
Remove creationTS for jobspec and fix 80 char line break (#200)
* remove creationTS for jobspec

* add test for lines longer than 80 char

* update images

* update fixed file as well
nschhina authored Mar 28, 2019
1 parent a48ce74 commit b19f650
Showing 6 changed files with 272 additions and 4 deletions.
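--- a/cmd/autofix_util.go
+++ b/cmd/autofix_util.go
@@ -670,12 +670,13 @@ func splitYamlResources(filename string, toWriteFile string) (splitDecoded [][]b
 func cleanupManifest(origFile string, finalData []byte) ([]byte, error) {
 objectMetacreationTs := []byte("\n creationTimestamp: null\n")
 specTemplatecreationTs := []byte("\n creationTimestamp: null\n")
+jobSpecTemplatecreationTs := []byte("\n creationTimestamp: null\n")
 nullStatus := []byte("\nstatus: {}\n")
 nullReplicaStatus := []byte("status:\n replicas: 0\n")
 nullLBStatus := []byte("status:\n loadBalancer: {}\n")
 nullMetaStatus := []byte("\n status: {}\n")
 
-var hasObjectMetacreationTs, hasSpecTemplatecreationTs, hasNullStatus,
+var hasObjectMetacreationTs, hasSpecTemplatecreationTs, hasJobSpecTemplatecreationTs, hasNullStatus,
 hasNullReplicaStatus, hasNullLBStatus, hasNullMetaStatus bool
 
 if origFile != "" {
@@ -685,6 +686,7 @@ func cleanupManifest(origFile string, finalData []byte) ([]byte, error) {
 }
 hasObjectMetacreationTs = bytes.Contains(origData, objectMetacreationTs)
 hasSpecTemplatecreationTs = bytes.Contains(origData, specTemplatecreationTs)
+hasJobSpecTemplatecreationTs = bytes.Contains(origData, jobSpecTemplatecreationTs)
 
 hasNullStatus = bytes.Contains(origData, nullStatus)
 hasNullReplicaStatus = bytes.Contains(origData, nullReplicaStatus)
@@ -699,6 +701,9 @@ func cleanupManifest(origFile string, finalData []byte) ([]byte, error) {
 if !hasSpecTemplatecreationTs {
 finalData = bytes.Replace(finalData, specTemplatecreationTs, []byte("\n"), -1)
 }
+if !hasJobSpecTemplatecreationTs {
+finalData = bytes.Replace(finalData, jobSpecTemplatecreationTs, []byte("\n"), -1)
+}
 if !hasNullStatus {
 finalData = bytes.Replace(finalData, nullStatus, []byte("\n"), -1)
 }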
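Review bot: The new `jobSpecTemplatecreationTs` literal on the third declaration line is distinguishable from the two above it only by its leading-space count (the rendered view collapses whitespace, so all three read as `"\n creationTimestamp: null\n"` here), so the cleanup depends on the YAML encoder emitting exactly that indentation for `jobTemplate.spec.template.metadata`; a resource nested at any other depth, or a non-default indent width, keeps its `creationTimestamp: null` with no signal that the pattern missed. That coupling is worth stating at the declarations, e.g. `// Each pattern is anchored by indentation depth (ObjectMeta, spec.template.metadata, jobTemplate.spec.template.metadata); keep in sync with the encoder's indent.` A side effect that appears in the updated fixed fixture is that stripping the only child of a `metadata:` block leaves a bare `metadata:` key (read back as null); if that matters for the target resource, the replacement could remove the now-empty parent key as well. cleanupManifest continues past the last hunk.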
133 changes: 133 additions & 0 deletions fixtures/autofix-all-resources-fixed_v1.yml
Expand Up @@ -84,6 +84,139 @@ metadata:
spec: {}
status: {}
---
apiVersion: batch/v1beta1
kind: CronJob
metadata:
labels:
app: testapp
env: production
name: jobs
name: testapp
spec:
concurrencyPolicy: Forbid
jobTemplate:
spec:
backoffLimit: 0
template:
metadata:
labels:
app: testapp
env: production
name: testapp
annotations:
container.apparmor.security.beta.kubernetes.io/jobs: runtime/default
seccomp.security.alpha.kubernetes.io/pod: runtime/default
spec:
affinity:
nodeAffinity:
requiredDuringSchedulingIgnoredDuringExecution:
nodeSelectorTerms:
- matchExpressions:
- key: role
operator: In
values:
- testapp
automountServiceAccountToken: false
containers:
- env:
- name: GOOGLE_APPLICATION_CREDENTIALS
value: /var/run/gcloud/key
image: gcr.io/docker-image/testapp:<%= current_sha %>
args:
- gcr.io/docker-images
name: jobs
resources:
limits:
cpu: "1"
memory: 10Gi
requests:
cpu: "1"
memory: 10Gi
securityContext:
allowPrivilegeEscalation: false
capabilities:
drop:
- AUDIT_WRITE
- CHOWN
- DAC_OVERRIDE
- FOWNER
- FSETID
- KILL
- MKNOD
- NET_BIND_SERVICE
- NET_RAW
- SETFCAP
- SETGID
- SETPCAP
- SETUID
- SYS_CHROOT
privileged: false
readOnlyRootFilesystem: true
runAsNonRoot: true
volumeMounts:
- name: google-service-account
mountPath: /var/run/gcloud
readOnly: true
restartPolicy: Never
tolerations:
- key: app
operator: Equal
value: testapp
effect: NoExecute
volumes:
- name: google-service-account
secret:
secretName: service-account-key
metadata:
schedule: 30 13 * * 1-5
---
apiVersion: apps/v1
kind: Deployment
metadata:
creationTimestamp: null
name: fakeDeploymentImg1
namespace: fakeDeploymentImg
spec:
strategy: {}
template:
metadata:
creationTimestamp: null
labels:
apps: fakeImage
annotations:
container.apparmor.security.beta.kubernetes.io/fakeContainerImg: runtime/default
seccomp.security.alpha.kubernetes.io/pod: runtime/default
spec:
# Trust me the following line is longer than 80 characters
containers:
- image: gcr.io/docker-images-directory/apps/production/fake-image-app:<%= current_sha %>
name: fakeContainerImg
resources: {}
securityContext:
allowPrivilegeEscalation: false
capabilities:
drop:
- AUDIT_WRITE
- CHOWN
- DAC_OVERRIDE
- FOWNER
- FSETID
- KILL
- MKNOD
- NET_BIND_SERVICE
- NET_RAW
- SETFCAP
- SETGID
- SETPCAP
- SETUID
- SYS_CHROOT
privileged: false
readOnlyRootFilesystem: true
runAsNonRoot: true
automountServiceAccountToken: false
selector: null
status: {}
---
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
103 changes: 103 additions & 0 deletions fixtures/autofix-all-resources_v1.yml
Expand Up @@ -42,3 +42,106 @@ metadata:
creationTimestamp: null
spec: {}
status: {}

---
apiVersion: batch/v1beta1
kind: CronJob
metadata:
labels:
app: testapp
env: production
name: jobs
name: testapp
spec:
concurrencyPolicy: Forbid
jobTemplate:
spec:
backoffLimit: 0
template:
metadata:
labels:
app: testapp
env: production
name: testapp
spec:
affinity:
nodeAffinity:
requiredDuringSchedulingIgnoredDuringExecution:
nodeSelectorTerms:
- matchExpressions:
- key: role
operator: In
values:
- testapp
automountServiceAccountToken: false
containers:
- env:
- name: GOOGLE_APPLICATION_CREDENTIALS
value: /var/run/gcloud/key
image: gcr.io/docker-image/testapp:<%= current_sha %>
args: ["gcr.io/docker-images"]
name: jobs
resources:
limits:
cpu: "1"
memory: 10Gi
requests:
cpu: "1"
memory: 10Gi
securityContext:
allowPrivilegeEscalation: false
capabilities:
drop:
- AUDIT_WRITE
- CHOWN
- DAC_OVERRIDE
- FOWNER
- FSETID
- KILL
- MKNOD
- NET_BIND_SERVICE
- NET_RAW
- SETFCAP
- SETGID
- SETPCAP
- SETUID
- SYS_CHROOT
privileged: false
readOnlyRootFilesystem: false
runAsNonRoot: true
volumeMounts:
- name: google-service-account
mountPath: "/var/run/gcloud"
readOnly: true
restartPolicy: Never
tolerations:
- key: "app"
operator: "Equal"
value: "testapp"
effect: "NoExecute"
volumes:
- name: google-service-account
secret:
secretName: service-account-key
schedule: 30 13 * * 1-5
---
apiVersion: apps/v1
kind: Deployment
metadata:
creationTimestamp: null
name: fakeDeploymentImg1
namespace: fakeDeploymentImg
spec:
strategy: {}
template:
metadata:
creationTimestamp: null
labels:
apps: fakeImage
spec:
# Trust me the following line is longer than 80 characters
containers:
- image: gcr.io/docker-images-directory/apps/production/fake-image-app:<%= current_sha %>
name: fakeContainerImg
resources: {}
status: {}
27 changes: 27 additions & 0 deletions fixtures/image_tag_missing_v1.yml
@@ -1,3 +1,4 @@
---
apiVersion: apps/v1
kind: Deployment
metadata:
Expand All @@ -11,9 +12,35 @@ spec:
creationTimestamp: null
labels:
apps: fakeImage
annotations:
container.apparmor.security.beta.kubernetes.io/fakeContainerImg: runtime/default
seccomp.security.alpha.kubernetes.io/pod: runtime/default
spec:
containers:
- image: fakeContainerImg
name: fakeContainerImg
resources: {}
securityContext:
allowPrivilegeEscalation: false
capabilities:
drop:
- AUDIT_WRITE
- CHOWN
- DAC_OVERRIDE
- FOWNER
- FSETID
- KILL
- MKNOD
- NET_BIND_SERVICE
- NET_RAW
- SETFCAP
- SETGID
- SETPCAP
- SETUID
- SYS_CHROOT
privileged: false
readOnlyRootFilesystem: true
runAsNonRoot: true
automountServiceAccountToken: false
selector: null
status: {}
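--- a/go.mod
+++ b/go.mod
@@ -2,7 +2,7 @@ module github.com/Shopify/kubeaudit
 
 require (
 cloud.google.com/go v0.34.0 // indirect
-github.com/Shopify/yaml v0.0.0-20181217205125-7421e5c313a1
+github.com/Shopify/yaml v0.0.0-20190328215659-1aafb9de702d
 github.com/evanphx/json-patch v4.1.0+incompatible // indirect
 github.com/go-test/deep v1.0.1
 github.com/gogo/protobuf v1.2.0 // indirect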
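--- a/go.sum
+++ b/go.sum
@@ -1,7 +1,7 @@
 cloud.google.com/go v0.34.0 h1:eOI3/cP2VTU6uZLDYAoic+eyzzB9YyGmJ7eIjl8rOPg=
 cloud.google.com/go v0.34.0/go.mod h1:aQUYkXzVsufM+DwF1aE+0xfcU+56JwCaLick0ClmMTw=
-github.com/Shopify/yaml v0.0.0-20181217205125-7421e5c313a1 h1:QkXVRqdtnA8l5Dhhxo1QpFuy9vrS2NYlwMUzZKhtmzs=
-github.com/Shopify/yaml v0.0.0-20181217205125-7421e5c313a1/go.mod h1:F+L2Ws/5G2Po8VIyt25PaorPQ61EWtQRwVNFF1P7DbI=
+github.com/Shopify/yaml v0.0.0-20190328215659-1aafb9de702d h1:t5yaUYWv3XaeGNvWJi8vGNIsDSUqGPKaVToDkIjW/6g=
+github.com/Shopify/yaml v0.0.0-20190328215659-1aafb9de702d/go.mod h1:kYv0kdKeZo6HHK51q/+psdHmkI5avnAoHFva9aKxK2Q=
 github.com/davecgh/go-spew v1.1.1 h1:vj9j/u1bqnvCEfJOwUhtlOARqs3+rkHYY13jYWTU97c=
 github.com/davecgh/go-spew v1.1.1/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38=
 github.com/evanphx/json-patch v4.1.0+incompatible h1:K1MDoo4AZ4wU0GIU/fPmtZg7VpzLjCxu+UwBD1FvwOc=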
