enhance conftest - mirror rego
continuous-integration/drone/push Build is failing
Details
continuous-integration/drone/push Build is failing
Details
This commit is contained in:
parent
11394666d1
commit
cd264d9046
10
.drone.yml
10
.drone.yml
|
@ -2,7 +2,11 @@ kind: pipeline
|
|||
name: conftest
|
||||
|
||||
steps:
|
||||
- name: deprek8
|
||||
image: quay.io/swade1987/deprek8ion:1.1.9
|
||||
- name: policies
|
||||
image: instrumenta/conftest:latest
|
||||
commands:
|
||||
- conftest test -p /policies ./
|
||||
- conftest test -p ./_test/policies ./
|
||||
- name: deprek8
|
||||
image: instrumenta/conftest:latest
|
||||
commands:
|
||||
- conftest test -p ./_test/deprek8 ./
|
||||
|
|
|
@ -0,0 +1,5 @@
|
|||
# Policies
|
||||
|
||||
Sources:
|
||||
* https://github.com/swade1987/deprek8ion/tree/master/policies
|
||||
* https://relnotes.k8s.io/?markdown=deprecated
|
|
@ -0,0 +1,53 @@
|
|||
package main
|
||||
|
||||
deny[msg] {
|
||||
input.apiVersion == "v1"
|
||||
input.kind == "List"
|
||||
obj := input.items[_]
|
||||
msg := _deny with input as obj
|
||||
}
|
||||
|
||||
deny[msg] {
|
||||
input.apiVersion != "v1"
|
||||
input.kind != "List"
|
||||
msg := _deny
|
||||
}
|
||||
|
||||
# Based on https://github.com/kubernetes/kubernetes/blob/master/CHANGELOG/CHANGELOG-1.16.md
|
||||
|
||||
# All resources under apps/v1beta1 and apps/v1beta2 - use apps/v1 instead
|
||||
_deny = msg {
|
||||
apis := ["apps/v1beta1", "apps/v1beta2"]
|
||||
input.apiVersion == apis[_]
|
||||
msg := sprintf("%s/%s: API %s has been deprecated, use apps/v1 instead.", [input.kind, input.metadata.name, input.apiVersion])
|
||||
}
|
||||
|
||||
# daemonsets, deployments, replicasets resources under extensions/v1beta1 - use apps/v1 instead
|
||||
_deny = msg {
|
||||
resources := ["DaemonSet", "Deployment", "ReplicaSet"]
|
||||
input.apiVersion == "extensions/v1beta1"
|
||||
input.kind == resources[_]
|
||||
msg := sprintf("%s/%s: API extensions/v1beta1 for %s has been deprecated, use apps/v1 instead.", [input.kind, input.metadata.name, input.kind])
|
||||
}
|
||||
|
||||
# networkpolicies resources under extensions/v1beta1 - use networking.k8s.io/v1 instead
|
||||
_deny = msg {
|
||||
input.apiVersion == "extensions/v1beta1"
|
||||
input.kind == "NetworkPolicy"
|
||||
msg := sprintf("%s/%s: API extensions/v1beta1 for NetworkPolicy has been deprecated, use networking.k8s.io/v1 instead.", [input.kind, input.metadata.name])
|
||||
}
|
||||
|
||||
# podsecuritypolicies resources under extensions/v1beta1 - use policy/v1beta1 instead
|
||||
_deny = msg {
|
||||
input.apiVersion == "extensions/v1beta1"
|
||||
input.kind == "PodSecurityPolicy"
|
||||
msg := sprintf("%s/%s: API extensions/v1beta1 for PodSecurityPolicy has been deprecated, use policy/v1beta1 instead.", [input.kind, input.metadata.name])
|
||||
}
|
||||
|
||||
# PriorityClass resources will no longer be served from scheduling.k8s.io/v1beta1 and scheduling.k8s.io/v1alpha1 in v1.17.
