stackrox / kube-linter

KubeLinter is a static analysis tool that checks Kubernetes YAML files and Helm charts to ensure the applications represented in them adhere to best practices.
https://docs.kubelinter.io/
Apache License 2.0

Support OpenShift objects #25

Open viswajithiii opened 3 years ago

viswajithiii commented 3 years ago

Support checks on OpenShift objects. Suggestions we got were to look at imagestreams, deploymentconfigs, buildconfigs and routes.

mancubus77 commented 3 years ago

+1 for the feature! kube-linter is a great tool for GitOps and DevSecOps

garethahealy commented 3 years ago

@viswajithiii; any plans to support Template, in the same way k8s List and Helm are?

viswajithiii commented 3 years ago

> @viswajithiii; any plans to support Template, in the same way k8s List and Helm are?

Hmm, I'm not familiar with Template. Can you elaborate on how it's used?

garethahealy commented 3 years ago

They are a way to provide a simple template for a list of resources (pre-helm, started in OCP3). Obviously, customers are migrating to better/other ways, but they are still used by a large number of customers.

cat << EOF > template.yaml
apiVersion: template.openshift.io/v1
kind: Template
metadata:
  name: redis-template
  annotations:
    description: "Description"
    iconClass: "icon-redis"
    tags: "database,nosql"
objects:
- apiVersion: v1
  kind: Pod
  metadata:
    name: redis-master
  spec:
    containers:
    - env:
      - name: REDIS_PASSWORD
        value: ${REDIS_PASSWORD}
      image: dockerfile/redis
      name: master
      ports:
      - containerPort: 6379
        protocol: TCP
parameters:
- description: Password used for Redis authentication
  from: '[A-Z0-9]{8}'
  generate: expression
  name: REDIS_PASSWORD
EOF

oc process --local -f template.yaml

viswajithiii commented 3 years ago

Hmm, got it. Interesting. It's definitely worth tracking, but as low priority -- meaning we are unlikely to do it anytime soon internally, but we will accept a PR if someone sends one our way.

jfroment commented 3 years ago

There is a workaround to make OpenShift templates work with kube-linter: just transform the file using basic jq and/or yq commands, which is easily feasible in an automated environment.

An example:

# Expand the template locally (no cluster needed), passing values for
# every parameter the template declares, and capture the resulting List.
oc process --local -f your-openshift-template.yaml \
  -p NAME="some_name" \
  -p ENV="prod" \
  -p IMAGE="myregistry.mycompany.com/image:tag" \
  -p SOME_OTHER_PARAM="someothervalue" \
  -o yaml > list.yaml

file="list.json"

# Convert the List to JSON so jq can index into .items.
# For yq up to version 3.3.2:
# yq r --prettyPrint -j list.yaml > $file

# For yq version 4.8.0:
yq eval -o json list.yaml > $file

# Emit each item of the List as its own YAML document, separated by "---",
# so kube-linter sees plain k8s objects rather than the OpenShift List wrapper.
for k in $(jq '.items | keys | .[]' $file); do
  echo "---" >> all.yaml
  jq ".items[$k]" $file | yq e -P - >> all.yaml
done

# Clean up the intermediate files.
rm -f $file list.yaml

kube-linter lint all.yaml

The idea is to give kube-linter a native k8s object. There are many ways to do it, but here's mine, and it is working like a charm!

garethahealy commented 3 years ago

@jfroment; I already have some code that does that, as I required it for OPA policies I was writing.

It does a bit more than you've suggested, but the idea is the same. Take in a yaml file and convert it to single k8s resources.

The suggestion for this issue was purely based on a few options (List/Helm) that are already supported, so it would be nice to add in another (Templates).