From 9cb30dbace0f8ce8b86eae04bea543560df50fe8 Mon Sep 17 00:00:00 2001 From: Stepan Stipl Date: Mon, 14 Jun 2021 13:07:42 +0100 Subject: [PATCH 1/5] fix: Correct OPA package name for 1.22 rules --- pkg/rules/rego/deprecated-1-22.rego | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/pkg/rules/rego/deprecated-1-22.rego b/pkg/rules/rego/deprecated-1-22.rego index 8f1eb258..7fe745b2 100644 --- a/pkg/rules/rego/deprecated-1-22.rego +++ b/pkg/rules/rego/deprecated-1-22.rego @@ -1,4 +1,4 @@ -package deprecated120 +package deprecated122 main[return] { resource := input[_] From cbe201e79206a254aa2e5805cc679cdf8e9d4a2e Mon Sep 17 00:00:00 2001 From: Stepan Stipl Date: Mon, 14 Jun 2021 13:08:33 +0100 Subject: [PATCH 2/5] feat: Cover deprecated node.k8s.io/v1beta1 API group As per https://kubernetes.io/docs/reference/using-api/deprecation-guide/ add node.k8s.io/v1beta1 group of resources. Part of #135 --- pkg/collector/cluster.go | 1 + pkg/rules/rego/deprecated-1-25.rego | 42 +++++++++++++++++++++++++++++ 2 files changed, 43 insertions(+) create mode 100644 pkg/rules/rego/deprecated-1-25.rego diff --git a/pkg/collector/cluster.go b/pkg/collector/cluster.go index c1e9bc32..d8e633e6 100644 --- a/pkg/collector/cluster.go +++ b/pkg/collector/cluster.go @@ -98,6 +98,7 @@ func (c *ClusterCollector) Get() ([]map[string]interface{}, error) { schema.GroupVersionResource{Group: "apiextensions.k8s.io", Version: "v1", Resource: "customresourcedefinitions"}, schema.GroupVersionResource{Group: "admissionregistration.k8s.io", Version: "v1", Resource: "mutatingwebhookconfigurations"}, schema.GroupVersionResource{Group: "admissionregistration.k8s.io", Version: "v1", Resource: "validatingwebhookconfigurations"}, + schema.GroupVersionResource{Group: "node.k8s.io", Version: "v1", Resource: "runtimeclasses"}, } gvrs = append(gvrs, c.additionalResources...) 
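Review bot: The added `runtimeclasses` entry in `Get()` lists at `node.k8s.io/v1`, a version served only from Kubernetes 1.20 onwards, and the hunk does not show what happens when the API server does not serve a listed group/version. The list is built inside `Get()`, whose body starts and ends outside this hunk, so confirm that an unserved resource is skipped rather than failing the whole collection on older clusters. RuntimeClass is cluster-scoped, so the identity running the scan now also needs `list` on `runtimeclasses`. A comment on the new line would record both facts, e.g. `// RuntimeClass: node.k8s.io/v1 is served from 1.20; needs cluster-wide list on runtimeclasses`.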
diff --git a/pkg/rules/rego/deprecated-1-25.rego b/pkg/rules/rego/deprecated-1-25.rego new file mode 100644 index 00000000..c67adcd3 --- /dev/null +++ b/pkg/rules/rego/deprecated-1-25.rego @@ -0,0 +1,42 @@ +package deprecated125 + +main[return] { + resource := input[_] + api := deprecated_resource(resource) + return := { + "Name": resource.metadata.name, + # Namespace does not have to be defined in case of local manifests + "Namespace": get_default(resource.metadata, "namespace", ""), + "Kind": resource.kind, + "ApiVersion": api.old, + "ReplaceWith": api.new, + "RuleSet": "Deprecated APIs removed in 1.25", + "Since": api.since, + } +} + +deprecated_resource(r) = api { + api := deprecated_api(r.kind, r.apiVersion) +} + +deprecated_api(kind, api_version) = api { + deprecated_apis = {"RuntimeClass": { + "old": ["node.k8s.io/v1beta1"], + "new": "node.k8s.io/v1", + "since": "1.20", + }} + + deprecated_apis[kind].old[_] == api_version + + api := { + "old": api_version, + "new": deprecated_apis[kind].new, + "since": deprecated_apis[kind].since, + } +} + +get_default(val, key, _) = val[key] + +get_default(val, key, fallback) = fallback { + not val[key] +} From 8e152a4324cf59d544e9a6c14548c3180bc1702f Mon Sep 17 00:00:00 2001 From: Stepan Stipl Date: Mon, 14 Jun 2021 13:10:12 +0100 Subject: [PATCH 3/5] chore: Add fmtcoverage.html to .gitignore --- .gitignore | 1 + 1 file changed, 1 insertion(+) diff --git a/.gitignore b/.gitignore index 978e18b5..a935d3ad 100644 --- a/.gitignore +++ b/.gitignore @@ -2,6 +2,7 @@ bin/ release-artifacts/ debug.test +fmtcoverage.html # Dependency directories (remove the comment below to include it) # vendor/ From 5df70f2f1cc19ffb42f39b02a0d582b5e120fcaf Mon Sep 17 00:00:00 2001 
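Review bot: In `deprecated-1-25.rego`, `main` reads `resource.metadata.name` directly, so a manifest without `metadata.name` (for example one that sets only `generateName`) leaves the rule body undefined and the deprecated RuntimeClass is dropped from the report with no message. The file already treats the namespace as optional through `get_default`, and the same helper closes this false negative: `"Name": get_default(resource.metadata, "name", "<undefined>"),` (the fallback string is a placeholder). `deprecated_api` and `get_default` also have no comments; a line above each stating what it returns and when it is undefined would help the next person adding a kind to `deprecated_apis`.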
From: Stepan Stipl
Date: Mon, 14 Jun 2021 13:11:06 +0100
Subject: [PATCH 4/5] test: Add test for node.k8s.io/v1beta1 - RuntimeClass
---
fixtures/runtimeclass-v1beta1.yaml | 5 ++++
test/rules_125_test.go | 42 ++++++++++++++++++++++++++++++
2 files changed, 47 insertions(+)
create mode 100644 fixtures/runtimeclass-v1beta1.yaml
create mode 100644 test/rules_125_test.go
diff --git a/fixtures/runtimeclass-v1beta1.yaml b/fixtures/runtimeclass-v1beta1.yaml
new file mode 100644
index 00000000..89d93445
--- /dev/null
+++ b/fixtures/runtimeclass-v1beta1.yaml
@@ -0,0 +1,5 @@
+apiVersion: node.k8s.io/v1beta1
+kind: RuntimeClass
+metadata:
+ name: my-class
+handler: my-cri
diff --git a/test/rules_125_test.go b/test/rules_125_test.go
new file mode 100644
index 00000000..d99ca41a
--- /dev/null
+++ b/test/rules_125_test.go
@@ -0,0 +1,42 @@
+package test
+
+import (
+ "testing"
+
+ "github.com/doitintl/kube-no-trouble/pkg/collector"
+)
+
+func TestRego125(t *testing.T) {
+ testCases := []struct {
+ name string
+ manifests []string
+ expectedKinds []string // kinds of objects
+ }{
+ {"RuntimeClass", []string{"../fixtures/runtimeclass-v1beta1.yaml"}, []string{"RuntimeClass"}},
+ }
+
+ for _, tc := range testCases {
+ t.Run(tc.name, func(t *testing.T) {
+ c, err := collector.NewFileCollector(
+ &collector.FileOpts{Filenames: tc.manifests},
+ )
+
+ if err != nil {
+ t.Errorf("Expected to succeed for %s, failed: %s", tc.manifests, err)
+ }
+
+ manifests, err := c.Get()
+ if err != nil {
+ t.Errorf("Expected to succeed for %s, failed: %s", tc.manifests, err)
+ } else if len(manifests) != len(tc.expectedKinds) {
+ t.Errorf("Expected to get %d, got %d", len(tc.expectedKinds), len(manifests))
+ }
+
+ for i := range manifests {
+ if manifests[i]["kind"] != tc.expectedKinds[i] {
+ t.Errorf("Expected to get %s, instead got: %s", tc.expectedKinds[i], manifests[i]["kind"])
+ }
+ }
+ })
+ }
+}
From 47c707c485cdbed575b95fee18ec2a8af4e0e6bc Mon Sep 17 00:00:00 2001
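Review bot: In `TestRego125` the subtest keeps running after a failed precondition, because every check uses `t.Errorf`. After `NewFileCollector` returns an error the code still calls `c.Get()` on whatever `c` holds, and after a length mismatch the loop still indexes `tc.expectedKinds[i]`, which panics with index out of range when more manifests come back than kinds were expected. Switching the precondition checks to `t.Fatalf` stops the subtest at the first real failure, e.g. `t.Fatalf("Expected to succeed for %s, failed: %s", tc.manifests, err)`, and likewise for the length comparison. The same pattern is carried unchanged into `testReourcesUsingFixtures` in `test/helper.go` in patch 5/5.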
From: Stepan Stipl
Date: Mon, 14 Jun 2021 13:35:15 +0100
Subject: [PATCH 5/5] test: Refactor rules tests to avoid duplication
---
test/helper.go | 40 ++++++++++++++++++++++++++++++++++++++++
test/rules_122_test.go | 33 ++-------------------------------
test/rules_125_test.go | 33 ++-------------------------------
3 files changed, 44 insertions(+), 62 deletions(-)
create mode 100644 test/helper.go
diff --git a/test/helper.go b/test/helper.go
new file mode 100644
index 00000000..1c93c697
--- /dev/null
+++ b/test/helper.go
@@ -0,0 +1,40 @@
+package test
+
+import (
+ "testing"
+
+ "github.com/doitintl/kube-no-trouble/pkg/collector"
+)
+
+type resourceFixtureTestCase struct {
+ name string
+ fixturePaths []string
+ expectedKinds []string
+}
+
+func testReourcesUsingFixtures(t *testing.T, testCases []resourceFixtureTestCase) {
+ for _, tc := range testCases {
+ t.Run(tc.name, func(t *testing.T) {
+ c, err := collector.NewFileCollector(
+ &collector.FileOpts{Filenames: tc.fixturePaths},
+ )
+
+ if err != nil {
+ t.Errorf("Expected to succeed for %s, failed: %s", tc.fixturePaths, err)
+ }
+
+ manifests, err := c.Get()
+ if err != nil {
+ t.Errorf("Expected to succeed for %s, failed: %s", tc.fixturePaths, err)
+ } else if len(manifests) != len(tc.expectedKinds) {
+ t.Errorf("Expected to get %d, got %d", len(tc.expectedKinds), len(manifests))
+ }
+
+ for i := range manifests {
+ if manifests[i]["kind"] != tc.expectedKinds[i] {
+ t.Errorf("Expected to get %s, instead got: %s", tc.expectedKinds[i], manifests[i]["kind"])
+ }
+ }
+ })
+ }
+}
diff --git a/test/rules_122_test.go b/test/rules_122_test.go
index af16a18c..f6a16dca 100644
--- a/test/rules_122_test.go
+++ b/test/rules_122_test.go
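Review bot: The helper name `testReourcesUsingFixtures` is misspelled ("Reources") and is now baked into both callers; renaming it to `testResourcesUsingFixtures` while there are only two call sites is cheap. The file is `test/helper.go` rather than a `_test.go` file, so it is compiled into the regular build of package `test` and pulls `testing` into non-test code; naming it `helper_test.go` keeps it test-only. A doc comment would also help, e.g. `// testResourcesUsingFixtures loads each case's fixture files with the file collector and checks the kinds returned, in order.`, plus a `t.Helper()` call at the top of the function.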
@@ -2,16 +2,10 @@ package test import ( "testing" - - "github.com/doitintl/kube-no-trouble/pkg/collector" ) func TestRego122(t *testing.T) { - testCases := []struct { - name string - manifests []string - expectedKinds []string // kinds of objects - }{ + testCases := []resourceFixtureTestCase{ {"ClusterRole", []string{"../fixtures/clusterrole-v1beta1.yaml"}, []string{"ClusterRole"}}, {"ClusterRoleBinding", []string{"../fixtures/clusterrolebinding-v1beta1.yaml"}, []string{"ClusterRoleBinding"}}, {"CSIDriver", []string{"../fixtures/csidriver-v1beta1.yaml"}, []string{"CSIDriver"}}, @@ -35,28 +29,5 @@ func TestRego122(t *testing.T) { {"ValidatingWebhookConfiguration", []string{"../fixtures/validatingwebhookconfiguration-v1beta1.yaml"}, []string{"ValidatingWebhookConfiguration"}}, } - for _, tc := range testCases { - t.Run(tc.name, func(t *testing.T) { - c, err := collector.NewFileCollector( - &collector.FileOpts{Filenames: tc.manifests}, - ) - - if err != nil { - t.Errorf("Expected to succeed for %s, failed: %s", tc.manifests, err) - } - - manifests, err := c.Get() - if err != nil { - t.Errorf("Expected to succeed for %s, failed: %s", tc.manifests, err) - } else if len(manifests) != len(tc.expectedKinds) { - t.Errorf("Expected to get %d, got %d", len(tc.expectedKinds), len(manifests)) - } - - for i := range manifests { - if manifests[i]["kind"] != tc.expectedKinds[i] { - t.Errorf("Expected to get %s, instead got: %s", tc.expectedKinds[i], manifests[i]["kind"]) - } - } - }) - } + testReourcesUsingFixtures(t, testCases) } diff --git a/test/rules_125_test.go b/test/rules_125_test.go index d99ca41a..31944e41 100644 --- a/test/rules_125_test.go +++ b/test/rules_125_test.go 
@@ -2,41 +2,12 @@ package test import ( "testing" - - "github.com/doitintl/kube-no-trouble/pkg/collector" ) func TestRego125(t *testing.T) { - testCases := []struct { - name string - manifests []string - expectedKinds []string // kinds of objects - }{ + testCases := []resourceFixtureTestCase{ {"RuntimeClass", []string{"../fixtures/runtimeclass-v1beta1.yaml"}, []string{"RuntimeClass"}}, } - for _, tc := range testCases { - t.Run(tc.name, func(t *testing.T) { - c, err := collector.NewFileCollector( - &collector.FileOpts{Filenames: tc.manifests}, - ) - - if err != nil { - t.Errorf("Expected to succeed for %s, failed: %s", tc.manifests, err) - } - - manifests, err := c.Get() - if err != nil { - t.Errorf("Expected to succeed for %s, failed: %s", tc.manifests, err) - } else if len(manifests) != len(tc.expectedKinds) { - t.Errorf("Expected to get %d, got %d", len(tc.expectedKinds), len(manifests)) - } - - for i := range manifests { - if manifests[i]["kind"] != tc.expectedKinds[i] { - t.Errorf("Expected to get %s, instead got: %s", tc.expectedKinds[i], manifests[i]["kind"]) - } - } - }) - } + testReourcesUsingFixtures(t, testCases) }
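Review bot: `TestRego125` is named after the rule set, but after this refactor it still only checks the `kind` values returned by the file collector; nothing in these hunks loads the `deprecated125` package or asserts that a `node.k8s.io/v1beta1` RuntimeClass produces a finding. If rule evaluation is not covered elsewhere in the repository, a wrong kind key or apiVersion string in `deprecated-1-25.rego` would pass this test, and the tool would miss the deprecated API without any sign. Consider extending the shared helper to run the rule over the collected manifests and compare the reported `ApiVersion` and `ReplaceWith` values, or rename the test to say that it covers fixture parsing only.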