zapier · MeNsaaH · Dec 18, 2024 · Dec 18, 2024 · Jan 2, 2025 · djeebus
diff --git a/.tool-versions b/.tool-versions
@@ -1,5 +1,5 @@
 earthly 0.8.15
-golang 1.22.7
+golang 1.23.4
 golangci-lint 1.62.2
 helm 3.16.3
 helm-cr 1.6.1

diff --git a/Tiltfile b/Tiltfile
@@ -236,7 +236,7 @@ k8s_resource(
   port_forwards=['2345:2345', '8080:8080'],
   resource_deps=[
     # 'go-build',
-    'go-test',
+    # 'go-test',
     'k8s:namespace',
     'argocd',
     'argocd-crds',

diff --git a/charts/kubechecks/templates/clusterrole.yaml b/charts/kubechecks/templates/clusterrole.yaml
@@ -7,5 +7,5 @@ rules:
     resources: ['applications', 'appprojects', 'applicationsets', 'services']
     verbs: ['get', 'list', 'watch']
   - apiGroups: [''] # The core API group, which is indicated by an empty string
-    resources: ['secrets']
+    resources: ['secrets', 'configmaps']
     verbs: ['get', 'list', 'watch']
diff --git a/cmd/controller.go b/cmd/controller.go
@@ -79,6 +79,11 @@ var ControllerCmd = &cobra.Command{
 			log.Fatal().Err(err).Msg("failed to process schema locations")
 		}
 
+		log.Info().Strs("locations", cfg.KyvernoPoliciesLocation).Msg("processing kyverno policies locations")
+		if err = processLocations(ctx, ctr, cfg.KyvernoPoliciesLocation); err != nil {
+			log.Fatal().Err(err).Msg("failed to process kyverno policies locations")
+		}
+
 		processors, err := getProcessors(ctr)
 		if err != nil {
 			log.Fatal().Err(err).Msg("failed to create processors")

diff --git a/cmd/processors.go b/cmd/processors.go
@@ -7,6 +7,7 @@ import (
 	"github.com/zapier/kubechecks/pkg/checks/diff"
 	"github.com/zapier/kubechecks/pkg/checks/hooks"
 	"github.com/zapier/kubechecks/pkg/checks/kubeconform"
+	"github.com/zapier/kubechecks/pkg/checks/kyverno"
 	"github.com/zapier/kubechecks/pkg/checks/preupgrade"
 	"github.com/zapier/kubechecks/pkg/checks/rego"
 	"github.com/zapier/kubechecks/pkg/container"
@@ -57,5 +58,13 @@ func getProcessors(ctr container.Container) ([]checks.ProcessorEntry, error) {
 		})
 	}
 
+	if ctr.Config.EnableKyvernoChecks {
+		procs = append(procs, checks.ProcessorEntry{
+			Name:       "running kyverno check",
+			Processor:  kyverno.Check,
+			WorstState: ctr.Config.WorstPreupgradeState,
+		})
+	}
+
 	return procs, nil
 }
diff --git a/cmd/root.go b/cmd/root.go
@@ -119,6 +119,11 @@ func init() {
 		newStringOpts().
 			withDefault("kubechecks again"))
 	stringSliceFlag(flags, "additional-apps-namespaces", "Additional namespaces other than the ArgoCDNamespace to monitor for applications.")
+	boolFlag(flags, "enable-kyverno-checks", "Enable kyverno policy checks.")
+	stringFlag(flags, "kyverno-policies-location", "Sets kyverno policy locations to be used for every check request. This is a git url in either git or http(s) format.")
+	stringSliceFlag(flags, "kyverno-policies-paths", "Sets the paths inside the kyverno-policies-location that contains the policies. Default to root of the repository.",
+		newStringSliceOpts().
+			withDefault([]string{"."}))
 
 	panicIfError(viper.BindPFlags(flags))
 	setupLogOutput()

diff --git a/go.mod b/go.mod
diff --git a/go.sum b/go.sum
diff --git a/localdev/kubechecks/values.yaml b/localdev/kubechecks/values.yaml
@@ -24,14 +24,20 @@ configMap:
     # KUBECHECKS_SCHEMAS_LOCATION: https://github.com/zapier/kubecheck-schemas.git
     KUBECHECKS_TIDY_OUTDATED_COMMENTS_MODE: "delete"
     KUBECHECKS_ENABLE_CONFTEST: "false"
+    KUBECHECKS_ENABLE_KYVERNO_CHECKS: "true"
+    KUBECHECKS_KYVERNO_POLICIES_LOCATION: "https://gitlab.com/zapier/team-sre/service-kyverno.git"
+    KUBECHECKS_KYVERNO_POLICIES_PATHS: "argocd/production/templates/checks"
+    KUBECHECKS_ARGOCD_SEND_FULL_REPOSITORY: "true"
+    KUBECHECKS_ARGOCD_REPOSITORY_ENDPOINT: argocd-repo-server.kubechecks:8081
+    GRPC_ENFORCE_ALPN_ENABLED: false
 
 
 deployment:
   annotations:
     reloader.stakater.com/auto: "true" 
 
   image:
-    pullPolicy: Never
+    pullPolicy: IfNotPresent
     name: "kubechecks"
     tag: ""
 

