add kubelinter (#415)

* kubelint * Update kubelint-config.yaml * add markdownlint * Update package-lock.json * move kubelint download
razee-io · Feb 14, 2024 · 040de0e · 040de0e
1 parent b78c165
commit 040de0e
Show file tree

Hide file tree

Showing 5 changed files with 131 additions and 0 deletions.
diff --git a/.travis.yml b/.travis.yml
@@ -13,6 +13,7 @@ before_install:
   - export WS_PRODUCTNAME=${WS_PRODUCTNAME}
   - export WS_PROJECTNAME=FeatureFlagSetLD
   - export WS_WSS_URL=https://ibmets.whitesourcesoftware.com/agent
+  - ./build/download-kubelint.sh
 
 script:
   # Audit npm packages. Fail build whan a PR audit fails, otherwise report the vulnerability and proceed.
@@ -23,6 +24,7 @@ script:
   - if [ -n "${TRAVIS_TAG}" ]; then docker tag quay.io/razee/featureflagsetld:${TRAVIS_COMMIT} quay.io/razee/featureflagsetld:${TRAVIS_TAG}; fi
   - docker images
   - ./build/process-template.sh kubernetes/FeatureFlagSetLD/resource.yaml >/tmp/resource.yaml
+  - kubelint /tmp/resource.yaml
   - if [[ "${TRAVIS_TAG}" =~ ^[0-9]+\.[0-9]+\.[0-9]+$ ]]; then npm version --no-git-tag-version "${TRAVIS_TAG}"; fi
   # Perform UA scan on non-PR builds
   - if [ "${TRAVIS_PULL_REQUEST}" = "false" ]; then curl -LJO https://unified-agent.s3.amazonaws.com/wss-unified-agent.jar; java -jar wss-unified-agent.jar -d . || echo "UA Scan Error occurred"; fi

diff --git a/build/download-kubelint.sh b/build/download-kubelint.sh
@@ -0,0 +1,23 @@
+#!/bin/bash
+kubelint() {
+  DEPLOYMENT_DIR="${1}"
+  KUBELINT_CONFIG="${2}"
+  KUBELINT_VERSION="${3}"
+  if [[ -z "${DEPLOYMENT_DIR}" ]]; then
+    echo "usage: 'kubelint DEPLOYMENT_DIR KUBELINT_CONFIG KUBELINT_VERSION'"
+    exit 1
+  fi
+  [[ -z "${KUBELINT_VERSION}" ]] && KUBELINT_VERSION=latest
+  [[ -z "${KUBELINT_CONFIG}" ]] && KUBELINT_CONFIG=kubelint-config.yaml
+  mkdir -p "${HOME}/bin"
+  curl -sL -o "${HOME}/bin/kube-linter" "https://github.com/stackrox/kube-linter/releases/${KUBELINT_VERSION}/download/kube-linter-linux"
+  chmod +x "${HOME}/bin/kube-linter"
+  if [[ "$FAIL_ON_INVALID_RESOURCE" = "false" ]]; then
+    kube-linter lint -v --fail-if-no-objects-found "${DEPLOYMENT_DIR}" --config "${KUBELINT_CONFIG}"
+  else
+    kube-linter lint -v --fail-on-invalid-resource --fail-if-no-objects-found "${DEPLOYMENT_DIR}" --config "${KUBELINT_CONFIG}"
+  fi
+}
+mkdir -p "${HOME}/bin"
+echo -e "#!/bin/bash\n$(declare -f kubelint)\nkubelint \"\$@\"" > "${HOME}/bin/kubelint"
+chmod +x "${HOME}/bin/kubelint"
diff --git a/kubelint-config.yaml b/kubelint-config.yaml
@@ -0,0 +1,17 @@
+---
+checks:
+  exclude:
+    - "no-read-only-root-fs"  # impacts AT event writing
+    - "unset-cpu-requirements" # cpu limits are bad https://home.robusta.dev/blog/stop-using-cpu-limits
+    - "mismatching-selector" # selectors are immutable
+    - "non-existent-service-account" # razeedeploy-sa created in razeedeploy-delta
+customChecks:
+  - name: ensure-environment-variables-populated
+    template: env-var
+    params:
+      name: "."
+      value: \$.* #ensures no environment variable values in the deployment start with a $
+    remediation: Ensure all of your environment variables are correctly substituted with envstub
+    scope:
+      objectKinds:
+        - DeploymentLike
diff --git a/package-lock.json b/package-lock.json
diff --git a/package.json b/package.json
@@ -57,6 +57,7 @@
     "chai": "^4.3.6",
     "dockerlint": "^0.3.9",
     "eslint": "^8.22.0",
+    "markdownlint": "^0.33.0",
     "mocha": "^10.0.0",
     "nock": "^13.2.9",
     "npm-run-all": "^4.1.5",