From 0f2e5e0deff9ccb2ead33db2f9a84a66c1e006a7 Mon Sep 17 00:00:00 2001
From: Robert Brennan
Date: Mon, 23 Dec 2019 16:19:57 +0000
Subject: [PATCH] implement image checks using json schema

---
 checks/pullPolicyNotAlways.yaml | 13 +++++++++++++
 checks/tagNotSpecified.yaml | 18 ++++++++++++++++++
 pkg/validator/container.go | 27 ---------------------------
 pkg/validator/container_test.go | 5 ++++-
 pkg/validator/schema.go | 2 ++
 5 files changed, 37 insertions(+), 28 deletions(-)
 create mode 100644 checks/pullPolicyNotAlways.yaml
 create mode 100644 checks/tagNotSpecified.yaml

diff --git a/checks/pullPolicyNotAlways.yaml b/checks/pullPolicyNotAlways.yaml
new file mode 100644
index 00000000..5aeac39a
--- /dev/null
+++ b/checks/pullPolicyNotAlways.yaml
@@ -0,0 +1,13 @@
+name: PullPolicyNotAlways
+id: pullPolicyNotAlways
+successMessage: Image pull policy is "Always"
+failureMessage: Image pull policy should be "Always"
+category: Images
+target: Container
+schema:
+ '$schema': http://json-schema.org/draft-07/schema
+ required:
+ - imagePullPolicy
+ properties:
+ imagePullPolicy:
+ const: Always
diff --git a/checks/tagNotSpecified.yaml b/checks/tagNotSpecified.yaml
new file mode 100644
index 00000000..322d806d
--- /dev/null
+++ b/checks/tagNotSpecified.yaml
@@ -0,0 +1,18 @@
+name: TagNotSpecified
+id: tagNotSpecified
+successMessage: Image tag is specified
+failureMessage: Image tag should be specified
+category: Images
+target: Container
+schema:
+ '$schema': http://json-schema.org/draft-07/schema
+ required:
+ - image
+ allOf:
+ - properties:
+ image:
+ pattern: ^.+:.+$
+ - properties:
+ image:
+ not:
+ pattern: ^.+:latest$
diff --git a/pkg/validator/container.go b/pkg/validator/container.go
index da3d5031..d2814368 100644
--- a/pkg/validator/container.go
+++ b/pkg/validator/container.go
@@ -16,7 +16,6 @@ package validator
 import (
 "fmt"
- "strings"
 "github.com/fairwindsops/polaris/pkg/config"
 "github.com/fairwindsops/polaris/pkg/validator/messages"
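Review bot: The `required:` entry for imagePullPolicy deserves a comment in the yaml, because it turns an omitted field into a failure even where Kubernetes would default that field to Always (untagged and `:latest` images). The removed Go code compared the empty field against `corev1.PullAlways` and failed it the same way, so this is preserved rather than introduced, but a reader of the schema alone cannot tell the strictness is deliberate. A line such as `# imagePullPolicy must be set explicitly; an omitted value fails even where the cluster would default it to Always` above `required:` would record that.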
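Review bot: `pattern: ^.+:.+$` treats any colon as a tag separator, so an untagged image on a registry with a port (`registry.example.com:5000/app`) passes as "tag specified". The removed strings.Split implementation had the same gap, so behaviour is preserved, but now that the check is a regex it is cheap to close: anchoring on the last path segment, `pattern: ':[^/]+$'`, rejects that case while still accepting `app:1.0`, `registry.example.com:5000/app:1.0` and digest references such as `app@sha256:<digest>`. The second pattern could then shrink to `:latest$`, since the leading `^.+` adds nothing to an unanchored JSON Schema pattern.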
@@ -65,7 +64,6 @@ func ValidateContainer(container *corev1.Container, parentPodResult *PodResult,
 panic(err)
 }
- cv.validateImage(conf, controllerName)
 cv.validateNetworking(conf, controllerName)
 cv.validateSecurity(conf, controllerName)
@@ -157,31 +155,6 @@ func (cv *ContainerValidation) validateResourceRange(id, resourceName string, ra
 }
 }
-func (cv *ContainerValidation) validateImage(conf *config.Configuration, controllerName string) {
- category := messages.CategoryImages
-
- name := "PullPolicyNotAlways"
- if conf.IsActionable(conf.Images, name, controllerName) {
- id := config.GetIDFromField(conf.Images, name)
- if cv.Container.ImagePullPolicy != corev1.PullAlways {
- cv.addFailure(messages.ImagePullPolicyFailure, conf.Images.PullPolicyNotAlways, category, id)
- } else {
- cv.addSuccess(messages.ImagePullPolicySuccess, category, id)
- }
- }
-
- name = "TagNotSpecified"
- if conf.IsActionable(conf.Images, name, controllerName) {
- id := config.GetIDFromField(conf.Images, name)
- img := strings.Split(cv.Container.Image, ":")
- if len(img) == 1 || img[1] == "latest" {
- cv.addFailure(messages.ImageTagFailure, conf.Images.TagNotSpecified, category, id)
- } else {
- cv.addSuccess(messages.ImageTagSuccess, category, id)
- }
- }
-}
-
 func (cv *ContainerValidation) validateNetworking(conf *config.Configuration, controllerName string) {
- category := messages.CategoryNetworking
diff --git a/pkg/validator/container_test.go b/pkg/validator/container_test.go
index 2cf4f12e..2b56485b 100644
--- a/pkg/validator/container_test.go
+++ b/pkg/validator/container_test.go
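Review bot: Per-controller gating for these two checks is no longer visible after this removal: the deleted validateImage ran each check only when `conf.IsActionable(conf.Images, name, controllerName)` allowed it, and nothing in the commit shows the schema path (applyContainerSchemaChecks) consulting the controller name for `pullPolicyNotAlways` or `tagNotSpecified`. The updated TestValidateImage hunk in container_test.go still passes `""` as the controller name, so a regression there would go unnoticed; one case that configures an exemption for a named controller and expects no error would pin the behaviour. The `messages.ImagePullPolicy*`/`ImageTag*` constants and the `conf.Images.PullPolicyNotAlways`/`TagNotSpecified` fields are no longer referenced on this page; if nothing else uses them they should go in the same change. validateResourceRange ends and validateNetworking begins inside this hunk, so both bodies extend outside it.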
@@ -528,7 +528,10 @@ func TestValidateImage(t *testing.T) {
 for _, tt := range testCases {
 t.Run(tt.name, func(t *testing.T) {
 tt.cv = resetCV(tt.cv)
- tt.cv.validateImage(&conf.Configuration{Images: tt.image}, "")
+ err := applyContainerSchemaChecks(&conf.Configuration{Images: tt.image}, tt.cv.Container, "", conf.Deployments, tt.cv.IsInitContainer, &tt.cv)
+ if err != nil {
+ panic(err)
+ }
 assert.Len(t, tt.cv.Errors, len(tt.expected))
 assert.ElementsMatch(t, tt.cv.Errors, tt.expected)
 })
diff --git a/pkg/validator/schema.go b/pkg/validator/schema.go
index 5bf167a3..85742874 100644
--- a/pkg/validator/schema.go
+++ b/pkg/validator/schema.go
@@ -55,6 +55,8 @@ var (
 // Container checks
 "readinessProbe",
 "livenessProbe",
+ "pullPolicyNotAlways",
+ "tagNotSpecified",
 }
 )
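Review bot: `panic(err)` inside the t.Run closure aborts the whole test binary and skips every remaining subtest instead of failing this one; `if err != nil { t.Fatal(err) }` reports the failure under tt.name and lets the loop continue, and `t` here is already the subtest's *testing.T. The test is still named TestValidateImage although validateImage no longer exists; renaming it to match applyContainerSchemaChecks, or adding a one-line comment that it covers the image checks loaded from checks/*.yaml, would keep the name honest. TestValidateImage's body begins before this hunk.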