From 95c04b1e9db0a1dc5c7516d7766dd0a5feb53bb9 Mon Sep 17 00:00:00 2001
From: Robert Brennan
Date: Mon, 23 Dec 2019 17:04:44 +0000
Subject: [PATCH] move networking checks over to json schema
---
checks/hostPortSet.yaml | 24 ++++++++++++++++++++++++
pkg/validator/container.go | 23 -----------------------
pkg/validator/container_test.go | 5 ++++-
pkg/validator/schema.go | 1 +
4 files changed, 29 insertions(+), 24 deletions(-)
create mode 100644 checks/hostPortSet.yaml
diff --git a/checks/hostPortSet.yaml b/checks/hostPortSet.yaml
new file mode 100644
index 00000000..00689c7c
--- /dev/null
+++ b/checks/hostPortSet.yaml
@@ -0,0 +1,24 @@
+name: HostPortSet
+id: hostPortSet
+successMessage: Host port is not configured
+failureMessage: Host port should not be configured
+category: Networking
+controllers:
+ exclude:
+ - Job
+ - CronJob
+containers:
+ exclude:
+ - initContainer
+target: Container
+schema:
+ '$schema': http://json-schema.org/draft-07/schema
+ type: object
+ required:
+ properties:
+ ports:
+ type: array
+ items:
+ properties:
+ hostPort:
+ const: 0
diff --git a/pkg/validator/container.go b/pkg/validator/container.go
index d2814368..8a026339 100644
--- a/pkg/validator/container.go
+++ b/pkg/validator/container.go
@@ -64,7 +64,6 @@ func ValidateContainer(container *corev1.Container, parentPodResult *PodResult,
 panic(err)
 }
- cv.validateNetworking(conf, controllerName)
 cv.validateSecurity(conf, controllerName)
 cRes := ContainerResult{
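Review bot: `required:` under `schema:` in checks/hostPortSet.yaml has no value, so it parses as YAML null rather than the array of property names draft-07 expects; depending on the validator that is either a schema compile error or silently ignored, so drop the key or write `required: []` (the check needs no property to be present, since an absent `ports` or `hostPort` should pass). The `controllers.exclude` (Job, CronJob) and `containers.exclude` (initContainer) entries also narrow where the check runs compared with the removed validateNetworking, which ran for whatever controller name reached IsActionable unless the config excluded it; a host port binds the container onto the node's network interface, so if that narrowing is not deliberate it is worth confirming before merge. Otherwise `hostPort: const: 0` matches the old `port.HostPort != 0` test, assuming the container is serialized with hostPort omitted when it is zero, since `properties` does not constrain an absent key.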
@@ -155,28 +154,6 @@ func (cv *ContainerValidation) validateResourceRange(id, resourceName string, ra
 }
 }
-func (cv *ContainerValidation) validateNetworking(conf *config.Configuration, controllerName string) {
- category := messages.CategoryNetworking
-
- name := "HostPortSet"
- if conf.IsActionable(conf.Networking, name, controllerName) {
- hostPortSet := false
- for _, port := range cv.Container.Ports {
- if port.HostPort != 0 {
- hostPortSet = true
- break
- }
- }
-
- id := config.GetIDFromField(conf.Networking, name)
- if hostPortSet {
- cv.addFailure(messages.HostPortFailure, conf.Networking.HostPortSet, category, id)
- } else {
- cv.addSuccess(messages.HostPortSuccess, category, id)
- }
- }
-}
-
 func (cv *ContainerValidation) validateSecurity(conf *config.Configuration, controllerName string) {
 category := messages.CategorySecurity
 securityContext := cv.Container.SecurityContext
diff --git a/pkg/validator/container_test.go b/pkg/validator/container_test.go
index 2b56485b..fc4f5067 100644
--- a/pkg/validator/container_test.go
+++ b/pkg/validator/container_test.go
@@ -650,7 +650,10 @@ func TestValidateNetworking(t *testing.T) {
 for _, tt := range testCases {
 t.Run(tt.name, func(t *testing.T) {
 tt.cv = resetCV(tt.cv)
- tt.cv.validateNetworking(&conf.Configuration{Networking: tt.networkConf}, "")
+ err := applyContainerSchemaChecks(&conf.Configuration{Networking: tt.networkConf}, tt.cv.Container, "", conf.Deployments, tt.cv.IsInitContainer, &tt.cv)
+ if err != nil {
+ panic(err)
+ }
 assert.Len(t, tt.cv.messages(), len(tt.expectedMessages))
 assert.ElementsMatch(t, tt.cv.messages(), tt.expectedMessages)
 })
diff --git a/pkg/validator/schema.go b/pkg/validator/schema.go
index 85742874..d6a8015c 100644
--- a/pkg/validator/schema.go
+++ b/pkg/validator/schema.go
@@ -57,6 +57,7 @@ var (
 "livenessProbe",
 "pullPolicyNotAlways",
 "tagNotSpecified",
+ "hostPortSet",
 }
 )
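Review bot: `panic(err)` inside the `t.Run` closure in TestValidateNetworking aborts the whole test binary instead of failing just this subtest; the idiomatic form is `if err != nil { t.Fatal(err) }`. The call still builds `&conf.Configuration{Networking: tt.networkConf}`, but if applyContainerSchemaChecks no longer consults `conf.Networking` the per-case `networkConf` variants may no longer change behaviour, so the expected messages for those cases should be re-checked against the schema-driven enablement. It also passes `tt.cv.IsInitContainer`, and the new YAML check excludes initContainer, so any init-container case in testCases would now expect no message where the old validateNetworking produced one. testCases and the surrounding function body start outside the hunk.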
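Review bot: The string added to this hand-maintained list in schema.go must match the `id:` field of checks/hostPortSet.yaml (`hostPortSet`), which it does here, but a typo in either place would presumably leave the check unregistered rather than fail loudly. A comment on the var block such as `// Keep in sync with the id field of every file under checks/.` or a test asserting that each file in checks/ has its id listed would make the coupling visible; the var block starts outside the hunk.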