|
||||
_deny = msg {
|
||||
apis := ["scheduling.k8s.io/v1beta1", "scheduling.k8s.io/v1alpha1"]
|
||||
input.apiVersion == apis[_]
|
||||
input.kind == "PriorityClass"
|
||||
msg := sprintf("%s/%s: API %s for PriorityClass has been deprecated, use scheduling.k8s.io/v1 instead.", [input.kind, input.metadata.name, input.apiVersion])
|
||||
}
|
|
@ -0,0 +1,24 @@
|
|||
package main
|
||||
|
||||
deny[msg] {
|
||||
input.apiVersion == "v1"
|
||||
input.kind == "List"
|
||||
obj := input.items[_]
|
||||
msg := _deny with input as obj
|
||||
}
|
||||
|
||||
deny[msg] {
|
||||
input.apiVersion != "v1"
|
||||
input.kind != "List"
|
||||
msg := _deny
|
||||
}
|
||||
|
||||
# Based on https://github.com/kubernetes/kubernetes/blob/master/CHANGELOG/CHANGELOG-1.16.md
|
||||
|
||||
# PriorityClass resources will no longer be served from scheduling.k8s.io/v1beta1 and scheduling.k8s.io/v1alpha1 in v1.17.
|
||||
_deny = msg {
|
||||
apis := ["scheduling.k8s.io/v1beta1", "scheduling.k8s.io/v1alpha1"]
|
||||
input.apiVersion == apis[_]
|
||||
input.kind == "PriorityClass"
|
||||
msg := sprintf("%s/%s: API %s for PriorityClass has been deprecated, use scheduling.k8s.io/v1 instead.", [input.kind, input.metadata.name, input.apiVersion])
|
||||
}
|
|
@ -0,0 +1,24 @@
|
|||
package main
|
||||
|
||||
deny[msg] {
|
||||
input.apiVersion == "v1"
|
||||
input.kind == "List"
|
||||
obj := input.items[_]
|
||||
msg := _deny with input as obj
|
||||
}
|
||||
|
||||
deny[msg] {
|
||||
input.apiVersion != "v1"
|
||||
input.kind != "List"
|
||||
msg := _deny
|
||||
}
|
||||
|
||||
# Based on https://github.com/kubernetes/kubernetes/blob/master/CHANGELOG/CHANGELOG-1.18.md
|
||||
|
||||
# Within Ingress resources spec.ingressClassName replaces the deprecated kubernetes.io/ingress.class annotation.
|
||||
_deny = msg {
|
||||
resources := ["Ingress"]
|
||||
input.kind == resources[_]
|
||||
input.metadata.annotations["kubernetes.io/ingress.class"]
|
||||
msg := sprintf("%s/%s: Ingress annotation kubernetes.io/ingress.class has been deprecated in 1.18, use spec.IngressClassName instead.", [input.kind, input.metadata.name])
|
||||
}
|
|
@ -0,0 +1,31 @@
|
|||
package main
|
||||
|
||||
warn[msg] {
|
||||
input.apiVersion == "v1"
|
||||
input.kind == "List"
|
||||
obj := input.items[_]
|
||||
msg := _warn with input as obj
|
||||
}
|
||||
|
||||
warn[msg] {
|
||||
input.apiVersion != "v1"
|
||||
input.kind != "List"
|
||||
msg := _warn
|
||||
}
|
||||
|
||||
# Based on https://github.com/kubernetes/kubernetes/blob/master/CHANGELOG/CHANGELOG-1.16.md
|
||||
|
||||
