
Support OpenShift objects

Open viswajithiii opened this issue 3 years ago • 7 comments

Support checks on OpenShift objects. Suggestions we got were to look at imagestreams, deploymentconfigs, buildconfigs and routes.

viswajithiii avatar Oct 29 '20 15:10 viswajithiii

+1 for the feature! kube-linter is a great tool for GitOps and DevSecOps.

mancubus77 avatar Mar 21 '21 01:03 mancubus77

@viswajithiii; any plans to support Template, in the same way k8s List and helm are?

garethahealy avatar Aug 20 '21 13:08 garethahealy

> @viswajithiii; any plans to support Template, in the same way k8s List and helm are?

Hmm, I'm not familiar with Template. Can you elaborate on how it's used?

viswajithiii avatar Aug 20 '21 15:08 viswajithiii

They are a way to provide a simple template for a list of resources (pre-helm, started in OCP3). Obviously, customers are migrating to better/other ways, but they are still used by a large number of customers.

  • https://docs.openshift.com/container-platform/4.8/openshift_images/using-templates.html

# The delimiter is quoted so the shell does not expand ${REDIS_PASSWORD} inside the heredoc
cat << 'EOF' > template.yaml
apiVersion: template.openshift.io/v1
kind: Template
metadata:
  name: redis-template
  annotations:
    description: "Description"
    iconClass: "icon-redis"
    tags: "database,nosql"
objects:
- apiVersion: v1
  kind: Pod
  metadata:
    name: redis-master
  spec:
    containers:
    - env:
      - name: REDIS_PASSWORD
        value: ${REDIS_PASSWORD}
      image: dockerfile/redis
      name: master
      ports:
      - containerPort: 6379
        protocol: TCP
parameters:
- description: Password used for Redis authentication
  from: '[A-Z0-9]{8}'
  generate: expression
  name: REDIS_PASSWORD
EOF

oc process --local -f template.yaml

garethahealy avatar Aug 20 '21 16:08 garethahealy

Hmm, got it. Interesting. It's definitely worth tracking, but as low priority -- meaning we are unlikely to do it anytime soon internally, but we will accept a PR if someone sends one our way.

viswajithiii avatar Aug 20 '21 16:08 viswajithiii

There is a workaround to make OpenShift templates work with kube-linter: just transform the file using basic jq and/or yq commands, which is easily feasible in an automated environment.

An example:

oc process --local -f your-openshift-template.yaml \
  -p NAME="some_name" \
  -p ENV="prod" \
  -p IMAGE="myregistry.mycompany.com/image:tag" \
  -p SOME_OTHER_PARAM="someothervalue" \
  -o yaml > list.yaml

file="list.json"

# For yq up to version 3.3.2:
# yq r --prettyPrint -j list.yaml > $file

# For yq version 4.8.0:
yq eval -o json list.yaml > $file

for k in $(jq '.items | keys | .[]' $file); do
  echo "---" >> all.yaml
  jq ".items[$k]" $file | yq e -P - >> all.yaml
done

rm -f $file list.yaml

kube-linter lint all.yaml

The idea is to give kube-linter a native k8s object. There are many ways to do it, but here's mine, and it is working like a charm!

jfroment avatar Sep 09 '21 08:09 jfroment
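An added example, not part of the thread or of kube-linter: a stdlib-only Python take on the same flattening step that also reports any `${PARAM}` reference still left in the objects, so an unprocessed Template is not linted as if its placeholders were real values. The function names, the sample objects and the password value are constructed for illustration, and emitting JSON-style documents assumes the linter's YAML parser accepts them.

```python
import json
import re

# ${NAME} and ${{NAME}} are the two parameter reference forms in OpenShift templates.
PARAM_REF = re.compile(r"\$\{\{?\w+\}\}?")

def flatten(doc):
    """Yield native objects from a List (nested Lists included) or a Template."""
    kind = doc.get("kind", "")
    if kind == "Template":
        children = doc.get("objects", [])
    elif kind.endswith("List") and "items" in doc:
        children = doc["items"]
    else:
        yield doc
        return
    for child in children:
        yield from flatten(child)

def unresolved(node, path=""):
    """Return (path, value) for every string that still holds a parameter reference."""
    if isinstance(node, dict):
        return [h for k, v in node.items() for h in unresolved(v, f"{path}.{k}")]
    if isinstance(node, list):
        return [h for i, v in enumerate(node) for h in unresolved(v, f"{path}[{i}]")]
    if isinstance(node, str) and PARAM_REF.search(node):
        return [(path, node)]
    return []

def to_stream(objects):
    """Serialise objects as '---'-separated documents (JSON is valid YAML flow syntax)."""
    return "".join("---\n" + json.dumps(o, indent=2) + "\n" for o in objects)

# Constructed sample: the redis Pod from this thread, as a raw Template and as a processed List.
POD = {"apiVersion": "v1", "kind": "Pod", "metadata": {"name": "redis-master"},
       "spec": {"containers": [{"name": "master", "image": "dockerfile/redis",
                "env": [{"name": "REDIS_PASSWORD", "value": "${REDIS_PASSWORD}"}]}]}}
RAW_TEMPLATE = {"apiVersion": "template.openshift.io/v1", "kind": "Template", "objects": [POD]}
PROCESSED = json.loads(json.dumps({"apiVersion": "v1", "kind": "List", "items": [POD]})
                       .replace("${REDIS_PASSWORD}", "A1B2C3D4"))  # constructed value

if __name__ == "__main__":
    for name, doc in (("raw", RAW_TEMPLATE), ("processed", PROCESSED)):
        objs = list(flatten(doc))
        print(name, len(objs), "object(s); unresolved:", unresolved(objs))
    print(to_stream(flatten(PROCESSED)), end="")
```

A non-empty result from `unresolved` means the input was not fully processed and should fail the pipeline before the lint step runs.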

@jfroment; I already have some code that does that as I required it for OPA policies I was writing.

  • https://github.com/redhat-cop/bats-library/blob/master/src/yaml-json-manipulation.bash

It does a bit more than you've suggested, but the idea is the same. Take in a yaml file and convert it to single k8s resources.

The suggestion for this issue was purely based on a few options (List/Helm) that are already supported, so it would be nice to add in another (Templates).

garethahealy avatar Sep 09 '21 09:09 garethahealy