feat: add fairwinds polaris

This commit is contained in:
Robert Kaussow 2023-06-25 15:56:41 +02:00
parent 816e711d1f
commit 3b9bcea7cb
Signed by: xoxys
GPG Key ID: 4E692A2EAECC03C0
2 changed files with 45 additions and 0 deletions

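--- a/<Dockerfile path not shown on page>
+++ b/<Dockerfile path not shown on page>
@@ -12,6 +12,7 @@ ARG YQ_VERSION
 ARG HELM_VERSION
 ARG KUSTOMIZE_VERSION
 ARG KUBECONFORM_VERSION
+ARG POLARIS_VERSION
 # renovate: datasource=github-releases depName=kubernetes/kubernetes
 ENV KUBECTL_VERSION="${KUBECTL_VERSION:-v1.27.3}"
@@ -23,6 +24,8 @@ ENV HELM_VERSION="${HELM_VERSION:-v3.12.1}"
 ENV KUSTOMIZE_VERSION="${KUSTOMIZE_VERSION:-v5.1.0}"
 # renovate: datasource=github-releases depName=yannh/kubeconform
 ENV KUBECONFORM_VERSION="${KUBECONFORM_VERSION:-v0.6.2}"
+# renovate: datasource=github-releases depName=FairwindsOps/polaris
+ENV POLARIS_VERSION="${POLARIS_VERSION:-8.2.3}"
 RUN apk --update add curl tar bash python3 py3-yaml && \
 curl -SsfL -o /usr/local/bin/kubectl "https://dl.k8s.io/release/${KUBECTL_VERSION}/bin/linux/amd64/kubectl" && \
@@ -34,6 +37,8 @@ RUN apk --update add curl tar bash python3 py3-yaml && \
 | tar xz -C /usr/local/bin kustomize && \
 curl -SsfL "https://github.com/yannh/kubeconform/releases/download/${KUBECONFORM_VERSION}/kubeconform-linux-amd64.tar.gz" \
 | tar xz -C /usr/local/bin kubeconform && \
+curl -SsfL "https://github.com/FairwindsOps/polaris/releases/download/${POLARIS_VERSION}/polaris_linux_amd64.tar.gz" \
+| tar xz -C /usr/local/bin polaris && \
 chmod 755 /usr/local/bin/kubectl && \
 chmod 755 /usr/local/bin/kubectl-convert && \
 chmod 755 /usr/local/bin/yq && \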
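Review bot: The polaris tarball added in the third hunk is piped from curl straight into tar with no integrity check, so the build accepts whatever the release URL returns, and this image is a CI tool that gates deployments, which makes a pinned digest worth the extra line. The existing kustomize and kubeconform downloads in the same RUN have the same gap, so the same shape fits all three. One way, with a new build argument whose name is constructed here: `curl -SsfL -o /tmp/polaris.tgz "https://github.com/FairwindsOps/polaris/releases/download/${POLARIS_VERSION}/polaris_linux_amd64.tar.gz" && \`, `echo "${POLARIS_SHA256}  /tmp/polaris.tgz" | sha256sum -c - && \`, `tar xzf /tmp/polaris.tgz -C /usr/local/bin polaris && rm /tmp/polaris.tgz && \`. Separately, `POLARIS_VERSION` defaults to `8.2.3` while every sibling default carries a `v` prefix; if that mirrors the upstream tag format, a one-line comment saying so would save the next reader a check. The RUN instruction begins before the hunk and continues after it.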

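--- /dev/null
+++ b/<script path not shown on page>
@@ -0,0 +1,40 @@
+#!/usr/bin/env bash
+set -eo pipefail
+KUSTOMIZE_FLAGS=("--load-restrictor=LoadRestrictionsNone")
+KUSTOMIZE_CONFIG="kustomization.yaml"
+FLUX_PATH="${1:-.}"
+POLARIS_EXCLUDE_PATHS=(
+"flux/clusters/cloud-infra/flux-system/"
+)
+if [ -z "$POLARIS_CONFIG" ]; then
+POLARIS_CONFIG=(
+"--format=pretty"
+"--set-exit-code-on-danger"
+"--set-exit-code-below-score=80"
+"--only-show-failed-tests=true"
+"--audit-path=-"
+)
+else
+# shellcheck disable=SC2128
+IFS=', ' read -r -a POLARIS_CONFIG <<<"$POLARIS_CONFIG"
+fi
+printf "\nINFO - Auditing kustomize overlays\n"
+find "${FLUX_PATH%/}" -type f -name $KUSTOMIZE_CONFIG -print0 | while IFS= read -r -d $'\0' file; do
+printf "INFO - Auditing kustomization %s\n" "${file/%$KUSTOMIZE_CONFIG/}"
+for EXCLUDE in "${POLARIS_EXCLUDE_PATHS[@]}"; do
+if [ "$EXCLUDE" == "${file/%$KUSTOMIZE_CONFIG/}" ]; then
+continue 2
+fi
+done
+kustomize build "${file/%$KUSTOMIZE_CONFIG/}" "${KUSTOMIZE_FLAGS[@]}" |
+polaris audit "${POLARIS_CONFIG[@]}"
+echo
+if [[ ${PIPESTATUS[0]} != 0 ]]; then
+exit 1
+fi
+done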
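Review bot: The `${PIPESTATUS[0]}` test after the `kustomize build | polaris audit` pipeline reads the status of the intervening `echo`, not of kustomize, because bash replaces PIPESTATUS after every command; and with `set -eo pipefail` at the top, a failing kustomize or polaris appears to abort the loop's subshell before `echo` runs, so the `exit 1` branch looks unreachable as written. If the explicit check is wanted, capture the statuses on the line directly after the pipeline, `status=("${PIPESTATUS[@]}")`, then `echo`, then `if [[ ${status[0]} != 0 ]]; then`. Separately, `POLARIS_EXCLUDE_PATHS` is compared for exact equality against find output, and with the default `FLUX_PATH` of `.` find prints paths as `./flux/...`, so the `flux/clusters/cloud-infra/flux-system/` entry would never match unless the caller passes a path that makes the prefixes line up; stripping a leading `./` from the find result before the comparison, or matching on a suffix pattern, would make the exclusion hold. The `-name $KUSTOMIZE_CONFIG` on the find line should also be quoted to match the rest of the script.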