# The admissionregistration.k8s.io/v1beta1 versions of MutatingWebhookConfiguration and ValidatingWebhookConfiguration are deprecated in 1.19. Migrate to use admissionregistration.k8s.io/v1 instead
|
||||
_warn = msg {
|
||||
kinds := ["MutatingWebhookConfiguration", "ValidatingWebhookConfiguration"]
|
||||
input.apiVersion == "admissionregistration.k8s.io/v1beta1"
|
||||
input.kind == kinds[_]
|
||||
msg := sprintf("%s/%s: API admissionregistration.k8s.io/v1beta1 is deprecated in Kubernetes 1.19, use admissionregistration.k8s.io/v1 instead.", [input.kind, input.metadata.name])
|
||||
}
|
||||
|
||||
# The apiextensions.k8s.io/v1beta1 version of CustomResourceDefinition is deprecated in 1.19. Migrate to use apiextensions.k8s.io/v1 instead
|
||||
_warn = msg {
|
||||
input.apiVersion == "apiextensions.k8s.io/v1beta1"
|
||||
input.kind == "CustomResourceDefinition"
|
||||
msg := sprintf("%s/%s: API apiextensions.k8s.io/v1beta1 for CustomResourceDefinition is deprecated in 1.19, use apiextensions.k8s.io/v1 instead.", [input.kind, input.metadata.name])
|
||||
}
|
|
@ -0,0 +1,37 @@
|
|||
package main
|
||||
|
||||
warn[msg] {
|
||||
input.apiVersion == "v1"
|
||||
input.kind == "List"
|
||||
obj := input.items[_]
|
||||
msg := _warn with input as obj
|
||||
}
|
||||
|
||||
warn[msg] {
|
||||
input.apiVersion != "v1"
|
||||
input.kind != "List"
|
||||
msg := _warn
|
||||
}
|
||||
|
||||
# Based on https://github.com/kubernetes/kubernetes/blob/master/CHANGELOG/CHANGELOG-1.16.md
|
||||
|
||||
# Ingress resources will no longer be served from extensions/v1beta1 in v1.20. Migrate use to the networking.k8s.io/v1beta1 API, available since v1.14.
|
||||
_warn = msg {
|
||||
input.apiVersion == "extensions/v1beta1"
|
||||
input.kind == "Ingress"
|
||||
msg := sprintf("%s/%s: API extensions/v1beta1 for Ingress is deprecated from Kubernetes 1.20, use networking.k8s.io/v1beta1 instead.", [input.kind, input.metadata.name])
|
||||
}
|
||||
|
||||
# All resources will no longer be served from rbac.authorization.k8s.io/v1alpha1 and rbac.authorization.k8s.io/v1beta1 in 1.20. Migrate to use rbac.authorization.k8s.io/v1 instead
|
||||
_warn = msg {
|
||||
apis := ["rbac.authorization.k8s.io/v1alpha1", "rbac.authorization.k8s.io/v1beta1"]
|
||||
input.apiVersion == apis[_]
|
||||
msg := sprintf("%s/%s: API %s is deprecated from Kubernetes 1.20, use rbac.authorization.k8s.io/v1 instead.", [input.kind, input.metadata.name, input.apiVersion])
|
||||
}
|
||||
|
||||
# Ingress resources will no longer be served from extensions/v1beta1 in v1.20. Migrate use to the networking.k8s.io/v1beta1 API, available since v1.14.
