stackrox / kube-linter

KubeLinter is a static analysis tool that checks Kubernetes YAML files and Helm charts to ensure the applications represented in them adhere to best practices.
https://docs.kubelinter.io/
Apache License 2.0

Support `List` kinds #596

Open DazWilkin opened 1 year ago

DazWilkin commented 1 year ago

Description of the problem/feature request

kube-linter could be very useful, thanks for creating it!

As an alternative approach to combining multiple YAML files into one using the document start (---) and stop (...) separators, I prefer to use the List kind.

Unfortunately, this appears to be ignored by kube-linter.

Please consider supporting it.

Description of the existing behavior vs. expected behavior

Using your documentation example:

```
echo '
apiVersion: v1
kind: Pod
metadata:
  name: security-context-demo
spec:
  securityContext:
    runAsUser: 1000
    runAsGroup: 3000
    fsGroup: 2000
  volumes:
  - name: sec-ctx-vol
    emptyDir: {}
  containers:
  - name: sec-ctx-demo
    image: busybox
    resources:
      requests:
        memory: "64Mi"
        cpu: "250m"
    command: [ "sh", "-c", "sleep 1h" ]
    volumeMounts:
    - name: sec-ctx-vol
      mountPath: /data/demo
    securityContext:
      allowPrivilegeEscalation: false
' | kube-linter lint -
```

Yields:

```
KubeLinter development

{elided}

Error: found 4 lint errors
```

But, incorporating the Pod into a List, fails:

```
echo '
apiVersion: v1
kind: List
metadata: {}
list:
- apiVersion: v1
  kind: Pod
  metadata:
    name: security-context-demo
  spec:
    securityContext:
      runAsUser: 1000
      runAsGroup: 3000
      fsGroup: 2000
    volumes:
    - name: sec-ctx-vol
      emptyDir: {}
    containers:
    - name: sec-ctx-demo
      image: busybox
      resources:
        requests:
          memory: "64Mi"
          cpu: "250m"
      command: [ "sh", "-c", "sleep 1h" ]
      volumeMounts:
      - name: sec-ctx-vol
        mountPath: /data/demo
      securityContext:
        allowPrivilegeEscalation: false
' | kube-linter lint -
```

Yields (incorrectly):

```
Warning: no valid objects found.
```

Additional context

I have various occurrences of Lists in my deployments that successfully deploy using kubectl create ....

I'm unable to use these currently with kube-linter because kube-linter doesn't support List.

For example:

```
# Provide an Example YAML `List` with one `Deployment`, one `Service` and one `VPA`
cat example \
| kube-linter lint -
Warning: no valid objects found.
# Same Example YAML but using yq to extract the `Deployment`
cat example.yaml \
| yq '.items[0]' \
| kube-linter lint -
KubeLinter development

Error: found 4 lint errors
# Same Example YAML but using yq to extract the `Service`
cat example.yaml \
| yq '.items[1]' \
| kube-linter lint -
KubeLinter development

Error: found 1 lint errors
```

janisz commented 1 year ago

Keep in mind that kind: List is not part of the Kubernetes API; it is exposing an implementation detail from client-side code in those tools, used to handle groups of mixed resources.

Although Lists are not part of the official API, I think we should consider supporting them, as kubelinter is meant to lint files applied by kubectl.
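
A pre-processing sketch for the behaviour reported in this thread, added here as an example (it is not part of the issue and not kube-linter code): it generalizes the per-index `yq '.items[N]'` extraction above by unwrapping every `kind: List`, including nested ones, into a `---`-separated stream, and it fails closed when no objects are found so that an unlinted manifest is not mistaken for a clean one. It assumes wrapped objects sit under `items` and that PyYAML is installed; the function names and `SAMPLE` are constructed for illustration.

```python
#!/usr/bin/env python3
"""Expand `kind: List` wrappers into a multi-document YAML stream.

Added example, not kube-linter code. Assumes wrapped objects sit under
`items`, as in the thread's `yq '.items[0]'` commands.
"""
import sys


def expand(obj):
    """Yield the objects inside a List (recursing into nested Lists)."""
    if not isinstance(obj, dict):
        return  # empty document or bare scalar: nothing to lint
    if obj.get("kind") == "List":
        for item in obj.get("items") or []:
            yield from expand(item)
    else:
        yield obj


def flatten_docs(docs):
    """Flatten parsed documents; fail closed if nothing is left to lint."""
    objects = [o for doc in docs for o in expand(doc)]
    if not objects:
        raise ValueError("no Kubernetes objects found; refusing to emit an empty stream")
    return objects


def flatten_stream(text):
    """YAML text in, `---`-separated YAML text out."""
    import yaml  # PyYAML (assumed installed); lazy so expand() has no dependency
    objects = flatten_docs(yaml.safe_load_all(text))
    return yaml.safe_dump_all(objects, sort_keys=False, explicit_start=True)


# Constructed sample: a List holding a Pod and a nested List with a Service.
SAMPLE = {
    "apiVersion": "v1", "kind": "List", "items": [
        {"apiVersion": "v1", "kind": "Pod", "metadata": {"name": "a"}},
        {"apiVersion": "v1", "kind": "List", "items": [
            {"apiVersion": "v1", "kind": "Service", "metadata": {"name": "b"}}]},
    ],
}

if __name__ == "__main__":
    try:
        sys.stdout.write(flatten_stream(sys.stdin.read()))
    except ValueError as err:
        sys.exit(f"flatten-list: {err}")
```

Saved under a hypothetical name such as `flatten_list.py`, it would be used as `python3 flatten_list.py < example.yaml | kube-linter lint -`; the non-zero exit on an empty result only stops the pipeline if the shell runs with `set -o pipefail`.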