stackrox / kube-linter

KubeLinter is a static analysis tool that checks Kubernetes YAML files and Helm charts to ensure the applications represented in them adhere to best practices.

Home Page:https://docs.kubelinter.io/

[FEATURE_REQUEST] Fail linting if files cannot be decoded

rumstead opened this issue · comments

Description of the problem/feature request

Kube-linter will silently ignore files that it cannot decode. This makes sense for ignoring files that aren't Kubernetes resources, but in the case that they are, kube-linter should fail linting.

Where I notice this the most is invalid quantities for resources (cpu, memory, storage, etc.). I want to fail our CI build so our GitOps engine does not sync out invalid manifests.

Description of the existing behavior vs. expected behavior
When kube-linter tries to decode a Kubernetes resource that is invalid, it silently ignores the resource. I suggest that we add a config option that allows these errors to fail the linting.

Additional context
kubeval is also struggling with similar issues

  1. instrumenta/kubeval#185
  2. instrumenta/kubeval#195
  3. instrumenta/kubeval#208

Example

cat << EOF > pod-test.yaml
apiVersion: v1
kind: Pod
metadata:
  creationTimestamp: null
  labels:
    run: priv-pod
  name: priv-pod
  namespace: default
spec:
  containers:
  - image: busybox
    name: invalid
    command:
      - "sleep"
    args:
      - "infinity"
    resources:
      limits:
        cpu: 25m
        memory: 1GB
      requests:
        cpu: 25m
        memory: 1GB
  dnsPolicy: ClusterFirst
  restartPolicy: Always
status: {}
EOF

Lint the file.

>  kube-linter lint pod-test.yaml
Warning: no valid objects found.

> kube-linter lint pod-test.yaml -v
Warning: failed to load object from pod-test.yaml: failed to decode: v1.Pod.Spec: v1.PodSpec.Containers: []v1.Container: v1.Container.Resources: v1.ResourceRequirements.Requests: Limits: unmarshalerDecoder: quantities must match the regular expression '^([+-]?[0-9.]+)([eEinumkKMGTP]*[-+]?[0-9]*)$', error found in #10 byte of ...|ory":"1GB"},"request|..., bigger context ...|,"resources":{"limits":{"cpu":"25m","memory":"1GB"},"requests":{"cpu":"25m","memory":"1GB"}}}],"dnsP|...
Warning: no valid objects found.

I am happy to contribute this if there is buy in.

My thoughts on impl:

  1. Add a new config option --fail-on-decode
  2. If the new config option is present, output any errors and return an err similar to here.

Actually, I found an existing PR - https://github.com/stackrox/kube-linter/pull/196/files

@viswajithiii can I help get this over the finish line?
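As an added example (not part of this issue, the linked PR, or the kube-linter code base): a stand-alone Go pre-check that applies the quantity regular expression quoted in the `-v` output above to the `cpu`/`memory`/`storage` values in a manifest and exits non-zero when one would not decode. Until kube-linter can fail on decode errors itself, a check like this gives CI the failing exit status the issue asks for. The line-oriented key matching and the sample manifest are my own assumptions and constructed input; this is not a YAML parser and does not replace a real decode of the object.

```go
package main

import (
	"fmt"
	"os"
	"regexp"
	"strings"
)

// quantityRe is the pattern that the kube-linter decode error above quotes
// for resource.Quantity values ("1GB" fails it because "B" is not allowed;
// "1Gi", "1G" and "25m" pass).
var quantityRe = regexp.MustCompile(`^([+-]?[0-9.]+)([eEinumkKMGTP]*[-+]?[0-9]*)$`)

// resourceKeyRe matches a YAML mapping line such as `    memory: "1GB"`.
// Assumption: this is a line-oriented simplification, not a YAML parse, so
// it only recognises the common resource keys written as scalar values.
var resourceKeyRe = regexp.MustCompile(`^\s*(cpu|memory|storage|ephemeral-storage):\s*"?([^"\s#]+)"?\s*$`)

// QuantityError records one value that would fail to decode.
type QuantityError struct {
	Line  int
	Key   string
	Value string
}

func (e QuantityError) Error() string {
	return fmt.Sprintf("line %d: %s: %q does not match %s", e.Line, e.Key, e.Value, quantityRe.String())
}

// ValidQuantity reports whether s has the syntax a Kubernetes quantity needs.
func ValidQuantity(s string) bool {
	return quantityRe.MatchString(s)
}

// CheckManifest scans manifest text and returns one error per resource
// quantity that would not decode. A nil result means nothing was flagged.
func CheckManifest(manifest string) []QuantityError {
	var errs []QuantityError
	for i, line := range strings.Split(manifest, "\n") {
		m := resourceKeyRe.FindStringSubmatch(line)
		if m == nil {
			continue
		}
		if !ValidQuantity(m[2]) {
			errs = append(errs, QuantityError{Line: i + 1, Key: m[1], Value: m[2]})
		}
	}
	return errs
}

// sampleManifest is a constructed pod spec: the limit uses the invalid
// "1GB" from the issue, the request uses the decodable "1Gi".
const sampleManifest = `apiVersion: v1
kind: Pod
metadata:
  name: priv-pod
spec:
  containers:
  - image: busybox
    name: invalid
    resources:
      limits:
        cpu: 25m
        memory: 1GB
      requests:
        cpu: 25m
        memory: 1Gi
`

func main() {
	// In CI you would read the manifest from a file; the constructed
	// sample is used here so the program runs offline.
	errs := CheckManifest(sampleManifest)
	for _, e := range errs {
		fmt.Fprintln(os.Stderr, "error:", e)
	}
	if len(errs) > 0 {
		os.Exit(1) // fail the pipeline instead of silently skipping the object
	}
	fmt.Println("all resource quantities are decodable")
}
```

Run it as a step before `kube-linter lint`; a non-zero exit stops the pipeline before a GitOps engine can pick up a manifest the API server would reject.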

Hi @rumstead, sorry for the late response. Honestly, the proposed implementation (the one from the PR) seems reasonable. I was thinking of something a little more involved back then, but I don't think that makes sense any more. If you would like to help get it over the line, that works, and I can merge it!

Is there anything on the PR that needs to be changed, or can it be merged as is?

Just pulling in the latest master commits since it's been a while, and adding an E2E test, if possible?

PR added. Lmk if the tests aren't enough

Anything I can do here to help push this along? @viswajithiii / @janisz