add kubelinter (#437)

* add kubelint * Update .travis.yml * Update .travis.yml * Update .travis.yml * update kubelint * Update .travis.yml * Update .travis.yml * Update .travis.yml * Update .travis.yml * Update kubelint-config.yaml * move kubelint download to build * chmod * Update download-kubelint.sh * remove duplicate
razee-io · Feb 14, 2024 · d2597d4 · d2597d4
1 parent 9952103
commit d2597d4
Show file tree

Hide file tree

Showing 3 changed files with 42 additions and 4 deletions.
diff --git a/.travis.yml b/.travis.yml
@@ -18,6 +18,7 @@ before_install:
   - export WS_PRODUCTNAME=${WS_PRODUCTNAME}
   - export WS_PROJECTNAME=RemoteResource
   - export WS_WSS_URL=https://ibmets.whitesourcesoftware.com/agent
+  - ./build/download-kubelint.sh
 
 jobs:
   include:
@@ -33,8 +34,6 @@ jobs:
        - docker build --rm -t "quay.io/razee/remoteresource:${TRAVIS_COMMIT}-amd64" .
        - if [ -n "${TRAVIS_TAG}" ]; then docker tag quay.io/razee/remoteresource:${TRAVIS_COMMIT}-amd64 quay.io/razee/remoteresource:${TRAVIS_TAG}-amd64; fi
        - docker images
-       - ./build/process-template.sh kubernetes/RemoteResource/resource.yaml >/tmp/resource.yaml
-
      before_deploy:
        - docker login -u="${QUAY_ID}" -p="${QUAY_TOKEN}" quay.io
 
@@ -64,7 +63,6 @@ jobs:
        - docker build --rm -t "quay.io/razee/remoteresource:${TRAVIS_COMMIT}-ppc64le" .
        - if [ -n "${TRAVIS_TAG}" ]; then docker tag quay.io/razee/remoteresource:${TRAVIS_COMMIT}-ppc64le quay.io/razee/remoteresource:${TRAVIS_TAG}-ppc64le; fi
        - docker images
-       - ./build/process-template.sh kubernetes/RemoteResource/resource.yaml >/tmp/resource.yaml
 
      before_deploy:
        - docker login -u="${QUAY_ID}" -p="${QUAY_TOKEN}" quay.io
@@ -96,7 +94,6 @@ jobs:
        - docker build --rm -t "quay.io/razee/remoteresource:${TRAVIS_COMMIT}-s390x" .
        - if [ -n "${TRAVIS_TAG}" ]; then docker tag quay.io/razee/remoteresource:${TRAVIS_COMMIT}-s390x quay.io/razee/remoteresource:${TRAVIS_TAG}-s390x; fi
        - docker images
-       - ./build/process-template.sh kubernetes/RemoteResource/resource.yaml >/tmp/resource.yaml
 
      before_deploy:
        - docker login -u="${QUAY_ID}" -p="${QUAY_TOKEN}" quay.io
@@ -123,6 +120,7 @@ jobs:
      script:
        - if [[ $TRAVIS_TAG =~ ^[0-9]+\.[0-9]+\.[0-9]+$ ]]; then npm version --no-git-tag-version "${TRAVIS_TAG}"; fi
        - ./build/process-template.sh kubernetes/RemoteResource/resource.yaml >/tmp/resource.yaml
+       - kubelint /tmp/resource.yaml
        - export DOCKER_CLI_EXPERIMENTAL=enabled
        - sudo chown -R $USER:$USER /etc/docker/
        - |

diff --git a/build/download-kubelint.sh b/build/download-kubelint.sh
@@ -0,0 +1,23 @@
+#!/bin/bash
+kubelint() {
+  DEPLOYMENT_DIR="${1}"
+  KUBELINT_CONFIG="${2}"
+  KUBELINT_VERSION="${3}"
+  if [[ -z "${DEPLOYMENT_DIR}" ]]; then
+    echo "usage: 'kubelint DEPLOYMENT_DIR KUBELINT_CONFIG KUBELINT_VERSION'"
+    exit 1
+  fi
+  [[ -z "${KUBELINT_VERSION}" ]] && KUBELINT_VERSION=latest
+  [[ -z "${KUBELINT_CONFIG}" ]] && KUBELINT_CONFIG=kubelint-config.yaml
+  mkdir -p "${HOME}/bin"
+  curl -sL -o "${HOME}/bin/kube-linter" "https://github.com/stackrox/kube-linter/releases/${KUBELINT_VERSION}/download/kube-linter-linux"
+  chmod +x "${HOME}/bin/kube-linter"
+  if [[ "$FAIL_ON_INVALID_RESOURCE" = "false" ]]; then
+    kube-linter lint -v --fail-if-no-objects-found "${DEPLOYMENT_DIR}" --config "${KUBELINT_CONFIG}"
+  else
+    kube-linter lint -v --fail-on-invalid-resource --fail-if-no-objects-found "${DEPLOYMENT_DIR}" --config "${KUBELINT_CONFIG}"
+  fi
+}
+mkdir -p "${HOME}/bin"
+echo -e "#!/bin/bash\n$(declare -f kubelint)\nkubelint \"\$@\"" > "${HOME}/bin/kubelint"
+chmod +x "${HOME}/bin/kubelint"
diff --git a/kubelint-config.yaml b/kubelint-config.yaml
@@ -0,0 +1,17 @@
+---
+checks:
+  exclude:
+    - "no-read-only-root-fs"  # impacts AT event writing
+    - "unset-cpu-requirements" # cpu limits are bad https://home.robusta.dev/blog/stop-using-cpu-limits
+    - "mismatching-selector" # selectors are immutable
+    - "non-existent-service-account" # razeedeploy-sa created in razeedeploy-delta
+customChecks:
+  - name: ensure-environment-variables-populated
+    template: env-var
+    params:
+      name: "."
+      value: \$.* #ensures no environment variable values in the deployment start with a $
+    remediation: Ensure all of your environment variables are correctly substituted with envstub
+    scope:
+      objectKinds:
+        - DeploymentLike