabling-injection-pods` is a KCL validation module"
+

istio-enforce-tls-hosts-host-subnets/kcl.mod.lock

@@ -0,0 +1,8 @@
+# Define the validation function
+validate = lambda item {
+    if item.kind == "Pod":
+        assert item?.metadata?.annotations?["sidecar.istio.io/inject"] != "false", "Pods may not disable sidecar injection by setting the annotation sidecar.istio.io/inject to a value of false."
+    item
+}
+# Validate All resource
+items = [validate(i) for i in option("items") or []]