fix: fix no pod create/execute rules
1 parent
93306eb
commit f416729
Showing
4 changed files
with
166 additions
and
4 deletions.
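--- a/packages/validation/src/__tests__/MonokleValidator.kbp.test.ts
+++ b/packages/validation/src/__tests__/MonokleValidator.kbp.test.ts
@@ -0,0 +1,70 @@
+import {expect, it} from 'vitest';
+import {MonokleValidator} from '../MonokleValidator.js';
+import {processRefs} from '../references/index.js';
+
+// Usage note: This library relies on fetch being on global scope!
+import 'isomorphic-fetch';
+import {extractK8sResources} from '@monokle/parser';
+import {ValidationConfig} from '@monokle/types';
+import {ResourceParser} from '../common/resourceParser.js';
+import {Config, RuleMap} from '../config/parse.js';
+import {readDirectory} from './testUtils.js';
+import {DefaultPluginLoader} from '../pluginLoaders/PluginLoader.js';
+import {SchemaLoader} from '../validators/index.js';
+import {DisabledFixer} from '../sarif/index.js';
+
+it('should detect rules which allow creation of pods', async () => {
+const {response} = await processResourcesInFolder('src/__tests__/resources/kbp', {
+'practices/no-pod-create': true,
+'practices/no-pod-execute': false,
+});
+
+const errorCount = response.runs.reduce((sum, r) => sum + r.results.length, 0);
+expect(errorCount).toBe(2);
+});
+
+it('should detect rules which allow execution of pods', async () => {
+const {response} = await processResourcesInFolder('src/__tests__/resources/kbp', {
+'practices/no-pod-create': false,
+'practices/no-pod-execute': true,
+});
+
+const errorCount = response.runs.reduce((sum, r) => sum + r.results.length, 0);
+expect(errorCount).toBe(1);
+});
+
+async function processResourcesInFolder(path: string, rules?: RuleMap) {
+const files = await readDirectory(path);
+const resources = extractK8sResources(files);
+
+const parser = new ResourceParser();
+const validator = createTestValidator(parser, rules);
+const response = await validator.validate({resources});
+return {response, resources};
+}
+
+function createTestValidator(parser: ResourceParser, rules?: ValidationConfig['rules']) {
+const config: Config = {
+plugins: {
+practices: true,
+},
+settings: {
+debug: true,
+},
+};
+
+if (rules) {
+config.rules = rules;
+}
+
+return new MonokleValidator(
+{
+loader: new DefaultPluginLoader(),
+parser,
+schemaLoader: new SchemaLoader(),
+suppressors: [],
+fixer: new DisabledFixer(),
+},
+config
+);
+}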
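Review bot: Both `it` blocks assert only the total number of results across `response.runs`, so a run in which some other rule fires, or in which the pod rule fires on the wrong resource, still passes; the test should also pin the rule behind each result, e.g. `const ruleIds = response.runs.flatMap(r => r.results.map(res => res.ruleId)); expect(ruleIds.every(id => id === '<no-pod-create rule id>')).toBe(true);` (the response appears to be SARIF-shaped, where `ruleId` is the standard per-result field, and the concrete id is whatever the practices plugin assigns to that rule). `processRefs` is imported on the third line but never called anywhere in the file, so the import should be dropped, or the resources should be passed through it before `validator.validate` if these rules depend on resolved references. `processResourcesInFolder` types `rules` as `RuleMap` while `createTestValidator` receives the same value typed as `ValidationConfig['rules']`; unless those are one alias, one type should be used in both signatures. A one-line comment above each `it` saying which fixture in `src/__tests__/resources/kbp` is expected to produce the 2 and 1 findings would make the counts maintainable.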
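--- a/packages/validation/src/__tests__/resources/kbp/KBP107-role.yaml
+++ b/packages/validation/src/__tests__/resources/kbp/KBP107-role.yaml
@@ -0,0 +1,88 @@
+apiVersion: rbac.authorization.k8s.io/v1
+kind: Role
+metadata:
+name: argocd-applicationset-controller
+namespace: argocd
+labels:
+app.kubernetes.io/component: applicationset-controller
+app.kubernetes.io/name: argocd-applicationset-controller
+app.kubernetes.io/part-of: argocd
+rules:
+- apiGroups:
+- argoproj.io
+resources:
+- applications
+- applicationsets
+- applicationsets/finalizers
+verbs:
+- create
+- delete
+- get
+- list
+- patch
+- update
+- watch
+- apiGroups:
+- argoproj.io
+resources:
+- appprojects
+verbs:
+- get
+- apiGroups:
+- argoproj.io
+resources:
+- applicationsets/status
+verbs:
+- get
+- patch
+- update
+- apiGroups:
+- argoproj.io
+resources:
+- applicationsets/status
+verbs:
+- get
+- patch
+- update
+- apiGroups:
+- ""
+resources:
+- events
+verbs:
+- create
+- get
+- list
+- patch
+- watch
+- apiGroups:
+- ""
+resources:
+- secrets
+- configmaps
+verbs:
+- get
+- list
+- watch
+- apiGroups:
+- apps
+- extensions
+resources:
+- deployments
+verbs:
+- get
+- create
+- list
+- watch
+- apiGroups:
+- ""
+resources:
+- pods
+verbs:
+- get
+- create
+- apiGroups:
+- ""
+resources:
+- pods/exec
+verbs:
+- create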
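Review bot: The fixture carries no comment saying which checks it exists to trigger, so a later tidy-up of the `pods` and `pods/exec` create grants at the end of the file would silently change the counts asserted in MonokleValidator.kbp.test.ts; add a header such as `# Test fixture: deliberately grants create on pods and pods/exec so the practices no-pod-create / no-pod-execute rules fire. Not a deployable manifest.` The rule entry for `argoproj.io` / `applicationsets/status` with get/patch/update appears twice in succession; it reads like a copy-paste slip and the second copy can be dropped provided no rule under test depends on it. This file grants create on `pods` once, yet the creation test expects 2 findings, so the second one presumably comes from another fixture in the same folder or from another grant here (`deployments` create, `pods/exec` create); whichever it is, naming it in a comment would keep the expected count explainable.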