|
||||
_warn = msg {
|
||||
input.apiVersion == "extensions/v1beta1"
|
||||
input.kind == "Ingress"
|
||||
msg := sprintf("%s/%s: API extensions/v1beta1 for Ingress is deprecated from Kubernetes 1.20, use networking.k8s.io/v1beta1 instead.", [input.kind, input.metadata.name])
|
||||
}
|
|
@ -0,0 +1,43 @@
|
|||
package main
|
||||
|
||||
deny[msg] {
|
||||
input.apiVersion == "v1"
|
||||
input.kind == "List"
|
||||
obj := input.items[_]
|
||||
msg := _deny with input as obj
|
||||
}
|
||||
|
||||
deny[msg] {
|
||||
input.apiVersion != "v1"
|
||||
input.kind != "List"
|
||||
msg := _deny
|
||||
}
|
||||
|
||||
warn[msg] {
|
||||
input.apiVersion == "v1"
|
||||
input.kind == "List"
|
||||
obj := input.items[_]
|
||||
msg := _warn with input as obj
|
||||
}
|
||||
|
||||
warn[msg] {
|
||||
input.apiVersion != "v1"
|
||||
input.kind != "List"
|
||||
msg := _warn
|
||||
}
|
||||
|
||||
# Based on https://github.com/jetstack/cert-manager/releases/tag/v0.11.0
|
||||
|
||||
_deny = msg {
|
||||
kinds := ["Certificate", "Issuer", "ClusterIssuer", "CertificateRequest"]
|
||||
input.apiVersion == "certmanager.k8s.io/v1alpha1"
|
||||
input.kind == kinds[_]
|
||||
msg := sprintf("%s/%s: API certmanager.k8s.io/v1alpha1 for %s is obsolete, use cert-manager.io/v1alpha2 instead.", [input.kind, input.metadata.name, input.kind])
|
||||
}
|
||||
|
||||
_deny = msg {
|
||||
kinds := ["Order", "Challenge"]
|
||||
input.apiVersion == "certmanager.k8s.io/v1alpha1"
|
||||
input.kind == kinds[_]
|
||||
msg := sprintf("%s/%s: API certmanager.k8s.io/v1alpha1 for %s is obsolete, use acme.cert-manager.io/v1alpha2 instead.", [input.kind, input.metadata.name, input.kind])
|
||||
}
|
|
@ -0,0 +1,39 @@
|
|||
package main
|
||||
|
||||
warn[msg] {
|
||||
input.apiVersion == "v1"
|
||||
input.kind == "List"
|
||||
obj := input.items[_]
|
||||
msg := _warn with input as obj
|
||||
}
|
||||
|
||||
warn[msg] {
|
||||
input.apiVersion != "v1"
|
||||
input.kind != "List"
|
||||
msg := _warn
|
||||
}
|
||||
|
||||
# Based on https://github.com/kubernetes/kubernetes/issues/47198
|
||||
# Warn about the deprecated serviceAccount field in podSpec.
|
||||
|
||||
_warn = msg {
|
||||
resources := ["Pod"]
|
||||
input.kind == resources[_]
|
||||
input.spec.serviceAccount
|
||||
msg := sprintf("%s/%s: The serviceAccount field in the podSpec will be deprecated soon, use serviceAccountName instead.", [input.kind, input.metadata.name])
|
||||
}
|
||||
|
||||
_warn = msg {
|
||||
resources := ["CronJob"]
|
||||
input.kind == resources[_]
|
||||
input.spec.jobTemplate.spec.template.spec.serviceAccount
|
||||
msg := sprintf("%s/%s: The serviceAccount field in the podSpec will be deprecated soon, use serviceAccountName instead.", [input.kind, input.metadata.name])
|
||||
}
|
||||
|
||||
_warn = msg {
|
||||
resources := ["Deployment", "DaemonSet", "Job", "ReplicaSet", "ReplicationController", "StatefulSet"]
|
||||
input.kind == resources[_]
|
||||
input.spec.template.spec.serviceAccount
|
||||
msg := sprintf("%s/%s: The serviceAccount field in the podSpec will be deprecated soon, use serviceAccountName instead.", [input.kind, input.metadata.name])
|
||||
}
|
||||
|
|
@ -0,0 +1,13 @@
|
|||
package main
|
||||
|
||||
deny[msg] {
|
||||
input.kind = "Deployment"
|
||||
not input.spec.template.spec.securityContext.runAsNonRoot = true
|
||||
msg = "Containers must not run as root"
|
||||
}
|
||||
|
||||
deny[msg] {
|
||||
input.kind = "Deployment"
|
||||
not input.spec.selector.matchLabels.app
|
||||
msg = "Containers must provide app label for pod selectors"
|
||||
}
|
Reference in New Issue