diff --git a/localdev/terraform/modules/vcs_files/mr5_files/apps/httpdump/overlays/a/kustomization.yaml b/localdev/terraform/modules/vcs_files/mr5_files/apps/httpdump/overlays/a/kustomization.yaml
@@ -2,7 +2,7 @@ apiVersion: kustomize.config.k8s.io/v1beta1
 kind: Kustomization
 
 resources:
-  - ../../base
+- ../../base
 
-patchesStrategicMerge:
-  - replica-patch.yaml
+patches:
+- path: replica-patch.yaml
diff --git a/pkg/checks/kyverno/check.go b/pkg/checks/kyverno/check.go
@@ -0,0 +1,12 @@
+package kyverno
+
+import (
+	"context"
+
+	"github.com/zapier/kubechecks/pkg/checks"
+	"github.com/zapier/kubechecks/pkg/msg"
+)
+
+func Check(ctx context.Context, request checks.Request) (msg.Result, error) {
+	return kyvernoValidate(ctx, request.Container, request.AppName, request.KubernetesVersion, request.YamlManifests)
+}
diff --git a/pkg/checks/kyverno/kyverno.go b/pkg/checks/kyverno/kyverno.go
@@ -0,0 +1,92 @@
+package kyverno
+
+import (
+	"context"
+	"fmt"
+	"os"
+	"path/filepath"
+	"strings"
+
+	"github.com/rs/zerolog/log"
+	"github.com/zapier/kubechecks/pkg"
+	"github.com/zapier/kubechecks/pkg/container"
+	"github.com/zapier/kubechecks/pkg/msg"
+	"go.opentelemetry.io/otel"
+
+	"github.com/kyverno/kyverno/cmd/cli/kubectl-kyverno/commands/apply"
+)
+
+var tracer = otel.Tracer("pkg/checks/kyverno")
+
+func kyvernoValidate(ctx context.Context, ctr container.Container, appName, targetKubernetesVersion string, appManifests []string) (msg.Result, error) {
+	_, span := tracer.Start(ctx, "KyvernoValidate")
+	defer span.End()
+
+	log.Debug().Msg("Creating temporary file for app manifests")
+	tempFile, err := os.CreateTemp("/tmp", "appManifests-*.yaml")
+	if err != nil {
+		log.Error().Err(err).Msg("Failed to create temporary file")
+		return msg.Result{}, err
+	}
+	defer os.Remove(tempFile.Name())
+
+	log.Debug().Str("tempFile", tempFile.Name()).Msg("Temporary file created")
+
+	for _, manifest := range appManifests {
+		if _, err := tempFile.WriteString(manifest + "\n"); err != nil {
+			log.Error().Err(err).Msg("Failed to write manifest to temporary file")
+			return msg.Result{}, err
+		}
+	}
+
+	if err := tempFile.Close(); err != nil {
+		log.Error().Err(err).Msg("Failed to close temporary file")
+		return msg.Result{}, err
+	}
+
+	// This calls the kyverno apply -r <RESOURCE_FILE> <POLICY LOCATIONS ...> command
+	applyCommand := apply.Command()
+	applyCommand.SetArgs(
+		append(
+			getPoliciesLocations(ctr),
+			[]string{"-r", tempFile.Name()}...))
+	var output strings.Builder
+	applyCommand.SetOutput(&output)
+	if err := applyCommand.Execute(); err != nil {
+		log.Error().Err(err).Msg("Failed to execute kyverno apply command")
+		return msg.Result{}, err
+	}
+	log.Info().Msg(output.String())
+
+	var cr msg.Result
+	if output.Len() == 0 {
+		cr.State = pkg.StateWarning
+	} else {
+		cr.State = pkg.StateSuccess
+	}
+
+	log.Debug().Str("report", output.String()).Msg("Kyverno validation completed")
+	cr.Summary = "<b>Show kyverno report:</b>"
+	cr.Details = fmt.Sprintf(">Kyverno Policy Report \n\n%s", output.String())
+
+	log.Debug().Msg("Kyverno validation completed")
+
+	return cr, nil
+}
+
+func getPoliciesLocations(ctr container.Container) []string {
+	cfg := ctr.Config
+
+	// schemas configured globally
+	var locations []string
+
+	for _, location := range cfg.KyvernoPoliciesLocation {
+		for _, path := range cfg.KyvernoPoliciesPaths {
+			locations = append(locations, filepath.Join(location, path))
+		}
+	}
+
+	log.Debug().Strs("locations", locations).Msg("processed kyverno policies locations")
+
+	return locations
+}
diff --git a/pkg/config/config.go b/pkg/config/config.go
@@ -69,6 +69,10 @@ type ServerConfig struct {
 	// -- preupgrade
 	EnablePreupgrade     bool            `mapstructure:"enable-preupgrade"`
 	WorstPreupgradeState pkg.CommitState `mapstructure:"worst-preupgrade-state"`
+	// -- kyverno
+	EnableKyvernoChecks     bool     `mapstructure:"enable-kyverno-checks"`
+	KyvernoPoliciesLocation []string `mapstructure:"kyverno-policies-location"`
+	KyvernoPoliciesPaths    []string `mapstructure:"kyverno-policies-paths"`
 
 	// misc
 	AdditionalAppsNamespaces []string      `mapstructure:"additional-apps-namespaces"`