diff --git a/Dockerfile b/Dockerfile
index 702d380..00dc4c6 100644
--- a/Dockerfile
+++ b/Dockerfile
@@ -12,6 +12,7 @@ ARG YQ_VERSION
 ARG HELM_VERSION
 ARG KUSTOMIZE_VERSION
 ARG KUBECONFORM_VERSION
+ARG POLARIS_VERSION
 
 # renovate: datasource=github-releases depName=kubernetes/kubernetes
 ENV KUBECTL_VERSION="${KUBECTL_VERSION:-v1.27.3}"
@@ -23,6 +24,8 @@ ENV HELM_VERSION="${HELM_VERSION:-v3.12.1}"
 ENV KUSTOMIZE_VERSION="${KUSTOMIZE_VERSION:-v5.1.0}"
 # renovate: datasource=github-releases depName=yannh/kubeconform
 ENV KUBECONFORM_VERSION="${KUBECONFORM_VERSION:-v0.6.2}"
+# renovate: datasource=github-releases depName=FairwindsOps/polaris
+ENV POLARIS_VERSION="${POLARIS_VERSION:-8.2.3}"
 
 RUN apk --update add curl tar bash python3 py3-yaml && \
     curl -SsfL -o /usr/local/bin/kubectl "https://dl.k8s.io/release/${KUBECTL_VERSION}/bin/linux/amd64/kubectl" && \
@@ -34,6 +37,8 @@ RUN apk --update add curl tar bash python3 py3-yaml && \
     | tar xz -C /usr/local/bin kustomize && \
     curl -SsfL "https://github.com/yannh/kubeconform/releases/download/${KUBECONFORM_VERSION}/kubeconform-linux-amd64.tar.gz" \
     | tar xz -C /usr/local/bin kubeconform && \
+    curl -SsfL "https://github.com/FairwindsOps/polaris/releases/download/${POLARIS_VERSION}/polaris_linux_amd64.tar.gz" \
+    | tar xz -C /usr/local/bin polaris && \
     chmod 755 /usr/local/bin/kubectl && \
     chmod 755 /usr/local/bin/kubectl-convert && \
     chmod 755 /usr/local/bin/yq && \
diff --git a/overlay/usr/local/bin/flux-audit b/overlay/usr/local/bin/flux-audit
new file mode 100755
index 0000000..3927ba2
--- /dev/null
+++ b/overlay/usr/local/bin/flux-audit
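Review bot: The new polaris fetch in the third hunk pins a version but not the content: `curl ... | tar xz -C /usr/local/bin polaris` installs whatever GitHub serves for that URL with no integrity check, so a tampered release asset or a redirect lands directly on the image's PATH as an executable. Download the archive to a temp file and verify it before extracting, e.g. `echo "${POLARIS_SHA256}  /tmp/polaris.tar.gz" | sha256sum -c -`, with `POLARIS_SHA256` declared next to `POLARIS_VERSION` (Renovate can track both if the release publishes a checksums file, which is worth confirming for this project). The existing kustomize and kubeconform fetches have the same gap, so the new line is consistent with the file, but it is the line being added here. The `RUN` instruction starts and continues outside this hunk, and `tar xz` preserves the archive's file mode, so also check that a `chmod 755 /usr/local/bin/polaris` exists in the part not shown or that the extracted binary is already executable.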
@@ -0,0 +1,40 @@
+#!/usr/bin/env bash
+set -eo pipefail
+
+KUSTOMIZE_FLAGS=("--load-restrictor=LoadRestrictionsNone")
+KUSTOMIZE_CONFIG="kustomization.yaml"
+
+FLUX_PATH="${1:-.}"
+POLARIS_EXCLUDE_PATHS=(
+  "flux/clusters/cloud-infra/flux-system/"
+)
+
+if [ -z "$POLARIS_CONFIG" ]; then
+  POLARIS_CONFIG=(
+    "--format=pretty"
+    "--set-exit-code-on-danger"
+    "--set-exit-code-below-score=80"
+    "--only-show-failed-tests=true"
+    "--audit-path=-"
+  )
+else
+  # shellcheck disable=SC2128
+  IFS=', ' read -r -a POLARIS_CONFIG <<<"$POLARIS_CONFIG"
+fi
+
+printf "\nINFO - Auditing kustomize overlays\n"
+find "${FLUX_PATH%/}" -type f -name $KUSTOMIZE_CONFIG -print0 | while IFS= read -r -d $'\0' file; do
+  printf "INFO - Auditing kustomization %s\n" "${file/%$KUSTOMIZE_CONFIG/}"
+  for EXCLUDE in "${POLARIS_EXCLUDE_PATHS[@]}"; do
+    if [ "$EXCLUDE" == "${file/%$KUSTOMIZE_CONFIG/}" ]; then
+      continue 2
+    fi
+  done
+
+  kustomize build "${file/%$KUSTOMIZE_CONFIG/}" "${KUSTOMIZE_FLAGS[@]}" |
+    polaris audit "${POLARIS_CONFIG[@]}"
+  echo
+  if [[ ${PIPESTATUS[0]} != 0 ]]; then
+    exit 1
+  fi
+done
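Review bot: The exit-code check after the `kustomize build | polaris audit` pipeline can never fire: with `set -eo pipefail` a non-zero status from either command aborts the script before the check is reached, and even without `-e` the intervening `echo` resets `PIPESTATUS`, so `${PIPESTATUS[0]}` is echo's status rather than kustomize's. If the intent is an explicit, readable failure path, run the pipeline as an `if !` condition, where `set -e` does not apply, so a failed build and a failed audit both end the run with a defined status; if the intent is to audit every overlay before exiting, a failure counter is needed instead. Separately, `--load-restrictor=LoadRestrictionsNone` lets any audited kustomization reference files from anywhere on the runner's filesystem, which deserves a comment next to `KUSTOMIZE_FLAGS` if this ever runs on untrusted branches, e.g. `# LoadRestrictionsNone lets overlays read files outside their own directory; only audit trusted trees`. Also quote the pattern as `-name "$KUSTOMIZE_CONFIG"` so a value containing a glob or whitespace is not word-split by find.
```shell
  # … unchanged: exclusion loop …
  if ! kustomize build "${file/%$KUSTOMIZE_CONFIG/}" "${KUSTOMIZE_FLAGS[@]}" |
    polaris audit "${POLARIS_CONFIG[@]}"; then
    echo
    exit 1
  fi
  echo
done
```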